Re: AFW, Chef and Netfilter


#1

Hi everyone,

v0.0.5 of the Advanced FireWall (AFW) was released today with a bunch of
bugfixes and improvements.

  • c2bf643 - Bump to version 0.0.5
  • f905a13 - Typo/Indent fixes
  • f607a16 - Clean up AFW node attributes at the end of Chef Run
  • 81dd201 - Skip rules that fail validation
  • 484f07e - Resolve FQDN into IPs before writing the rules
  • bd603ff - Add OSPF support
  • 72c4f27 - Fix missing node parameter for creation of predefined rules, by
    Julien Vehent
  • 9c6af65 - Do not use the default network interface by default, simply do
    not specify one
  • 0a0d682 - Add init & upstart scripts
  • ed12e60 - Check rule interface with nil? in addition to empty?; look for
    node ip under ['ipaddress'] in addition to ['network']['lanip'], by
    elliotkendallUCSF
  • 099185c - remove metadata.json file ... its version is not up to date, by
    Jeremiah Snapp

More details here:
http://jve.linuxwall.info/blog/index.php?post/2012/12/21/AFW-0.0.5-is-out
Repository on Github: https://github.com/jvehent/AFW/
Community cookbook: http://community.opscode.com/cookbooks/afw

Happy holidays!

- Julien Vehent

On 2012-11-13 18:23, Julien Vehent wrote:

Hi everyone,

Last Friday I gave a talk at Security Bsides Delaware on building dynamic
firewalls with Chef and Netfilter. It’s essentially a presentation of the AFW
cookbook (https://github.com/jvehent/AFW/) that we have been developing at
AWeber for the past 6 months.

The video is here: https://vimeo.com/53423330

I know from discussions on #chef that some folks are using similar techniques
in their own firewall cookbooks. I would be curious to hear about what
approach people are taking to configure them:

  • Do you use static rules?
  • Do you use searches?
  • How do you tell database-B to accept connection from API-A?

I also had an interesting question from a post-talk discussion: would it be
possible to use Chef to configure a Cisco firewall? I’m not sure how that
would work… maybe run chef-client on a VM that mimics the Cisco device, and
that pushes the rules to the appliance using tftp? If you have
ideas/thoughts, I’m definitely interested!

Cheers,
Julien

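The "searches vs. static rules" question above, and the "database-B must accept connections from API-A" case in particular, is the pattern the commit list hints at: search the inventory for the source role, take each node's IP from ['ipaddress'] (falling back to ['network']['lanip']), resolve a hostname when that is what the attribute holds, drop rules that fail validation, and only then write netfilter rules. The following Ruby is an added illustration of that pattern and is not code from the AFW cookbook or from AWeber. The node inventory, the hostname table standing in for DNS, the `search_role` helper standing in for Chef's `search(:node, ...)`, and the rule hash layout are all constructed here for the example.

```ruby
require 'ipaddr'

# Constructed inventory shaped like the attributes a Chef node search returns
# (roles plus ['ipaddress']); the addresses and names are made up.
NODES = [
  { 'name' => 'api-a-1',   'roles' => ['api-a'],      'ipaddress' => '10.0.1.11' },
  { 'name' => 'api-a-2',   'roles' => ['api-a'],      'ipaddress' => '10.0.1.12' },
  { 'name' => 'api-a-3',   'roles' => ['api-a'],      'ipaddress' => 'api-a-3.example.internal' },
  { 'name' => 'db-b-1',    'roles' => ['database-b'], 'ipaddress' => '10.0.2.21' },
  { 'name' => 'monitor-1', 'roles' => ['monitoring'], 'ipaddress' => 'not-an-ip' },
].freeze

# Constructed hostname table used instead of a live DNS lookup so the example
# runs offline; a real cookbook would call Resolv.getaddress here.
STATIC_HOSTS = { 'api-a-3.example.internal' => '10.0.1.13' }.freeze

# Constructed rule set: each rule is applied on nodes holding dest_role and
# opens dport from every node holding source_role.
RULES = [
  { 'source_role' => 'api-a',      'dest_role' => 'database-b', 'proto' => 'tcp',  'dport' => 5432 },
  { 'source_role' => 'monitoring', 'dest_role' => 'database-b', 'proto' => 'tcp',  'dport' => 9100 },
  { 'source_role' => 'api-a',      'dest_role' => 'database-b', 'proto' => 'icmp', 'dport' => 0 },
  { 'source_role' => 'api-a',      'dest_role' => 'cache',      'proto' => 'tcp',  'dport' => 6379 },
].freeze

# Stand-in for search(:node, "roles:#{role}") against the constructed inventory.
def search_role(nodes, role)
  nodes.select { |n| n['roles'].include?(role) }
end

# Prefer ['ipaddress'], fall back to ['network']['lanip']; accept a literal
# IP, resolve a hostname through the table, and return nil for anything else.
def node_ip(node, hosts = STATIC_HOSTS)
  raw = node['ipaddress'] || node.dig('network', 'lanip')
  return nil if raw.nil? || raw.empty?
  IPAddr.new(raw).to_s
rescue IPAddr::InvalidAddressError
  hosts[raw] # nil when the name is unknown, so the node is skipped
end

# Static checks on the rule itself; the search-dependent check lives in build_rules.
def validate_rule(rule)
  errors = []
  errors << 'proto must be tcp or udp' unless %w[tcp udp].include?(rule['proto'])
  port = rule['dport']
  errors << 'dport must be 1..65535' unless port.is_a?(Integer) && (1..65535).cover?(port)
  errors << 'source_role missing' if rule['source_role'].to_s.empty?
  errors
end

# Build the INPUT rules for `me` (the node running chef-client). Rules whose
# dest_role does not match are ignored; rules that fail validation or whose
# source search yields no usable IP are reported in `skipped` rather than
# written, so a bad attribute never silently opens or drops a port.
def build_rules(rules, nodes, me)
  accepted = []
  skipped = []
  rules.each do |rule|
    next unless me['roles'].include?(rule['dest_role'])
    errors = validate_rule(rule)
    sources = search_role(nodes, rule['source_role']).map { |n| node_ip(n) }.compact.uniq.sort
    errors << "no resolvable source for role #{rule['source_role']}" if sources.empty?
    if errors.any?
      skipped << { 'rule' => rule, 'errors' => errors }
      next
    end
    sources.each do |ip|
      accepted << "-A INPUT -s #{ip}/32 -p #{rule['proto']} --dport #{rule['dport']} -j ACCEPT"
    end
  end
  [accepted, skipped]
end

if __FILE__ == $PROGRAM_NAME
  db = NODES.find { |n| n['name'] == 'db-b-1' }
  accepted, skipped = build_rules(RULES, NODES, db)
  puts accepted
  skipped.each { |s| warn "skipped #{s['rule'].inspect}: #{s['errors'].join('; ')}" }
end
```

Run as a script it prints the three ACCEPT lines for database-b and warns about the two rules it refused: the monitoring rule, whose only source node has an unusable ['ipaddress'], and the icmp rule, which fails protocol and port validation. Sorting and de-duplicating the source list keeps the generated ruleset stable between Chef runs, which matters when the output is diffed or compared against the live `iptables-save`.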

#2

That’s great. Thanks for sharing your work. Init scripts and cleaning up
node attributes are two things I’m particularly happy to see.