

  • Generate rules for Netfilter and PF (extensible);
  • IPv6 and IPv4 support;
  • Define the configuration of multiple hosts in a single file;
  • Define services as group of rules to mix-in in hosts rules definitions;
  • Handle NAT & port redirection;


  • Accurate DNS information;


The Melt rule syntax (Melt::Rule) is basically a Ruby representation of the OpenBSD Packet Filter rules, with the ability to group them into reusable blocks in order to describe network rules in a single file.

As an example, the following PF rules:

pass in proto tcp to port 80
pass in proto udp from port 123 to port 123

can be expressed as:

pass :in, proto: :tcp, to: { port: 80 }
pass :in, proto: :udp, from: { host: '', port: 123 }, to: { port: 123 }

Rules must appear in either a host or service definition, services being reusable blocks of related rules:

service 'base' do
  service 'ntp'
  service 'ssh'
end

service 'ntp' do
  pass :out, proto: :udp, to: { port: 'ntp' }
end

service 'ssh' do
  pass :in, proto: :tcp, to: { port: 'ssh' }
end

host '' do
  service 'base'
  pass :in, proto: :tcp, from: { host: '' }, to: { port: 'postgresql' }
end

host /www\ do
  service 'base'
  pass :in, proto: :tcp, to: { port: 'www' }
  pass :out, proto: :tcp, to: { host: '', port: 'postgresql' }
end
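
The service mix-in mechanism described above, as an added example that is not Melt's own code: a toy Ruby re-implementation of the host/service/pass DSL that expands one host's rules, including the services it pulls in, into PF syntax. It assumes nothing about Melt's internals and renders only the keywords used on this page (direction, proto, from/to with host and port).

```ruby
# Toy re-implementation of the host/service/pass DSL shown above (added
# example, not Melt's code): expands one host into PF rule strings.
class MiniMelt
  Rule = Struct.new(:dir, :proto, :from, :to)

  # Load a configuration block in the DSL context and return the config.
  def self.load(&block)
    new.tap { |cfg| cfg.instance_eval(&block) }
  end

  def initialize
    @services = {} # name => block, evaluated lazily, so definition order is free
    @hosts = {}    # name => block
    @current = nil # rules collected for the host currently being expanded
  end

  # With a block: define a reusable service. Without one: mix that
  # service's rules into the definition currently being expanded.
  def service(name, &block)
    return @services[name] = block if block
    blk = @services.fetch(name) { raise ArgumentError, "unknown service #{name}" }
    instance_eval(&blk)
  end
  def host(name, &block)
    @hosts[name] = block
  end
  def pass(dir, proto: nil, from: {}, to: {})
    @current << Rule.new(dir, proto, from, to)
  end

  # Expand one host definition into PF rule strings.
  def pf_rules_for(name)
    @current = []
    instance_eval(&@hosts.fetch(name))
    @current.map { |r| render(r) }
  end

  private
  def render(r)
    parts = ['pass', r.dir.to_s]
    parts << "proto #{r.proto}" if r.proto
    parts << "from #{endpoint(r.from)}" unless r.from.empty?
    parts << "to #{endpoint(r.to)}" unless r.to.empty?
    parts.join(' ')
  end
  # An empty host string (as in the examples above) means "any" and is omitted.
  def endpoint(h)
    [(h[:host] unless h[:host].to_s.empty?), (h[:port] && "port #{h[:port]}")].compact.join(' ')
  end
end
```

Load a configuration with `MiniMelt.load do ... end` using the same service/host definitions as above, then call `pf_rules_for('www')` to see the mixed-in ntp and ssh rules emitted before the host's own rule.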

Debugging rulesets

Logging is handy for debugging missing rules in your firewall configuration. An easy way to diagnose missing rules consists of setting a pass policy and logging both in and out:

host 'debilglos' do
  policy :pass

  # Existing rules

  log [:in, :out]
end