firewall-agent

Firewall Agent

Firewall Agent is a utility to simplify firewall configuration for clouds and clusters, especially when hosted with 3rd party VPS services.

Key Features

- Human readable/writable policy files
- Dynamic policy updates
- IPTables compatible
- Written in Ruby

What Are Dynamic Policy Updates? IPTables uses a static config file to specify the allowed ports, hosts and connections allowed at any given time. Firewall-agent with Dynamic Policy Updates allows you to go beyond static files to update your policy file as needed, based on changing network conditions, dynmic host or service lists, or time-based criteria. Examples of several of the applications of this feature can be seen below in the policy examples.

Getting Started

sudo gem install powcloud-firewall-agent
sudo firewall-agent bootstrap
sudo firewall-agent

To Run as a Service (TBD)

service start firewall-agent

Writing a Policy File

Policy files are simple ruby files, and as such, can have any ruby syntax necessary. Policy files are required to have a ‘policy’ block. To get started create a policy file using one of the templates below, then cusotmize it to your needs.

The command ‘firewall-agent bootstrap’ creates a policy.rb file in the /etc/firewall-agent directory using the same ‘standard’ policy shown in this README.

Basic Policy

policy :standard_policy do
  deny_all             # deny all connections from all hosts
  allow_listen 'http'  # let HTTP connections in
  allow_established    # allow all established TCP connections
  allow_ping           # let any host ping this server
  allow_ssh            # allow SSH connections
end

Dynamic Policy

policy :dynamic_policy do
  deny_all
  allow_listen 'http', 'https'  # list multiple services or ports as needed
  # Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices
  update :each => 5.minutes do
    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
  end
  allow_established
  allow_ping
  allow_ssh
end

Super Advanced Policy

require 'resolve'
policy :advanced_policy do
  deny_all
  allow_listen 'http', 'https'
  update :each => 5.minutes do
    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
  end
  # 3 different schedules for different types of policy elememnts
  # this block will enable you to always access all services on
  # this host - even when your IP changes, via a Dynamic DNS service
  update :each => 10.minutes do
    allow_ips Resolv.getaddress('your-desktop.dyndns.org')
    allow_ips Resolv.getaddress('your-laptop.dyndns.org')
  end
  # disable printing using CUPS/IPP outside of business hours
  update :each => 1.minutes do
    now = Time.now
    allow_listen 631 unless now.hour < 8 || now.hour > 18
  end
  allow_established
  allow_ping
  allow_ssh
end

Extending Firewall Agent

Firewall-agent includes a simple Slicehost extension which uses the Slicehost API to get a list of all slices in your account, then updates the policy to allow access from any of these nodes - for all ports - on the firewall-agent host. You can use this as a model to create similar extensions for other VPS provides such as Linode, etc.

In addition, we believe there are lots of opportunities for extensions to integrate dynamic whitelist and blacklist services. Please share your creations with the community. Well documented and tested extensios will be added to the firewall-agent - please contact us on GitHub.

Note on Patches/Pull Requests

• Fork the project.

• Make your feature addition or bug fix.

• Add tests for it. This is important so I don’t break it in a future version unintentionally.

• Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)

• Send me a pull request. Bonus points for topic branches.

Copyright

Copyright © 2010 Powcloud Inc. See LICENSE for details.