Puffy


Features

  • Generate rules for Netfilter and PF (extensible);
  • IPv6 and IPv4 support;
  • Define the configuration of multiple nodes in a single file;
  • Define services as groups of rules that can be mixed into node (and other service) definitions;
  • Handle NAT & port redirection;

Requirements

  • Accurate DNS information: node and host names used in rules are resolved to addresses when the rules are generated, so stale or incorrect DNS yields wrong filter rules;

Syntax

The Puffy syntax is inspired by that of the OpenBSD Packet Filter, with the added ability to group rules into reusable blocks so that the rules of a whole network of nodes can be described in a single file.

Rules must appear inside either a node or a service definition. A service is a reusable block of related rules that nodes, and other services, can include:

service base do
  service ntp
  service ssh
end

service ntp do
  pass out proto udp from any to port ntp
end

service ssh do
  pass in proto tcp from any to port ssh
end

node 'db.example.com' do
  service base
  pass in proto tcp from 'www1.example.com' to port postgresql
end

node /www\d+.example.com/ do
  service base
  pass in proto tcp from any to port www
  pass out proto tcp from any to 'db.example.com' port postgresql
end
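To show how service mix-ins and node matching compose, here is a small Ruby evaluator for just the constructs used above. It is an added example, not Puffy's own parser (which is more complete): it parses service and node blocks, expands services into a node's rule list in definition order, picks the node whose quoted name or regex matches a hostname, and rejects undefined services and service loops. The grammar subset, the `Ruleset`/`Rule` names and the `ParseError` class are this example's assumptions; hostnames are left unresolved, which is exactly the step Puffy needs accurate DNS for.

```ruby
# Added example, not Puffy's code: a toy evaluator for the README's DSL subset.
# Assumed names: Ruleset, Rule, Ruleset::ParseError. Hostnames are not resolved.

Rule = Struct.new(:direction, :proto, :from, :to, :port) do
  # Render the rule back in the README's "pass in/out proto ... port ..." form.
  def to_s
    dest = to ? "#{to} port #{port}" : "port #{port}"
    "pass #{direction} proto #{proto} from #{from} to #{dest}"
  end
end

class Ruleset
  class ParseError < StandardError; end

  RULE_RE    = /\Apass (in|out) proto (\w+) from (\S+) to (?:(\S+) )?port (\w+)\z/
  SERVICE_RE = /\Aservice (\w+)( do)?\z/            # "service x do" opens, "service x" references
  NODE_RE    = %r{\Anode (?:'([^']+)'|/(.+)/) do\z}  # quoted name or /regex/

  def initialize(text)
    @services = {}   # name -> [Rule | service-name]
    @nodes    = []   # [[matcher (String or Regexp), [Rule | service-name]], ...]
    parse(text)
  end

  # Rules that apply to one host: the first node whose matcher === hostname,
  # with every service reference expanded to its rules.
  def rules_for(hostname)
    _, entries = @nodes.find { |matcher, _| matcher === hostname }
    raise ArgumentError, "no node definition matches #{hostname}" unless entries
    expand(entries, [])
  end

  private

  def parse(text)
    current = nil
    text.each_line.with_index(1) do |raw, lineno|
      line = raw.strip
      next if line.empty?
      if line == 'end'
        current = nil
      elsif current.nil?
        if (m = SERVICE_RE.match(line)) && m[2]
          current = @services[m[1]] = []
        elsif (m = NODE_RE.match(line))
          current = []
          @nodes << [m[1] || Regexp.new(m[2]), current]
        else
          raise ParseError, "line #{lineno}: expected a service or node block"
        end
      elsif (m = RULE_RE.match(line))
        current << Rule.new(m[1], m[2], unquote(m[3]), m[4] && unquote(m[4]), m[5])
      elsif (m = SERVICE_RE.match(line)) && !m[2]
        current << m[1]   # mix-in reference; resolved lazily so forward references work
      else
        raise ParseError, "line #{lineno}: cannot parse #{line.inspect}"
      end
    end
    raise ParseError, 'missing end' if current
  end

  # Recursively replace service names by their rules, refusing loops and
  # references to services that were never defined.
  def expand(entries, stack)
    entries.flat_map do |entry|
      next [entry] if entry.is_a?(Rule)
      raise ArgumentError, "service loop: #{(stack + [entry]).join(' -> ')}" if stack.include?(entry)
      raise ArgumentError, "undefined service #{entry}" unless @services.key?(entry)
      expand(@services[entry], stack + [entry])
    end
  end

  def unquote(token)
    token.delete("'")
  end
end

# Constructed sample input: the README's example as written above.
EXAMPLE = <<~'DSL'
  service base do
    service ntp
    service ssh
  end
  service ntp do
    pass out proto udp from any to port ntp
  end
  service ssh do
    pass in proto tcp from any to port ssh
  end
  node 'db.example.com' do
    service base
    pass in proto tcp from 'www1.example.com' to port postgresql
  end
  node /www\d+.example.com/ do
    service base
    pass in proto tcp from any to port www
    pass out proto tcp from any to 'db.example.com' port postgresql
  end
DSL

RULESET = Ruleset.new(EXAMPLE)

if __FILE__ == $PROGRAM_NAME
  %w[db.example.com www12.example.com].each do |host|
    puts "# #{host}"
    puts RULESET.rules_for(host)
  end
end
```

Running it prints the expanded rule list per host: `www12.example.com` gets the two `base` rules (ntp, then ssh) followed by its own two, which is the ordering a generated PF or Netfilter ruleset would preserve; a host matching no node raises, as does a service that references itself.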