[chef] Re: AFW, Chef and Netfilter


  • From: Julien Vehent < >
  • To: < >
  • Subject: [chef] Re: AFW, Chef and Netfilter
  • Date: Fri, 21 Dec 2012 19:13:15 -0500

Hi everyone,

v0.0.5 of the Advanced FireWall (AFW) was released today with a bunch of bugfixes and improvements.

* c2bf643 - Bump to version 0.0.5
* f905a13 - Typo/Indent fixes
* f607a16 - Clean up AFW node attributes at the end of Chef Run
* 81dd201 - Skip rules that fail validation
* 484f07e - Resolve FQDN into IPs before writing the rules
* bd603ff - Add OSPF support
* 72c4f27 - Fix missing node parameter for creation of predefined rules, by Julien Vehent
* 9c6af65 - Do not use the default network interface by default, simply do not specify one
* 0a0d682 - Add init & upstart scripts
* ed12e60 - Check rule interface with nil? in addition to empty?; look for node ip under ['ipaddress'] in addition to ['network']['lanip'], by elliotkendallUCSF
* 099185c - remove metadata.json file .. its version is not up to date, by Jeremiah Snapp

More details here: http://jve.linuxwall.info/blog/index.php?post/2012/12/21/AFW-0.0.5-is-out
Repository on Github: https://github.com/jvehent/AFW/
Community cookbook: http://community.opscode.com/cookbooks/afw

Happy holidays!

- Julien Vehent

On 2012-11-13 18:23, Julien Vehent wrote:
Hi everyone,

Last Friday I gave a talk at Security Bsides Delaware on building dynamic
firewalls with Chef and Netfilter. It's essentially a presentation of the AFW
cookbook (https://github.com/jvehent/AFW/) that we have been developing at
AWeber for the past 6 months.

The video is here: https://vimeo.com/53423330

I know from discussions on #chef that some folks are using similar techniques
in their own firewall cookbooks. I would be curious to hear about what
approach people are taking to configure them:
- Do you use static rules?
- Do you use searches?
- How do you tell database-B to accept connection from API-A?

I also had an interesting question from a post-talk discussion: would it be
possible to use Chef to configure a Cisco firewall? I'm not sure how that
would work... maybe run chef-client on a VM that mimics the Cisco device, and
that pushes the rules to the appliance using tftp? If you have
ideas/thoughts, I'm definitely interested!

Cheers,
Julien
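Added example (not AFW's own code, and not the schema the cookbook actually uses): a small Ruby model of the technique the thread is about, showing how "database-B accepts connections from API-A" can be expressed as a search-style peer (`roles:api`) rather than a hard-coded address, how a hostname peer is resolved into IPs before any rule is written, and how rules that fail validation or resolve to nothing are skipped instead of producing a broken ruleset. The rule hash keys (`direction`, `protocol`, `dport`, `peer`), the node index and the DNS table are all constructed stand-ins so the script runs offline; a real cookbook would fill them from `search(:node, ...)` and `Resolv.getaddresses`.

```ruby
require 'ipaddr'
require 'resolv' # production code would resolve through Resolv; see resolve_peer

# Constructed stand-in for Chef search results (role name => node IPs).
# A cookbook would populate this from search(:node, "roles:api") and node['ipaddress'].
FAKE_NODE_INDEX = {
  'api' => ['10.0.1.10', '10.0.1.11'],
  'db'  => ['10.0.2.5'],
}.freeze

# Constructed DNS table so the example runs offline.
# Swap in a hash built from Resolv.getaddresses(name) on a real node.
FAKE_DNS = {
  'bastion.example.net' => ['192.0.2.7'],
  'monitor.example.net' => ['192.0.2.20', '192.0.2.21'],
}.freeze

VALID_PROTOCOLS  = %w[tcp udp].freeze
VALID_DIRECTIONS = %w[in out].freeze

# True when spec is a literal IPv4/IPv6 address or CIDR block.
def ip_literal?(spec)
  IPAddr.new(spec)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

# Expand a peer spec into the list of addresses a rule should cover:
#   "roles:api"          -> addresses of every node with that role (search-style)
#   "10.0.0.0/8"         -> used verbatim
#   "bastion.example.net" -> A records, resolved now rather than at rule-load time
# Returns [] when nothing matches, so the caller can skip the rule.
def resolve_peer(spec, dns: FAKE_DNS, index: FAKE_NODE_INDEX)
  if (m = spec.match(/\Aroles:(\w+)\z/))
    index.fetch(m[1], [])
  elsif ip_literal?(spec)
    [spec]
  else
    dns.fetch(spec, [])
  end
end

# Structural validation; anything failing here is skipped, mirroring the
# "skip rules that fail validation" behaviour described in the release notes.
def valid_rule?(rule)
  return false unless VALID_PROTOCOLS.include?(rule['protocol'])
  return false unless VALID_DIRECTIONS.include?(rule['direction'])
  return false unless rule['dport'].to_i.between?(1, 65_535)
  return false if rule['peer'].nil? || rule['peer'].to_s.empty?
  true
end

# Render iptables-restore style lines. Returns [lines, skipped_rule_names].
def build_rules(rules, dns: FAKE_DNS, index: FAKE_NODE_INDEX)
  lines   = []
  skipped = []
  rules.each do |name, rule|
    if !valid_rule?(rule)
      skipped << name
      next
    end
    ips = resolve_peer(rule['peer'], dns: dns, index: index)
    if ips.empty?            # unresolvable name or empty search: emit nothing
      skipped << name
      next
    end
    inbound = rule['direction'] == 'in'
    chain   = inbound ? 'INPUT' : 'OUTPUT'
    addr    = inbound ? '-s' : '-d'   # peer is the remote side of the connection
    ips.each do |ip|
      lines << "-A #{chain} -p #{rule['protocol']} #{addr} #{ip} " \
               "--dport #{rule['dport']} -m comment --comment #{name.inspect} -j ACCEPT"
    end
  end
  [lines, skipped]
end

# Constructed sample rules, as they might sit on the database node.
SAMPLE_RULES = {
  'api-to-postgres'  => { 'direction' => 'in', 'protocol' => 'tcp',   'dport' => 5432, 'peer' => 'roles:api' },
  'ssh-from-bastion' => { 'direction' => 'in', 'protocol' => 'tcp',   'dport' => 22,   'peer' => 'bastion.example.net' },
  'bogus-protocol'   => { 'direction' => 'in', 'protocol' => 'icmpx', 'dport' => 22,   'peer' => '10.0.0.1' },
  'unresolvable'     => { 'direction' => 'in', 'protocol' => 'tcp',   'dport' => 443,  'peer' => 'nosuchhost.example.net' },
}.freeze

if __FILE__ == $PROGRAM_NAME
  lines, skipped = build_rules(SAMPLE_RULES)
  puts lines
  warn "skipped: #{skipped.join(', ')}" unless skipped.empty?
end
```

Because the search result and the resolved addresses are baked into the rule at Chef-run time, the generated ruleset only ever contains concrete addresses; a new API node is picked up on the next run, and a rule whose peer no longer exists drops out rather than silently matching nothing or everything.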
