firewall-agent
文件大小: unknow
源码售价: 5 个金币 积分规则     积分充值
资源说明:Firewall Agent is a utility to simplify firewall configuration for clouds and clusters
= firewall-agent

Firewall Agent is a Ruby DSL for IPTables, designed to simplify firewall configuration for clouds and clusters, especially when hosted by 3rd party VPS services.

= Key Features
- Human readable/writable policy files
- Dynamic policy updates
- IPTables compatible
- Written in Ruby

What Are Dynamic Policy Updates?
IPTables uses a static configuration file to specify the ports, hosts and connections allowed through the firewall. Firewall-agent with Dynamic Policy Updates
allows you to go beyond static files to update your policy file as needed, based on changing network conditions, dynamic host or service lists, or time-based
criteria.  The policy examples below explain some of these applications in more detail.


= Getting Started
 sudo gem install powcloud-firewall-agent
 sudo firewall-agent bootstrap
 sudo firewall-agent

The command 'firewall-agent bootstrap' creates a policy.rb file in the /etc/firewall-agent directory using the same 'standard' policy shown in this README. You can edit this file to your needs or create custom policy files.  To pass a custom policy to the firewall-agent at startup, use this syntax:
 sudo firewall-agent 

== To Run as a Service (TBD)
 service start firewall-agent

== Writing a Policy File

Policy files are simple ruby files, and as such, can utilize the complete ruby syntax, requires, etc.  Policy files are required to
have a 'policy' block.  To get started create a policy file using one of the templates below, then customize it to your needs.

=== Basic Policy

  policy :standard_policy do
    deny_all             # deny all connections from all hosts
    allow_listen 'http'  # let HTTP connections in
    allow_established    # allow all established TCP connections
    allow_ping           # let any host ping this server
    allow_ssh            # allow SSH connections
  end

=== Dynamic Policy

  policy :dynamic_policy do
    deny_all
    allow_listen 'http', 'https'  # list multiple services or ports as needed

    # Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices
    update :each => 5.minutes do
      allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
    end

    allow_established
    allow_ping
    allow_ssh
  end


=== Super Advanced Policy

  require 'resolve'
  policy :advanced_policy do
    deny_all
    allow_listen 'http', 'https'

    update :each => 5.minutes do
      allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
    end

    # 3 different schedules for different types of policy elements
    # this block will enable you to always access all services on
    # this host - even when your IP changes, via a Dynamic DNS service
    update :each => 10.minutes do
      allow_ips Resolv.getaddress('your-desktop.dyndns.org')
      allow_ips Resolv.getaddress('your-laptop.dyndns.org')
    end

    # disable printing using CUPS/IPP outside of business hours
    update :each => 1.minutes do
      now = Time.now
      allow_listen 631 unless now.hour < 8 || now.hour > 18
    end

    allow_established
    allow_ping
    allow_ssh
  end


= Extending Firewall Agent

Firewall-agent includes a sample extension for Slicehost VPS users.  The extension uses the Slicehost API to get a list of all slices in your account, then updates the
policy to allow access from any of these nodes - for all ports - on the firewall-agent host.  You can use this as a model to create similar extensions
for other VPS providers such as Linode, etc.

In addition, we believe there are many opportunities for extensions to integrate dynamic whitelist and blacklist services.  Please share your
creations with the community.  Well documented and tested extensions will be added to the firewall-agent core - please contact us on GitHub.


== Note on Patches/Pull Requests
 
* Fork the project.
* Make your feature addition or bug fix.
* Add tests for it. This is important so I don't break it in a
  future version unintentionally.
* Commit, do not mess with rakefile, version, or history.
  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
* Send me a pull request. Bonus points for topic branches.

=License

Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php

COPYRIGHT 2010 POWCLOUD INC.

本源码包内暂不包含可直接显示的源代码文件,请下载源码包。