This repository has been archived by the owner on Jan 8, 2022. It is now read-only.
squarism edited this page Feb 22, 2011 · 6 revisions

Notes

In v0.1.2, firewool.yml is cached, so if you change firewool.yml you have to restart your app server.

Limitations

Global rules: Currently it's not possible to specify the configuration lines once in the ApplicationController and have a global rule. Because of variable scope, this just won't work, and you have to specify the include and acts_as lines in each controller in your Rails project. So for now, you just have to copy/paste.

Passing ranges to filters: It's not possible to specify a one-off IP range for a controller action, i.e., you configure global ranges in the .yml configuration as usual but then pass in an exception to these rules:

.yml config:

```
allow:
```

In the controller you'd want to override this as a one-off rule:

```
before_filter :ip_filter, :only => [:orders], :but_actually_allow_me_in_from_this => ["1.2.3.4"]
```

Here you could get to the orders action from 1.2.3.4, perhaps to administer the orders interface. This gets really hairy, and you should just use authentication to identify yourself as an admin user rather than rely on your IP as identification. Firewool is not trying to solve this identification problem. In this example, you'd want to use an authentication solution and have firewool give you a doubled-up security layer by only allowing admins from a known IP range.

Something like this would require named lists or more complicated configuration. In the future, this may be an option but it will dirty up the before_filter line and make the usage a bit weirder.
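The layering recommended above (authentication establishes identity, the IP range only narrows where an admin may connect from), as an added example that is not firewool's own code. It is plain Ruby using the standard `ipaddr` library; `User`, `ADMIN_RANGES`, `ip_in_ranges?` and `admin_access_decision` are hypothetical names, and the ranges are constructed documentation addresses.

```ruby
require "ipaddr"

# Constructed sample ranges (documentation addresses), not firewool's config.
ADMIN_RANGES = ["192.0.2.0/24", "2001:db8::/32"].map { |cidr| IPAddr.new(cidr) }

# Hypothetical stand-in for whatever your authentication layer returns.
User = Struct.new(:name, :admin)

# True only if remote_ip parses and falls inside one of the ranges.
# Unparseable input is denied instead of raising.
def ip_in_ranges?(remote_ip, ranges)
  ip = IPAddr.new(remote_ip.to_s)
  # A dual-stack listener can report an IPv4 client as ::ffff:a.b.c.d;
  # unwrap it so it is compared against the IPv4 ranges.
  ip = IPAddr.new(ip.to_i & 0xffffffff, Socket::AF_INET) if ip.ipv4_mapped?
  ranges.any? { |range| range.family == ip.family && range.include?(ip) }
rescue IPAddr::Error
  false
end

# Both layers must pass. The IP check never grants access on its own:
# it is only evaluated for a user who is already authenticated as admin.
def admin_access_decision(user, remote_ip, ranges = ADMIN_RANGES)
  return :deny_unauthenticated if user.nil?
  return :deny_not_admin unless user.admin
  return :deny_ip unless ip_in_ranges?(remote_ip, ranges)
  :allow
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new("alice", true)
  ["192.0.2.10", "::ffff:192.0.2.10", "198.51.100.7", "not-an-ip"].each do |ip|
    puts "#{ip.ljust(20)} #{admin_access_decision(admin, ip)}"
  end
end
```

In a Rails controller the equivalent would be two filters in order, authentication first and the IP check second, so a request from inside the range still has to log in.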

Future

  • IPv6 - IPv6 addresses have been completely ignored and I'm looking into this.
  • Logging - Log allow/deny (configurable) to the standard Rails log and provide a Splunk example configuration.
  • Adding to block list based on an event. For example, you fail to auth 3x, you get blacklisted for an amount of time.
  • Better tests. Performance, testing with Rails.env