A Chef cookbook used to set up the Neti firewall sync service on Amazon EC2-VPCs.



Cookbook to set up Neti (EC2-VPC firewall sync).


Currently, Neti works on Ubuntu/Debian, but should work on many more platforms with a few tweaks to the package management. Also, if you don't use AWS, you can just stop reading now...not even sure how you got here. You'll need a set of AWS keys that allows instance metadata modification. You will need to create a Zookeeper cluster, so familiarity with Zookeeper is necessary, but all that is needed is a very basic installation.


These attributes set up the Neti config file for you:

  • ssh_whitelist: The IPs that you want Neti to always allow on port 22, regardless of any firewall
  • zk_hosts:
    • ec2: hostname/ip and zookeeper port of zk proxies in EC2
    • vpc: hostname/ip and zookeeper port of zookeeper hosts in VPC
  • nat_overrides: hash of source and destination ips for overriding Neti's NAT manipulation
  • open_ports: ports to open to all access on the host
  • bin: location of Neti bin script
  • log_file: location of log file
  • table_files_path: location to store the iptables-save files for restoration
  • reject_all: Whether or not to reject all traffic that is not explicitly allowed by the iptables rules (relevant when you open up access to all public AWS ranges)
  • aws_key: your aws key
  • aws_secret_key: your aws secret key
  • zk_update_interval_path: zookeeper node to store interval value
  • zk_max_change_threshold_path: zookeeper node to store max change threshold (how many rules can be changed at once...safeguard)
  • zk_prefix: zookeeper node prefix for all neti data
  • zk_iptoid_node: zookeeper node for map
  • zk_idtoip_node: zookeeper node for map
  • zk_ip_map_node: zookeeper node for map
  • overlay_subnet: subnet to pull overlay addresses from
  • overlay_ip_cache_file_path: path for file cache of ips
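As an added example that is not part of this cookbook, a Ruby helper that sanity-checks the attributes listed above before they are rendered into the Neti config file; the flat `'name' => value` layout and the value shapes (arrays of strings, `host:port` entries, integer ports) are assumptions about how the attributes are populated.

```ruby
# Added example, not part of the neti cookbook: check the attributes above
# before rendering the Neti config. The flat 'name' => value layout and the
# value shapes (string arrays, "host:port" entries, integer ports) are assumed.
require 'ipaddr'

def valid_cidr?(str)
  return false unless str.is_a?(String)
  IPAddr.new(str)
  true
rescue ArgumentError # IPAddr::Error is a subclass of ArgumentError
  false
end

# Returns an array of problems; an empty array means the attributes pass.
def validate_neti_attrs(a)
  errors = []
  # ssh_whitelist bypasses every other rule on port 22, so each entry must be
  # a real IP/CIDR and must never be a catch-all range.
  Array(a['ssh_whitelist']).each do |entry|
    if !valid_cidr?(entry)
      errors << "ssh_whitelist: '#{entry}' is not an IP or CIDR"
    elsif IPAddr.new(entry).prefix == 0
      errors << "ssh_whitelist: '#{entry}' allows SSH from everywhere"
    end
  end
  # Both Zookeeper groups must be present and use host:port entries.
  %w[ec2 vpc].each do |side|
    hosts = Array(a.dig('zk_hosts', side))
    errors << "zk_hosts.#{side}: no hosts configured" if hosts.empty?
    hosts.each do |h|
      errors << "zk_hosts.#{side}: '#{h}' is not host:port" unless h.to_s =~ /\A[^:\s]+:\d{1,5}\z/
    end
  end
  # open_ports are exposed to everyone, so only accept real port numbers.
  Array(a['open_ports']).each do |p|
    errors << "open_ports: '#{p}' is not a valid port" unless p.is_a?(Integer) && (1..65_535).cover?(p)
  end
  errors << 'reject_all must be true or false' unless [true, false].include?(a['reject_all'])
  errors << 'overlay_subnet must be a CIDR' unless a['overlay_subnet'].to_s.include?('/') && valid_cidr?(a['overlay_subnet'])
  # Zookeeper paths are absolute; AWS credentials must actually be supplied.
  %w[zk_prefix zk_update_interval_path zk_max_change_threshold_path].each do |k|
    errors << "#{k} must be an absolute znode path" unless a[k].to_s.start_with?('/')
  end
  %w[aws_key aws_secret_key].each do |k|
    errors << "#{k} must not be empty" if a[k].to_s.strip.empty?
  end
  errors
end
```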

How Neti works

See Neti

See the CONTRIBUTING file for how to help out.


Neti is BSD-licensed. We also provide an additional patent grant.