Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

README.rst

Ferment

Objective

Create a ferm config for the current docker container setup. This seems useful for automated provisioning of systems (e.g. with ansible) which want to use ferm for their firewall setup.

Usage

Install Ferment via pip:

# pip install ferment


# ferment docker --help
Usage: ferment docker [OPTIONS] COMMAND [ARGS]...

Options:
  -d, --docker PATH     The docker api socket.
  -c, --cidr TEXT       Docker CIDR.
  -i, --interface TEXT  Docker interface.
  --help                Show this message and exit.

Commands:
  config

You just include a callback to ferment within your ferm.conf:

# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

@include '/usr/local/bin/ferment docker config|';

Todo

Since I am not the great firewall guy, I suppose there are some issues with more complex docker setups - I am open for suggestions.

About

A tool to provide the current docker config in ferm format

Topics

Resources

License

Releases

No releases published

Languages

You can’t perform that action at this time.