Ript: making firewalling simple with Ruby #87

wants to merge 1 commit into from

2 participants


Running your own servers? Hate managing firewall rules? You'll love Ript.


Thank you for your proposal. Unfortunately, due to the high number of excellent proposals, our panel has not been able to include this talk at this stage. Should this situation change, we will contact you.

Commits on Oct 31, 2012
  1. @auxesis

    Add proposal

    auxesis authored
48 lindsay_holmwood-ript_making_firewalling_simple_with_ruby/
@@ -0,0 +1,48 @@
+# Ript: making firewalling simple with Ruby
+For those of us still encumbered with running our own servers, firewalling is an important but dark art. UNIX hackers traditionally don't care about the UI of their programs, which means that 30 second firewall change you were going to make on a production system ends up taking an hour..
+What we need is a simple abstraction that covers 90% of your firewalling needs.
+Enter Ript, a clean and opinionated Domain Specific Language for describing firewall rules, that implements database migrations-like functionality for applying these rules with zero downtime.
+At Ript's core is an easy to use Ruby DSL for describing both simple and complex sets of iptables firewall rules. After defining the hosts and networks you care about, Ript's DSL provides helpers for all the common use cases: accepting, dropping, & rejecting packets, as well as for performing DNAT and SNAT.
+Here is an example ruleset definition:
+``` ruby
+# partitions/joeblogsco.rb
+partition "joeblogsco" do
+ label "", :address => ""
+ label "app-01", :address => ""
+ rewrite "public website + ssh access" do
+ ports 80, 22
+ dnat "" => "app-01"
+ end
+Ript provides a method to group common sets of rules together called "partitions", which are used at rule application time to perform zero-downtime migrations. This fosters a much more agile approach to firewall changes that limits the size and helps increase the frequency of changes - core principles behind Continuous Delivery.
+Ript is designed from the ground up to be easy to use, and is extremely well tested end-to-end. Developed at [Bulletproof Networks](, it's been in use since 2012 in multi-tenanted firewall platforms as well as standalone systems running some very high profile sites.
+In this talk Lindsay Holmwood will take you on a whirlwind tour of the DSL, explain how Ript utilises iptables features to work its magic, analyse testing complexities when writing systems code, and provide some concrete examples of how Ript can help increase the reliability of the services you deliver.
+## My Name
+Lindsay is sysadmin/developer/toolsmith/engineering manager, living in the New South Wales Blue Mountains.
+He is the creator of cucumber-nagios (a tool that helps you describe how a system should work in natural language, and outputs whether it does in the Nagios plugin format), and Visage (a web service + interface for exposing collectd statistics).
+Lindsay works at Bulletproof Networks running a distributed infrastructure development team that is strongly focused on testing & automation. He was responsible for keeping Movember up for the 2010 + 2011 + 2012 campaigns, and works on scaling both internal and customer facing systems.
+He served as President of the Sydney Linux Users Group from 2006-2008, was on the organising committee of 2007, and organised the inaugural DevOps Down Under in 2010, and again in 2011. He also organises the monthly Sydney DevOps meetups, and speaks at conferences both in Australia and abroad.
+![Profile picture](
+- [My website](
+- [My twitter](
+- [Past talk slides](
+- [Past talk video](
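Review bot: the fenced Ruby example in this hunk is never closed, so in rendered Markdown everything from "Ript provides a method to group common sets of rules..." down to the footer links is swallowed into the code block. The `partition "joeblogsco" do` block is missing its own closing `end` (only the inner `rewrite` block is closed), and there is no closing ``` fence before the next paragraph; add `end` after the `rewrite` block's `end` and then a closing fence. The example is also not something a reader could paste and run as written: both `label` calls carry `:address => ""` and the `dnat "" => "app-01"` source is blank, so either fill in example addresses or state that they are placeholders. Smaller points: `[Bulletproof Networks](` and the four `[My website](`, `[My twitter](`, `[Past talk slides](`, `[Past talk video](` links have no URL, the `![Profile picture](` image has no target, and "ends up taking an hour.." has a doubled period.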
BIN  lindsay_holmwood-ript_making_firewalling_simple_with_ruby/profile_picture.jpg