This cookbook is available at https://github.com/rightscale/rightscale_cookbooks.

Built upon Opscode's 'iptables' cookbook. This cookbook provides a LWRP for managing access to multiple servers in a deployment using machine tags.

Requires a virtual machine launched from a RightScale managed RightImage.

Please see metadata.rb file for the latest dependencies.

There are no known limitations.

• Use the sys_firewall::default recipe in conjunction with the 'Firewall' input to enable or disable iptables.
• Use the sys_firewall::setup_rule recipe for enabling/disabling specific firewall rules.
• Use the sys_firewall::do_list_rules recipe to list the existing firewall rules set up on the server.

When the firewall is enabled it is completely closed for incoming connections - only outbound connections are allowed. sys_firewall::default then opens 22, 80 and 443 ports by default (additionally on SoftLayer 48000..48020 ports are opened on the private 10.* network for the monitoring agent).

When the firewall is disabled the iptables service is disabled and stopped.

When the firewall is set to "unmanaged" no changes are done to the iptables service so the cloud provider can manage the firewall rules. RightScale will not manage the firewall rules in this case.

sys_firewall::default recipe increases the value for the 'netfilter.nf_conntrack_max' parameter for CentOS images and the 'net.ipv4.ip_conntrack_max' for Ubuntu and RHEL images to avoid dropping packets on high-throughput systems.

All tag-based actions are scoped to the deployment.

To open a local port on the private IP to all servers with a given tag use:

sys_firewall "Open this server's ports to all servers with this 'tag' " do
  machine_tag "servertag:active=true"
  port 3306
  # ip_tag "server:private_ip_0" <= default value if not set
  enable true
  action :update
end

To open a local port to all servers with a given tag on a specified interface set the ip_tag to the desired interface.

sys_firewall "Open this server's ports to all servers with this 'tag' " do
  machine_tag "servertag:active=true"
  port 3306
  ip_tag "server:public_ip_0"
  enable true
  action :update
end

This can be used when a server is booting to open up access for multiple systems at once.

To request that all servers with a given tag open a port to a given IP address use:

sys_firewall "Reques master DB server to open the port to this slave server" do
  machine_tag "rs_dbrepl:master_instance_uuid=XXXXXXX"
  port 3306
  enable true
  ip_addr node[:cloud][:private_ips][0]
  action :update_request
end

This can be useful when launching a new server that needs to communicate with a running server (example: new slave server brought online)

To request that all servers with a given tag close a port to a given IP address use:

sys_firewall "Request all app servers close ports to this load balancer" do
  machine_tag "loadbalancer:app=www"
  port 8000
  enable false
  ip_addr node[:cloud][:private_ips][0]
  action :update_request
end

This can be useful when decommissioning a running server that had previously requested ports opened.

Copyright RightScale, Inc. All rights reserved. All access and use subject to the RightScale Terms of Service available at http://www.rightscale.com/terms.php and, if applicable, other agreements such as a RightScale Master Subscription Agreement.