https://github.com/diefans/ferment
A tool to provide the current docker config in ferm format
https://github.com/diefans/ferment
docker ferm python
Last synced: about 1 year ago
JSON representation
A tool to provide the current docker config in ferm format
- Host: GitHub
- URL: https://github.com/diefans/ferment
- Owner: diefans
- License: apache-2.0
- Created: 2015-04-29T14:19:51.000Z (about 11 years ago)
- Default Branch: master
- Last Pushed: 2021-06-09T14:38:16.000Z (about 5 years ago)
- Last Synced: 2025-03-24T16:01:28.683Z (over 1 year ago)
- Topics: docker, ferm, python
- Language: Python
- Homepage:
- Size: 13.7 KB
- Stars: 11
- Watchers: 3
- Forks: 12
- Open Issues: 4
-
Metadata Files:
- Readme: README.rst
- License: LICENSE
Awesome Lists containing this project
README
Ferment
=======
Objective
---------
Create a ferm_ config for the current docker container setup. This seems useful
for automated provisioning of systems (e.g. with ansible_) which want to use
ferm_ for their firewall setup.
Usage
-----
Install Ferment via `pip`::
# pip install ferment
# ferment docker --help
Usage: ferment docker [OPTIONS] COMMAND [ARGS]...
Options:
-d, --docker PATH The docker api socket.
-c, --cidr TEXT Docker CIDR.
-i, --interface TEXT Docker interface.
--help Show this message and exit.
Commands:
config
You just include a callback to ferment within your `ferm.conf`::
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# respond to ping
proto icmp ACCEPT;
# allow IPsec
proto udp dport 500 ACCEPT;
proto (esp ah) ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
# connection tracking
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
@include '/usr/local/bin/ferment docker config|';
Todo
----
Since I am not the great firewall guy, I suppose there are some issues with
more complex docker_ setups - I am open for suggestions.
.. _ferm: http://ferm.foo-projects.org/
.. _ansible: http://docs.ansible.com/
.. _docker: http://docs.docker.com/articles/networking/