Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/diefans/ferment

A tool to provide the current docker config in ferm format
https://github.com/diefans/ferment

docker ferm python

Last synced: 15 days ago
JSON representation

A tool to provide the current docker config in ferm format

Host: GitHub
URL: https://github.com/diefans/ferment
Owner: diefans
License: apache-2.0
Created: 2015-04-29T14:19:51.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2021-06-09T14:38:16.000Z (over 3 years ago)
Last Synced: 2023-04-04T13:58:35.530Z (almost 2 years ago)
Topics: docker, ferm, python
Language: Python
Homepage:
Size: 13.7 KB
Stars: 10
Watchers: 3
Forks: 12
Open Issues: 4
Metadata Files:
- Readme: README.rst
- License: LICENSE

Awesome Lists containing this project

README

Ferment
=======

Objective
---------

Create a ferm_ config for the current docker container setup. This seems useful
for automated provisioning of systems (e.g. with ansible_) which want to use
ferm_ for their firewall setup.

Usage
-----

Install Ferment via `pip`::

# pip install ferment

# ferment docker --help
Usage: ferment docker [OPTIONS] COMMAND [ARGS]...

Options:
-d, --docker PATH The docker api socket.
-c, --cidr TEXT Docker CIDR.
-i, --interface TEXT Docker interface.
--help Show this message and exit.

Commands:
config

You just include a callback to ferment within your `ferm.conf`::

# -*- shell-script -*-
#
# Configuration file for ferm(1).
#

table filter {
chain INPUT {
policy DROP;

# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;

# allow local packet
interface lo ACCEPT;

# respond to ping
proto icmp ACCEPT;

# allow IPsec
proto udp dport 500 ACCEPT;
proto (esp ah) ACCEPT;

# allow SSH connections
proto tcp dport ssh ACCEPT;
}
chain OUTPUT {
policy ACCEPT;

# connection tracking
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy DROP;

# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}

@include '/usr/local/bin/ferment docker config|';

Todo
----

Since I am not the great firewall guy, I suppose there are some issues with
more complex docker_ setups - I am open for suggestions.

.. _ferm: http://ferm.foo-projects.org/
.. _ansible: http://docs.ansible.com/
.. _docker: http://docs.docker.com/articles/networking/