Slide 1

Slide 1 text

Ript
making Linux firewall change management resilient

Slide 2

Slide 2 text

Hi!

Slide 3

Slide 3 text

I am Lindsay Holmwood @auxesis

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

2008

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

@auxesis

Slide 8

Slide 8 text

@imprecise_matt

Slide 9

Slide 9 text

An interesting problem

Slide 10

Slide 10 text

Scenario:

Slide 11

Slide 11 text

BULLETPROOF

Slide 12

Slide 12 text

IaaS & Managed Hosting

Slide 13

Slide 13 text

Multi-tenant firewalls

Slide 14

Slide 14 text

Many rules per-tenant

Slide 15

Slide 15 text

Existing tool to describe rules

Slide 16

Slide 16 text

But builds rules in a dumb way

Slide 17

Slide 17 text

Rules application == downtime

Slide 18

Slide 18 text

Worse: Changes for one tenant affect others

Slide 19

Slide 19 text

Rules application == downtime

Slide 20

Slide 20 text

Rules application == downtime (for all tenants)

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

Rule application O(n)

Slide 23

Slide 23 text

Lack of expressiveness when describing rules

Slide 24

Slide 24 text

Brittle, error-prone framework for describing rules

Slide 25

Slide 25 text

Looking for tool:

Slide 26

Slide 26 text

Compartmentalises changes

Slide 27

Slide 27 text

Zero downtime changes

Slide 28

Slide 28 text

Friendly language for describing rules

Slide 29

Slide 29 text

Shortcuts to DRY up rules

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

Hacked in the car

Slide 32

Slide 32 text

Rough prototype

Slide 33

Slide 33 text

No iptables rule generation

Slide 34

Slide 34 text

Focus on the language

Slide 35

Slide 35 text

What would the DSL look like?

Slide 36

Slide 36 text

What do the resulting data structures look like?

Slide 37

Slide 37 text

Ruby + IPTables

Slide 38

Slide 38 text

Questions answered. Thought experiment: complete

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

2010: hired at Bulletproof

Slide 41

Slide 41 text

Outage Discussion

Slide 42

Slide 42 text

Seed planted

Slide 43

Slide 43 text

Bigger fish to fry

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

Resumed in March 2011

Slide 46

Slide 46 text

commit b1625ead6c7fcb814a39f1db5a2d43acfbab80a1
Author: Lindsay Holmwood
Date:   Thu Mar 24 14:45:29 2011 +1100

    initial commit

Slide 47

Slide 47 text

Thursday arvo skunkworks project

Slide 48

Slide 48 text

Steve Fisher: org knowledge, change mgmt experience
Lindsay Holmwood: iptables knowledge, testing experience

Slide 49

Slide 49 text

Prototyped the DSL

Slide 50

Slide 50 text

partition "movember" do
  interface :default => "vlan666"

  address :iemedia, :address => "192.168.55.70/27", :interface => "vlan99"
  address "www.movember.com", :address => "117.53.174.95", :interface => "vlan44"
  address "movember subnet", :address => "117.53.174.0/27", :interface => "vlan44"
  address "mo2010prod-dvmh-web-01", :address => "10.0.21.2"
  address "mo2010prod-dvmh-proxy-01", :address => "10.0.21.3"
  address "mo2010prod-dvmh-app-01", :address => "10.0.21.4"
  address "mo2010prod subnet", :address => "10.0.21.0/27"
  address "mo2010prod-dvmh-ipv-06", :address => "00:00:de:ca:fe:c0:ff:33"
  address "dickhead", :address => "127.0.0.1"
  # ...

Slide 51

Slide 51 text

  # ...
  reject "dickhead on www.movember.com" do
    from "dickhead"
    to "www.movember.com"
  end

  log "dickhead on www.movember.com" do
    from "dickhead"
    to "www.movember.com"
  end

  # dnat
  forward "movember.com public website" do
    ports 80, 443
    dnat "www.movember.com" => "mo2010prod-dvmh-web-01"
  end

  # snat
  forward "movember" do
    to :anywhere
    snat "mo2010prod subnet" => "www.movember.com"
  end

  # nonat
  forward "ipv6 forward" do
    ports 80, 443
    from :anywhere
    nonat "mo2010prod-dvmh-ipv-06"
  end
end

Slide 52

Slide 52 text

Tested the DSL

Slide 53

Slide 53 text

Outside-in

Slide 54

Slide 54 text

Implemented migrations

Slide 55

Slide 55 text

Zero downtime changes

Slide 56

Slide 56 text

Compartmentalises changes

Slide 57

Slide 57 text

Took it live

Slide 58

Slide 58 text

Now in use by: Whirlpool, One Big Switch, Tourism Victoria, Network TEN, Movember, Quicksilver, IMAX, Bookworld, ABC, SBS

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

The Language

Slide 62

Slide 62 text

Partitions

Slide 63

Slide 63 text

partition "joeblogsco" do
  # ...
end

Slide 64

Slide 64 text

partition "joeblogsco" do
  # Labels + rules go here
end

Slide 65

Slide 65 text

Labels

Slide 66

Slide 66 text

partition "joeblogsco" do
end

Slide 67

Slide 67 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
end

Slide 68

Slide 68 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
end

key

Slide 69

Slide 69 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
end

key, data

Slide 70

Slide 70 text

Scoped to a partition

Slide 71

Slide 71 text

# joeblogsco.rb
partition "joeblogsco" do
  label "app-01", :address => "192.168.5.230"
end

# foobar.rb
partition "foobar" do
  label "app-01", :address => "192.168.78.3"
end

Slide 72

Slide 72 text

# joeblogsco.rb
partition "joeblogsco" do
  label "app-01", :address => "192.168.5.230"
end

# foobar.rb
partition "foobar" do
  label "app-01", :address => "192.168.78.3"
end

no conflicts

Slide 73

Slide 73 text

Rules

Slide 74

Slide 74 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
end

Slide 75

Slide 75 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 76

Slide 76 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end
end

comment

Slide 77

Slide 77 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end
end

comment, arguments

Slide 78

Slide 78 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end

  rewrite "public ssh access" do
    ports 22
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 79

Slide 79 text

Default policy: DROP

Slide 80

Slide 80 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 81

Slide 81 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end
end

need an accept

Slide 82

Slide 82 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 83

Slide 83 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end

  accept "allow public ssh access" do
    protocols "tcp"
    ports 22
    to "www.joeblogsco.com"
  end
end

Slide 84

Slide 84 text

Ript does this for you!

Slide 85

Slide 85 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 86

Slide 86 text

equals

Slide 87

Slide 87 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end

  accept "allow public ssh access" do
    protocols "tcp"
    ports 22
    to "www.joeblogsco.com"
  end
end

Slide 88

Slide 88 text

DRY

Slide 89

Slide 89 text

Cleanup

Slide 90

Slide 90 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end

  rewrite "public ssh access" do
    ports 22
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 91

Slide 91 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website + ssh access" do
    ports 80, 22
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 92

Slide 92 text

Lockdown

Slide 93

Slide 93 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end

  rewrite "trusted ssh access" do
    ports 22
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 94

Slide 94 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "api.joeblogsco.com", :address => "172.19.56.217"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
  label "trusted office", :address => "172.20.4.124"

  rewrite "public website" do
    ports 80
    dnat "www.joeblogsco.com" => "app-01"
  end

  rewrite "trusted ssh access" do
    ports 22
    from "trusted office"
    dnat "www.joeblogsco.com" => "app-01"
  end
end

Slide 95

Slide 95 text

Ports

Slide 96

Slide 96 text

No content

Slide 97

Slide 97 text

rewrite "public mail" do
  ports 25, 993
  dnat "www.joeblogsco.com" => "app-01"
end

Slide 98

Slide 98 text

rewrite "public mail" do
  ports 25, 993
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "trusted private services" do
  from "trusted office"
  ports 6000..8000
  dnat "www.joeblogsco.com" => "app-01"
end

Slide 99

Slide 99 text

rewrite "public mail" do
  ports 25, 993
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "trusted private services" do
  from "trusted office"
  ports 6000..8000
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "public website" do
  ports 80 => 8080
  dnat "www.joeblogsco.com" => "app-01"
end

Slide 100

Slide 100 text

rewrite "public mail" do
  ports 25, 993
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "trusted private services" do
  from "trusted office"
  ports 6000..8000
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "public website" do
  ports 80 => 8080
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "api services" do
  ports 80, 8000..8900, 2222 => 22
  dnat "api.joeblogsco.com" => "app-02"
end

Slide 101

Slide 101 text

rewrite "public mail" do
  ports 25, 993
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "trusted private services" do
  from "trusted office"
  ports 6000..8000
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "public website" do
  ports 80 => 8080
  dnat "www.joeblogsco.com" => "app-01"
end

rewrite "api services" do
  ports 80, 8000..8900, 2222 => 22
  dnat "api.joeblogsco.com" => "app-02"
end

mappings must be last

Slide 102

Slide 102 text

Protocols

Slide 103

Slide 103 text

rewrite "public mail" do
  ports 25, 993
  dnat "www.joeblogsco.com" => "app-01"
end

Slide 104

Slide 104 text

rewrite "public mail" do
  protocols "tcp"
  ports 25, 993
  dnat "www.joeblogsco.com" => "app-01"
end

Slide 105

Slide 105 text

More rules

Slide 106

Slide 106 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"

  rewrite "private to public" do
    snat "joeblogsco subnet" => "www.joeblogsco.com"
  end
end

Slide 107

Slide 107 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
  label "bad guy", :address => "172.19.110.247"

  rewrite "public website + ssh access" do
    ports 80, 22
    dnat "www.joeblogsco.com" => "app-01"
  end

  drop "bad guy" do
    from "bad guy"
    to "www.joeblogsco.com"
  end
end

Slide 108

Slide 108 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
  label "bad guys", :address => "172.19.110.0/8"

  rewrite "public website + ssh access" do
    ports 80, 22
    dnat "www.joeblogsco.com" => "app-01"
  end

  drop "bad guys" do
    protocols "udp"
    from "bad guys"
    to "www.joeblogsco.com"
  end
end

Slide 109

Slide 109 text

partition "joeblogsco" do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
  label "bad guys", :address => "172.19.110.0/8"

  rewrite "public website + ssh access", :log => true do
    ports 80, 22
    dnat "www.joeblogsco.com" => "app-01"
  end

  drop "bad guys", :log => true do
    protocols "udp"
    from "bad guys"
    to "www.joeblogsco.com"
  end
end

Slide 110

Slide 110 text

Shortcuts

Slide 111

Slide 111 text

partition "joeblogsco" do
  label "joeblogsco uat subnet", :address => "192.168.5.0/24"
  label "joeblogsco stage subnet", :address => "10.60.2.0/24"
  label "joeblogsco prod subnet", :address => "10.60.3.0/24"
  label "www.joeblogsco.com", :address => "172.19.56.216"

  rewrite "private to public" do
    snat [ "joeblogsco uat subnet",
           "joeblogsco stage subnet",
           "joeblogsco prod subnet" ] => "www.joeblogsco.com"
  end
end

Slide 112

Slide 112 text

accept "fruits of the forest" do
  protocols "tcp"
  ports 22
  from %w(apple blueberry cranberry eggplant fennel grapefruit)
  to %w(apple blueberry cranberry eggplant fennel grapefruit)
end
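As an added example (not Ript's own code) of what the DSL slides above describe, this is a minimal interpreter for a Ript-style partition: it scopes labels to a partition, expands ports and "public => private" mappings, emits the accept that the "Ript does this for you!" slide says a dnat rewrite implies, and names chains with the deck's partition-type-hash scheme. The tcp default, the post-DNAT destination used by the implicit accept, the SHA-1-derived hash and the sample partition are this example's own assumptions.

```ruby
require 'digest'

# Added example, not Ript's own code: a minimal interpreter for a Ript-style DSL that
# scopes labels to a partition, expands ports and "public => private" mappings, and
# renders iptables rules into chains named <partition>-<type><hash> (a = access,
# d = dnat, s = snat) as the deck describes. Assumed here: protocols default to tcp,
# a rewrite with dnat also emits the accept the deck says Ript adds for you, and the
# hash is the first six hex chars of SHA-1 over the rendered rules.
class Rule
  attr_reader :kind, :name, :log, :protos, :sources, :dests, :dnat_map, :snat_map
  def initialize(kind, name, opts, &block)
    @kind, @name, @log = kind, name, opts.fetch(:log, false)
    @protos, @ports, @sources, @dests, @dnat_map, @snat_map = ['tcp'], [], [:anywhere], [:anywhere], {}, {}
    instance_eval(&block)
  end
  def protocols(*list); @protos = list; end
  def ports(*list); @ports = list; end   # a trailing "2222 => 22" parses as a Hash: mappings must be last
  def from(*list); @sources = list.flatten; end
  def to(*list); @dests = list.flatten; end
  def dnat(map); @dnat_map = map; end
  def snat(map); @snat_map = map; end
  def port_str(p); p.is_a?(Range) ? "#{p.first}:#{p.last}" : p.to_s; end
  # [dport, mapped_dport] pairs; a Range renders in the "lo:hi" form --dport takes.
  def port_pairs
    pairs = @ports.flat_map { |p| p.is_a?(Hash) ? p.map { |k, v| [port_str(k), port_str(v)] } : [[port_str(p), nil]] }
    pairs.empty? ? [[nil, nil]] : pairs
  end
end

class Partition
  TABLE = { 'a' => 'filter', 'd' => 'nat', 's' => 'nat' }
  def initialize(name, &block)
    @name, @labels, @rules = name, {}, []
    instance_eval(&block)
  end
  def label(name, opts)
    raise ArgumentError, "#{@name}: duplicate label #{name.inspect}" if @labels.key?(name)
    @labels[name] = opts.fetch(:address)
  end
  %i[rewrite accept drop].each { |k| define_method(k) { |n, o = {}, &b| @rules << Rule.new(k, n, o, &b) } }
  # Labels are scoped to the partition; an unknown label is an error, not a silent
  # pass-through, so a typo cannot widen a rule to :anywhere.
  def addr(label)
    return nil if label == :anywhere
    @labels.fetch(label) { raise KeyError, "#{@name}: unknown label #{label.inspect}" }
  end
  # Rule bodies grouped by ruleset type, before chain names are assigned.
  def render
    out = { 'a' => [], 'd' => [], 's' => [] }
    @rules.each do |r|
      r.snat_map.each { |privs, pub| Array(privs).each { |p| emit(out['s'], r, ["-s #{addr(p)}", "-j SNAT --to-source #{addr(pub)}"]) } }
      r.protos.product(r.port_pairs, r.sources, r.dests).each do |proto, (port, mapped), src, dst|
        s = addr(src) && "-s #{addr(src)}"
        emit(out['a'], r, [s, addr(dst) && "-d #{addr(dst)}", "-p #{proto}", port && "--dport #{port}", "-j #{r.kind.to_s.upcase}"]) unless r.kind == :rewrite
        r.dnat_map.each do |pub, priv|
          emit(out['d'], r, [s, "-d #{addr(pub)}", "-p #{proto}", port && "--dport #{port}",
                             "-j DNAT --to-destination #{addr(priv)}#{mapped && ":#{mapped}"}"])
          # FORWARD filtering runs after PREROUTING DNAT, so the implicit accept
          # matches the rewritten (private) destination and mapped port.
          emit(out['a'], r, [s, "-d #{addr(priv)}", "-p #{proto}", (mapped || port) && "--dport #{mapped || port}", "-j ACCEPT"])
        end
      end
    end
    out
  end
  # Joins the parts, prepending a LOG rule with the same match when :log => true.
  def emit(list, r, parts)
    parts = parts.compact
    list << (parts[0..-2] + ["-j LOG --log-prefix \"#{r.name}: \""]).join(' ') if r.log
    list << parts.join(' ')
  end
  # Chain name per the deck: <partition>-<type><hash>. Empty rulesets get no chain.
  def to_iptables
    render.reject { |_, lines| lines.empty? }.flat_map do |type, lines|
      chain = "#{@name}-#{type}#{Digest::SHA1.hexdigest(lines.join("\n"))[0, 6]}"
      ["iptables -t #{TABLE[type]} -N #{chain}"] + lines.map { |l| "iptables -t #{TABLE[type]} -A #{chain} #{l}" }
    end
  end
end

# Constructed sample partition modelled on the deck's joeblogsco slides.
JOEBLOGSCO = Partition.new("joeblogsco") do
  label "www.joeblogsco.com", :address => "172.19.56.216"
  label "joeblogsco subnet", :address => "192.168.5.224/27"
  label "app-01", :address => "192.168.5.230"
  label "trusted office", :address => "172.20.4.124"
  rewrite "public website", :log => true do
    ports 80 => 8080
    dnat "www.joeblogsco.com" => "app-01"
  end
  rewrite "trusted ssh access" do
    from "trusted office"
    ports 2222 => 22
    dnat "www.joeblogsco.com" => "app-01"
  end
  rewrite "private to public" do
    snat "joeblogsco subnet" => "www.joeblogsco.com"
  end
  drop "udp to website" do
    protocols "udp"
    to "www.joeblogsco.com"
  end
end
```

`JOEBLOGSCO.to_iptables` returns the iptables command lines; the `-j DNAT` line for "public website" also produces a `-j LOG` line in front of it and of its implicit accept.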

Slide 113

Slide 113 text

No content

Slide 114

Slide 114 text

The Rationale

Slide 115

Slide 115 text

Existing tool to describe rules

Slide 116

Slide 116 text

But builds rules in a dumb way

Slide 117

Slide 117 text

Rules application == downtime (for all tenants)

Slide 118

Slide 118 text

Large changes

Slide 119

Slide 119 text

Poor separation of concern

Slide 120

Slide 120 text

No content

Slide 121

Slide 121 text

How to fix?

Slide 122

Slide 122 text

Increase frequency

Slide 123

Slide 123 text

Limit size

Slide 124

Slide 124 text

Remove friction

Slide 125

Slide 125 text

Continuous delivery

Slide 126

Slide 126 text

change windows

Slide 127

Slide 127 text

My change windows are 24/7

Slide 128

Slide 128 text

Reduce risk

Slide 129

Slide 129 text

Release early, Release often

Slide 130

Slide 130 text

Fail fast, Recover quickly

Slide 131

Slide 131 text

No content

Slide 132

Slide 132 text

How do other people solve this problem?

Slide 133

Slide 133 text

Incrementalism

Slide 134

Slide 134 text

What about the current state?

Slide 135

Slide 135 text

Current (unknown) state
Desired state

Slide 136

Slide 136 text

Inspiration: Active Record Migrations

Slide 137

Slide 137 text

Migrations can manage the evolution of a schema used by several physical databases. It’s a solution to the common problem of adding a field to make a new feature work in your local database, but being unsure of how to push that change to other developers and to the production server. With migrations, you can describe the transformations in self-contained classes that can be checked into version control systems and execute against another database that might be one, two, or five versions behind. -- http://api.rubyonrails.org/classes/ActiveRecord/Migration.html

Slide 139

Slide 139 text

class AddSsl < ActiveRecord::Migration
  def up
    add_column :accounts, :ssl_enabled, :boolean
  end

  def down
    remove_column :accounts, :ssl_enabled
  end
end

Slide 140

Slide 140 text

Sequel.migration do
  up do
    create_table(:artists) do
      primary_key :id
      String :name, :null => false
    end
  end

  down do
    drop_table(:artists)
  end
end

Slide 141

Slide 141 text

Sequel.migration do
  change do
    create_table(:artists) do
      primary_key :id
      String :name, :null => false
    end
  end
end

Slide 142

Slide 142 text

➔ ls -1 db/migrations/ | head -n 20
001_initialize.rb
002_add_test_column.rb
003_2012Iteration2.rb
004_2012Iteration3.rb
005_2012Iteration4.rb
006_2012Iteration5.rb
007_2012Iteration6.rb
008_2012Iteration7.rb
009_2012Iteration8.rb
010_2012Iteration8.rb
011_2012Gateways.rb
012_2012Iteration8FAQ.rb
013_2012NetworkUpdates.rb
014_2012DonationDenmark.rb

Slide 143

Slide 143 text

➔ sequel -m db/migrations postgres://localhost/database

Slide 144

Slide 144 text

No content

Slide 145

Slide 145 text

Show me!

Slide 146

Slide 146 text

No content

Slide 147

Slide 147 text

So... how does it work?

Slide 148

Slide 148 text

iptables

Slide 149

Slide 149 text

FILTER table: INPUT (packets to be delivered locally), OUTPUT (packets originating locally), FORWARD (packets being forwarded)

Slide 150

Slide 150 text

NAT table: PREROUTING (packets for DNAT), POSTROUTING (packets for SNAT)

Slide 151

Slide 151 text

No content

Slide 152

Slide 152 text

Ript-specific chains

Slide 153

Slide 153 text

before-a

Slide 154

Slide 154 text

before-a: traffic scrubbing (ICMP, stateful inspection, keepalive CONNMARK)

Slide 155

Slide 155 text

before-a: boilerplate chain. You will never touch this.

Slide 156

Slide 156 text

partition-a: pointers to partition access chains. INPUT + OUTPUT + FORWARD all jump to partition-a.

Slide 157

Slide 157 text

moprodau-a123abc: rules for the partition named moprodau

Slide 158

Slide 158 text

moprodau-a123abc

Slide 160

Slide 160 text

moprodau-a123abc
  moprodau: partition name

Slide 161

Slide 161 text

moprodau-a123abc
  moprodau: partition name
  a: ruleset type (a - access, d - dnat, s - snat)

Slide 162

Slide 162 text

moprodau-a123abc
  moprodau: partition name
  a: ruleset type (a - access, d - dnat, s - snat)
  123abc: ruleset hash

Slide 163

Slide 163 text

No content

Slide 164

Slide 164 text

Chain traversal

Slide 165

Slide 165 text

No content

Slide 166

Slide 166 text

FORWARD OUTPUT INPUT

Slide 168

Slide 168 text

INPUT / OUTPUT / FORWARD → before-a

Slide 170

Slide 170 text

INPUT / OUTPUT / FORWARD → before-a → back to INPUT / OUTPUT / FORWARD

Slide 172

Slide 172 text

INPUT / OUTPUT / FORWARD → before-a → back to INPUT / OUTPUT / FORWARD → partition-a

Slide 173

Slide 173 text

partition-a

Slide 175

Slide 175 text

partition-a
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec
  abcradio-a3e32ce

Slide 182

Slide 182 text

INPUT / OUTPUT / FORWARD → partition-a
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec
  abcradio-a3e32ce

Slide 183

Slide 183 text

No content

Slide 184

Slide 184 text

pointers: jump to partition chains

Slide 185

Slide 185 text

There are pointers for each destination

Slide 186

Slide 186 text

pointers match on source + destination

Slide 187

Slide 187 text

Makes traversal of partition-a quick

Slide 188

Slide 188 text

No content

Slide 189

Slide 189 text

partition-a
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec
  abcradio-a3e32ce

Slide 200

Slide 200 text

abcradio-a3e32ce

Slide 201

Slide 201 text

abcradio-a3e32ce

Slide 202

Slide 202 text

Verdict

abcradio-a3e32ce

Slide 203

Slide 203 text

Verdict

abcradio-a3e32ce
  log 117.53.167.72
  accept 117.53.167.72
  reject 117.53.173.17
  accept 117.53.180.9

Slide 211

Slide 211 text

abcradio-a3e32ce

Slide 212

Slide 212 text

Logging

abcradio-a3e32ce

Slide 213

Slide 213 text

Logging

abcradio-a3e32ce
  log 117.53.167.72
  accept 117.53.167.72
  reject 117.53.173.17
  accept 117.53.180.9

Slide 219

Slide 219 text

No content

Slide 220

Slide 220 text

Zero downtime migrations

Slide 221

Slide 221 text

partition-a
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec
  abcradio-a3e32ce

Slide 222

Slide 222 text

# ript rules apply

partition-a
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec
  abcradio-a3e32ce

Slide 224

Slide 224 text

# ript rules apply

partition-a
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec
  abcradio-a3e32ce

Slide 225

Slide 225 text

# ript rules apply

partition-a
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec

Slide 226

Slide 226 text

# ript rules apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec

Slide 227

Slide 227 text

No content

Slide 228

Slide 228 text

ript rules apply always inserts pointers at the top of partition-a

Slide 229

Slide 229 text

No content

Slide 230

Slide 230 text

# ript rules apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec

Slide 231

Slide 231 text

# ript rules apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec

overlapping pointers

Slide 233

Slide 233 text

# ript rules apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec

overlapping pointers

Slide 234

Slide 234 text

No content

Slide 235

Slide 235 text

No content

Slide 236

Slide 236 text

bwired-a67edce

Slide 237

Slide 237 text

bwired-a67edce
  accept 117.53.168.72:80
  ...

Slide 240

Slide 240 text

bwired-a67edce
  accept 117.53.168.72:80
  ...
no match, returns to partition-a

Slide 241

Slide 241 text

bwired-a67edce
  accept 117.53.168.72:80
  ...
no match, returns to partition-a

bwired-ac12dce

Slide 242

Slide 242 text

bwired-a67edce
  accept 117.53.168.72:80
  ...
no match, returns to partition-a

bwired-ac12dce
same destination, jumps into old chain

Slide 243

Slide 243 text

bwired-a67edce
  accept 117.53.168.72:80
  ...
no match, returns to partition-a

bwired-ac12dce
  accept 117.53.167.72:22
  ...
same destination, jumps into old chain

Slide 245

Slide 245 text

bwired-a67edce
  accept 117.53.168.72:80
  ...
no match, returns to partition-a

bwired-ac12dce
  accept 117.53.167.72:22
  ...
same destination, jumps into old chain
hits old rule

Slide 246

Slide 246 text

You need to clean the rules!

Slide 247

Slide 247 text

No content

Slide 248

Slide 248 text

ript clean apply

Slide 249

Slide 249 text

# ript clean apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec

Slide 250

Slide 250 text

# ript clean apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  bwired-ac12dce
  moprodau-a9c4dec

identical partition name

Slide 251

Slide 251 text

# ript clean apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  moprodau-a9c4dec

Slide 252

Slide 252 text

# ript clean apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  moprodau-a9c4dec
  abcradio-a3e32ce

Slide 253

Slide 253 text

# ript clean apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  abcradio-a3e32ce
  moprodau-a9c4dec

Slide 254

Slide 254 text

# ript clean apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  abcradio-a3e32ce
  moprodau-a9c4dec

identical partition name

Slide 255

Slide 255 text

# ript clean apply

partition-a
  abcradio-a023fe8
  bwired-a67edce
  rgrprod-a5af73d
  moprodau-a9c4dec
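The zero-downtime migration slides above (new pointers inserted at the top of partition-a, the old chain left in place, a packet falling through into the old chain, then ript clean apply removing stale chains with an identical partition name) as an added, runnable model. This is example code, not Ript's own; the chain names, addresses and rules are constructed for the example, and the assumption that a pointer matches on destination only is a simplification of the deck's source + destination match.

```ruby
# Added example, not Ript's own code: a model of the partition-a pointer chain and of
# what "ript rules apply" and "ript clean apply" do to it, as the deck describes. Chain
# names follow the deck's <partition>-<type><hash> scheme; the chains, addresses and
# rules used below are constructed for this example.
Pointer = Struct.new(:dest, :chain)   # one "-d <dest> -j <chain>" rule in partition-a
Verdict = Struct.new(:action, :chain)

class Firewall
  attr_reader :pointers, :chains, :commands
  def initialize
    @pointers = []   # partition-a, top to bottom
    @chains = {}     # chain name => [[dest, port, action], ...]
    @commands = []   # iptables commands issued so far
  end

  # "moprodau-a9c4dec" => "moprodau": the name before the type letter and 6-hex hash.
  def self.partition_of(chain)
    chain[/\A(.+)-[ads][0-9a-f]{6}\z/, 1] or raise(ArgumentError, "not a Ript chain name: #{chain}")
  end

  # ript rules apply: create the chain, then insert its pointers at the top of
  # partition-a. The previous chain for the partition stays in place below it,
  # which keeps the change zero-downtime but also leaves the old rules reachable.
  def rules_apply(chain, rules)
    Firewall.partition_of(chain)
    @chains[chain] = rules
    @commands << "iptables -N #{chain}"
    rules.each do |dest, port, action|
      @commands << "iptables -A #{chain} -d #{dest} -p tcp --dport #{port} -j #{action.to_s.upcase}"
    end
    rules.map(&:first).uniq.reverse_each do |dest|   # reverse so the first dest ends on top
      @pointers.unshift(Pointer.new(dest, chain))
      @commands << "iptables -I partition-a 1 -d #{dest} -j #{chain}"
    end
  end

  # Packet walk: every pointer whose destination matches jumps into its chain; a
  # chain with no matching rule RETURNs to partition-a and the walk continues with
  # the next pointer, which may be an older chain of the same partition.
  # Default policy is DROP, as the deck states.
  def verdict(dest, port)
    @pointers.each do |ptr|
      next unless ptr.dest == dest
      hit = @chains[ptr.chain].find { |d, p, _| d == dest && p == port }
      return Verdict.new(hit[2], ptr.chain) if hit
    end
    Verdict.new(:drop, 'policy')
  end

  # ript clean apply: the topmost chain of each partition is the current one;
  # pointers to older chains with the identical partition name are removed and
  # those chains are flushed and deleted. Returns the chains removed.
  def clean_apply
    current = {}
    @pointers.each { |ptr| current[Firewall.partition_of(ptr.chain)] ||= ptr.chain }
    stale = @pointers.reject { |ptr| current[Firewall.partition_of(ptr.chain)] == ptr.chain }
    stale.each { |ptr| @commands << "iptables -D partition-a -d #{ptr.dest} -j #{ptr.chain}" }
    @pointers -= stale
    stale.map(&:chain).uniq.each do |chain|
      @chains.delete(chain)
      @commands << "iptables -F #{chain}" << "iptables -X #{chain}"
    end
    stale.map(&:chain).uniq
  end
end

# Walks through the deck's scenario with constructed data: a new bwired ruleset
# replaces ssh-to-the-web-address with http, but the old chain still accepts ssh
# until clean runs. Returns [verdict before clean, chains removed, verdict after, fw].
def demo
  fw = Firewall.new
  fw.rules_apply('bwired-ac12dce',   [['117.53.167.72', 22, :accept]])
  fw.rules_apply('abcradio-a3e32ce', [['117.53.180.9', 80, :accept]])
  fw.rules_apply('bwired-a67edce',   [['117.53.167.72', 80, :accept]])
  before = fw.verdict('117.53.167.72', 22)   # accepted via the stale bwired-ac12dce
  removed = fw.clean_apply
  after = fw.verdict('117.53.167.72', 22)    # now falls through to policy DROP
  [before, removed, after, fw]
end
```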

Slide 256

Slide 256 text

No content

Slide 257

Slide 257 text

Workflows

Slide 258

Slide 258 text

git

Slide 259

Slide 259 text

Config mgmt

Slide 260

Slide 260 text

No content

Slide 261

Slide 261 text

Real world example

Slide 262

Slide 262 text

What workflow does Bulletproof use?

Slide 263

Slide 263 text

Install Ript with Puppet

Slide 264

Slide 264 text

ript.rules repo

Slide 265

Slide 265 text

Deploy with Capistrano

Slide 266

Slide 266 text

/etc/firewall/current

Slide 267

Slide 267 text

cap deploy

Slide 268

Slide 268 text

ript rules diff

Slide 269

Slide 269 text

cap deploy apply=true

Slide 270

Slide 270 text

ript rules apply

Slide 271

Slide 271 text

No content

Slide 272

Slide 272 text

Vagrant

Slide 273

Slide 273 text

No content

Slide 274

Slide 274 text

Challenges

Slide 275

Slide 275 text

Testing

Slide 276

Slide 276 text

Cucumber

Slide 277

Slide 277 text

Outside-in

Slide 278

Slide 278 text

Lots of examples Used by tests

Slide 279

Slide 279 text

~/code/ript ➔ ls -1 examples/ |wc -l
41

Slide 280

Slide 280 text

Systems code

Slide 281

Slide 281 text

Lingering state

Slide 282

Slide 282 text

rake clean_slate

Slide 283

Slide 283 text

No content

Slide 284

Slide 284 text

Open Sourcing

Slide 285

Slide 285 text

We love Open Source!

Slide 286

Slide 286 text

*but*

Slide 287

Slide 287 text

Minimum Viable Product

Slide 288

Slide 288 text

Started concrete

Slide 289

Slide 289 text

Hard coded Bulletproofisms

Slide 290

Slide 290 text

Scrub internal references

Slide 291

Slide 291 text

Rewrite history

Slide 292

Slide 292 text

No content

Slide 293

Slide 293 text

Nuke git repo

Slide 294

Slide 294 text

~/code/ript.history ➔ git log --pretty=format:%H |wc -l
234

~/code/ript.public ➔ git log --pretty=format:%H |wc -l
5

Slide 295

Slide 295 text

Retained CHANGELOG

Slide 296

Slide 296 text

No content

Slide 297

Slide 297 text

Interface

Slide 298

Slide 298 text

bin/ript

Slide 299

Slide 299 text

A little manky

Slide 300

Slide 300 text

On the roadmap

Slide 301

Slide 301 text

No content

Slide 302

Slide 302 text

IPv6

Slide 303

Slide 303 text

No current support

Slide 304

Slide 304 text

Really important

Slide 305

Slide 305 text

.to_iptables

Slide 306

Slide 306 text

.to_ip6tables

Slide 307

Slide 307 text

Q2 2013

Slide 308

Slide 308 text

No content

Slide 309

Slide 309 text

Writing our own history

Slide 310

Slide 310 text

Too easy to complain

Slide 311

Slide 311 text

Question your circumstances.

Slide 312

Slide 312 text

Working with shitty tools?

Slide 313

Slide 313 text

What led you to this point?

Slide 314

Slide 314 text

What is the problem you're trying to solve?

Slide 315

Slide 315 text

Tools are a means

Slide 316

Slide 316 text

They can be rebuilt, rewritten, replaced

Slide 317

Slide 317 text

Find your concrete principles

Slide 318

Slide 318 text

Frequency

Slide 319

Slide 319 text

Size

Slide 320

Slide 320 text

Friction

Slide 321

Slide 321 text

Thank you! Questions?

Slide 322

Slide 322 text

Questions? Tweet @auxesis if you liked the talk!

Slide 323

Slide 323 text

No content

Slide 324

Slide 324 text

Credits

http://www.flickr.com/photos/25084516@N03/4994100153
http://www.flickr.com/photos/pfenwick/2237728495
http://www.flickr.com/photos/varrqnuht/2228404970
http://www.flickr.com/photos/t3rmin4t0r/2276495257
http://www.flickr.com/photos/chrissamuel/2231908105
http://www.flickr.com/photos/nhankamer/4703022414
http://www.flickr.com/photos/nortonp/6236722793
http://www.flickr.com/photos/thomasforsyth/4313764488
http://www.flickr.com/photos/mag3737/204597831
http://www.flickr.com/photos/carleycomartin/3912655528
http://www.flickr.com/photos/thomas_hackl/8172975389
http://www.flickr.com/photos/memestate/54408373
http://www.flickr.com/photos/ldsykora/2414497811
http://www.flickr.com/photos/usdagov/7061668841
http://www.flickr.com/photos/studiogabe/5213143779
http://www.flickr.com/photos/terrio/4303997455
http://www.flickr.com/photos/cmbellman/3219012282

Slide 325

Slide 325 text

Credits

http://www.flickr.com/photos/sizemore/2215594186
http://www.flickr.com/photos/tsuna72/5939008153
http://www.flickr.com/photos/stevensnodgrass/3543579066
http://www.flickr.com/photos/altemark/363947977
http://www.flickr.com/photos/moff/4504997898
http://www.flickr.com/photos/charlestilford/8295523130
http://www.flickr.com/photos/nasacommons/4858567480
http://www.vagrantup.com/images/vagrant_header_background-482a12a7.png
http://www.flickr.com/photos/10318341@N02/4425899887
http://www.flickr.com/photos/deadair/3361335831
http://www.flickr.com/photos/zanehollingsworth/3260908168
http://www.flickr.com/photos/cushinglibrary/3740398710
http://www.flickr.com/photos/89964047@N07/8181225923
http://www.flickr.com/photos/minnesotahistoricalsociety/5186865305
http://www.flickr.com/photos/58558794@N07/5739801904
http://www.flickr.com/photos/steverhode/3134180338
http://www.flickr.com/photos/acediscovery/3030548744