Last Friday, I talked about building dynamic firewalls with Chef and Netfilter at Security Bsides Delaware. It's essentially a presentation of the AFW cookbook (https://github.com/jvehent/AFW/) that we have been developing at AWeber for the past 6 months.
I've received great feedback from the attendees. What really struck me is that, while almost everyone recognizes that massive security appliances fail at securing networks (outdated rules, connections that bypass the firewalls, ...), there doesn't seem to be any obvious solution available to improve the situation.
At AWeber, we are fans of Netfilter. We have been using it for years in multiple forms, so moving to Chef and AFW was just the next logical step. But even for us, it has not been a painless one. Connections broke between servers that, we had forgotten, were communicating with each other. I spent weeks hunting broken connections all over the place, while trying to keep the ruleset as tight and consistent as we wanted it to be.
AFW solves a difficult problem: appliance-based firewalls are hard to keep up to date and will, after a few years of service, have open rules all over the place that no one wants to close, for fear of "breaking something". AFW only requires a few dozen generic rules to firewall an entire infrastructure. And it's all Linux-based, using the fancy features of Netfilter! What else could you possibly want?
Abstract
Virtualized web infrastructures often mean having a bunch of web applications talking HTTP to each other all over your network: REST APIs everywhere, VMs appearing and disappearing every day, without any sort of ACL or passwords between them. From a firewall standpoint, manually managing the firewall rules between those VMs is unrealistic, and often results in opening tcp/80 (and more) everywhere by default. This is obviously not ideal. Some have tried to deploy web application firewalls, but few have survived to testify. The Advanced FireWall (http://github.com/jvehent/AFW) is a Chef cookbook that solves these problems by controlling host-based Netfilter firewalls on each system of a Chef-provisioned environment. I will demonstrate how host-to-host rules can be created and kept up to date by using a set of generic rules expanded dynamically, and how, using AFW, you can keep control over every single packet of your network.
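To make the "generic rules expanded dynamically" idea concrete, here is an added example in Ruby (Chef's language). It is not AFW's code and does not use AFW's rule syntax; the rule format, the role names, the inventory (standing in for what a Chef search would return) and the helper names are all assumptions made for the illustration. Each host expands the same handful of role-based rules against the current inventory into its own iptables ruleset, with a default DROP policy, so a newly provisioned VM is allowed in as soon as it appears in the inventory, and a host that belongs to no role gets nothing but the base rules (the "connections broke" scenario above):

```ruby
# Added example, not AFW's own code: expand role-based generic rules
# into per-host iptables rules from a Chef-style node inventory.

# Constructed inventory standing in for a Chef node search result.
INVENTORY = [
  { 'fqdn' => 'web1.example.net', 'ipaddress' => '10.0.1.10', 'roles' => %w[webapp] },
  { 'fqdn' => 'web2.example.net', 'ipaddress' => '10.0.1.11', 'roles' => %w[webapp] },
  { 'fqdn' => 'api1.example.net', 'ipaddress' => '10.0.2.10', 'roles' => %w[api] },
  { 'fqdn' => 'db1.example.net',  'ipaddress' => '10.0.3.10', 'roles' => %w[postgres] },
].freeze

# Generic rules written against roles rather than addresses. The format is
# hypothetical; 'role:*' means "every node in the inventory".
GENERIC_RULES = [
  { 'name' => 'webapp-to-api',    'proto' => 'tcp', 'dport' => 80,   'source' => 'role:webapp', 'dest' => 'role:api' },
  { 'name' => 'api-to-postgres',  'proto' => 'tcp', 'dport' => 5432, 'source' => 'role:api',    'dest' => 'role:postgres' },
  { 'name' => 'ssh-from-bastion', 'proto' => 'tcp', 'dport' => 22,   'source' => '10.0.0.5/32', 'dest' => 'role:*' },
].freeze

# Resolve a selector to a list of addresses: 'role:x' through the inventory,
# anything else is taken as a literal address or CIDR.
def resolve(selector, inventory)
  return [selector] unless selector.start_with?('role:')
  role = selector.delete_prefix('role:')
  inventory.select { |n| role == '*' || n['roles'].include?(role) }
           .map { |n| n['ipaddress'] }
end

def node_matches?(node, selector, inventory)
  resolve(selector, inventory).include?(node['ipaddress'])
end

# Build the complete INPUT/OUTPUT ruleset for one node. Everything not
# covered by a generic rule naming this node's role on either side is dropped.
def expand_rules(node, rules, inventory)
  out = [
    '-P INPUT DROP', '-P OUTPUT DROP', '-P FORWARD DROP',
    '-A INPUT -i lo -j ACCEPT', '-A OUTPUT -o lo -j ACCEPT',
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
    '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
  ]
  rules.each do |r|
    match = "-p #{r['proto']} --dport #{r['dport']} -m conntrack --ctstate NEW " \
            "-m comment --comment #{r['name']} -j ACCEPT"
    # This node is a destination: accept NEW connections from each source.
    if node_matches?(node, r['dest'], inventory)
      resolve(r['source'], inventory).each do |src|
        next if src == node['ipaddress']
        out << "-A INPUT -s #{src} #{match}"
      end
    end
    # This node is a source: allow NEW connections out to each destination.
    if node_matches?(node, r['source'], inventory)
      resolve(r['dest'], inventory).each do |dst|
        next if dst == node['ipaddress']
        out << "-A OUTPUT -d #{dst} #{match}"
      end
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  api1 = INVENTORY.find { |n| n['fqdn'] == 'api1.example.net' }
  puts expand_rules(api1, GENERIC_RULES, INVENTORY)
end
```

Re-running the expansion after the inventory changes is what keeps the rules current: add an `api2` node to the inventory and every `webapp` host gains an OUTPUT rule to it on the next run, without anyone touching the generic rules. The flip side is the one described above: a host that talks to something but sits in no role (or a flow no generic rule names) is silently dropped, which is why the first weeks of such a rollout are spent finding those forgotten dependencies.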