Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


firewall (96) Versions 1.2.0

Provides a set of primitives for managing firewalls and associated rules.

cookbook 'firewall', '= 1.2.0', :supermarket
cookbook 'firewall', '= 1.2.0'
knife supermarket install firewall
knife supermarket download firewall
Quality 0%

firewall Cookbook

Build Status

Provides a set of primitives for managing firewalls and associated rules.

PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.



  • Ubuntu
  • Debian
  • Redhat
  • CentOS

Tested on:
* Ubuntu 12.04
* Ubuntu 14.04
* Debian 7.8
* CentOS 6.5
* CentOS 7.0



The default recipe creates a firewall resource with action install, and if node['firewall']['allow_ssh'], opens port 22 from the world.


  • default['firewall']['ufw']['defaults'] hash for template /etc/default/ufw


  • See librariez/z_provider_mapping.rb for a full list of providers for each platform and version.



  • :enable: Default action enable the firewall. this will make any rules that have been defined 'active'.
  • :disable: disable the firewall. drop any rules and put the node in an unprotected state.
  • :flush: Runs iptables -F. Only supported by the iptables firewall provider.
  • :save: Runs service iptables save under iptables, adds rules permanently under firewall. Not supported in ufw.

Attribute Parameters

  • name: name attribute. arbitrary name to uniquely identify this resource
  • log_level: level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full. default is :low.


# enable platform default firewall
firewall 'ufw' do
  action :enable

# increase logging past default of 'low'
firewall 'debug firewalls' do
  log_level :high
  action    :enable



  • :allow: the rule should allow incoming traffic.
  • :deny: the rule should deny incoming traffic.
  • :reject: *Default action: the rule should reject incoming traffic.
  • :masqerade: Add masqerade rule
  • :redirect: Add redirect-type rule
  • :log: Configure logging
  • :remove: Remove all rules

Attribute Parameters

  • name: name attribute. arbitrary name to uniquely identify this firewall rule
  • protocol: valid values are: :udp, :tcp. default is all protocols
  • port: incoming port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS). NOTE: protocol attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: protocol, or an attribute is required with a range of ports.
  • source: ip address or subnet to filter on incoming traffic. default is (ie Anywhere)
  • destination: ip address or subnet to filter on outgoing traffic.
  • dest_port: outgoing port number.
  • position: position to insert rule at. if not provided rule is inserted at the end of the rule list.
  • direction: direction of the rule. valid values are: :in, :out, default is :in
  • interface: interface to apply rule (ie. 'eth0').
  • logging: may be added to enable logging for a particular rule. valid values are: :connections, :packets. In the ufw provider, :connections logs new connections while :packets logs all packets.
  • raw: for passing a raw command to the provider (for use with custom modules, also used by zap provider to clean up non-chef managed rules)


# open standard ssh port, enable firewall
firewall_rule 'ssh' do
  port     22
  action   :allow
  notifies :enable, 'firewall[ufw]'

# open standard http port to tcp traffic only; insert as first rule
firewall_rule 'http' do
  port     80
  protocol :tcp
  position 1
  action   :allow

# restrict port 13579 to on eth0
firewall_rule 'myapplication' do
  port      13579
  source    ''
  direction :in
  interface 'eth0'
  action    :allow

# open UDP ports 60000..61000 for mobile shell (, note
# that the protocol attribute is required when using port_range
firewall_rule 'mosh' do
  protocol   :udp
  port       60000..61000
  action     :allow

# open multiple ports for http/https, note that the protocol
# attribute is required when using ports
firewall_rule 'http/https' do
  protocol :tcp
  port     [80, 443]
  action   :allow

firewall 'ufw' do
  action :nothing


This section details "quick development" steps. For a detailed explanation, see [[]].

  1. Clone this repository from GitHub:

    $ git clone
  2. Create a git branch

    $ git checkout -b my_bug_fix
  3. Install dependencies:

    $ bundle install
  4. Make your changes/patches/fixes, committing appropiately

  5. Write tests

  6. Run the tests:

    • bundle exec foodcritic -f any .
    • bundle exec rspec
    • bundle exec rubocop
    • bundle exec kitchen test

In detail:
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes

License & Authors

Copyright:: Copyright (c) 2011-2015 Opscode, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

poise ~> 2.0

Contingent cookbooks

L7-zabbix Applicable Versions
bastion Applicable Versions
centos-test Applicable Versions
chef-davical Applicable Versions
consul Applicable Versions
database_application Applicable Versions
debian-test Applicable Versions
drone_app Applicable Versions
elkstack Applicable Versions
firewall-ex Applicable Versions
firewall_rules Applicable Versions
gantbox Applicable Versions
http_platform Applicable Versions
jahia Applicable Versions
kube_cluster Applicable Versions
locustio Applicable Versions
lxmpbox Applicable Versions
mariadb_galera Applicable Versions
met-jenkins Applicable Versions
paramount Applicable Versions
rackspace_support Applicable Versions
stackup-base Applicable Versions
strongloop Applicable Versions
taurus Applicable Versions
test_kitchen_mssql_helpers Applicable Versions
ufw Applicable Versions
vesta Applicable Versions
vpn Applicable Versions

firewall Cookbook CHANGELOG

This file is used to list changes made in each version of the firewall cookbook.

v1.2.0 (2015-05-28)

  • #64 - Support the newer version of poise

v1.1.2 (2015-05-19)

  • #60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively.
    • Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces

v1.1.1 (2015-05-11)

  • #57 - Suppress warning: already initialized constant XXX while Chefspec

v1.1.0 (2015-04-27)

  • #56 - Better ipv6 support for firewalld and iptables
  • #54 - Document raw parameter

v1.0.2 (2015-04-03)

  • #52 - Typo in :masquerade action name

v1.0.1 (2015-03-28)

  • #49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands

v1.0.0 (2015-03-25)

  • Major upgrade and rewrite as HWRP using poise
  • Adds support for iptables and firewalld
  • Modernize tests and other files
  • Fix many bugs from ufw defaults to multiport suppot

v0.11.8 (2014-05-20)

  • Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules

v0.11.6 (2014-02-28)

[COOK-4385] - UFW provider is broken

v0.11.4 (2014-02-25)

[COOK-4140] Only notify when a rule is actually added



  • COOK-3615 - Install required UFW package on Debian



  • [COOK-2932]: ufw providers work on debian but cannot be used


  • [COOK-2250] - improve readme


  • [COOK-1234] - allow multiple ports per rule


  • [COOK-1615] - Firewall example docs have incorrect direction syntax


The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy.

  • [COOK-1429] - resolve foodcritic warnings


  • refactor all resources and providers into LWRPs
  • removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
  • removed :logging action from firewall resource...just set desired level via the log_level attribute


  • [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
  • Firewall cookbook firewall LWRP needs to support :logging


  • [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
  • [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules


  • [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port


  • [COOK-709] fixed :nothing action for the 'firewall_rule' resource.


  • [COOK-694] added :reject action to the 'firewall_rule' resource.


  • [COOK-698] added :reset action to the 'firewall' resource.


  • Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error. thanks to Ernad Husremović for the fix.


  • [COOK-686] create firewall and firewall_rule resources
  • [COOK-687] create UFW providers for all resources

Foodcritic Metric

1.2.0 failed this metric

FC031: Cookbook without metadata file: /tmp/cook/33b919c223671ad8ede658fe/firewall/metadata.rb:1
FC045: Consider setting cookbook name in metadata: /tmp/cook/33b919c223671ad8ede658fe/firewall/metadata.rb:1