squarism/firewool

Language: Ruby

git: https://github.com/squarism/firewool

Rails 3 firewall gem

== Firewool

Abandoned. See {rack-attack}[https://github.com/kickstarter/rack-attack] for a nice alternative with more features.

Firewool is an IP firewall for Rails. You set what IPs to block and what IPs to allow. Specifics below.

== Why would I need this?
Using authentication to protect your app is great but sometimes you just want to do some simple IP filtering. Firewool can help you in the following use cases:
- You have a report job that needs to hit /users/report and you want to restrict access without authentication, i.e. you don't want to create a "report" user which might get reported on or otherwise makes you a sad panda.
- A simple firewall on IPs and ports (layer 3/4) can't protect individual Rails URLs.
- A layer 7 firewall which can protect URLs is too expensive / hard to set up.
- Belt and suspenders style double security check.
- You killed your network guy and no one knows.

== Install
  gem install firewool

  • Tested on Rails 3.0.4.
  • Tested on Ruby 1.9.2 / 1.8.7.
  • Untested on Rails 2.x. Probably won't work because no engines.

== Configuration
Add firewool dependency to Gemfile:
  gem 'firewool'

Create a configuration file in config/firewool.yml

  # config/firewool.yml
  # changing any values requires an app server restart (Apache/Webrick/etc.)

  development:
    ip_restriction: true
    allow: [ 127.0.0.1 ]

  test:
    ip_restriction: false

  production:
    ip_restriction: true
    allow: [ 1.1.0.0/16, 1.2.0.0/16, 1.3.0.0/16 ]
    deny: [ 10.50.0.0/16 ]

Add these lines to the controller you want to protect:

  class DummyController < ApplicationController
    include Firewool
    acts_as_firewalled
    before_filter :ip_filter
  end

Optionally, you can just filter certain actions like any filter:
  before_filter :ip_filter, :only => [:admin, :secret]

== About
Firewool has an implicit deny by default. This means that Firewool evaluates a client's IP in the following order:

  1. Deny first (the default verdict when nothing matches)
  2. Allow anything in the allow list
  3. Deny anything in the deny list

A deny entry therefore wins over an overlapping allow entry.

This allows you to have security by default: a whitelist and then exceptions to that whitelist. However, sometimes you want a default allow and only exceptions to that rule. In that case, use an allow with 0.0.0.0 like this:

  allow: [ 0.0.0.0 ]
  deny: [ whatever ]

Firewool then effectively evaluates allow -> deny: every address is allowed except those the deny list matches.

Source IPs can be spoofed, and the address your app sees as the client depends on any proxies or load balancers in front of it, so where strong security matters, use Firewool together with one or more authentication factors rather than as the only control.

== Quick Network Primer
So how do I write the rules when I'm not a network guy? No problem, let's go through some examples.

First, an IPv4 address is four numbers separated by periods. Each number is called an octet. The slash number (like /16 above) is how many leading bits of the address must match. So to match every usable IP from 10.0.0.1 to 10.0.0.254, we can just say 10.0.0.0/24 instead of naming all 254 IPs one at a time. (Strictly, a /24 covers all 256 addresses from 10.0.0.0 through 10.0.0.255; for filtering purposes that distinction rarely matters.)

10.0.0.0/24 matches 10.0.0.* so the following happens:

  10.0.0.1   (match)
  10.0.0.204 (match)
  10.0.1.1   (no match)
  7.8.9.10   (no match)

If we just want to match one IP address we can use the /32 or just specify the IP address by itself.
  192.168.0.1/32 (matches only 192.168.0.1)

Some more examples:

  192.168.0.1 (matches only 192.168.0.1, same meaning as /32)
  5.0.0.0/8   (matches 5.*.*.*)
  5.6.0.0/16  (matches 5.6.*.*)
  5.6.0.0/24  (matches 5.6.0.*)
  5.6.7.0/24  (matches 5.6.7.*)

These are the simplest examples of this notation (called CIDR if you want to read more) but it's enough to build a few use cases. Let's say we want to allow our customers in but block anyone coming from Evil Hackers' Inc. Our customer's external network is 5.6.7.* (i.e. what they see when they go to whatismyip.com) and let's say that Evil Hackers' proxies sit in the 58.14.0.0/16 block. This would be our config/firewool.yml:

  production:
    ip_restriction: true
    allow: [ 5.6.7.0/24 ]
    deny: [ 58.14.0.0/16 ]

Now we'd want to be careful that 5.6.7.* was really where our users are coming from. If another group of people that we want to keep out are coming from 5.6.7.200, then we'd want to tighten up our rule a little bit and not allow all of the 5.6.7.* network in, because .200 is in 5.6.7.*. So we would research what our customer's IP block really is, or add only the IPs we know about as individual IPs. Because the deny list is evaluated after the allow list, another option is to keep the /24 in allow and add 5.6.7.200 to deny.

As a special case, 0.0.0.0 means *.*.*.*, or all IPs. Also a special case, 127.0.0.1 means localhost, which is good to leave in your development allow section so you can develop your app with firewool on.
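As an added example (not firewool's own code, which is built on the ipaddress gem), here is a stand-alone Ruby re-implementation of the evaluation order described under About (implicit deny, then the allow list, then the deny list) on top of the CIDR rules from this primer, using the standard library's IPAddr instead. The class name IpRuleSet, its methods and the sample config are assumptions made up for this illustration; they are not firewool's API.

```ruby
# Added example (not firewool's own code): a stand-alone re-implementation of
# the evaluation order the README describes (implicit deny, then the allow
# list, then the deny list) over CIDR rules, using Ruby's standard IPAddr
# rather than the ipaddress gem firewool uses. IpRuleSet and its methods are
# names chosen for this illustration, not firewool's API.
require 'ipaddr'
require 'yaml'

class IpRuleSet
  # The README's special case: a bare 0.0.0.0 in a list means every address.
  ALL_ADDRESSES = '0.0.0.0'.freeze

  # Parse the README's config/firewool.yml layout for one environment.
  # Returns nil when ip_restriction is false, i.e. filtering is switched off.
  def self.from_yaml(text, env)
    section = YAML.safe_load(text).fetch(env)
    return nil unless section['ip_restriction']
    new(allow: section.fetch('allow', []), deny: section.fetch('deny', []))
  end

  def initialize(allow: [], deny: [])
    @allow = allow.map { |rule| to_network(rule) }
    @deny  = deny.map  { |rule| to_network(rule) }
  end

  # Deny first, allow anything in the allow list, then deny anything in the
  # deny list. A deny entry therefore always wins over an overlapping allow.
  def allowed?(address)
    ip = IPAddr.new(address.to_s)
    verdict = false                                      # implicit deny
    verdict = true  if @allow.any? { |net| net.include?(ip) }
    verdict = false if @deny.any?  { |net| net.include?(ip) }
    verdict
  rescue IPAddr::InvalidAddressError
    false                                                # unparsable input fails closed
  end

  private

  # "1.2.3.4" is a single host (same as /32); "1.2.0.0/16" is a block;
  # 0.0.0.0 becomes 0.0.0.0/0 so it matches everything.
  def to_network(rule)
    rule = rule.to_s.strip
    rule = '0.0.0.0/0' if rule == ALL_ADDRESSES
    IPAddr.new(rule)
  end
end

# Constructed sample config in the README's layout (made up for this example):
# the customer block from the primer, Evil Hackers' /16, and the one customer
# address we want kept out even though it sits inside the allowed /24.
SAMPLE_CONFIG = <<~YAML
  production:
    ip_restriction: true
    allow: [ 5.6.7.0/24 ]
    deny: [ 58.14.0.0/16, 5.6.7.200 ]
  test:
    ip_restriction: false
YAML

# Evaluate a handful of constructed client addresses against the production
# rules and return { address => allowed? }.
def firewool_example(addresses = %w[5.6.7.10 5.6.7.200 58.14.3.3 7.8.9.10])
  rules = IpRuleSet.from_yaml(SAMPLE_CONFIG, 'production')
  addresses.each_with_object({}) { |ip, out| out[ip] = rules.allowed?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  firewool_example.each { |ip, ok| puts "#{ip.ljust(12)} #{ok ? 'allowed' : 'denied'}" }
end
```

Because the deny list is evaluated after the allow list, 5.6.7.200 is refused even though 5.6.7.0/24 is allowed, which is the tighter rule the paragraph above asks for. An address that does not parse is treated as denied rather than raising inside a request filter, and an environment with ip_restriction: false yields no rule set at all, mirroring the test section of the sample config.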

== Pretty Up
If 403.html doesn't exist in your public directory, then a blocked user will simply see the text "Public Access Denied.", which isn't that great. Create a 403.html file in public; you can use this {403.html template as an example}[https://github.com/squarism/firewool/blob/master/test/dummy/public/403.html].

== Thanks to
{Bluemonk}[https://github.com/bluemonk] for his awesome ipaddress gem. And {sinisterchipmunk}[https://github.com/sinisterchipmunk] for his help in understanding how to test Rails 3 gems quickly.