Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the supermarket mailing list.

Select Badges

Select Supported Platforms


cerberus (4) Versions 2.1.0

Installs/Configures Cerberus firewall manager for Windows 2003 and 2008

cookbook 'cerberus', '~> 2.1.0'
cookbook 'cerberus', '~> 2.1.0', :supermarket
knife cookbook site install cerberus
knife cookbook site download cerberus


Installs/Configures cerberus firewall manager for Windows. Supports 2003 and 2008. The key thought behind Cerberus' modus operandi is simple: define the permitted ports and protocols in one databag and the permitted IP addresses / ranges in another. Any IP inside the ip_permit databag would have access to all of the declared ports.

Cerberus >= 1.0.0 handles a significant bug in (both architectures of) Windows 2008 advfirewall manager whereby the "remoteip=" string has a short character limit. Instead of concatinating all the permitted ips onto one line, cerberus now writes a rule for every remoteip. This is a bummer, actually, because the netsh advfirewall command takes an extremely long time to run on Windows 2008 i386. An. Extremely. Long. Time. Note, this slow behaviour seems to build over time, and regular reboots seem to mitigate the issue significantly. This issue does not seem to impact Windows 2008 R2 x86_64. If you can migrate your machines from Windows 2008 i386 to Windows 2008 R2 x86_64, this is highly recommended.

Updated to support opening http to facebook, twitter, and AWS networks.

Cerberus >= 2.1.0 is a complete re-write for chef-client version 11! Although the supporting structure is identical and compatible with previous versions of the cookbook, the internal logic has received a significant upgrade. Cerberus now creates json templates internally with information from the ip_permit and firewall_rules data bags, and only instructs windows to edit the firewall rule if it changes. Previously, the entire ruleset was removed and replaced during each chef run, which could cause connections to stutter. Cerberus now runs much more quickly and is more robust.


Windows 2003 or 2008, a data bag to hold permitted ip addresses and a data bag to hold protocol details. Also requires the twitter cookbook to tweet service status changes; this dependency can be broken and removed easily.


The Windows 2003 version uses a few attributes to point at the the "inf" file used for rule deployment; however, the vast majority of the information is stored inside data bags. Logging of dropped connections and packets is now stored inside an attribute.


Create two data bags and add the permitted ips to the first and the permitted ports to the second as such:

ip_permit (sample item below) { "name": "data_bag_item_ip_permit_www", "raw_data": { "netmask": "/32", "comment": "example host description here", "fqdn": "", "ipaddress": "", "id": "www", "owner": "Joe User" }, "json_class": "Chef::DataBagItem", "data_bag": "ip_permit", "chef_type": "data_bag_item" }

firewall_rules (sample item below) { "name": "data_bag_item_firewall_rules_3389", "raw_data": { "name": "rdp", "protocol": "tcp", "id": "3389", "permit": "enabled", "description": "Remote Desktop (tcp 3389)" }, "json_class": "Chef::DataBagItem", "data_bag": "firewall_rules", "chef_type": "data_bag_item" }

Then add the cookbook to the runlist and watch it go!

No quality metric results found