Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems, so you can:

save time

Clean up rusty configurations that are crudded up with rules that can’t match traffic.

spot flaws

Eradicate latent security problems lurking in overly-permissive rules.

stay sane

Sanity check changes to see if new rules create problems.

people suck at thinking like firewalls

To understand a firewall configuration, you have to think like a firewall does. People have better things to do. So their firewalls are shot through with subtle mistakes:

Insecure services might be allowed through the firewall, preventing it from blocking attacks.

Lax controls on DMZs may expose staging and test servers.

Firewall management ports may be exposed to untrusted networks.

Redundant firewall rules may be complicating your configuration and slowing you down.
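
The mistakes listed above, as an added example that is not Flint's own code: a first-match audit over a constructed ACL that flags rules an earlier rule already swallows (shadowed or redundant) and management ports open to any source. The `Rule` model, `MGMT_PORTS` and the sample addresses are assumptions made for illustration.

```ruby
require "ipaddr"

# Simplified model of one first-match ACL entry (hypothetical, not Flint's).
Rule = Struct.new(:line, :action, :proto, :src, :dst, :ports)

MGMT_PORTS = [22, 23].freeze # ssh and telnet, assumed to be management services

# Turn "any" or a CIDR string into an integer address range.
def span(cidr)
  r = IPAddr.new(cidr == "any" ? "0.0.0.0/0" : cidr).to_range
  (r.begin.to_i..r.end.to_i)
end

def within?(inner, outer)
  outer.begin <= inner.begin && inner.end <= outer.end
end

# True when every packet matching rule b also matches rule a.
def covers?(a, b)
  (a.proto == "ip" || a.proto == b.proto) &&
    within?(span(b.src), span(a.src)) &&
    within?(span(b.dst), span(a.dst)) &&
    within?(b.ports, a.ports)
end

# Only single-rule coverage is checked; a rule hidden by the union of
# several earlier rules is not detected by this example.
def audit(rules)
  findings = []
  rules.each_with_index do |rule, i|
    earlier = rules[0...i].find { |r| covers?(r, rule) }
    if earlier
      kind = earlier.action == rule.action ? :redundant : :shadowed
      findings << [rule.line, kind, earlier.line]
    elsif rule.action == :permit && rule.src == "any"
      exposed = MGMT_PORTS.select { |p| rule.ports.include?(p) }
      findings << [rule.line, :mgmt_exposed, exposed] unless exposed.empty?
    end
  end
  findings
end

# Constructed sample ACL using documentation address space.
ACL = [
  Rule.new(1, :permit, "tcp", "any", "192.0.2.10/32", 80..80),
  Rule.new(2, :deny, "ip", "10.0.0.0/8", "any", 0..65_535),
  Rule.new(3, :permit, "tcp", "10.1.0.0/16", "192.0.2.0/24", 443..443),
  Rule.new(4, :permit, "tcp", "any", "192.0.2.10/32", 80..80),
  Rule.new(5, :permit, "tcp", "any", "192.0.2.1/32", 20..25)
].freeze

audit(ACL).each { |finding| puts finding.inspect }
```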

You have multiple firewalls protecting internal networks from the Internet and controlling access to customer data. Your business changes, and so do your firewalls. And not always at the same time. Firewalls get out of step with policies. This is a problem you should automate.

Flint prevents engineers from making costly mistakes. It takes just moments for Flint to evaluate a ruleset and spot errors. Your team can have it up and running in minutes. Flint is low-drag, no drama.

but wait, there's less

mascot:

It's a Shaolin monk composed of the Gill Sans comma character, and he's symbolizing the power of Lisp (which we didn't write Flint in).

it's gpl

Open source means never having to say we're sorry. Flint is GPL open source. That means you can download it, play with the source, give the source to your friends, change the source, even sell a product (please don't call it "Flint") based on our source --- as long as everything you do with the code is *also* licensed under the GPL. Have fun!

it's bare-bones

Like Reid Hoffman said, if you aren't embarrassed by what you launch with, you waited too long to launch. Flint is missing a lot of stuff. It needs about 100 more checks and a couple dozen more features. Which features? We have no idea. That's why we got it out there.

it's pix/asa-only

This one is painful: we only support Cisco PIX and ASA firewalls right now (we barely support IOS in current builds). Why? We want to get Flint right for one firewall before we spend time making the wrong thing work on lots of firewalls.

get it now

vmware

No configuration. No dependencies. No drama. Download a virtual appliance, run it in the free VMware player of your choice, and get started.

source

Roll your own Flint from the most recent stable source. Flint is a Sinatra Ruby application that should run on OS X, FreeBSD, or Linux.

git

Keep up to date with the most recent changes and easily submit patches back to us (please?) by using git to track our source repository.

installing via vm

The Flint virtual appliance runs on any system that can play VMware virtual machines. This includes VMware Server on Windows, VMware ESX for enterprise deployments, and VMware Fusion on Mac OS X.

There are two versions of the VM available: one is a standard VMware VM, the other is an OVF-style VM for ESX. If you're not using ESX, use the standard.

For the standard version, grab this file:

http://s3.amazonaws.com/matasano_flint/FlintVM-current.zip

For VMware ESX, grab this file:

http://s3.amazonaws.com/matasano_flint/FlintVM-current.ovf.zip

Flint is not a particularly heavyweight application. It should run just fine on your desktop.

Once it's up and running, you should be able to point your browser at the IP address of the VM, port 4567 (i.e., http://vm:4567/), and see Flint.

Log in as "admin", password "admin77".

installing via source

Flint should run anywhere you could ordinarily run a Ruby on Rails app. For most people, that means there's some assembly required.

Get the source

You can download the most recent snapshot of the source code here:

http://runplaybook.com/storage/flint/flint-current.tgz

Set up your environment

You need a development environment that can build C code and that can run Ruby. On Mac OS X, that means Xcode. On Ubuntu or Debian Linux, you'll want the "build-essential" package and Ruby 1.8 with rubygems, the standard Ruby package manager. You should be able to type "gem help" and "rake --help" and see help messages.

Start Flint

Unpack the source. Go to the Flint directory. Type "rake install". That will install all of Flint's dependencies, including Redis, which you should check out because it is awesome.

Now, run "rake app". This will start Flint. Point your browser at http://localhost:4567 and you should get a login screen. By default, Flint listens only on localhost.

Log in as "admin", password "admin77".

installing via git

Flint should run anywhere you could ordinarily run a Ruby on Rails app. For most people, that means there's some assembly required.

Get the source

You need "git" installed. Google "git". It's the first hit.

Run "git clone http://runplaybook.com/git/flint.git". Now you have a full checkout of the source. You can update it any time by typing "git pull".

Set up your environment

You need a development environment that can build C code and that can run Ruby. On Mac OS X, that means Xcode. On Ubuntu or Debian Linux, you'll want the "build-essential" package and Ruby 1.8 with rubygems, the standard Ruby package manager. You should be able to type "gem help" and "rake --help" and see help messages.

Start Flint

Unpack the source. Go to the Flint directory. Type "rake install". That will install all of Flint's dependencies, including Redis, which you should check out because it is awesome.

Now, run "rake app". This will start Flint. Point your browser at http://localhost:4567 and you should get a login screen. By default, Flint listens only on localhost.

Log in as "admin", password "admin77".