
Announcing Firewall Rules - buro9
https://blog.cloudflare.com/announcing-firewall-rules/
======
buro9
I worked on this system and am happy to answer questions about it.

The main documentation can be found here: [https://developers.cloudflare.com/firewall/cf-firewall-rules...](https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions/)

As an outline:

+ We use a Wireshark(r) [https://www.wireshark.org/](https://www.wireshark.org/) inspired DSL for expressions that match traffic throughout our network: [https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuild...](https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html)

+ That is a generic capability and was written in Rust; internally the lib is called wirefilter, and our product name for it is Cloudflare Filters

+ Firewall Rules is the first of our products that implements the Filters, and the essence is "when filter matches traffic, apply firewall action"

+ Because it is Wireshark style expressions, firewall actions can now target very specific attacks and allow for complex implementations of traditionally custom WAF rules in a very simple expression language

Happy to answer any question I can. This is a first launch, and it will see a
lot of new additions in the future and we're really excited about it.
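
The "when filter matches traffic, apply firewall action" model described above, as an added example that is not part of the original thread and is not Cloudflare's wirefilter code: a toy Python tokenizer, parser and evaluator for a small Wireshark-style expression grammar, with an ordered list of (expression, action) rules run over sample requests. The field names, operators, action names, the typed schema and the "first match wins, default allow" policy are all assumptions modelled on the documented Firewall Rules syntax, and the rules and requests are constructed for the example.

```python
"""Toy evaluator for a Wireshark-style firewall expression language. Illustration
only, not Cloudflare's wirefilter: field names, operators, action names and the
schema are assumptions modelled on the documented syntax; semantics are simplified."""
import re

OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "ge": lambda a, b: a >= b,
       "contains": lambda a, b: b in a, "in": lambda a, b: a in b,
       "matches": lambda a, b: re.search(b, a) is not None}  # a: field value, b: literal
KEYWORDS = {"and", "or", "not"} | set(OPS)
# Assumed schema (field -> type), checked at compile time so typos and type mismatches fail before a rule sees traffic.
SCHEMA = {"ip.src": str, "ip.geoip.country": str, "http.request.method": str,
          "http.request.uri.path": str, "http.user_agent": str, "cf.threat_score": int}
TOKEN_RE = re.compile(r'(?P<num>\d+)|(?P<str>"(?:[^"\\]|\\.)*")|(?P<field>[A-Za-z_][\w.]*)'
                      r'|(?P<punct>[{}])|(?P<ws>\s+)|(?P<bad>.)')
CONVERT = {"num": lambda v: ("num", int(v)), "str": lambda v: ("str", v[1:-1].replace('\\"', '"')),
           "field": lambda v: ("kw" if v in KEYWORDS else "field", v), "punct": lambda v: (v, v)}

def tokenize(text):
    """(kind, value) tokens; whitespace is skipped and any stray character is an error."""
    matches = [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(text)]
    bad = [v for k, v in matches if k == "bad"]
    if bad:
        raise ValueError(f"unexpected {bad[0]!r} in {text!r}")
    return [CONVERT[k](v) for k, v in matches if k != "ws"]

class Parser:
    """Recursive descent with precedence: or < and < not < comparison. Result in .ast"""
    def __init__(self, text):
        self.toks, self.i = tokenize(text) + [(None, None)], 0  # (None, None) marks end
        self.ast = self.parse_binary("or")
        if self.toks[self.i][0] is not None:
            raise ValueError(f"trailing input {self.toks[self.i][1]!r}")
    def take(self, kind=None):
        tok = self.toks[self.i]
        if tok[0] is None or (kind and tok[0] != kind):
            raise ValueError(f"expected {kind or 'a value'}, got {tok[1]!r}")
        self.i += 1
        return tok
    def parse_binary(self, op):
        lower = (lambda: self.parse_binary("and")) if op == "or" else self.parse_not
        left = lower()
        while self.toks[self.i] == ("kw", op):
            self.i += 1
            left = (op, left, lower())
        return left
    def parse_not(self):
        if self.toks[self.i] == ("kw", "not"):
            self.i += 1
            return ("not", self.parse_not())
        field, op = self.take("field")[1], self.take("kw")[1]
        if field not in SCHEMA or op not in OPS:
            raise ValueError(f"unknown field or operator: {field} {op}")
        if op != "in":
            return ("cmp", field, op, self.literal(field))
        self.take("{")  # set membership: field in {v1 v2 ...}
        rhs = []
        while self.toks[self.i][0] != "}":
            rhs.append(self.literal(field))
        self.take("}")
        return ("cmp", field, op, rhs)
    def literal(self, field):
        kind, val = self.take()
        if kind not in ("str", "num") or not isinstance(val, SCHEMA[field]):
            raise ValueError(f"{field} is {SCHEMA[field].__name__}, got {val!r}")
        return val

def evaluate(ast, request):
    if ast[0] == "or":
        return evaluate(ast[1], request) or evaluate(ast[2], request)
    if ast[0] == "and":
        return evaluate(ast[1], request) and evaluate(ast[2], request)
    if ast[0] == "not":
        return not evaluate(ast[1], request)
    _, field, op, rhs = ast
    return OPS[op](request[field], rhs)

def compile_rules(rules):
    """Parse every (expression, action) pair up front: a bad rule fails at deploy time."""
    return [(Parser(expr).ast, action) for expr, action in rules]

def apply_rules(compiled, request):
    """Action of the first rule matching request (a dict of field -> value), else 'allow'."""
    return next((action for ast, action in compiled if evaluate(ast, request)), "allow")

# Constructed rules and requests; action names are labels, not real Cloudflare behaviour.
RULES = [
    ('ip.src in {"198.51.100.7" "203.0.113.9"}', "block"),
    ('http.request.uri.path contains "/wp-login.php" and not ip.geoip.country eq "US"', "challenge"),
    ('http.request.method eq "POST" and http.user_agent matches "(?i)sqlmap|nikto"', "block"),
    ("cf.threat_score ge 40", "js_challenge"),
]
BASE = {"ip.src": "192.0.2.10", "ip.geoip.country": "US", "http.request.method": "GET",
        "http.request.uri.path": "/", "http.user_agent": "Mozilla/5.0", "cf.threat_score": 0}
SAMPLE_REQUESTS = {
    "listed_ip": {**BASE, "ip.src": "203.0.113.9"},
    "foreign_login": {**BASE, "ip.geoip.country": "FR", "http.request.uri.path": "/wp-login.php"},
    "scanner_post": {**BASE, "http.request.method": "POST", "http.user_agent": "sqlmap/1.5"},
}
```

Run `compile_rules(RULES)` once and then `apply_rules(compiled, request)` per request: the listed IP is blocked by the first rule, the non-US login page hit is challenged, the sqlmap POST is blocked, and an unremarkable request falls through to `allow`. Compiling against a typed schema is the part worth copying: an expression with a misspelled field, a string where an integer is expected, or stray trailing tokens is rejected when the rule is created, not discovered on live traffic.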

~~~
steveklabnik
No questions, just glad to see this written in Rust!

~~~
buro9
We chose Rust with very open eyes. It's a very good fit for our scenario.

We needed to make a single implementation of this, as it had to behave
precisely the same within an API, and within multiple products in different
languages elsewhere... whilst being very fast and safe.

Rust is a really good choice for this, and thanks for writing the book that is
on my desk.

~~~
steveklabnik
Glad to hear it, and you’re welcome <3

