firewall-agent 0.1.0

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Max M. Petrov
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,113 @@
+= firewall-agent
+
+Firewall Agent
+
+Firewall Agent is a utility to simplify firewall configuration for clouds and clusters, especially when hosted with 3rd party VPS services.
+
+Key Features
+ - Human readable/writable policy files
+ - Dynamic policy updates
+ - IPTables compatible
+ - Written in Ruby
+
+What Are Dynamic Policy Updates?
+IPTables uses a static config file to specify the allowed ports, hosts and connections allowed at any given time. Firewall-agent with Dynamic Policy Updates
+allows you to go beyond static files to update your policy file as needed, based on changing network conditions, dynmic host or service lists, or time-based
+criteria.  Examples of several of the applications of this feature can be seen below in the policy examples.
+
+
+Getting Started
+ sudo gem install firewall-agent
+ sudo firewall-agent bootstrap
+ sudo firewall-agent
+
+To Run as a Service (TBD)
+ service start firewall-agent
+
+Writing a Policy File
+
+Policy files are simple ruby files, and as such, can have any ruby syntax necessary.  Policy files are required to
+have a 'policy' block.  To get started create a policy file using one of the templates below, then cusotmize it to your needs.
+
+The command 'firewall-agent bootstrap' creates a policy.rb file in the /etc/firewall-agent directory using the same 'standard' policy shown in this README.
+
+Basic Policy
+
+policy :standard_policy do
+  deny_all             # deny all connections from all hosts
+  allow_listen 'http'  # let HTTP connections in
+  allow_established    # allow all established TCP connections
+  allow_ping           # let any host ping this server
+  allow_ssh            # allow SSH connections
+end
+
+Dynamic Policy
+
+policy :dynamic_policy do
+  deny_all
+  allow_listen 'http', 'https'  # list multiple services or ports as needed
+
+  # Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices
+  update :each => 5.minutes do
+    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
+  end
+
+  allow_established
+  allow_ping
+  allow_ssh
+end
+
+
+Super Advanced Policy
+
+require 'resolve'
+policy :advanced_policy do
+  deny_all
+  allow_listen 'http', 'https'
+
+  update :each => 5.minutes do
+    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
+  end
+
+  # 3 different schedules for different types of policy elememnts
+  # this block will enable you to always access all services on
+  # this host - even when your IP changes, via a Dynamic DNS service
+  update :each => 10.minutes do
+    allow_ips Resolv.getaddress('your-desktop.dyndns.org')
+    allow_ips Resolv.getaddress('your-laptop.dyndns.org')
+  end
+
+  # disable printing using CUPS/IPP outside of business hours
+  update :each => 1.minutes do
+    now = Time.now
+    allow_listen 631 unless now.hour < 8 || now.hour > 18
+  end
+
+  allow_established
+  allow_ping
+  allow_ssh
+end
+
+
+Extending Firewall Agent
+Firewall-agent includes a simple Slicehost extension which uses the Slicehost API to get a list of all slices in your account, then updates the
+policy to allow access from any of these nodes - for all ports - on the firewall-agent host.  You can use this as a model to create similar extensions
+for other VPS provides such as Linode, etc.
+
+In addition, we believe there are lots of opportunities for extensions to integrate dynamic whitelist and blacklist services.  Please share your
+creations with the community.  Well documented and tested extensios will be added to the firewall-agent - please contact us on GitHub.
+
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Powcloud Inc. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,58 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "firewall-agent"
+    gem.summary = %Q{Firewall Agent is a utility to simplify firewall configuration}
+    gem.description = %Q{Firewall Agent is a utility to simplify firewall configuration for clouds and clusters, especially when hosted with 3rd party VPS services.}
+    gem.email = "maxmpz@gmail.com"
+    gem.homepage = "http://github.com/powcloud/firewall-agent"
+    gem.authors = ["Darren Rush", "Max M. Petrov"]
+    gem.add_development_dependency "thoughtbot-shoulda", ">= 0"
+    gem.files =  FileList["[A-Z_.]*", "{bin,lib,test}/**/*", 'lib/jeweler/templates/.gitignore']
+
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+    gem.add_dependency('activesupport', '>= 2.3.4')
+    gem.add_dependency('eventmachine', '>= 0.12.10')
+    gem.add_dependency('log4r', '>= 1.1.2')
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "firewall-agent #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/bin/firewall-agent

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'rubygems'
+rescue LoadError
+end
+
+require File.dirname(__FILE__) + '/../lib/firewall_agent'
+
+Log4r::Logger.root.level = Log4r::WARN
+
+
+if ARGV.length > 0
+  if ARGV[0] == 'bootstrap'
+    require 'fileutils'
+    FileUtils.mkdir_p('/etc/firewall-agent')
+    FileUtils.cp(File.join(File.dirname(__FILE__), '..', 'examples', 'standard_policy.rb'), FirewallAgent::DEFAULT_POLICY_FILE)
+    puts "Created #{FirewallAgent::DEFAULT_POLICY_FILE}"
+  else
+    FirewallAgent.start ARGV[0]
+  end
+else
+  FirewallAgent.start
+end
+

data/examples/advanced_policy.rb

@@ -0,0 +1,27 @@
+require 'resolve'
+policy :advanced_policy do
+  deny_all
+  allow_listen 'http', 'https'
+
+  update :each => 5.minutes do
+    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
+  end
+
+  # 3 different schedules for different types of policy elememnts
+  # this block will enable you to always access all services on
+  # this host - even when your IP changes, via a Dynamic DNS service
+  update :each => 10.minutes do
+    allow_ips Resolv.getaddress('your-desktop.dyndns.org')
+    allow_ips Resolv.getaddress('your-laptop.dyndns.org')
+  end
+
+  # disable printing using CUPS/IPP outside of business hours
+  update :each => 1.minutes do
+    now = Time.now
+    allow_listen 631 unless now.hour < 8 || now.hour > 18
+  end
+
+  allow_established
+  allow_ping
+  allow_ssh
+end

data/examples/dynamic_policy.rb

@@ -0,0 +1,13 @@
+policy :dynamic_policy do
+  deny_all
+  allow_listen 'http', 'https'  # list multiple services or ports as needed
+
+  # Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices
+  update :each => 5.minutes do
+    allow_ips slicehost_get_ips('https://8fff02f2853....@api.slicehost.com/')
+  end
+
+  allow_established
+  allow_ping
+  allow_ssh
+end

data/examples/standard_policy.rb

@@ -0,0 +1,7 @@
+policy :standard_policy do
+  deny_all             # deny all connections from all hosts
+  allow_listen 'http'  # let HTTP connections in
+  allow_established    # allow all established TCP connections
+  allow_ping           # let any host ping this server
+  allow_ssh            # allow SSH connections
+end

data/firewall-agent.gemspec

@@ -0,0 +1,70 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{firewall-agent}
+  s.version = "0.1.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Darren Rush", "Max M. Petrov"]
+  s.date = %q{2010-02-05}
+  s.default_executable = %q{firewall-agent}
+  s.description = %q{Firewall Agent is a utility to simplify firewall configuration for clouds and clusters, especially when hosted with 3rd party VPS services.}
+  s.email = %q{maxmpz@gmail.com}
+  s.executables = ["firewall-agent"]
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "bin/firewall-agent",
+     "firewall-agent.gemspec",
+     "lib/firewall_agent.rb",
+     "lib/iptables_generator.rb",
+     "lib/policy.rb",
+     "lib/slicehost_support.rb",
+     "test/helper.rb",
+     "test/test_firewall-agent.rb"
+  ]
+  s.homepage = %q{http://github.com/powcloud/firewall-agent}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{Firewall Agent is a utility to simplify firewall configuration}
+  s.test_files = [
+    "test/helper.rb",
+     "test/test_firewall-agent.rb",
+     "examples/advanced_policy.rb",
+     "examples/dynamic_policy.rb",
+     "examples/standard_policy.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+      s.add_runtime_dependency(%q<activesupport>, [">= 2.3.4"])
+      s.add_runtime_dependency(%q<eventmachine>, [">= 0.12.10"])
+      s.add_runtime_dependency(%q<log4r>, [">= 1.1.2"])
+    else
+      s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+      s.add_dependency(%q<activesupport>, [">= 2.3.4"])
+      s.add_dependency(%q<eventmachine>, [">= 0.12.10"])
+      s.add_dependency(%q<log4r>, [">= 1.1.2"])
+    end
+  else
+    s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+    s.add_dependency(%q<activesupport>, [">= 2.3.4"])
+    s.add_dependency(%q<eventmachine>, [">= 0.12.10"])
+    s.add_dependency(%q<log4r>, [">= 1.1.2"])
+  end
+end
+

data/lib/firewall_agent.rb

@@ -0,0 +1,98 @@
+require 'log4r'
+require 'log4r/outputter/syslogoutputter'
+require 'eventmachine'
+
+this_dir = File.dirname(__FILE__)
+require "#{this_dir}/iptables_generator"
+require "#{this_dir}/slicehost_support"
+require "#{this_dir}/policy"
+
+class FirewallAgent
+  attr_reader :logger
+
+  IPTABLES_FILE = "/etc/sysconfig/iptables"
+  DEFAULT_POLICY_FILE = '/etc/firewall-agent/policy.rb'
+
+  def initialize
+    @logger = Log4r::Logger.new File.basename(__FILE__)
+  end
+
+  def stop
+    logger.warn "Stopping..."
+    EM.stop
+  end
+
+  def start(policy_filename)
+    unless File.exists? policy_filename
+      logger.error "Policy file (#{policy_filename}) not found, exiting..."
+      exit 1 
+    end
+
+    EM.run do
+      Signal.trap('INT') { stop }
+      Signal.trap('TERM'){ stop }
+
+      policy = Policy.new policy_filename, logger
+
+      logger.warn "Starting agent"
+      logger.warn "Applying dynamic firewall policy #{policy.name.to_s} from #{policy_filename}"
+
+      apply_policy(policy)
+
+      EM.add_periodic_timer 5 do
+        apply_policy(policy) if policy.dirty?
+      end
+    end
+  end
+
+  def self.start(policy_filename = DEFAULT_POLICY_FILE)
+    agent = self.new
+
+    formatter = Log4r::PatternFormatter.new(:pattern => "[%5l] %d %C - %m")
+    Log4r::StdoutOutputter.new('console', :formatter => formatter)
+    Log4r::SyslogOutputter.new('syslog', :ident => File.basename(__FILE__))
+    agent.logger.outputters = ['syslog', 'console']
+
+    agent.start(policy_filename)
+  end
+
+  private
+
+  def apply_policy(policy)
+    logger.debug "apply_policy"
+
+    iptables = generate_iptables(policy)
+    policy.clean
+
+    # Read in old file
+    if File.exists?(IPTABLES_FILE)
+      begin
+        old_iptables = File.read(IPTABLES_FILE)
+      rescue Exception => ex
+        log_exception ex
+        exit 1
+      end
+    else
+      old_iptables = ''
+    end
+
+    # Restart service if changed
+    if old_iptables != iptables
+      logger.warn "Updating and restarting IPTables..."
+      open(IPTABLES_FILE , 'w') { |f|  f.puts iptables  }
+      system 'service iptables restart > /dev/null'
+      logger.warn "Policy enabled"
+    else
+      logger.debug "apply_policy - no changes"
+    end
+  end
+
+  def generate_iptables(policy)
+    policy.rules.flatten.join("\n") + "\nCOMMIT\n"
+  end
+
+  def log_exception(ex)
+    logger.error ex.to_s + (ex.backtrace.length > 0 ? ' ' + ex.backtrace.first : '')
+  end
+end
+

data/lib/iptables_generator.rb

@@ -0,0 +1,54 @@
+module IptablesGenerator
+  class << self
+
+    def deny_all
+# Default to dropping unmatched input, Default to dropping unmatched forward requests, Allow all outgoing requests, Allow everything on loopback
+<<EOS_DENY_ALL
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+EOS_DENY_ALL
+    end
+
+    def allow_established
+      "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
+    end
+
+    def allow_ping
+      "-A INPUT -p icmp --icmp-type any -j ACCEPT\n"
+    end
+
+    def allow_ssh
+      "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n"
+    end
+
+    def allow_ip(ip)
+      "-A INPUT -s #{ip} -j ACCEPT\n"
+    end
+
+    def allow_ips(ips)
+      ips.map{ |ip| allow_ip(ip) }.join ''
+    end
+
+    # Rule to open a given port(s)
+    def allow_listen(ports, prot = 'tcp', nic = 'all')
+      if ports.empty?
+        return ''
+      end
+
+      # -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
+      result = "-A INPUT"
+
+      # Did we want a specific nics?
+      #TODO: Convert this to an options hash
+      if (nic != 'all' )
+        result << " -i #{nic}"
+      end
+
+      result << " -p #{prot} -m multiport --dport #{ports.join(",")} -j ACCEPT\n"
+      result
+    end
+  end
+end

data/lib/policy.rb

@@ -0,0 +1,96 @@
+require "active_support/core_ext/integer"
+
+class Policy
+  include SlicehostSupport
+
+  attr_reader :name, :logger
+
+  def initialize(dsl_file, logger)
+    @stack = []
+    @top = []
+    @stack.push(@top)
+    @dirty = false
+    @logger = logger
+
+    instance_eval File.open(dsl_file).read, dsl_file
+  end
+
+  def rules
+    @top
+  end
+
+  def dirty?
+    @dirty
+  end
+
+  def clean
+    @dirty = false
+  end
+
+  def config
+    yield
+  end
+
+  def policy(name = :unnamed)
+    @name = name
+    yield
+  end
+
+  def allow_ip(ip)
+    add_rule IptablesGenerator.allow_ip ip
+  end
+
+  def allow_ips(*hosts)
+    hosts = hosts.first if hosts.length == 1 && hosts.first.instance_of?(Array)
+    add_rule IptablesGenerator.allow_ips hosts
+  end
+
+  def allow_listen(*ports)
+    ports = ports.first if ports.length == 1 && ports.first.instance_of?(Array)
+    add_rule IptablesGenerator.allow_listen(ports)
+  end
+
+  def allow_slicehost_slices(key)
+    add_rule IptablesGenerator.allow_slicehost_slices(key)
+  end
+
+  def allow_established
+    add_rule IptablesGenerator.allow_established
+  end
+
+  def allow_ping
+    add_rule IptablesGenerator.allow_ping
+  end
+
+  def allow_ssh
+    add_rule IptablesGenerator.allow_ssh
+  end
+
+  def deny_all
+    add_rule IptablesGenerator.deny_all
+  end
+
+  def add_rule(rule)
+    @dirty = true
+    @stack.last << rule
+  end
+
+  def update(options = {})
+    index = @stack.last.length
+
+    @stack.push([])
+    yield
+    rules = @stack.pop
+    @stack.last[index] = rules
+
+    period = options[:each].to_i
+    if period > 0
+      EM.add_periodic_timer period do
+        rules.clear
+        @stack.push(rules)
+        yield
+        @stack.pop
+      end
+    end
+  end
+end

data/lib/slicehost_support.rb

@@ -0,0 +1,21 @@
+require 'active_resource'
+
+module SlicehostSupport
+  class Slice < ActiveResource::Base
+  end
+
+  def slicehost_get_ips(api_key)
+    Slice.site = api_key
+    slices = Slice.find(:all)
+
+    ips = []
+
+    for slice in slices
+      for address in slice.addresses
+        ips << address
+      end
+    end
+
+    ips
+  end
+end

data/test/helper.rb

@@ -0,0 +1,10 @@
+#require 'rubygems'
+#require 'test/unit'
+#require 'shoulda'
+#
+#$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+#$LOAD_PATH.unshift(File.dirname(__FILE__))
+#require 'firewall_agent'
+#
+#class Test::Unit::TestCase
+#end

data/test/test_firewall-agent.rb

@@ -0,0 +1,7 @@
+#require 'helper'
+#
+#class TestFirewallAgent < Test::Unit::TestCase
+#  should "probably rename this file and start testing for real" do
+#    flunk "hey buddy, you should probably rename this file and start testing for real"
+#  end
+#end

metadata

@@ -0,0 +1,111 @@
+--- !ruby/object:Gem::Specification 
+name: firewall-agent
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Darren Rush
+- Max M. Petrov
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-02-05 00:00:00 +03:00
+default_executable: firewall-agent
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: thoughtbot-shoulda
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 2.3.4
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: eventmachine
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.12.10
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: log4r
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.1.2
+    version: 
+description: Firewall Agent is a utility to simplify firewall configuration for clouds and clusters, especially when hosted with 3rd party VPS services.
+email: maxmpz@gmail.com
+executables: 
+- firewall-agent
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- bin/firewall-agent
+- firewall-agent.gemspec
+- lib/firewall_agent.rb
+- lib/iptables_generator.rb
+- lib/policy.rb
+- lib/slicehost_support.rb
+- test/helper.rb
+- test/test_firewall-agent.rb
+has_rdoc: true
+homepage: http://github.com/powcloud/firewall-agent
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Firewall Agent is a utility to simplify firewall configuration
+test_files: 
+- test/helper.rb
+- test/test_firewall-agent.rb
+- examples/advanced_policy.rb
+- examples/dynamic_policy.rb
+- examples/standard_policy.rb