Firewall Bouncer
📚 Documentation💠 Hub💬 Discourse
Crowdsec bouncer written in golang for firewalls.
crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.
Supported firewalls:
- iptables (IPv4 ✔️ / IPv6 ✔️ )
- nftables (IPv4 ✔️ / IPv6 ✔️ )
- ipset only (IPv4 ✔️ / IPv6 ✔️ )
- pf (IPV4 ✔️ / IPV6 ✔️ )
Installation
Using packages
Packages for crowdsec-firewall-bouncer are available on our repositories. You need to pick the package accord to your firewall system :
IPTables
- Debian/Ubuntu
- RHEL/Centos/Fedora
- FreeBSD
sudo apt install crowdsec-firewall-bouncer-iptables
sudo yum install crowdsec-firewall-bouncer-iptables
sudo pkg install crowdsec-firewall-bouncer
NFTables
- Debian/Ubuntu
- RHEL/Centos/Fedora
- FreeBSD
sudo apt install crowdsec-firewall-bouncer-nftables
sudo yum install crowdsec-firewall-bouncer-nftables
sudo pkg install crowdsec-firewall-bouncer
Manual installation
Assisted
First, download the latest crowdsec-firewall-bouncer
release.
$ tar xzvf crowdsec-firewall-bouncer.tgz
$ sudo ./install.sh
From source
Run the following commands:
git clone https://github.com/crowdsecurity/cs-firewall-bouncer.git
cd cs-firewall-bouncer/
make release
tar xzvf crowdsec-firewall-bouncer.tgz
cd crowdsec-firewall-bouncer-v*/
sudo ./install.sh
Upgrade
If you already have crowdsec-firewall-bouncer
installed, please download the latest release and run the following commands:
tar xzvf crowdsec-firewall-bouncer.tgz
cd crowdsec-firewall-bouncer-v*/
sudo ./upgrade.sh
Configuration
note : this is only relevant for "manual" or "from source" installation, as packages would take care of all the needed configuration
To be functional, the crowdsec-firewall-bouncer
service must be able to authenticate with the local API.
The install.sh
script will take care of it (it will call cscli bouncers add
on your behalf).
If it was not the case, the default configuration file is located under : /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
mode: "iptables"
pid_dir: "/var/run/"
update_frequency: "10s"
daemonize: true
log_mode: "file"
log_dir: "/var/log/"
log_level: "info"
api_url: "<API_URL>" # when install, default is "localhost:8080"
api_key: "<API_KEY>" # Add your API key generated with `cscli bouncers add --name <bouncer_name>`
disable_ipv6: "false"
deny_mode: "DROP"
deny_log: "false
#deny_log_prefix: "crowdsec: "
#if present, insert rule in those chains
iptables_chains:
- "INPUT"
- "FORWARD"
mode
can be set toiptables
,nftables
,ipset
orpf
update_frequency
controls how often the bouncer is going to query the local APIapi_url
andapi_key
control local API parameters.iptables_chains
allows (in iptables mode) to control in which chain rules are going to be inserted. (if empty, bouncer will only maintain ipset lists)disable_ipv6
- set to true to disable ipv6deny_mode
- what action to use to deny, one of DROP or REJECTdeny_log
- set this to true to add a log statement to the firewall ruledeny_log_prefix
- if logging is true, this sets the log prefix, defaults to "crowdsec: "
You can then start the service:
sudo systemctl start crowdsec-firewall-bouncer
logs
logs can be found in /var/log/crowdsec-firewall-bouncer.log
modes
- mode
nftables
relies on github.com/google/nftables to create table, chain and set. - mode
iptables
relies oniptables
andipset
commands to insertmatch-set
directives and maintain associated ipsets - mode
ipset
relies onipset
and only manage contents of the sets (they need to exist at startup and will be flushed rather than created) - mode
pf
relies onpfctl
command to alter the tables. You are required to create the following tables on yourpf.conf
configuration:
# create crowdsec ipv4 table
table <crowdsec-blacklists> persist
# create crowdsec ipv6 table
table <crowdsec6-blacklists> persist
You can refer to step by step instructions of the user tutorial on FreeBSD to setup crowdsec-firewall-bouncer with pf.