Skip to main content
Version: v1.2

Firewall Bouncer

📚 Documentation💠 Hub💬 Discourse

Crowdsec bouncer written in golang for firewalls.

crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.

Supported firewalls:

  • iptables (IPv4 ✔️ / IPv6 ✔️ )
  • nftables (IPv4 ✔️ / IPv6 ✔️ )
  • ipset only (IPv4 ✔️ / IPv6 ✔️ )
  • pf (IPV4 ✔️ / IPV6 ✔️ )

Installation

Using packages

Packages for crowdsec-firewall-bouncer are available on our repositories. You need to pick the package accord to your firewall system :

IPTables

sudo apt install crowdsec-firewall-bouncer-iptables

NFTables

sudo apt install crowdsec-firewall-bouncer-nftables

Manual installation

Assisted

First, download the latest crowdsec-firewall-bouncer release.

$ tar xzvf crowdsec-firewall-bouncer.tgz
$ sudo ./install.sh

From source

Run the following commands:

git clone https://github.com/crowdsecurity/cs-firewall-bouncer.git
cd cs-firewall-bouncer/
make release
tar xzvf crowdsec-firewall-bouncer.tgz
cd crowdsec-firewall-bouncer-v*/
sudo ./install.sh

Upgrade

If you already have crowdsec-firewall-bouncer installed, please download the latest release and run the following commands:

tar xzvf crowdsec-firewall-bouncer.tgz
cd crowdsec-firewall-bouncer-v*/
sudo ./upgrade.sh

Configuration

note : this is only relevant for "manual" or "from source" installation, as packages would take care of all the needed configuration

To be functional, the crowdsec-firewall-bouncer service must be able to authenticate with the local API. The install.sh script will take care of it (it will call cscli bouncers add on your behalf). If it was not the case, the default configuration file is located under : /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
mode: "iptables"
pid_dir: "/var/run/"
update_frequency: "10s"
daemonize: true
log_mode: "file"
log_dir: "/var/log/"
log_level: "info"
api_url: "<API_URL>"  # when install, default is "localhost:8080"
api_key: "<API_KEY>"  # Add your API key generated with `cscli bouncers add --name <bouncer_name>`
disable_ipv6: "false"
deny_mode: "DROP"
deny_log: "false
#deny_log_prefix: "crowdsec: "
#if present, insert rule in those chains
iptables_chains:
  - "INPUT"
  - "FORWARD"
  • mode can be set to iptables, nftables , ipset or pf
  • update_frequency controls how often the bouncer is going to query the local API
  • api_url and api_key control local API parameters.
  • iptables_chains allows (in iptables mode) to control in which chain rules are going to be inserted. (if empty, bouncer will only maintain ipset lists)
  • disable_ipv6 - set to true to disable ipv6
  • deny_mode - what action to use to deny, one of DROP or REJECT
  • deny_log - set this to true to add a log statement to the firewall rule
  • deny_log_prefix - if logging is true, this sets the log prefix, defaults to "crowdsec: "

You can then start the service:

Start CrowdSec service
sudo systemctl start crowdsec-firewall-bouncer

logs

logs can be found in /var/log/crowdsec-firewall-bouncer.log

modes

  • mode nftables relies on github.com/google/nftables to create table, chain and set.
  • mode iptables relies on iptables and ipset commands to insert match-set directives and maintain associated ipsets
  • mode ipset relies on ipset and only manage contents of the sets (they need to exist at startup and will be flushed rather than created)
  • mode pf relies on pfctl command to alter the tables. You are required to create the following tables on your pf.conf configuration:
 # create crowdsec ipv4 table
table <crowdsec-blacklists> persist

# create crowdsec ipv6 table
table <crowdsec6-blacklists> persist

You can refer to step by step instructions of the user tutorial on FreeBSD to setup crowdsec-firewall-bouncer with pf.