cylonchau / firewalld-gateway


Full rest API implemented Linux firewalld distributed manipulation controller and UI

License: MIT License

Languages: Go 99.08%, Dockerfile 0.63%, Makefile 0.17%, Shell 0.12%
Topics: uranus, firewalld-ui, iptables, nftables, dbus, firewall, firewalld-rest, iptables-ui, iptables-web, nftables-ui

firewalld-gateway's Introduction

Uranus

Uranus is a central controller for Linux firewalld. In Greek mythology, Uranus was king of the gods; the firewall gateway is the Uranus of iptables.

Quick start

https://www.oomkill.com/2024/08/uranus-installation/


Features

  • Full firewalld features.
  • Full D-Bus API converted to a REST API (currently covered OS: Debian 11, CentOS 7).
  • Based on remote D-Bus.
  • Declarative API and imperative API.
  • Asynchronous batch interface (add only).
  • Can control thousands of Linux machines remotely via the firewall gateway.
  • Supports fast template changes across thousands of machines.
  • Supports backing off a wrong operation.
  • Supports delayed command effect.
  • Supports iptables NAT, ipset and timer tasks.
  • Supports template switching (only when the DB is enabled).
  • HTTP service only (without a store).
  • UI based on vue-element-admin.
  • Supports datacenter tags and machine management.
  • Supports SQLite and MySQL databases.

TODO

  • Asynchronous batch processing
  • Optional API (v3 only)
  • Security policy
  • Delayed tasks
  • UI
  • Authentication
  • Deployment on Kubernetes & Docker
  • Prometheus metrics
  • WAF SDK

Deploy

To compile Uranus, execute the following commands:

git clone ..
make

To deploy Uranus on Kubernetes, execute the following command:

kubectl apply -f https://raw.githubusercontent.com/cylonchau/firewalld-gateway/main/deploy/deployment.yaml

To run Uranus in Docker, execute the following command:

docker run -d --rm  cylonchau/uranus

If you want to update your dbus-daemon to the latest version, you can use dbus.spec to build your own package.

Use

Swagger API doc: host:port/swagger/index.html

  • v1: runtime resources.
  • v2: permanent resources.
  • v3: asynchronous batch operations.

FAQ

Why not use SSH or Ansible tools?

Because D-Bus supports remote access and firewalld implements a full D-Bus API, we can batch-manage iptables rules via firewalld.

How does this project differ from others?

The firewall gateway converts the full D-Bus API to an HTTP API, so it can control thousands of machines via the gateway. Other projects update iptables via agent scripts, or only run on one machine.

Is enabling D-Bus remotely safe?

We can open the D-Bus port only to the gateway's IP, so it is safe.

By default, if your machine has been hacked, enabling or disabling remote D-Bus makes no difference, because the hacker can already run any command on your machine.

If your machine is safe, we can open the D-Bus port only to the gateway's IP, so iptables rules can be managed via the gateway and UI.

For example:

  • Layer 1: add an iptables rule restricting the D-Bus TCP port.
  • Layer 2: use a D-Bus ACL to restrict requests.

For example, edit /etc/dbus-1/system.conf:

<policy context="default">
    <deny receive_path="/org/fedoraproject/FirewallD1" /> <!-- restrict all requests -->
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register with dbus-daemon -->
    <!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>
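As an added example, not code from the project, the Python script below parses a busconfig fragment like the one above and flags the settings that undo layer 2: a TCP listener bound to every interface, the ANONYMOUS auth mechanism, and a default-context allow on the firewalld object path that is not tied to a specific sender. The two sample fragments and the 10.0.0.5 address are constructed placeholders.

```python
# Added example (not part of firewalld-gateway): audit a busconfig fragment such as
# /etc/dbus-1/system.conf for settings that widen remote access to firewalld's D-Bus API.
import xml.etree.ElementTree as ET

FIREWALLD_PATH = "/org/fedoraproject/FirewallD1"

# Constructed sample: the README policy plus a listener on the gateway-facing address (placeholders).
HARDENED_CONF = """<busconfig>
  <listen>tcp:host=10.0.0.5,port=55556,family=ipv4</listen>
  <policy context="default">
    <deny receive_path="/org/fedoraproject/FirewallD1"/>
    <allow user="root"/>
    <allow own="com.github.cylonchau.Uranus"/>
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1"/>
  </policy>
</busconfig>"""

# Constructed sample: wildcard bind, anonymous auth, and an allow not tied to a sender.
RISKY_CONF = """<busconfig>
  <listen>tcp:host=10.0.0.5,bind=*,port=55556,family=ipv4</listen>
  <policy context="default">
    <allow receive_path="/org/fedoraproject/FirewallD1"/>
  </policy>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>"""


def audit_busconfig(xml_text: str) -> list:
    # Return human-readable findings; an empty list means nothing was flagged.
    root = ET.fromstring(xml_text)
    findings = []
    for listen in root.iter("listen"):
        addr = (listen.text or "").strip()
        if addr.startswith("tcp:"):
            params = dict(kv.split("=", 1) for kv in addr[4:].split(",") if "=" in kv)
            # bind defaults to host; "*" or 0.0.0.0 exposes the bus on every interface
            if params.get("bind", params.get("host")) in (None, "*", "0.0.0.0"):
                findings.append("tcp listener bound to all interfaces: " + addr)
    # the ANONYMOUS mechanism lets any peer that can reach the port talk to the bus
    if any((a.text or "").strip().upper() == "ANONYMOUS" for a in root.iter("auth")):
        findings.append("ANONYMOUS auth mechanism enabled")
    if root.find("allow_anonymous") is not None:
        findings.append("allow_anonymous enabled")
    for policy in root.iter("policy"):
        if policy.get("context") == "default":
            # rules match in order and the last match wins: an allow on the path needs a sender
            for rule in policy:
                if (rule.tag == "allow" and rule.get("receive_path") == FIREWALLD_PATH
                        and rule.get("receive_sender") is None):
                    findings.append("default policy allows firewalld path for any sender")
    return findings
```

Feed audit_busconfig the contents of /etc/dbus-1/system.conf and the fragments under /usr/share/dbus-1/system.d/ after editing the policy. It checks only the D-Bus ACL layer; the layer 1 iptables restriction on the port is still needed.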

How to output debug logs?

-v 5 // full log
-v 4 // info log
-v 2 // no log

Run

Migration

make build && \
    ./_output/firewalld-gateway  --migration --sql-driver=sqlite --config firewalld-gateway.toml -v 5

Run

make build && \
    ./_output/firewalld-gateway --sql-driver=sqlite  --config firewalld-gateway.toml -v 5


firewalld-gateway's People

Contributors

cylonchau


firewalld-gateway's Issues

Errors Establishing communication with dbus

Getting DBUS working on a tcp socket

This library establishes a connection to dbus over TCP. The problem is getting dbus to work with TCP on my Rocky Linux distro (RHEL-based).

[root@startup-job-1 firewalld-gateway]# uname -a
Linux startup-job-1 5.14.0-427.20.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jun 7 14:51:39 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  1. Using CentOS 7 is not an option.
  2. Using the provided Docker image or Debian-based distros is not an option; Rocky Linux 9 is required.

The first issue is that this distro no longer uses dbus-daemon but dbus-broker-launch.

cat /usr/lib/systemd/system/dbus-broker.service

[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-broker-launch(1)
DefaultDependencies=false
Before=basic.target shutdown.target
Requires=dbus.socket
Conflicts=shutdown.target

[Service]
Type=notify
Sockets=dbus.socket
OOMScoreAdjust=-900
LimitNOFILE=16384
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
ExecStart=/usr/bin/dbus-broker-launch --scope system --audit
ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig

[Install]
Alias=dbus.service

As such, following this method to open TCP doesn't work.
https://stackoverflow.com/questions/61327052/linux-dbus-remote-tcp-connection-with-systemd-fails

Modify /usr/lib/systemd/system/dbus.socket

[Unit]
Description=D-Bus System Message Bus Socket

[Socket]
ListenStream=/run/dbus/system_bus_socket
ListenStream=55556 # <-- added this line

[Install]
WantedBy=sockets.target

Adding that results in the following error:
Error: dbus-broker-launch[2476921]: More than one listener socket passed

dbus-broker doesn't like multiple listen streams specified in dbus.socket, so we use dbus-daemon instead. This is what CentOS 7 (Rocky Linux's predecessor) uses.

Create a new system file at: /usr/lib/systemd/system/dbus.service

[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket

[Service]
ExecStart=/usr/bin/dbus-daemon --address=systemd: --system --nofork --nopidfile --systemd-activation --syslog-only
ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900

[Install]
# Make sure that services can still refer to this under the name of the
# old SysV script (messagebus).
Alias=dbus.service messagebus.service
WantedBy=multi-user.target

Create the uranus busconfig

cat  /usr/share/dbus-1/system.d/Uranus.conf

This is included by the system.conf file

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <listen>tcp:host=10.108.0.17,bind=*,port=55556,family=ipv4</listen>
  <listen>unix:tmpdir=/tmp</listen>

  <policy context="default">
      <deny receive_path="org.fedoraproject.FirewallD1" /> <!-- restrict all requests -->
      <allow user="root" />
      <allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register with dbus-daemon -->
      <!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
      <allow receive_sender="com.github.cylonchau.Uranus" receive_path="org.fedoraproject.FirewallD1" />
  </policy>

  <auth>ANONYMOUS</auth>
  <allow_anonymous/>

</busconfig>

To resolve this, I use dbus-daemon instead:

systemctl stop dbus
systemctl stop dbus.socket
dnf install dbus-daemon
systemctl daemon-reload
systemctl start dbus

Note: Make sure you have password access to your machine in case dbus crashes on reboot.

Confirm that DBUS is listening on TCP

netstat -tulpn | grep 55556
0.0.0.0:55556           0.0.0.0:*               LISTEN      2502463/dbus-daemon

Finally, we now have dbus listening on TCP.

Next,

Establishing connection to Uranus


Error when attempting to create a host on the local machine:

https://uranus.com/fw/v1/dashboard?ip=0.0.0.0

dbus-daemon[12158]: [system] Unable to set up new connection: Failed to read an SELinux context from connection
I0825 04:56:45.184303   12200 structure.go:38] Start connect to D-Bus service: 0.0.0.0:55556
E0825 04:56:45.185505   12200 structure.go:73] Connect to firewalld service failed: write tcp 127.0.0.1:38896->127.0.0.1:55556: write: broken pipe

Removing the following line from /usr/share/dbus-1/system.conf and restarting the service results in the same error:
==> /var/log/pmond/dbus-daemon.log <==
dbus-daemon[12564]: [system] Unable to set up new connection: Failed to read an SELinux context from connection

Disabling SELinux (not Permissive or Enabled) and rebooting is the only solution I've found to suppress this error.

After rebooting the machine and attempting to list the host:

I0825 06:47:57.345890     849 structure.go:38] Start connect to D-Bus service: 10.108.0.17:55556
E0825 06:47:57.390132     849 structure.go:73] Connect to firewalld service failed: Name "org.fedoraproject.FirewallD1" does not exist

Adding this line to the firewalld bus policy resolves this error:

    <allow send_destination="org.fedoraproject.FirewallD1"
        send_interface="com.github.cylonchau.Uranus"/>
cat  /usr/share/dbus-1/system.d/FirewallD.conf
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root can own the service and send signals -->
  <policy user="root">
    <allow own="org.fedoraproject.FirewallD1"/>
    <allow own="org.fedoraproject.FirewallD1.config"/>
    <allow send_destination="org.fedoraproject.FirewallD1"/>
    <allow send_destination="org.fedoraproject.FirewallD1.config"/>
  </policy>

  <!-- Allow anyone to invoke methods on the interfaces,
       authorization is performed by PolicyKit -->
  <policy context="default">
    <allow send_destination="org.fedoraproject.FirewallD1"/>
    <allow send_destination="org.fedoraproject.FirewallD1"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.fedoraproject.FirewallD1"
      send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.fedoraproject.FirewallD1"
      send_interface="com.github.cylonchau.Uranus"/> <!-- added this line -->
    <allow send_destination="org.fedoraproject.FirewallD1.config"/>
  </policy>

</busconfig>
systemctl restart dbus
systemctl restart firewalld

Now restarting dbus and attempting to list the policies again in the Uranus UI gives a new error:

I0825 06:40:11.095623     849 structure.go:38] Start connect to D-Bus service: 10.108.0.17:55556
E0825 06:40:11.142885     849 structure.go:73] Connect to firewalld service failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: Could not determine UID for ':1.23'

Subsequent requests result in the same error with an incremented UID:

E0825 06:40:11.142885     849 structure.go:73] Connect to firewalld service failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: Could not determine UID for ':1.24'

Build failure

Hi,
I tried to build an image with the Dockerfile in your project,
but it reported a failure:
docker build -t firewalld-gateway:20230516 -f Dockerfile .

Why did it fail to generate the binary?

404 page not found

Hi, I can't get to install the app, after cloning the repository and building it with make, all I get after executing the binary and going to the URL of the web server is "404 page not found". Any idea of what's happening? Thanks

What are the username and password?

1. Could you provide the compiled binary executable, i.e. the built file?
2. When deploying with Docker, do operations in the web UI take effect on the host machine, or inside the container?
3. What are the default username and password?
