
rfw's People

Contributors

greg-sk, securitykiss-com


rfw's Issues

New version and long-term use

This solves a very particular problem that I have where I need fail2ban to control an Asus Merlin firewall. I have forked your code and made some rather significant changes to the API as well as function. It is still based on Python 2.7 as my router has python2 out of the box.

I have been running this code for a couple of days on my router and while it does need some polishing, it pretty much satisfies all my needs. Would you be interested in merging these two repos? My code is at alephnull/rfw.

A summary of changes:

  • API now uses JSON body for rule parameters
  • Chains can now be created
  • CLI client implemented
  • Debian package can be built

I am planning on packaging this for entware after I improve the tooling.

Python

From reading the information, Python 2.7 is required. Will there be an update to work with Python 3.x?

What is the problem?

2017-09-12 00:02:38,492 INFO rfw.py:283.main() - Logging to file: /var/log/rfw.log
2017-09-12 00:02:38,492 INFO rfw.py:284.main() - File log level: DEBUG
2017-09-12 00:02:38,493 ERROR rfwconfig.py:66.init() - Configuration error in /etc/rfw/rfw.conf: 'NoneType' object has no attribute 'group'
2017-09-12 00:02:39,598 INFO rfw.py:283.main() - Logging to file: /var/log/rfw.log
2017-09-12 00:02:39,598 INFO rfw.py:284.main() - File log level: DEBUG
2017-09-12 00:02:39,599 ERROR rfwconfig.py:66.init() - Configuration error in /etc/rfw/rfw.conf: 'NoneType' object has no attribute 'group'
2017-09-12 00:02:41,704 INFO rfw.py:283.main() - Logging to file: /var/log/rfw.log
2017-09-12 00:02:41,704 INFO rfw.py:284.main() - File log level: DEBUG
2017-09-12 00:02:41,706 ERROR rfwconfig.py:66.init() - Configuration error in /etc/rfw/rfw.conf: 'NoneType' object has no attribute 'group'
2017-09-12 00:02:44,813 INFO rfw.py:283.main() - Logging to file: /var/log/rfw.log
2017-09-12 00:02:44,813 INFO rfw.py:284.main() - File log level: DEBUG
2017-09-12 00:02:44,814 ERROR rfwconfig.py:66.init() - Configuration error in /etc/rfw/rfw.conf: 'NoneType' object has no attribute 'group'

Getting Reject Rules from Server

I noticed that you are able to apply a reject connection response via the RFW client to server. But when you try to receive a list of the current rules it does not show up. Then when you try to re-add the same rule it says the rule already exists. Getting the current rules on the RFW server, it shows the rule is there. Are you going to add support of Reject?

ipset

Hello,

Do you plan to update/improve rfw?
A very good improvement would be usage of ipset (maybe instead of iptables).
ipset is designed to be much more scalable than iptables (storing much more rules, IPs etc.).
And I guess an automated firewall in real life can have lots lots lots of rules that could really slow down the traffic if not using some tools like ipset.

Thanks a lot for what has already been done.

Jean

Put a rule before the last one

I want to have a configuration with the last rule as "-A INPUT -j DROP" but, after this, I want to add a rule before this drop-all statement.

How to accomplish that?

Feature Request

Add option for -A
Another important thing needed. I'm setting up some kind of authenticator before allowing access to the main machine, and so what I do is when the authenticator allows it, it adds the IP to iptables of the main machine. Now as soon as the user leaves I want to remove the IP from iptables.
So I need something like
iptables -D INPUT -s x.x.x.x -j ACCEPT

Is this possible?

403 Forbidden access when new client is added

Hello rfwers,
I work on CentOS 6.9. I have installed 1 rfw REST server and 1 rfw REST client. Everything is OK, the client sends to the server perfectly.

After that I wanted to add other new clients. I copied the CA certificates to the new clients and added their IP addresses to the whitelist file on the rfw server.
When I run this command curl -v --cacert config/deploy/client/ca.crt --user myuser:mypasswd -XPUT https://<server_ip>:7393/drop/input/eth0/1.2.3.4 on the new clients I get this error:

rfw-forbidden-403

How can I fix this problem?
Other question: how can I let the rfw service work forever?

Thank you in advance!
