firewalld-gateway

module

v0.0.5 Latest Latest Go to latest Published: May 17, 2023 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cylonchau/firewalld-gateway

Links

Open Source Insights

README ¶

Uranus

Uranus is a Linux firewalld central controller. In Greek mythology, Uranus king of gods. The firewall gateway is the Uranus for iptables.

Show

Show picture

▶ Click ◀

Show Video

In China ▶ bilibili ◀
In World ▶ YouTube ◀

Features

Full firewalld features
Full D-BUS API convert to REST API.(currently converted OS debian11, centos7)
Based dbus remotely.
Declarative API and Imperative API.
Asynchronous batch interface (only add).
Can control thousands of linux machine via firewall gateway remotely.
Support change tempate of thousands of machine fastly.
Support wrong operation backoff.
Support delay command effect.
Support iptables NAT ipset timer task.
Support template switch (only enable db).
Only HTTP Service (without store).
UI based VUE-element-admin.
Support datacenter tag and machine management.
Support SQLite & MySQL databases.

TODO

Asynchronous batch process
optional API on (v3 only)
security policy
Delay task
UI
Authtication.
Deplyment on Kubernetes & Docker
Prometheus Metics.
WAF SDK.

Deploy

To Compiling Uranus, execute following command:

git clone ..
make

To deploy Uranus on kubernetes, execute following command:

kubectl apply -f https://raw.githubusercontent.com/cylonchau/firewalld-gateway/main/deploy/deployment.yaml

To run Uranus on docker, execute following command:

docker run -d --rm  cylonchau/uranus

if you think update you dbus-daemon verion to lasest, can use dbus.spec make your package.

use

HTTP API DOC

v1 runtime resource.
v2 permanent resource.
v3 Asynchronous batck opreation.

FAQ

Why not use ssh or ansible tools.

Because D-Bus support remotely and firewalld implemented full D-Bus API, so we can batch manage iptables rules via firealld.

How diffrence your project and other

firewall gateway implemented full dbus API convert to HTTP API, so can control thousands of machine via gateway. And ohter project update iptables via agent scripts. or only run on one machines.

Is enable D-Bus remotely safe?

We can open D-Bus port only accpet gateway's IP, so is safed

default if you machine hacked, enable of disable D-Bus remote, it doesn't make any sense. Because hacker can run any command on your machine.

If you machine Is safe, so we can through open D-Bus port only accpet gateway's IP, so can management iptables rules via gateway and UI

For example

The layer 1, you can add iptables rule restrict dbus tcp port.
The layer 2, you can use dbus ACL restrict request.

To edit /etc/dbus-1/system.conf, example.

<policy context="default">
    <deny receive_path="/org/fedoraproject/FirewallD1" /> <!-- restrict all request -->
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" /> <!-- allow uranus resiger to dbus-daemon -->
    <!-- if requseter is com.github.cylonchau.Uranus and request path is /org/fedoraproject/FirewallD1, then allow  -->
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>

How to output debug ?

-v 5 // full log
-v 4 // info log
-v 2 // no log

Screenshot

Directories ¶

Path	Synopsis
apis
cmd
config
server
apis
app
app/auth
app/firewalld/host
app/firewalld/tag
app/firewalld/template
app/firewalld/token
app/firewalld/v1
app/firewalld/v2
app/firewalld/v3
app/middlewares
app/router
batch_processor
utils
auther
firewalld
model

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL