firewalld-gateway

module
v0.0.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 17, 2023 License: MIT

README

Uranus

Uranus is a Linux firewalld central controller. In Greek mythology, Uranus king of gods. The firewall gateway is the Uranus for iptables.

Show

Show picture

Click

Show Video

Features

  • Full firewalld features
  • Full D-BUS API convert to REST API.(currently converted OS debian11, centos7)
  • Based dbus remotely.
  • Declarative API and Imperative API.
  • Asynchronous batch interface (only add).
  • Can control thousands of linux machine via firewall gateway remotely.
  • Support change tempate of thousands of machine fastly.
  • Support wrong operation backoff.
  • Support delay command effect.
  • Support iptables NAT ipset timer task.
  • Support template switch (only enable db).
  • Only HTTP Service (without store).
  • UI based VUE-element-admin.
  • Support datacenter tag and machine management.
  • Support SQLite & MySQL databases.

TODO

  • Asynchronous batch process
  • optional API on (v3 only)
  • security policy
  • Delay task
  • UI
  • Authtication.
  • Deplyment on Kubernetes & Docker
  • Prometheus Metics.
  • WAF SDK.

Deploy

To Compiling Uranus, execute following command:

git clone ..
make

To deploy Uranus on kubernetes, execute following command:

kubectl apply -f https://raw.githubusercontent.com/cylonchau/firewalld-gateway/main/deploy/deployment.yaml

To run Uranus on docker, execute following command:

docker run -d --rm  cylonchau/uranus

if you think update you dbus-daemon verion to lasest, can use dbus.spec make your package.

use

HTTP API DOC

  • v1 runtime resource.
  • v2 permanent resource.
  • v3 Asynchronous batck opreation.

FAQ

Why not use ssh or ansible tools.

Because D-Bus support remotely and firewalld implemented full D-Bus API, so we can batch manage iptables rules via firealld.

How diffrence your project and other

firewall gateway implemented full dbus API convert to HTTP API, so can control thousands of machine via gateway. And ohter project update iptables via agent scripts. or only run on one machines.

Is enable D-Bus remotely safe?

We can open D-Bus port only accpet gateway's IP, so is safed

default if you machine hacked, enable of disable D-Bus remote, it doesn't make any sense. Because hacker can run any command on your machine.

If you machine Is safe, so we can through open D-Bus port only accpet gateway's IP, so can management iptables rules via gateway and UI

For example

  • The layer 1, you can add iptables rule restrict dbus tcp port.
  • The layer 2, you can use dbus ACL restrict request.

To edit /etc/dbus-1/system.conf, example.

<policy context="default">
    <deny receive_path="/org/fedoraproject/FirewallD1" /> <!-- restrict all request -->
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" /> <!-- allow uranus resiger to dbus-daemon -->
    <!-- if requseter is com.github.cylonchau.Uranus and request path is /org/fedoraproject/FirewallD1, then allow  -->
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>
How to output debug ?
-v 5 // full log
-v 4 // info log
-v 2 // no log

Screenshot

Directories

Path Synopsis
apis
app
app/auth
app/firewalld/host
app/firewalld/tag
app/firewalld/template
app/firewalld/token
app/firewalld/v1
app/firewalld/v2
app/firewalld/v3
app/middlewares
app/router
batch_processor
utils
auther
firewalld
model

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.