Skip to main content
Version: Next

Firewall Bouncer

๐Ÿ“š Documentation๐Ÿ’  Hub๐Ÿ’ฌ Discourse

Crowdsec bouncer written in golang for firewalls.

crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.

Supported firewalls:

  • iptables (IPv4 โœ”๏ธ / IPv6 โœ”๏ธ )
  • nftables (IPv4 โœ”๏ธ / IPv6 โœ”๏ธ )
  • ipset only (IPv4 โœ”๏ธ / IPv6 โœ”๏ธ )
  • pf (IPV4 โœ”๏ธ / IPV6 โœ”๏ธ )

Installation#

Using packages#

Packages for crowdsec-firewall-bouncer are available on our repositories. You need to pick the package accord to your firewall system :

IPTables#

sudo apt install crowdsec-firewall-bouncer-iptables

NFTables#

sudo apt install crowdsec-firewall-bouncer-nftables

Manual installation#

Assisted#

First, download the latest crowdsec-firewall-bouncer release.

$ tar xzvf crowdsec-firewall-bouncer.tgz$ sudo ./install.sh

From source#

Run the following commands:

git clone https://github.com/crowdsecurity/cs-firewall-bouncer.gitcd cs-firewall-bouncer/make releasetar xzvf crowdsec-firewall-bouncer.tgzcd crowdsec-firewall-bouncer-v*/sudo ./install.sh

Upgrade#

If you already have crowdsec-firewall-bouncer installed, please download the latest release and run the following commands:

tar xzvf crowdsec-firewall-bouncer.tgzcd crowdsec-firewall-bouncer-v*/sudo ./upgrade.sh

Configuration#

note : this is only relevant for "manual" or "from source" installation, as packages would take care of all the needed configuration

To be functional, the crowdsec-firewall-bouncer service must be able to authenticate with the local API. The install.sh script will take care of it (it will call cscli bouncers add on your behalf). If it was not the case, the default configuration file is located under : /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
mode: "iptables"pid_dir: "/var/run/"update_frequency: "10s"daemonize: truelog_mode: "file"log_dir: "/var/log/"log_level: "info"api_url: "<API_URL>"  # when install, default is "localhost:8080"api_key: "<API_KEY>"  # Add your API key generated with `cscli bouncers add --name <bouncer_name>`disable_ipv6: "false"deny_mode: "DROP"deny_log: "false#deny_log_prefix: "crowdsec: "#if present, insert rule in those chainsiptables_chains:  - "INPUT"  - "FORWARD"
  • mode can be set to iptables, nftables , ipset or pf
  • update_frequency controls how often the bouncer is going to query the local API
  • api_url and api_key control local API parameters.
  • iptables_chains allows (in iptables mode) to control in which chain rules are going to be inserted. (if empty, bouncer will only maintain ipset lists)
  • disable_ipv6 - set to true to disable ipv6
  • deny_mode - what action to use to deny, one of DROP or REJECT
  • deny_log - set this to true to add a log statement to the firewall rule
  • deny_log_prefix - if logging is true, this sets the log prefix, defaults to "crowdsec: "

You can then start the service:

Start CrowdSec service
sudo systemctl start crowdsec-firewall-bouncer

logs#

logs can be found in /var/log/crowdsec-firewall-bouncer.log

modes#

  • mode nftables relies on github.com/google/nftables to create table, chain and set.
  • mode iptables relies on iptables and ipset commands to insert match-set directives and maintain associated ipsets
  • mode ipset relies on ipset and only manage contents of the sets (they need to exist at startup and will be flushed rather than created)
  • mode pf relies on pfctl command to alter the tables. You are required to create the following tables on your pf.conf configuration:
 # create crowdsec ipv4 tabletable <crowdsec-blacklists> persist
# create crowdsec ipv6 tabletable <crowdsec6-blacklists> persist

You can refer to step by step instructions of the user tutorial on FreeBSD to setup crowdsec-firewall-bouncer with pf.

ipset#

ipset lists have to exits before crowdsec-firewall-bouncer starts you could create them and add them to your iptables like this:

ipset create crowdsec-blacklists hash:ip timeout 0 maxelem 150000ipset create crowdsec6-blacklists hash:ip timeout 0 family inet6 maxelem 150000iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROPip6tables -I INPUT 1 -m set --match-set crowdsec6-blacklists src -j DROP