Windows Firewall

📚 Documentation 💠 Hub 💬 Discourse

ModeStream only

MetricsUnsupported

MTLSSupported

PrometheusUnsupported

Overview

The Windows firewall Remediation Component interacts with the Windows Firewall to block IPs banned by CrowdSec.

It will create multiple rules in the firewall (one rule will contain 1000 IPs) and will manage their lifecycle.

The rules are created on startup and automatically deleted when the component stops.

Installation

warning

The .NET 10 runtime is required for the component to work !

You can download the MSI installer from the github releases: https://github.com/crowdsecurity/cs-windows-firewall-bouncer/releases

You can also install the component with Chocolatey (this will automatically install the .NET runtime):

PS1

choco install crowdsec-windows-firewall-bouncer

Configuration

The configuration is stored in C:\ProgramData\CrowdSec\bouncers\cs-windows-firewall-bouncer\cs-windows-firewall-bouncer.yaml

Example

YAML
api_key: <your-api-key>
api_endpoint: http://127.0.0.1:8080
log_level: info
update_frequency: 10
log_media: file
log_dir: C:\\ProgramData\\CrowdSec\\log\\
fw_profiles:
  - domain

Configuration reference

`api_key`

string

API key to use for communication with LAPI.

`api_endpoint`

string

URL of LAPI.

`update_frequency`

int

How often the component will contact LAPI to update its content in seconds.

Defaults to 10.

`log_media`

file | console

Wether to log to file or to the console.

Defaults to file when running as service and console when running in interactive mode.

`log_dir`

string

Location of the log file.

Defaults to C:\ProgramData\CrowdSec\log\.

`log_level`

trace | debug | info | warn | error | fatal

Log level.

Defaults to info.

fw_profiles

[ ]string

The firewall profile the rules will be associated with.

The component automatically select the current profile, but you can override this behaviour with this parameter.

Allowed values are:

domain
private
public

`cert_path`

string

Path to the TLS client certificate used to authenticate to LAPI with mutual TLS instead of an API key.

Must be set together with key_path.

`key_path`

string

Path to the TLS client key matching cert_path.

`ca_cert_path`

string

Path to a custom CA certificate used to validate the LAPI server certificate.

`insecure_skip_verify`

bool

Skip verification of the LAPI TLS certificate.

Defaults to false.

`scopes`

[ ]string

Only fetch decisions matching the provided scopes.

Defaults to ip and range.

`scenarios_containing`

[ ]string

Only fetch decisions linked to scenarios containing one of the provided strings.

`scenarios_not_containing`

[ ]string

Only fetch decisions linked to scenarios that do not contain any of the provided strings.

`origins`

[ ]string

Only fetch decisions originating from the provided sources (for example crowdsec, cscli or lists).

`supported_decision_type`

string

Only fetch decisions of the provided type (for example ban).

By default, all decision types are fetched.

Overview​

Installation​

Configuration​

Example​

Configuration reference​

api_key​

api_endpoint​

update_frequency​

log_media​

log_dir​

log_level​

fw_profiles​

cert_path​

key_path​

ca_cert_path​

insecure_skip_verify​

scopes​

scenarios_containing​

scenarios_not_containing​

origins​

supported_decision_type​

Overview

Installation

Configuration

Example

Configuration reference

`api_key`

`api_endpoint`

`update_frequency`

`log_media`

`log_dir`

`log_level`

fw_profiles

`cert_path`

`key_path`

`ca_cert_path`

`insecure_skip_verify`

`scopes`

`scenarios_containing`

`scenarios_not_containing`

`origins`

`supported_decision_type`