
rfw tutorial - remote firewall with REST API

Overview

rfw is a RESTful server that applies iptables rules to block or allow IP addresses on request from a remote client. rfw maintains the list of blocked IP addresses, which may be updated on the fly from many sources.

rfw is an open source project developed by SecurityKISS. See the rfw source and description on GitHub.

Example

This tutorial shows how to install and deploy rfw in the following example setup:

In this use case we administer two web servers in different locations: Toronto with IP 11.11.11.11 and Berlin with IP 22.22.22.22. We also have an IP reputation server that collects data from various sources such as an IP geolocation database, IP blocklist services, and spam and botnet honeypots. The purpose of the IP reputation server is to proactively prevent attacks and abuse on the two web servers.

We want the IP reputation server to be able to block, on the fly, selected IP addresses or subnets that are a common source of abuse.

To do this we deploy rfw on the two web servers, and the IP reputation server acts as a client. The rfw server exposes an SSL-secured REST API for the iptables firewall, while the client can use any HTTP utility such as curl. As administrators we also want to make ad hoc firewall modifications from a laptop.

Deployment

Install rfw on the web servers and on the admin laptop:

pip install rfw

You can also install rfw from the tarball with the standard:

python setup.py install

On a trusted machine (read: the admin laptop) generate the necessary keys and certificates:

cd /etc/rfw/deploy/
./rfwgen 11.11.11.11
./rfwgen 22.22.22.22

For a detailed description see the rfwgen README.

Copy the rfw server keys to the corresponding machines:

scp /etc/rfw/deploy/server_11.11.11.11/server.key root@11.11.11.11:/etc/rfw/ssl/
scp /etc/rfw/deploy/server_11.11.11.11/server.crt root@11.11.11.11:/etc/rfw/ssl/
scp /etc/rfw/deploy/server_22.22.22.22/server.key root@22.22.22.22:/etc/rfw/ssl/
scp /etc/rfw/deploy/server_22.22.22.22/server.crt root@22.22.22.22:/etc/rfw/ssl/

Copy the CA certificate to the clients:

scp /etc/rfw/deploy/client/ca.crt user@99.99.99.99:/home/user/ca.crt
cp /etc/rfw/deploy/client/ca.crt /home/me/ca.crt # assuming we are on admin laptop

Edit /etc/rfw/rfw.conf on 11.11.11.11 and 22.22.22.22 to configure the rfw servers. Make sure that the following options are set:

outward.server.certfile = /etc/rfw/ssl/server.crt
outward.server.keyfile = /etc/rfw/ssl/server.key
auth.username = your_username_here
auth.password = your_password_here

Edit /etc/rfw/white.list on 11.11.11.11 and 22.22.22.22 to whitelist the clients (single addresses or CIDR subnets, one per line):

99.99.99.99
88.88.88.0/24

Start the rfw server:

rfw &

For debugging you can start the rfw server in the foreground in verbose mode:

rfw -v

Testing

From the admin laptop

Block a bad IP address for 5 minutes:

curl -i --cacert /home/me/ca.crt --user your_username_here:your_password_here -XPUT https://11.11.11.11:7393/drop/eth/1.2.3.4?expire=5m

Check that the rule is present now and gone after 5 minutes:

curl -i --cacert /home/me/ca.crt --user your_username_here:your_password_here https://11.11.11.11:7393/list

Make the IP reputation server issue similar requests using any HTTP client or library.
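The following is an added example (Python 3) of such a client for the IP reputation server; it is not part of the rfw project. It assumes only the REST calls shown above (PUT /drop/eth/<ip>?expire=5m and GET /list), HTTP basic auth, and the ca.crt produced by rfwgen. Putting a subnet in the target path, the interface-name rule, and expire units other than "m" are this example's own assumptions; the host, credentials and the bad-IP feed are constructed placeholders. The point it adds to the curl calls is that feed data is validated before it is placed in the request path, so a malformed or hostile feed entry such as "1.2.3.4/../list" never reaches the firewall API.

```python
"""Minimal rfw client for the IP reputation server (added example, not rfw code)."""
import base64
import ipaddress
import re
import ssl
import urllib.request
from urllib.parse import urlencode

# The tutorial shows "5m"; accepting s/h/d suffixes too is an assumption of this example.
EXPIRE_RE = re.compile(r"^[1-9][0-9]*[smhd]$")
# Assumed interface naming rule ("eth" in the tutorial); also rejects path tricks.
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")


def validate_target(target):
    """Return the canonical form of an IP address or CIDR subnet.

    Anything that is not a well-formed address or network (for example
    "1.2.3.4/../list" or "not-an-ip") raises ValueError, so untrusted feed
    data can never alter the request path sent to rfw.
    """
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    try:
        # strict=True rejects "1.2.3.4/24" (host bits set); "1.2.3.0/24" is accepted.
        return str(ipaddress.ip_network(target, strict=True))
    except ValueError:
        raise ValueError("not an IP address or CIDR subnet: %r" % (target,))


def validate_expire(expire):
    """Accept only a plain duration such as 5m; reject anything else."""
    if not EXPIRE_RE.match(expire):
        raise ValueError("bad expire value: %r" % (expire,))
    return expire


def drop_url(base_url, iface, target, expire):
    """Build the PUT URL, e.g. https://11.11.11.11:7393/drop/eth/1.2.3.4?expire=5m"""
    if not IFACE_RE.match(iface):
        raise ValueError("bad interface name: %r" % (iface,))
    path = "/drop/%s/%s" % (iface, validate_target(target))
    query = urlencode({"expire": validate_expire(expire)})
    return "%s%s?%s" % (base_url.rstrip("/"), path, query)


def basic_auth_header(username, password):
    """Same Authorization header value that curl --user sends."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


class RfwClient:
    """Talks to one rfw server over TLS, trusting only the rfwgen CA (like curl --cacert)."""

    def __init__(self, base_url, username, password, ca_file):
        self.base_url = base_url.rstrip("/")
        self.auth = basic_auth_header(username, password)
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def _request(self, method, url):
        req = urllib.request.Request(url, method=method)
        req.add_header("Authorization", self.auth)
        with urllib.request.urlopen(req, context=self.ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")

    def drop(self, iface, target, expire):
        return self._request("PUT", drop_url(self.base_url, iface, target, expire))

    def list_rules(self):
        return self._request("GET", self.base_url + "/list")


if __name__ == "__main__":
    # Constructed sample feed: entries the reputation server might have collected.
    BAD_FEED = ["1.2.3.4", "5.6.7.0/24", "1.2.3.4/../list", "not-an-ip"]
    client = RfwClient("https://11.11.11.11:7393", "your_username_here",
                       "your_password_here", "/home/me/ca.crt")
    for entry in BAD_FEED:
        try:
            status, body = client.drop("eth", entry, "5m")
            print(entry, "->", status)
        except ValueError as exc:
            print("skipped malformed entry:", exc)  # never sent to rfw
        except OSError as exc:
            print("request failed:", exc)  # TLS or network error
    try:
        print(client.list_rules()[1])
    except OSError as exc:
        print("list failed:", exc)
```

Run it on the reputation server with the same ca.crt that was copied there; the validation functions also serve as a unit-testable place to tighten the rules (for example restricting subnets to a minimum prefix length) before a block request is ever issued.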