Version: v1.0

Firewall Bouncer

Crowdsec bouncer written in golang for firewalls.

crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.

Supported firewalls:

iptables (IPv4 ✔️ / IPv6 ✔️ )
nftables (IPv4 ✔️ / IPv6 ✔️ )
ipset only (IPv4 ✔️ / IPv6 ✔️ )
pf (IPV4 ✔️ / IPV6 ✔️ )

Installation#

Using packages#

Packages for crowdsec-firewall-bouncer are available on our repositories. You need to pick the package accord to your firewall system:

IPTables#

Debian/Ubuntu
RHEL/Centos/Fedora
FreeBSD

sudo apt install crowdsec-firewall-bouncer-iptables

sudo yum install crowdsec-firewall-bouncer-iptables

sudo pkg install crowdsec-firewall-bouncer

NFTables#

Debian/Ubuntu
RHEL/Centos/Fedora
FreeBSD

sudo apt install crowdsec-firewall-bouncer-nftables

sudo yum install crowdsec-firewall-bouncer-nftables

sudo pkg install crowdsec-firewall-bouncer

Manual installation#

Assisted#

First, download the latest crowdsec-firewall-bouncer release.

$ tar xzvf crowdsec-firewall-bouncer.tgz$ sudo ./install.sh

From source#

Run the following commands:

git clone https://github.com/crowdsecurity/cs-firewall-bouncer.gitcd cs-firewall-bouncer/make releasetar xzvf crowdsec-firewall-bouncer.tgzcd crowdsec-firewall-bouncer-v*/sudo ./install.sh

Upgrade#

If you already have crowdsec-firewall-bouncer installed, please download the latest release and run the following commands:

tar xzvf crowdsec-firewall-bouncer.tgzcd crowdsec-firewall-bouncer-v*/sudo ./upgrade.sh

Configuration#

note : this is only relevant for "manual" or "from source" installation, as packages would take care of all the needed configuration

To be functional, the crowdsec-firewall-bouncer service must be able to authenticate with the local API. The install.sh script will take care of it (it will call cscli bouncers add on your behalf). If it was not the case, the default configuration file is located under : /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

mode: "iptables"pid_dir: "/var/run/"update_frequency: "10s"daemonize: truelog_mode: "file"log_dir: "/var/log/"log_level: "info"api_url: "<API_URL>"  # when install, default is "localhost:8080"api_key: "<API_KEY>"  # Add your API key generated with `cscli bouncers add --name <bouncer_name>`disable_ipv6: "false"deny_mode: "DROP"deny_log: "false#deny_log_prefix: "crowdsec: "#if present, insert rule in those chainsiptables_chains:  - "INPUT"  - "FORWARD"

mode can be set to iptables, nftables , ipset or pf
update_frequency controls how often the bouncer is going to query the local API
api_url and api_key control local API parameters.
iptables_chains allows (in iptables mode) to control in which chain rules are going to be inserted. (if empty, bouncer will only maintain ipset lists)
disable_ipv6 - set to true to disable ipv6
deny_mode - what action to use to deny, one of DROP or REJECT
deny_log - set this to true to add a log statement to the firewall rule
deny_log_prefix - if logging is true, this sets the log prefix, defaults to "crowdsec: "

You can then start the service:

Start CrowdSec service

sudo systemctl start crowdsec-firewall-bouncer

logs#

logs can be found in /var/log/crowdsec-firewall-bouncer.log

modes#

mode nftables relies on github.com/google/nftables to create table, chain and set.
mode iptables relies on iptables and ipset commands to insert match-set directives and maintain associated ipsets
mode ipset relies on ipset and only manage contents of the sets (they need to exist at startup and will be flushed rather than created)
mode pf relies on pfctl command to alter the tables. You are required to create the following tables on your pf.conf configuration:

 # create crowdsec ipv4 tabletable <crowdsec-blacklists> persist
# create crowdsec ipv6 tabletable <crowdsec6-blacklists> persist

You can refer to step by step instructions of the user tutorial on FreeBSD to setup crowdsec-firewall-bouncer with pf.