Skip to content
UPPERSAFE Open Source Firewall
Branch: master
Clone or download
Latest commit 698d6c2 Feb 10, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
assets Add supervisorctl config file Oct 18, 2018
daemon Improve readability of the web interface Aug 1, 2018
feeds Fix bug in relation with feeds caching files Jul 17, 2018
models Improve readability of the web interface Aug 1, 2018
tests Fix deprecated dynamic import Jul 3, 2018
utils
webapp
.gitignore
.travis.yml Fix deprecated dynamic import Jul 3, 2018
README.md
config.default.yml
osfw.py Add help message and avoid multiple launch of same component in screen Jul 13, 2018
requirements.txt Initial commit Jun 26, 2018
run.sh Fix run script in case osfw is not configured with supervisorctl Oct 18, 2018

README.md

UPPERSAFE

UPPERSAFE Open Source Firewall

Build status Python 3.4|3.5|3.6

OSFW is a firewall written in Python that provides an IP / domain filtering based on a collection of threat intelligence public feeds. It relies on underlying dependencies like iptables (netfilter) and unbound.

It blocks in real time incoming and outcoming traffic considered as malicious (matching the filtering rules automatically set up for each threat).

It also provides a secure DNS service that blocks different kind of malicious servers (phishing websites, malware hosting, malvertising, C&C servers, etc).

Summary

Firewall components

OSFW includes 3 main components:

Name Description
osfw-sensor In charge of monitoring and logging the requests blocked by the firewall
osfw-syncfw In charge of collecting and syncing the threat intelligence feeds
osfw-webapp In charge of managing the web interface (work in progress)

Screenshot

Quick start

Install the dependencies with your package manager (for example apt on Ubuntu or yum on Fedora):

apt install python3 virtualenv iptables unbound systemd supervisor screen

Install the virtual environment:

cd uppersafe-osfw
virtualenv -p python3 venv
source venv/bin/activate && pip install -r requirements.txt

Start the firewall components:

bash run.sh

Attach a screen:

screen -r osfw-sensor
screen -r osfw-syncfw
screen -r osfw-webapp

Automatically launch the firewall at startup (supervisorctl will be used instead of screen):

ln -s "$PWD/assets/supervisord.conf" /etc/supervisor/conf.d/osfw.conf

Configuration

It is possible to customize the behaviour of the firewall by copying the default config.default.yml file and editing your own config.yml file:

cp config.default.yml config.yml && chmod 600 config.yml

DNS service

To enable the secure DNS service, simply create a symbolic link of the unbound.conf file to the Unbound configuration directory with the following command:

ln -s "$PWD/assets/unbound.conf" /etc/unbound/unbound.conf.d/osfw.conf

Remote access

To securely enable remote access to the web interface, you need to install a web server with reverse proxy capabilities with your package manager (for example apt on Ubuntu or yum on Fedora):

apt install nginx ssl-cert

Then, create a symbolic link of the nginx.conf file to the Nginx configuration directory with the following command:

ln -s "$PWD/assets/nginx.conf" /etc/nginx/sites-enabled/osfw.conf

If you want to use your own SSL certificates instead of those provided by the ssl-cert package, don't forget to update the default nginx.conf file.

Launch mode

There are 3 ways to launch the firewall:

Mode Description
standalone This is the default mode of the firewall, in this mode the firewall works on his own without interacting with a server or a client
server In server mode the firewall dumps the threats, after processing them, to a file (by default /tmp/threats.txt) intended to be shared through an HTTP(S) server and fetched by the client
client In client mode the firewall does not process the threats, so it is recommended to only fetch the file generated by the server instead of all the feeds

Filter mode

Filtering can be achieved through 2 different methods:

Mode Description
classic Filtering is based on the INPUT chain and OUTPUT chain of iptables
forward Filtering is only based on the FORWARD chain of iptables

Miscellaneous

It happens that some legit and top ranked websites got blocked because of different reaspns, most of the time one of the following cases:

  • Their users can upload files on the main domain (file transfer providers or cloud storage providers)
  • Their users can upload files or even web pages on a subdomain (hosting providers)
  • Their users can perform URL redirect (link shortener websites)

To prevent these websites from being blocked, you can specify them as a list in the configuration file.

In case you want to edit the default list, you can use a magic keyword tld that will match any top level domain and some specific second level domain names. For example, domain.tld will match all of the following cases:

  • domain.uk
  • domain.co.uk
  • domain.com.uk
  • domain.net.uk
  • domain.org.uk
  • domain.edu.uk
  • domain.gov.uk
  • domain.jp
  • domain.co.jp
  • domain.com.jp
  • domain.net.jp
  • domain.org.jp
  • domain.edu.jp
  • domain.gov.jp

There is a way to perform a subdomain wildcard, to do so you need to use a *? instead of the subdomain (for example *?.domain.com will match domain.com and a.domain.com but not b.a.domain.com).

Dependencies

  • python3 (see also requirements.txt)
  • virtualenv
  • iptables
  • unbound
  • systemd
  • supervisor
  • screen
  • nginx
  • ssl-cert

Support

Nicolas THIBAUT (nicolas[@]uppersafe[.]com)

https://www.patreon.com/dev2lead/memberships

License

This software is provided under a GNU AGPLv3 License.

You can’t perform that action at this time.