Dnxfirewall – A Pure Python Next Generation Firewall Built On Top Of Linux Kernel/Netfilter
DNX Firewall is an optimized/higher performance assortment of purposes or services to convert a common linux program into a zone based next generation firewall. All software is built to run in conjunction with eachother, but with a modular layout sure aspects can be entirely removed with minor effort and hard work. The most important protection modules have Direct/INLINE manage about all connections, streams, messages, that goes via the procedure. That staying mentioned, based on the protocol, offloading to reduced amount management is existing to keep the highest feasible throughput with full inspection enabled. There is an IPTable personalized chain to allow for for the administrator to hook into the packet move devoid of the ability to unintentionally override dnx safety modules. A lower amount “architecture, program style” video clip will be made at some point to clearly show how this is attainable with pure python.
- DNS Proxy
- classification centered blocking (general, TLD, substring matching)
- consumer additional whitelist/blacklist or custom normal category generation
- indigenous DNS around TLS conversion with optional UDP fallback
- community dns server
- software failover
- 2 stage file caching
- IP Proxy (clear) Bi directional
- reprutation based host filtering
- geolocation filter
- lan restriction (disables web entry to the LAN for all IPs not whitelisted)
- IPS/IDS (WAN/inbound)
- Denial of services detection/avoidance
- Portscan detection/prevention
- Lightweight DHCP Server (custom)
- ip reservations
- stability inform integration
- Typical Expert services
- Log dealing with
- Database administration
- Syslog customer (UDP, TCP, TLS) Crucial: now in a beta/unstable state. this assistance will not be enabled by default and will need the service enabled to start on procedure get started.
- More Capabilities
- IPv6 disabled
- prebuilt iptable procedures
- DNS around HTTPs blocks (dns bypass avoidance)
- DNS over TCP blocks (dns bypass prevention)
- DNS above TLS blocks (dns bypass avoidance)
- all inbound connections to wan DROPPED by default
- IPTABLES customized chain for admin hook into packet flow
In advance of Managing
NEW: sqlite3 is now the default database in use (to simplify deployments). The surroundings variable “SQL_Variation” situated in dnx_configure/dnx_constants.py can be flipped to use postgresql. WARNING: switching the database utilized following original configuration may perhaps lead to troubles.
- [+] Edit data/config.json and knowledge/dhcp_server.json to reflect your process [interfaces].
- [+] Transfer all systemd company information into the units systemd folder.
- [+] Configure program interfaces. LAN demands to be Default Gateway of local community.
- [+] Compile python-netfilterqueue for your existing architecture/distro (backlink below).
- be certain title is netfilter.so and put in the dnxfirewall/netfilter folder- Take note: in the foreseeable future this stage will be wrapped into the deployment script
- [+] Compile dnx_iptools/binary_research.pyx for your present-day architecture/distro.
- make certain name is binary_search.so and put in the dnxfirewall/dnx_iptools folder- Note: in the long term this phase will be wrapped into the deployment script
- [+] Operate/ adhere to, in buy, the corresponding deployment scripts [for the selected database] to automate program set up. look at remarks in script files for much more route.
Non DNX code dependencies/sources!
https://github.com/kti/python-netfilterqueue | cython python extension for binding to linux kernel [netfilter] | THIS IS Brilliant!
https://www.ip2spot.com/cost-free/customer-blocker | geolocation ip filtering datasets
https://gitlab.com/ZeroDot1/CoinBlockerLists | cryptominer host established
https://squidblacklist.org | malicious and ad host sets
OPTIONAL: https://github.com/tlocke/pg8000 | pure python postgresql adapter
Typical Showcase Demo (out-of-date)
This movie is particularly outdated, but still displays typical operation and some of the superior degree protection implementations. an up-to-date video clip will be produced quickly which will show the newly included modules: syslog client, common logging, ips/ids, up to date dns proxy performance, up-to-date ip proxy operation, a lot more.
