
DNXFIREWALL™ and DAD'S NEXT-GEN FIREWALL™: a C/CPython hybrid next generation firewall built on top of Linux and bound to kernel/netfilter hooks for packet control.

NOTICE: The license has changed from the CMD version (GPLv3). The 'FULL' version (current branch) is licensed under AGPLv3.


dnxfirewall logo


Overview

DNXFIREWALL is an optimized, high performance collection of applications and services that convert a standard Linux system into a zone based next generation firewall. All software is designed to run in conjunction, but thanks to the modular design individual components can be removed with little effort. The primary security modules have DIRECT/INLINE control over every connection, stream, and message that goes through the system. That said, depending on the protocol, offloading to lower level control is present to maintain the highest possible throughput with full inspection enabled. Custom iptables chains allow the administrator to hook into the packet flow without worrying about accidentally overriding the control of the dnx security modules.

A low level "architecture, system design" video will be created at some point to show how this is possible with pure python.


Included Features

NEW: sqlite3 is now the default database in use (to simplify deployments). postgresql is still present on the backend, and enabling it during system deployment will be supported in a future release.

NEW: Auto deployment utility (autoloader) is now live. This should be used to deploy the system on any compatible distro. See compatible distro list for more details.

NEW: full zone based firewall rules (source and destination) and per rule based security profiles.

  • Custom packet handler

    • stateful or stateless packet inspection
    • complex packet decisions (defer packet action to security modules)
    • implemented in C
  • DNS proxy (LAN/outbound)

    • category based blocking (general, TLD, substring matching)
    • user added whitelist/blacklist or custom general category creation
    • native DNS over TLS conversion with optional UDP fallback
    • local dns server (authoritative via packet manipulation)
    • automatic software failover
    • 2 levels of record caching
  • IP proxy (transparent) bi-directional

    • reputation based host filtering (detection implemented in C)
    • geolocation filter (country blocking, detection implemented in C)
    • lan restriction (disables internet access to the LAN for all IPs not whitelisted) | Parental Control
  • IPS/IDS (WAN/inbound)

    • denial of service detection/prevention
    • portscan detection/prevention
  • Lightweight DHCP server (native software)

    • ip reservations
    • interface level control (enable/disable)
    • security alert integration
  • General Services

    • log handling
    • database management
    • syslog client (UDP, TCP, TLS) IMPORTANT: currently in a beta/unstable state. This service will not be enabled by default.
  • Additional Features

    • IPv6 disabled
    • prebuilt iptables rules for device hardening (all inbound connections to WAN DROPPED by default)
    • DNS proxy bypass prevention
      • DNS over HTTPS restricted
      • DNS over TCP restricted
      • DNS over TLS restricted
    • iptables custom chain for admin hook into packet flow (reduced impact post cfirewall implementation)
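The DNS proxy list above names several match types (general category, TLD, substring) plus a user whitelist/blacklist. The example below is an added illustration of how such a decision could be evaluated for one query name; it is not dnxfirewall's own code, and the rule layout, the precedence order (whitelist, then blacklist, then categories, then TLD, then substring) and all sample domains are constructed assumptions.

```python
# Added illustration of category based DNS blocking with whitelist precedence.
# NOT dnxfirewall code: policy layout, precedence and sample data are assumptions.
from dataclasses import dataclass, field


@dataclass
class DNSPolicy:
    general: dict = field(default_factory=dict)    # category -> set of domains
    tld: set = field(default_factory=set)          # blocked top-level domains
    substrings: set = field(default_factory=set)   # blocked substrings in the name
    whitelist: set = field(default_factory=set)    # user whitelist, wins over all
    blacklist: set = field(default_factory=set)    # user blacklist


def normalize(qname: str) -> str:
    """Strip the trailing dot of an FQDN and fold case, as DNS names are case-insensitive."""
    return qname.rstrip(".").lower()


def parents(name: str) -> list:
    """All suffixes of a name: a rule for example.com also covers www.example.com."""
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def decide(policy: DNSPolicy, qname: str) -> tuple:
    """Return (action, reason) for a query name under the assumed precedence."""
    name = normalize(qname)
    suffixes = parents(name)
    if any(s in policy.whitelist for s in suffixes):
        return ("allow", "whitelist")
    if any(s in policy.blacklist for s in suffixes):
        return ("block", "blacklist")
    for category, domains in policy.general.items():
        if any(s in domains for s in suffixes):
            return ("block", category)
    if suffixes[-1] in policy.tld:
        return ("block", "tld")
    for needle in policy.substrings:
        if needle in name:
            return ("block", "substring")
    return ("allow", None)


# Constructed sample policy (not real data).
SAMPLE_POLICY = DNSPolicy(
    general={"ads": {"ads.example.net"}, "malware": {"bad.example"}},
    tld={"zip"},
    substrings={"tracker"},
    whitelist={"cdn.bad.example"},
    blacklist={"blocked.test"},
)
```

Whitelisting `cdn.bad.example` lets that host through even though its parent `bad.example` sits in the malware category, which is the ordering a user added whitelist is expected to give.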

To deploy (using autoloader)

  1. select linux distro on compatible distro list (see below)

  2. install linux on physical hardware or a VM

    2a. (3) interfaces are required (WAN, LAN, DMZ)

    2b. create "dnx" user during install or once complete

    2c. install and make python3.8 default (if applicable)

  3. upgrade and update system

  4. install git

  5. clone https://github.com/dowrighttv/dnxfirewall.git into the "dnx" user's home directory (/home/dnx)

  6. log in as the "dnx" user and run: sudo python3 dnxfirewall/dnx_configure/dnx_autoloader.py

  7. follow prompts to associate physical interfaces to dnxfirewall zones

  8. once utility is complete, restart system and navigate to https://dnx.firewall from LAN or DMZ interface.
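Before running the autoloader (step 6), it is handy to verify that steps 2a-5 actually hold on the box. The script below is an added pre-flight check, not part of dnxfirewall; the required values come from the steps above (three interfaces, a "dnx" user, python 3.8, git, the clone under /home/dnx), while the sysfs based interface detection and the check functions themselves are assumptions.

```python
# Added pre-flight check for the autoloader deployment steps; NOT part of dnxfirewall.
import os
import pwd
import shutil
import sys
from pathlib import Path

REPO_DIR = Path("/home/dnx/dnxfirewall")   # step 5: clone location
AUTOLOADER = REPO_DIR / "dnx_configure" / "dnx_autoloader.py"   # step 6
MIN_PYTHON = (3, 8)                          # step 2c
REQUIRED_IFACES = 3                          # step 2a: WAN, LAN, DMZ


def physical_interfaces(sysfs: str = "/sys/class/net") -> list:
    """Interfaces backed by a device (excludes lo and purely virtual ones). Assumed heuristic."""
    try:
        names = os.listdir(sysfs)
    except FileNotFoundError:
        return []
    return sorted(n for n in names if os.path.exists(os.path.join(sysfs, n, "device")))


def user_exists(name: str) -> bool:
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def preflight(ifaces, have_dnx_user, py_version, have_git, have_autoloader) -> list:
    """Return (step, problem) pairs; an empty list means the system is ready for step 6."""
    problems = []
    if len(ifaces) < REQUIRED_IFACES:
        problems.append(("2a", f"need {REQUIRED_IFACES} interfaces, found {len(ifaces)}: {ifaces}"))
    if not have_dnx_user:
        problems.append(("2b", "user 'dnx' does not exist"))
    if tuple(py_version[:2]) < MIN_PYTHON:
        problems.append(("2c", "default python is %d.%d, 3.8 or newer required" % tuple(py_version[:2])))
    if not have_git:
        problems.append(("4", "git is not installed"))
    if not have_autoloader:
        problems.append(("5", f"{AUTOLOADER} not found (repo not cloned to {REPO_DIR}?)"))
    return problems


def run_checks() -> list:
    """Gather the live system facts and evaluate them."""
    return preflight(physical_interfaces(), user_exists("dnx"), tuple(sys.version_info[:3]),
                     shutil.which("git") is not None, AUTOLOADER.is_file())


if __name__ == "__main__":
    for step, msg in run_checks():
        print(f"revisit step {step}: {msg}")
```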


Compatible linux distros with dnxfirewall auto loader

  • Ubuntu server 20.04 LTS (stable)

  • Debian based distros (untested, but likely stable)

  • Non Debian based distros (not supported)


Additional info

Coded and tested live on twitch.tv.

DOWRIGHTTV


External Contributors

afallenhope - web design, ux, and templating -> https://github.com/afallenhope

External code sources

https://www.ip2location.com/free/visitor-blocker | geolocation filtering datasets (ip address assignments by country)

https://gitlab.com/ZeroDot1/CoinBlockerLists | cryptominer host dataset

psql only: https://github.com/tlocke/pg8000 | pure python postgresql adapter


Showcase demo

This video is extremely outdated, but still shows general functionality and some high level security implementations. An updated video will be created one day, showing modern improvements and features.

DNX Firewall Demo