| modules | ||
| bots.txt | ||
| crawlers.txt | ||
| firewall.service | ||
| firewall.sh | ||
| ipv4-filter.nft | ||
| ipv6-filter.nft | ||
| nft.rules | ||
| ReadMe.md | ||
| safe.txt | ||
| trust.txt | ||
What is it?
A simple NFT firewall manager with DDOS protection. Written in Bash.
Features
- Web Crawler Detection and Blocker
- Easily Configure NFT
- Support for WireGuard NFT rules
- Automatic IP blocking for DDOS attacks
- Easily add custom DDOS modules to protect against attacks
- Automatic Rate-limiting for HTTP/HTTPS Connections if under attack
- Interactive Menu-driven User Experience
- Includes thousands of Web Crawler IP's ready to block!
Prerequisites
- NFT
- Redis
Install
cd /optgit clone https://git.poster.place/verita84/firewallcp firewall.service /etc/systemd/systemsystemctl enable --now firewall
Configure Redis Schema
bash firewall.sh import-db
Configure firewall.sh
- Edit the
portConfigvariables to allow ports - Modify
NGINX_ACCESSto point to your NGINX config file.
I recommend keeping the NGINX_ACCESS log in /tmp mounted via TMPFS to reduce writes on your SSD and so the script can quickly scan the file.
Add Detection by the Minute via Cron
*/1 * * * * bash /opt/firewall/firewall.sh attacker-protection
00 00 * * * bash /opt/firewall/firewall.sh export-db
Per the above, new attacks are searched every minute and temp blocks are forgiven every 5 minutes. The Redis DB is exported at midnight.
Accessing the Menu
bash firewall.sh
Custom Modules
- There are a few custom function modules to protect against certain DDOS attacks and they are named
module-foo(). - Modules can be loaded by adding them to the
attacker-protection()orwatch()functions as needed