Repository contents: bots.txt, crawlers.txt, firewall.service, firewall.sh, ipv4-filter.nft, ipv6-filter.nft, nft.rules, ReadMe.md, safe.txt
Features
- Web Crawler Detection and Blocker
- Easily Configure NFT
- Support for WireGuard NFT rules
- Easily add custom DDOS modules to protect against attacks
- Automatic Rate-limiting for HTTP/HTTPS Connections if under attack
- Interactive Menu-driven User Experience
Prerequisites
- NFT
- Redis
Install
cd /opt
git clone https://git.poster.place/verita84/firewall
cp firewall.service /etc/systemd/system
systemctl enable --now firewall
Configure Redis Schema
bash firewall.sh import-db
Configure firewall.sh
- Edit the portConfig variables to allow ports.
- Modify NGINX_ACCESS to point to your NGINX access log file (the file the script scans for attackers).
I recommend keeping the NGINX_ACCESS log in /tmp mounted via tmpfs to reduce writes on your SSD and so the script can quickly scan the file.
Add Detection by the Minute via Cron
*/1 * * * * bash /opt/firewall/firewall.sh attacker-protection
*/5 * * * * bash /opt/firewall/firewall.sh forgive
00 00 * * * bash /opt/firewall/firewall.sh export-db
Per the above, new attacks are searched every minute and temp blocks are forgiven every 5 minutes. The Redis DB is exported at midnight.
Accessing the Menu
bash firewall.sh
Custom Modules
- There are a few custom function modules to protect against certain DDOS attacks; they are named module-foo().
- Modules can be loaded by adding them to the attacker-protection() or watch() functions as needed.