Comments

7 comments

  • Dylan Dulaney

    While Firewalla support confirmed it should not be done via modifying Iptables, I was able to get it to work with my system by using the <my-domain>.firewalla.net API and CrowdSec's local API. Essentially all I do is poll the CrowdSec API for Decisions (bans) and then use the Update List (PATCH) endpoint to replace the contents of a blocklist once per hour.

    I also managed to lock down access to my NGINX reverse proxy to CloudFlare's IPs by doing essentially the same thing. I have an auto-updating list of CloudFlare IPs, and once per day it checks for a change and if it changed, it updates the list that is on my Port Forward to my server. This way (hopefully) no one can just go around CloudFlare.

    #!/bin/bash
    set -euo pipefail

    CROWDSEC_API_URL="http://<CrowdSec IP>:8080/v1/alerts"
    CROWDSEC_API_TOKEN="Your-CrowdSec-Token"

    TARGET_LIST_ID="<Target List ID>"
    API_TOKEN="<My API Token>"

    # Alerts carry the offending address under .source.ip; drop nulls and duplicates
    banned_ips=$(curl --silent --fail --request GET \
      --url "$CROWDSEC_API_URL" \
      --header "Authorization: Bearer $CROWDSEC_API_TOKEN" \
      | jq -r '.[] | .source.ip // empty' | sort -u)

    # Build the payload with jq so every address is quoted and the JSON stays valid
    # (the original sed join left the first and last addresses unquoted)
    json_payload=$(printf '%s\n' "$banned_ips" \
      | jq -R -s '{targets: (split("\n") | map(select(length > 0)))}')

    # PATCH replaces the whole contents of the target list
    curl --silent --fail --request PATCH \
      --url "https://<your-firewalla-domain>.firewalla.net/v2/target-lists/TL-$TARGET_LIST_ID" \
      --header "Authorization: Token $API_TOKEN" \
      --header "Content-Type: application/json" \
      --data "$json_payload"

    And this one here for my CloudFlare IP list:

    #!/bin/bash

    # Read IPv4 addresses and ranges from cf_real-ip.conf (IPv6 ranges are not matched),
    # excluding my Docker subnet
    ip_addresses=$(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' /path/to/cf_real-ip.conf | \
      grep -Ev '^172\.18\.')

    # Function to check if IP list has changed
    ip_list_has_changed() {
      local new_ip_list="$1"
      local previous_ip_list="$2"

      if [ "$new_ip_list" != "$previous_ip_list" ]; then
        return 0 # IP list has changed
      else
        return 1 # IP list has not changed
      fi
    }

    # Create or read the previously stored IP list
    if [ -f previous_ip_list.txt ]; then
      previous_ip_list=$(cat previous_ip_list.txt)
    else
      touch previous_ip_list.txt
      previous_ip_list=""
    fi

    # Check if IP list has changed
    if ip_list_has_changed "$ip_addresses" "$previous_ip_list"; then
      echo "$ip_addresses" > previous_ip_list.txt

      # Construct the JSON payload
      json_payload='{
        "targets": ['

      # Loop through each IP address and add it to the JSON payload
      first_ip=true
      for ip in $ip_addresses; do
        if [ "$first_ip" = true ]; then
          json_payload+='
          "'"$ip"'"'
          first_ip=false
        else
          json_payload+=',
          "'"$ip"'"'
        fi
      done

      json_payload+='
        ]
      }'

      # Make the API call (PATCH replaces the whole contents of the target list)
      curl --request PATCH \
        --url "https://<Firewalla Domain>.firewalla.net/v2/target-lists/TL-<Target List ID>" \
        --header "Authorization: Token <API Token>" \
        --header "Content-Type: application/json" \
        --data "$json_payload"
    else
      echo "IP list has not changed. No API call needed."
    fi
    2
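A Python version of the same poll-and-replace loop, added here as an example and not code from the thread or from the firewalla/msp-api-examples repo. It assumes a CrowdSec bouncer API key sent in the X-Api-Key header against the /v1/decisions endpoint (the commenter's script reads /v1/alerts with a machine token instead), validates every value as an IP or CIDR before it can reach the target list, and uses placeholder URLs and tokens; the sample decisions are constructed.

```python
import ipaddress, json, urllib.request

# Assumed deployment values (placeholders, not from the thread); fill in before use.
CROWDSEC_DECISIONS_URL = "http://<CrowdSec IP>:8080/v1/decisions"
CROWDSEC_BOUNCER_KEY = "<key from: cscli bouncers add firewalla>"
FIREWALLA_LIST_URL = "https://<your-firewalla-domain>.firewalla.net/v2/target-lists/TL-<Target List ID>"
FIREWALLA_TOKEN = "<My API Token>"

# Constructed sample of what GET /v1/decisions returns (shape only; documentation address ranges).
SAMPLE_DECISIONS = [
    {"type": "ban", "scope": "Ip", "value": "203.0.113.7", "duration": "3h59m"},
    {"type": "ban", "scope": "Range", "value": "10.0.0.5/24", "duration": "1h"},   # host bits set
    {"type": "captcha", "scope": "Ip", "value": "198.51.100.9", "duration": "1h"},  # not a ban
    {"type": "ban", "scope": "Ip", "value": "2001:db8::1", "duration": "1h"},
    {"type": "ban", "scope": "Ip", "value": "bogus.value", "duration": "1h"},       # malformed
    {"type": "ban", "scope": "Ip", "value": "203.0.113.7", "duration": "2h"},       # duplicate
]

def decision_targets(decisions):
    """Keep only 'ban' decisions whose value parses as an IP or CIDR, normalised and de-duplicated,
    so nothing unparseable ever reaches the firewall list. The LAPI returns null when nothing is banned."""
    targets = set()
    for d in decisions or []:
        if d.get("type") != "ban" or str(d.get("scope", "")).lower() not in ("ip", "range"):
            continue
        try:
            net = ipaddress.ip_network(d.get("value", ""), strict=False)  # 10.0.0.5/24 -> 10.0.0.0/24
        except ValueError:
            continue
        targets.add(str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen)
    return sorted(targets)

def build_payload(targets):
    """Body for PATCH /v2/target-lists/TL-<id>; json.dumps guarantees valid quoting."""
    return json.dumps({"targets": list(targets)})

def call(url, method, headers, body=None):
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

def sync_once():
    """Pull current bans from CrowdSec and replace the Firewalla target list with them."""
    raw = call(CROWDSEC_DECISIONS_URL, "GET", {"X-Api-Key": CROWDSEC_BOUNCER_KEY})
    targets = decision_targets(json.loads(raw or b"null"))
    call(FIREWALLA_LIST_URL, "PATCH",
         {"Authorization": f"Token {FIREWALLA_TOKEN}", "Content-Type": "application/json"},
         build_payload(targets).encode())
    return targets
```

Run sync_once() from cron at the interval you want (the commenter uses hourly); anything that is not a ban or does not parse as an address is dropped rather than pushed to the list.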
  • Firewalla

    Hi Dylan, very nice!

    We just created this public repo for more examples; can you open a pull request with your example here: https://github.com/firewalla/msp-api-examples

    If not, can we have permission to push it for you?

    1
  • Support Team

    @Dylan,

    Committed to the repo, thank you for your contribution!

    https://github.com/firewalla/msp-api-examples


    0
  • Casper McFadden

    @Dylan 

    Brilliant outside-the-box workaround that won't upset the current Firewalla firewall ACLs. Thank you so much for sharing your great solution for setting up the CrowdSec dynamic blacklist on our firewalls.


    @Firewalla & @Support Team

    Can this be added to the official Firewalla Targetlists?

    Maybe call it the "CrowdSec Dynamic IP BlockList"

    Just for ease of use.

    0
  • Support Team

    I'll forward it to the engineering team so that they can check if it's possible.

    0
  • Anthony Izzo

    Eager to try this out! But to confirm: is the initial setup process just to install the "crowdsec" package onto Firewalla, register the "machine", and that's it? I'm pretty new to CrowdSec, but is any other configuration necessary on that end, such as adding "scenarios", etc.?

    0
  • Anthony Izzo

    It also seems to install to an area that doesn't give it enough space to create its sqlite db, so I had to create a few symlinks.

    Once I get clarity on the above comment I'd be happy to write up / make a pull request for an improved readme :)

    0
