Integrating CrowdSec with Firewall Appliances
Hi Everybody,
Just wondering if there is anybody who has tried the following:
https://www.crowdsec.net/blog/integrating-crowdsec-with-firewall-appliances
https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec/#install-our-repositories
What was your general feedback?
-
While Firewalla support confirmed it should not be done via modifying Iptables, I was able to get it to work with my system by using the <my-domain>.firewalla.net API and CrowdSec's local API. Essentially all I do is poll the CrowdSec API for Decisions (bans) and then use the Update List (PATCH) endpoint to replace the contents of a blocklist once per hour.
I also managed to lock down access to my NGINX reverse proxy to CloudFlare's IPs by doing essentially the same thing. I have an auto-updating list of CloudFlare IPs, and once per day it checks for a change and if it changed, it updates the list that is on my Port Forward to my server. This way (hopefully) no one can just go around CloudFlare.
#!/bin/bash
set -euo pipefail

CROWDSEC_API_URL="http://<CrowdSec IP>:8080/v1/alerts"
CROWDSEC_API_TOKEN="Your-CrowdSec-Token"
TARGET_LIST_ID="<Target List ID>"
API_TOKEN="<My API Token>"

# Pull the current alerts from the CrowdSec local API and build the Firewalla
# payload directly with jq, so every address is quoted and duplicates are
# dropped (joining with sed left the first and last IP unquoted, which is not
# valid JSON). Each alert carries the offending address under .source.ip.
json_payload=$(curl --silent --fail --request GET \
    --url "$CROWDSEC_API_URL" \
    --header "Authorization: Bearer $CROWDSEC_API_TOKEN" \
    | jq -c '{targets: [.[] | .source.ip | select(. != null and . != "")] | unique}')

# Replace the contents of the Firewalla target list with the banned IPs
curl --request PATCH \
    --url "https://<your-firewalla-domain>.firewalla.net/v2/target-lists/TL-$TARGET_LIST_ID" \
    --header "Authorization: Token $API_TOKEN" \
    --header "Content-Type: application/json" \
    --data "$json_payload"

And this one here for my CloudFlare IP list:
#!/bin/bash
# Read IP addresses from cf_real-ip.conf excluding my Docker subnet
ip_addresses=$(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' /path/to/cf_real-ip.conf | \
    grep -Ev '^172\.18\.')

# Function to check if IP list has changed
ip_list_has_changed() {
    local new_ip_list="$1"
    local previous_ip_list="$2"
    if [ "$new_ip_list" != "$previous_ip_list" ]; then
        return 0 # IP list has changed
    else
        return 1 # IP list has not changed
    fi
}

# Create or read the previously stored IP list
if [ -f previous_ip_list.txt ]; then
    previous_ip_list=$(cat previous_ip_list.txt)
else
    touch previous_ip_list.txt
    previous_ip_list=""
fi

# Check if IP list has changed
if ip_list_has_changed "$ip_addresses" "$previous_ip_list"; then
    echo "$ip_addresses" > previous_ip_list.txt

    # Construct the JSON payload
    json_payload='{
    "targets": ['

    # Loop through each IP address and add it to the JSON payload
    first_ip=true
    for ip in $ip_addresses; do
        if [ "$first_ip" = true ]; then
            json_payload+='
        "'"$ip"'"'
            first_ip=false
        else
            json_payload+=',
        "'"$ip"'"'
        fi
    done
    json_payload+='
    ]
}'

    # Make the API call
    curl --request PATCH \
        --url "https://<Firewalla Domain>.firewalla.net/v2/target-lists/TL-<Target List ID>" \
        --header "Authorization: Token <API Token>" \
        --header "Content-Type: application/json" \
        --data "$json_payload"
else
    echo "IP list has not changed. No API call needed."
fi
-
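The step Dylan's first script performs, turning CrowdSec decisions into the body of the Firewalla target-list PATCH, as an added example that is not part of his post or of either project's code. It assumes the decisions endpoint (GET /v1/decisions, which returns ban decisions with a scope and value) rather than the alerts endpoint, and it adds the check a firewall feed should have: only "ban" decisions are used, every value must parse as an IP or CIDR before it is sent to the ACL, and duplicates are collapsed. The decisions sample is constructed.

```python
import ipaddress
import json

# Constructed sample in the shape of a CrowdSec LAPI decisions response
# (GET /v1/decisions, as a bouncer sees it). Every value here is made up.
SAMPLE_DECISIONS = json.loads("""[
  {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
   "value": "203.0.113.7", "duration": "3h59m"},
  {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range",
   "value": "198.51.100.0/24", "duration": "167h"},
  {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip",
   "value": "203.0.113.9", "duration": "1h"},
  {"id": 4, "origin": "crowdsec", "type": "ban", "scope": "Ip",
   "value": "203.0.113.7", "duration": "2h"},
  {"id": 5, "origin": "crowdsec", "type": "ban", "scope": "Ip",
   "value": "not-an-ip", "duration": "1h"}
]""")


def decisions_to_targets(decisions):
    """Sorted, de-duplicated list of IPs/CIDRs for the Firewalla target list.

    Only 'ban' decisions on Ip/Range scope are used (a 'captcha' decision is a
    web-layer remediation, not a firewall drop), and each value has to parse as
    an address or network so a malformed upstream entry never reaches the ACL.
    """
    targets = set()
    for d in decisions:
        if d.get("type") != "ban" or d.get("scope") not in ("Ip", "Range"):
            continue
        try:
            net = ipaddress.ip_network(d["value"], strict=False)
        except ValueError:
            continue  # not a valid IP or CIDR: drop it rather than forward it
        # Single hosts are sent bare; real ranges keep their prefix length
        targets.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return sorted(targets)


def build_payload(decisions):
    """JSON body for PATCH /v2/target-lists/TL-<id> on the Firewalla MSP API."""
    return json.dumps({"targets": decisions_to_targets(decisions)})


if __name__ == "__main__":
    print(build_payload(SAMPLE_DECISIONS))
```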
Hi Dylan, very nice!
We just created this public repo for more examples; could you open a pull request with your example here: https://github.com/firewalla/msp-api-examples
If not, can we have permission to push it for you?
-
@Dylan,
Committed to the repo, thank you for your contribution!
https://github.com/firewalla/msp-api-examples
-
@Dylan
Brilliant outside-the-box workaround that won't upset the current Firewalla firewall ACLs. Thank you so much for sharing your great solution for setting up the CrowdSec dynamic blacklist on our firewalls.
@Firewalla & @Support Team
Can this be added to the official Firewalla Targetlists?
Maybe call it the "CrowdSec Dynamic IP BlockList"
Just for ease of use.