• Search by Module
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

Project: dnxfirewall-cmd (GitHub Link)

• dnxfirewall-cmd-master
  • .github
    • FUNDING.yml
  • deploy_script_part2.py
  • utils
    • remove_pycache.py
    • dnxfirewall-dependencies.txt
    • restart_services.py
  • services
    • dnx-interface.service
    • dnx-dns-proxy.service
    • sudoers.txt
    • dnx-log.service
    • dnx-syslog.service
    • dnx-startup.service
    • dnx-ip-proxy.service
    • dnx-database.service
    • dnx-ips.service
    • dnx-dhcp-server.service
  • dnx_system
    • signatures
      • domain_lists
        • dns-over-https.domains
        • ads.domains
        • domain.keywords
      • geo_lists
        • iran.geo
        • china.geo
        • north_korea.geo
        • venezuela.geo
      • ip_lists
        • tor_entry.ips
        • tor_exit.ips
        • dns-over-https.ips
    • iptables.lock
    • log
      • dhcp_server
        • temp
      • logins
        • temp
      • dns_proxy
        • temp
      • update
        • temp
      • syslog
        • temp
      • system
        • temp
      • combined
        • temp
      • ip_proxy
        • temp
      • ips
        • temp
    • iptables
      • iptables_backup.cnf
    • profiler_results
      • temp.txt
  • dhcp_server
    • dhcp_server.py
    • dhcp_server_requests.py
    • dhcp_server_automate.py
    • __init__.py
  • dnx_syslog
    • syl_protocols.py
    • syl_automate.py
    • syl_format.py
    • __init__.py
    • syl_main.py
  • dnx_configure
    • dnx_constants.py
    • dnx_interface_services.py
    • dnx_code_profiler.py
    • dnx_exceptions.py
    • dnx_lists.py
    • dnx_iptables.py
    • dnx_startup.py
    • dnx_system_info.py
    • __init__.py
    • dnx_namedtuples.py
    • dnx_file_operations.py
  • dnx_iptools
    • dnx_parent_classes.py
    • dnx_standard_tools.py
    • dnx_protocol_tools.py
    • dnx_interface.py
    • __init__.py
    • dnx_structs.py
  • LICENSE
  • dns_proxy
    • dns_proxy_server.py
    • dns_proxy_cache.py
    • dns_proxy_automate.py
    • dns_proxy_protocols.py
    • dns_proxy_log.py
    • __init__.py
    • dns_proxy_packets.py
    • dns_proxy.py
  • netfilter
    • __init__.py
  • .gitattributes
  • dnx_logging
    • __init__.py
    • log_main.py
  • deploy_script_part1.py
  • dnx_shell
    • commands.json
    • dnx_shell_dns.py
    • dnx_shell_blacklist.py
    • dnx_shell_ips_ids.py
    • dnx_shell_whitelist.py
    • dnx_shell_domain.py
    • dnx_shell_services.py
    • dnx_shell_standard.py
    • dnx_shell_ip.py
    • dnx_shell.py
    • dnx_shell_interface.py
    • __init__.py
    • dnx_shell_authentication.py
    • dnx_shell_main.py
  • data
    • config.json
    • ip_proxy.json
    • dns_server.json
    • logging_client.json
    • ip_proxy_timer.json
    • whitelist.json
    • dhcp_server.json
    • syslog_client.json
    • ips.json
    • dns_proxy.json
    • interface_speed.json
    • blacklist.json
    • dns_server_status.json
    • dns_cache.json
    • syslog_server_status.json
  • README.md
  • dnx_ips
    • dnx_ips.py
    • dnx_ips_log.py
    • __init__.py
    • dnx_ips_packets.py
    • dnx_ips_automate.py
  • CODE_OF_CONDUCT.md
  • unit_tests
    • test_1.py
  • dnx_database
    • ddb_main.py
    • ddb_connector.py
    • __init__.py
  • .gitignore
  • ip_proxy
    • ip_proxy_log.py
    • ip_proxy_automate.py
    • ip_proxy_restrict.py
    • ip_proxy_packets.py
    • __init__.py
    • ip_proxy.py

Command Line Version | coded/tested live on twitch.tv.

Overview

DNX Firewall is an optimized/high performance collection of applications or services to convert a standard linux system into a zone based next generation firewall. All software is designed to run in conjunction with eachother, but with a modular design certain aspects can be completely removed with little effort. The primary security modules have DIRECT/INLINE control over all connections, streams, messages, that goes through the system. That being said, depending on the protocol, offloading to lower level control is present to maintain the highest possible throughput with full inspection enabled. There is an IPTable custom chain to allow for the administrator to hook into the packet flow without the ability to accidentally override dnx security modules. A low level "architecture, system design" video will be created at some point to show how this is possible with pure python.

Included Features

• DNS Proxy

  • category based blocking (general, TLD, substring matching)

  • user added whitelist/blacklist or custom general category creation

  • native DNS over TLS conversion with optional UDP fallback

  • local dns server

  • software failover

  • 2 level record caching

• IP Proxy (transparent) Bi directional

  • reprutation based host filtering

  • geolocation filter

  • lan restriction (disables internet access to the LAN for all IPs not whitelisted)

• IPS/IDS (WAN/inbound)

  • Denial of service detection/prevention

  • Portscan detection/prevention

• Lightweight DHCP Server (custom)

  • ip reservations

  • security alert integration

• General Services

  • Log handling

  • Database management

  • Syslog client (UDP, TCP, TLS) IMPORTANT: currently in a beta/unstable state. this service will not be enabled by default and will require the service enabled to start on system start.

• Additional notes

  • IPv6 disabled
  • prebuilt iptable rules
  • DNS over HTTPs blocks (dns bypass prevention)
  • DNS over TCP blocks (dns bypass prevention)
  • DNS over TLS blocks (dns bypass prevention)
  • all inbound connections to wan DROPPED by default
  • IPTABLES custom chain for admin hook into packet flow

Before Running

• [+] Edit data/config.json and data/dhcp_server.json to reflect your system [interfaces]

• [+] Move all systemd service files into the systems systemd folder.

• [+] Configure system interfaces. LAN needs to be Default Gateway of local network.

• [+] Compile python-netfilterqueue for your current architecture/distro (link below)

  - ensure name is netfilter.so and placed in the dnxfirewall/netfilter folder

• [+] Run/ follow, in order, the deployment scripts to automate system setup. look at comments in script files for more direction.

Non DNX code dependencies/sources!

https://github.com/tlocke/pg8000 | pure python postgresql adapter

https://github.com/kti/python-netfilterqueue | cython/ python extension for binding to linux kernel netfilter | THIS IS AWESOME!!!!!

https://www.ip2location.com/free/visitor-blocker | geolocation ip filtering datasets

https://gitlab.com/ZeroDot1/CoinBlockerLists | cryptominer hostset

https://squidblacklist.org | malicious and advertisement hostsets

General Showcase Demo (outdated)

• NOTE: The front end is not currently included in the public/foss version of firewall, but the funcionality of the system is the same. Edit json files accordingly to implement specific system controls, eg whitelist, blacklist, dns records, etc. a DNX CLI/shell will be implemented eventually which will configuration changes easier to deal with.

This video is extremely outdated, but still shows general functionality and some of the high level security implementations. an updated video will be created soon which will show the newly added modules: syslog client, standard logging, ips/ids, updated dns proxy functionality, updated ip proxy functionality, more.