- Install bpf-linker:
cargo install bpf-linker
- Blazingly fast
- Filter TCP and UDP with specified PORT
- Specified DNS resolver
- Rate limit of 1,000 requests per second
cargo sfw build-ebpf
cargo build
cargo sfw build
RUST_LOG=info cargo sfw run -i <NIC> -c <path-to-config.yaml>
To perform a release build you can use the --release flag.
You may also change the target architecture with the --target flag.
simple-firewall uses a simple YAML config pattern:
- i: Incoming-Port, a port from an outside server coming to us (e.g. web browsing)
- o: Outgoing-Port, a port from our server to the outside (e.g. serving a website/service)
- tcp: Allowed on the TCP protocol
- udp: Allowed on the UDP protocol

These options can be nested as in the example below, except dns, for which we provide only the allowed DNS resolver IP address.
fwcfg.yaml
{
"80": "i,tcp",
"8181": "i,tcp",
"443": "i,tcp",
"123": "i,udp", # sync time
"67": "i,udp", # router
# "5353": "o,udp", # dns multi-cast
"22000": "i,o,tcp,udp", # syncthing
"21027": "i,o,udp", # syncthing
"22022": "i,o,tcp", # custom ssh
"4869": "i,o,tcp", # nostr relay
"208.67.222.222": "dns", # DNS
"9.9.9.9": "dns", # DNS
}
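A typo in an option string is easy to miss in a firewall allow-list, so the entries can be linted before the config is handed to sfw. The following is an added example, not simple-firewall's own parser: `Rule`, `parse_entry` and `lint` are hypothetical names, it works on already-parsed key/value pairs, and it assumes that an entry without a direction or a protocol is a mistake.

```rust
use std::net::IpAddr;
/// One validated config entry (hypothetical type, not the project's own).
#[derive(Debug, PartialEq)]
enum Rule {
    Port { port: u16, incoming: bool, outgoing: bool, tcp: bool, udp: bool },
    Dns(IpAddr),
}

/// Check one `key: value` pair against the format described in this README.
fn parse_entry(key: &str, value: &str) -> Result<Rule, String> {
    if value.trim() == "dns" {
        // `dns` stands alone, and its key must be a resolver IP address.
        return key.trim().parse::<IpAddr>().map(Rule::Dns)
            .map_err(|_| format!("{}: dns entry needs an IP address key", key));
    }
    let port: u16 = key.trim().parse().map_err(|_| format!("{}: not a valid port", key))?;
    let (mut incoming, mut outgoing, mut tcp, mut udp) = (false, false, false, false);
    for flag in value.split(',').map(str::trim) {
        match flag {
            "i" => incoming = true,
            "o" => outgoing = true,
            "tcp" => tcp = true,
            "udp" => udp = true,
            "dns" => return Err(format!("{}: dns cannot be combined", key)),
            other => return Err(format!("{}: unknown option '{}'", key, other)),
        }
    }
    // Assumption: an entry with no direction or no protocol is a typo; reject it.
    if !(incoming || outgoing) || !(tcp || udp) {
        return Err(format!("{}: needs i/o and tcp/udp", key));
    }
    Ok(Rule::Port { port, incoming, outgoing, tcp, udp })
}

/// Lint all entries: returns the accepted rules and one message per rejected entry.
fn lint(entries: &[(&str, &str)]) -> (Vec<Rule>, Vec<String>) {
    let (mut rules, mut errors) = (Vec::new(), Vec::new());
    for (k, v) in entries {
        match parse_entry(k, v) { Ok(r) => rules.push(r), Err(e) => errors.push(e) }
    }
    (rules, errors)
}

fn main() {
    // Constructed sample: two entries from the README plus two deliberate typos.
    let cfg = [("80", "i,tcp"), ("9.9.9.9", "dns"), ("443", "i,tpc"), ("70000", "i,tcp")];
    let (rules, errors) = lint(&cfg);
    println!("accepted {} rules, rejected: {:?}", rules.len(), errors);
}
```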
git clone https://github.com/vazw/simple-firewall.git && cd simple-firewall
cargo install bpf-linker
cargo sfw install --path <install-path> # Default is /usr/bin/
Then make an auto-startup script for it with sfw -i <NIC> -c <path-to-config.yaml>.
In my case I was using pkexec to auto-start it when my SwayWM started:
.config/sway/config
exec pkexec sfw -i wlp1s0 -c /etc/fwcfg.yaml &