  • Stars: 130
  • Language: Perl
  • Created almost 9 years ago
  • Updated almost 6 years ago


Docker Firewall Framework

DFWFW is deprecated

Due to lack of time and motivation, I can't support this project anymore (read: issues opened here won't receive a response). You might want to take a look at the following port instead:

https://github.com/pitkley/dfw

DFWFW

DFWFW, short for Docker Firewall Framework, is a lightweight Perl tool that offers easy administration of the iptables rules of your Docker containers. It reads the event stream of the local Docker daemon, so it is notified of container events in real time and can maintain the firewall rules on the fly.

DFWFW focuses mostly on the firewall rules of the "main bridge" itself, but it supports injecting firewall rules into the containers' network namespaces as well.

DFWFW supports having different firewall rules for build-time containers (docker build) and production ones (docker run). The rule specification is straightforward: you can target containers simply by specifying their names or a matching regular expression. The generated firewall ruleset relies on the stateful (connection-tracking) support of iptables.

By default, a whitelist-based approach is recommended: the default policy drops everything, and you accept the wanted traffic by setting up whitelist rules. Rules can be specified in the following five categories:

  • container_to_container
  • container_to_wider_world
  • container_to_host
  • wider_world_to_container
  • container_internals

Container aliasing is also supported; DFWFW is able to maintain entries in the /etc/hosts files of your containers with the desired aliases.

Docker versions supported: 1.9.0+ (including 1.10.0).

DFWFW is currently experimental, feedback and contributions are welcome.

Installation

DFWFW is intended to be run as a Docker container itself. The repository is linked with the Docker Hub, so the image can be fetched the standard way:

docker pull irsl/dfwfw

The recommended way of building dfwfw manually is:

docker build -t dfwfw https://github.com/irsl/dfwfw.git

If you prefer to clone this repo manually, then don't forget about the submodules:

git clone --depth 1 --recursive https://github.com/irsl/dfwfw.git

The tool reads the firewall rules from a JSON-formatted configuration file at /etc/dfwfw/dfwfw.conf. It is recommended to bind-mount this file when creating the container. The default configuration file available in this repository reproduces the behavior of the Docker daemon with the following options:

--iptables=true --icc=false --ip-forward=true

This means only containers on the same network are able to communicate with each other, and containers can talk to the outside world. (DNAT-based rules are the exception to this.)

Once you are happy with the rules generated by DFWFW, it is also recommended to run it with the --restart=always policy, so the firewall stays the same even after a restart.

The DFWFW container needs access to the following resources in order to work as expected:

Normal operation:

  • IP forwarding enabled (echo 1 > /proc/sys/net/ipv4/ip_forward)
  • It is highly recommended to run the Docker daemon with --iptables=false so that only DFWFW touches your firewall rules
  • Access to the Docker socket (either the default Unix domain socket bind-mounted into the container, or a TCP IP:port)
  • Access to the network namespace of the host (--net=host)
  • NET_ADMIN capability so iptables can talk to the kernel via the netlink socket (--cap-add=NET_ADMIN)

Example command:

docker run \
  --name=dfwfw -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /path/to/your/directory/with/config:/etc/dfwfw/ \
  --net=host \
  --cap-add=NET_ADMIN \
  irsl/dfwfw

Where /path/to/your/directory/with/config should contain your configuration file, named dfwfw.conf.

Additional prerequisites for injecting container internal rules:

  • Access to the process namespace of the host (--pid=host)
  • SYS_ADMIN capability so that entering the namespace of the target container is possible (--cap-add=SYS_ADMIN)

Example command:

docker run \
  --name=dfwfw -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /path/to/your/directory/with/config:/etc/dfwfw/ \
  --net=host \
  --cap-add=NET_ADMIN \
  --pid=host \
  --cap-add=SYS_ADMIN \
  irsl/dfwfw

Additional prerequisites for container aliasing:

  • Access to the container directory of Docker

Example command:

docker run \
  --name=dfwfw -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/lib/docker/containers:/var/lib/docker/containers \
  -v /path/to/your/directory/with/config:/etc/dfwfw/ \
  --net=host \
  --cap-add=NET_ADMIN \
  irsl/dfwfw
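The prerequisites listed above (IP forwarding, a daemon started with --iptables=false, NET_ADMIN, and SYS_ADMIN for container-internal rules) are easy to get wrong silently, so here is a small pre-flight script that checks them. It is an added example, not part of the DFWFW project; each check takes its input as an argument so it can be exercised against constructed sample data, and the `ps -C` form used for the live run assumes procps on a Linux host.

```shell
#!/bin/sh
# Added example (not DFWFW's own code): pre-flight checks for the prerequisites
# listed in the README. Inputs are passed as arguments so the checks can be run
# against constructed sample data as well as the live host.

# 1. IP forwarding: the sysctl file must read "1".
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# 2. The Docker daemon should run with --iptables=false so that only DFWFW
#    manages the ruleset. Input: the daemon's command line as one string.
docker_iptables_disabled() {
  case " $1 " in
    *" --iptables=false "*) return 0 ;;
    *) return 1 ;;
  esac
}

# 3. Capability checks on a /proc/<pid>/status dump. CapEff is a hex bitmask;
#    CAP_NET_ADMIN is bit 12 and CAP_SYS_ADMIN is bit 21 (Linux numbering).
has_cap() {  # $1: status text, $2: capability bit number
  capeff=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }')
  [ -n "$capeff" ] || return 1
  [ $(( (0x$capeff >> $2) & 1 )) -eq 1 ]
}
has_net_admin() { has_cap "$1" 12; }
has_sys_admin() { has_cap "$1" 21; }   # only needed for container_internals rules

# Live run from inside the DFWFW container's view of the host:
#   sh dfwfw-preflight.sh --run
run_checks() {
  rc=0
  ip_forward_enabled || { echo "ip_forward is not enabled"; rc=1; }
  docker_iptables_disabled "$(ps -o args= -C dockerd 2>/dev/null)" \
    || { echo "dockerd is not running with --iptables=false"; rc=1; }
  has_net_admin "$(cat /proc/self/status)" || { echo "NET_ADMIN missing"; rc=1; }
  return $rc
}
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Note that a container holding the Docker socket, --net=host and NET_ADMIN controls both the daemon and the host firewall, so the DFWFW image and its configuration directory deserve the same protection as root on the host.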

The configuration file (dfwfw.conf) and examples

See the dedicated page about the configuration file and the one with examples.

Command line options and signals

DFWFW supports the following command line switches:

  • --dry-run: no changes are committed to netfilter; they are just displayed (the same way as without this option)
  • --one-shot: events are not monitored; the current containers are queried from the Docker daemon, rules are generated and then the application terminates

You can see what's happening by attaching to the container (or starting it as an interactive container):

docker attach dfwfw

You can make DFWFW reread the configuration file by sending a HUP signal:

docker kill --signal=HUP dfwfw

Licence

The software is free for any purpose, but no responsibility is taken.

TODO

  • More tests
  • IPv6 support
