NOTICE: The license has changed from the CMD version (GPLv3). The 'FULL' version (current branch) is licensed under AGPLv3.
Overview
DNX Firewall is an optimized, high-performance collection of applications and services that converts a standard Linux system into a zone-based next-generation firewall. All software is designed to run in conjunction with each other, but thanks to the modular design certain aspects can be completely removed with little effort. The primary security modules have DIRECT/INLINE control over all connections, streams, and messages that go through the system. That said, depending on the protocol, offloading to lower-level control is used to maintain the highest possible throughput with full inspection enabled. Custom iptables chains allow the administrator to hook into the packet flow without worrying about accidentally overriding the control of the dnx security modules.
A low-level "architecture / system design" video will be created at some point to show how this is possible with pure Python.
Included Features
NEW: sqlite3 is now the default database in use (to simplify deployments). PostgreSQL is still present on the backend, and in a future release it will be possible to enable it during system deployment.
NEW: The auto deployment utility (auto loader) is now live. It should be used to deploy the system on any compatible distro. See the compatible distro list below for details.
- DNS proxy
  - category based blocking (general, TLD, substring matching)
  - user added whitelist/blacklist or custom general category creation
  - native DNS over TLS conversion with optional UDP fallback
  - local DNS server (authoritative via packet manipulation)
  - automatic software failover
  - 2 level record caching
- IP proxy (transparent, bi-directional)
  - reputation based host filtering
  - geolocation filter (country blocking)
  - LAN restriction (disables internet access for all LAN IPs not whitelisted) | Parental Control
- IPS/IDS (WAN/inbound)
  - denial of service detection/prevention
  - portscan detection/prevention
- Lightweight DHCP server (native software)
  - IP reservations
  - interface level control (enable/disable)
  - security alert integration
- General Services
  - log handling
  - database management
  - syslog client (UDP, TCP, TLS). IMPORTANT: currently in a beta/unstable state; this service will not be enabled by default.
- Additional Features
  - IPv6 disabled
  - prebuilt iptables rules (all inbound connections to WAN DROPPED by default)
  - DNS over HTTPS restricted (DNS bypass prevention)
  - DNS over TCP restricted (DNS bypass prevention)
  - DNS over TLS restricted (DNS bypass prevention)
  - iptables custom chain for admin hook into packet flow
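As an added illustration of the DNS proxy matching modes listed above (general category, TLD, substring) combined with the user whitelist/blacklist, the following Python is not dnxfirewall's own code: the policy class, its precedence order and every sample host are constructed assumptions. Whitelist beats blacklist, which beats TLD, category and finally substring matching, and a parent-domain entry covers its subdomains.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data: NOT dnxfirewall's category lists or its internal format.
SAMPLE_CATEGORIES = {
    "ads": {"ads.example", "tracker.example"},
    "cryptominer": {"pool.miner.example"},
}


def parent_domains(qname: str) -> list[str]:
    """'www.ads.example' -> ['www.ads.example', 'ads.example', 'example']."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


@dataclass
class DNSBlockPolicy:
    """Hypothetical policy object; precedence: whitelist > blacklist > TLD > category > substring."""
    categories: dict[str, set[str]] = field(default_factory=lambda: dict(SAMPLE_CATEGORIES))
    enabled_categories: set[str] = field(default_factory=lambda: {"ads", "cryptominer"})
    blocked_tlds: set[str] = field(default_factory=lambda: {"zip", "xyz"})
    substrings: set[str] = field(default_factory=lambda: {"coin"})
    whitelist: set[str] = field(default_factory=lambda: {"bitcoin.example"})
    blacklist: set[str] = field(default_factory=lambda: {"bad.example"})

    def decision(self, qname: str) -> tuple[str, str]:
        """Return (action, reason) for a queried name."""
        names = parent_domains(qname)
        # The user whitelist wins over everything, so a false positive in a
        # category or substring list can be overridden without editing the dataset.
        if any(n in self.whitelist for n in names):
            return "allow", "whitelist"
        if any(n in self.blacklist for n in names):
            return "block", "blacklist"
        tld = names[-1]
        if tld in self.blocked_tlds:
            return "block", f"tld:{tld}"
        for cat in sorted(self.enabled_categories):
            if any(n in self.categories.get(cat, set()) for n in names):
                return "block", f"category:{cat}"
        for sub in sorted(self.substrings):
            if sub in names[0]:  # substring check runs on the full lowercased name
                return "block", f"substring:{sub}"
        return "allow", "no match"


if __name__ == "__main__":
    policy = DNSBlockPolicy()
    for q in ("www.ads.example", "bitcoin.example", "files.example.zip", "mycoinwallet.example"):
        print(q, policy.decision(q))
```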
To deploy (using auto loader)
1. Select a Linux distro from the compatible distro list (see below).
2. Install Linux on physical hardware or a VM.
   2a. Three (3) interfaces are required (WAN, LAN, DMZ).
   2b. Create the "dnx" user during install or once complete.
   2c. Install python3.8 and make it the default (if applicable).
3. Upgrade and update the system.
4. Install git.
5. Clone https://github.com/dowrighttv/dnxfirewall.git into the "dnx" user's home directory (/home/dnx).
6. Log in as the "dnx" user and run: sudo python3 dnxfirewall/dnx_configure/dnx_autoloader.py
7. Follow the prompts to associate physical interfaces with dnxfirewall zones.
8. Once the utility is complete, restart the system and navigate to https://dnx.firewall from the LAN or DMZ interface.
Compatible linux distros with dnxfirewall auto loader
- Ubuntu server 20.04 LTS (stable)
- Debian based distros (untested, but likely stable)
- Non Debian based distros (not supported)
Additional info
Coded and tested live on twitch.tv.
External code sources
- https://github.com/kti/python-netfilterqueue | cython <-> python C extension for binding to the linux kernel [netfilter]
- https://www.ip2location.com/free/visitor-blocker | geolocation filtering datasets (ip address assignments by country)
- https://gitlab.com/ZeroDot1/CoinBlockerLists | cryptominer host dataset
- https://squidblacklist.org | malicious and advertisement host datasets
- psql only: https://github.com/tlocke/pg8000 | pure python postgresql adapter