olivierh59500 / bluewall

This project forked from austin-taylor/bluewall

Python 100.00%

BLUEWALL

Bluewall is a firewall framework designed for offensive and defensive cyber professionals. This framework allows cybersecurity professionals to quickly set up their environment while staying within their scope.

Credit

Inspired by Andrew Benson's hostfw iptable generation script.

Features

Bluewall

  • Configure Firewall
  • Configure Hostname
  • Configure Interface(s)

Supported Operating Systems

  • Redhat/CentOS
  • Windows (configuration can be generated but not executed)

Commandline

bw -c config/example.ini (see the example configuration)

Utils

  • Enumerate - Identify live hosts inside your network (coming soon)

Semantics

  • Target Host - Outbound communication
  • Trusted Host - Bidirectional communication
  • No Strike - Devices your computer should not communicate with

Getting Started

# Built for Python 2.x
sudo python setup.py install
sudo bw -h  # for help

Help

usage: bw [-h] [-V] [-v] [-r] [-p] [-i] [-d] [-w WINDOWS_CONFIG]
          [-ot TCP_PORTS_OUT] [-ou UDP_PORTS_OUT] [-it TCP_PORTS_IN]
          [-iu UDP_PORTS_IN] [-oh OUTBOUND_HOSTS] [-ih INBOUND_HOSTS]
          [-eh EXCLUDE_HOSTS] [-l] [-s] [-q] [-D] [-A] [-F] [-S] [-c CONFIG]
          [--info]

         /////////////////////////////////////////////////////
        |  _____ __    _____ _____ _ _ _ _____ __    __      |
        | |  __ |  |  |  |  |   __| | | |  -  |  |  |  |     |
        | |  __-|  |__|  |  |   __| | | |     |  |__|  |__   |
        | |_____|_____|_____|_____|_____|__|__|_____|_____|  |
        |                                                    |
         \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
            A python framework to automate firewall setup.

        Defaults:
            Outbound connections will be allowed on all ports to all hosts.
            Inbound connections will be limited to related outbound traffic.
            DHCP will be enabled.
            Ping responses will be enabled.
            Unsolicited inbound connections will be dropped.

        

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         Display Version
  -v, --verbose         Verbose Mode
  -r, --reset           Send TCP RST instead of dropping packet.
  -p, --disallow_ping   Disallow incoming PING
  -i, --allow_outbound_icmp
                        Don't restrict ICMP types
  -d, --disallow_dhcp   Disallow DHCP
  -w WINDOWS_CONFIG, --windows_config WINDOWS_CONFIG
                        Generate Windows Configuration. Usage: bw -w
                        config.ps1
  -ot TCP_PORTS_OUT, --tcp_ports_out TCP_PORTS_OUT
                        Comma separated list of allowed TCP ports outbound
  -ou UDP_PORTS_OUT, --udp_ports_out UDP_PORTS_OUT
                        Comma separated list of allowed UDP ports outbound
  -it TCP_PORTS_IN, --tcp_ports_in TCP_PORTS_IN
                        Comma separated list of allowed TCP ports inbound
  -iu UDP_PORTS_IN, --udp_ports_in UDP_PORTS_IN
                        Comma separated list of allowed UDP ports inbound
  -oh OUTBOUND_HOSTS, --outbound_hosts OUTBOUND_HOSTS
                        Restrict outbound to specified hosts. -oh
                        192.168.3.0/24,192.168.4.0/24
  -ih INBOUND_HOSTS, --inbound_hosts INBOUND_HOSTS
                        Restrict outbound to specified hosts. -ih
                        192.168.3.0/24,192.168.4.0/24
  -eh EXCLUDE_HOSTS, --exclude_hosts EXCLUDE_HOSTS
                        Exclude hosts -eh 192.168.3.0/24
  -l, --log_exceptions  Log Exceptions
  -s, --simulate        Simulate only.
  -q, --quiet           Quiet (don't display status messages
  -D, --deny_all        Absolute Deny all
  -A, --allow_all       Absolute allow all
  -F, --flush           Flush IPTables
  -S, --show_rules      Show rules after setting
  -c CONFIG, --config CONFIG
                        Configuration for firewall
  --info                About Bluewall

Output

[ataylor@localhost bluewall]$ sudo bw -c configs/exampleconfig.ini 
[OK] 192.168.1.101 is a valid setting for dns
[OK] 192.168.1.1 is a valid setting for gateway_addr
[OK] 24 is a valid setting for cidr_prefix
[OK] 192.168.1.254 is a valid setting for nostrike
[OK] * is a valid setting for rh_mac
[OK] WINtaylor is a valid setting for win_host
[OK] 192.168.2.0/24 is a valid setting for target_range
[OK] 192.168.3.0/24 is a valid setting for target_range
[OK] 192.168.1.30 is a valid setting for rh_ipaddr
[OK] RHEL-taylor is a valid setting for rh_host
[OK] 42.42.42.42 is a valid setting for trusted_host
[OK] 192.168.1.0/24 is a valid setting for trusted_range
[OK] 192.168.1.50 is a valid setting for win_ipaddr
==============================

[VALID CONFIG] No Errors Detected.

CONFIGURING
writing eth config to /etc/sysconfig/network-scripts/ifcfg-ens33
[CONFIGURATION]
TYPE="Ethernet"
BOOTPROTO=none
NAME=ens33
DEVICE="ens33"
ONBOOT=no
DEFROUTE="yes"
IPV4_FAILURE_FATAL=no
DNS1=192.168.1.101
IPADDR=192.168.1.30
PREFIX=24
GATEWAY=192.168.1.1
MACADDR=00:16:3E:52:7F:8D

[+] Interface ens33 shutdown.
[+] Restarting Network Service
[+] Interface ens33 brought up.
[+] Rules Flushed!
[+] Allowing outbound ICMP/traceroute to 192.168.2.0/24...
[+] Allowing outbound ICMP/traceroute to 192.168.3.0/24...
[+] Allowing outbound ICMP/traceroute to 192.168.1.0/24...
[+] Limiting outbound TCP connections to 192.168.2.0/24.
[+] Limiting outbound TCP connections to 192.168.3.0/24.
[+] Limiting outbound TCP connections to 192.168.1.0/24.
[+] Limiting outbound UDP connections to 192.168.2.0/24.
[+] Limiting outbound UDP connections to 192.168.3.0/24.
[+] Limiting outbound UDP connections to 192.168.1.0/24.
[+] Limiting inbound UDP connections to 192.168.1.0/24.
[+] Limiting inbound TCP connections to 192.168.1.0/24.
[+] Allowing traffic for localhost.
[+] 192.168.1.254 applied to NOSTRIKE
$ iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       192.168.1.254        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       127.0.0.0/8          127.0.0.0/8         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.0/24      

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.1.254       
    0     0 ACCEPT     all  --  *      *       127.0.0.0/8          127.0.0.0/8         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.3.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.0/24      
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.0/24      
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.3.0/24      
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.0/24      
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.0/24       icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.0/24       icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.3.0/24       icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.3.0/24       icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.2.0/24       icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.2.0/24       icmptype 8

[+] Setup Complete.
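
The listing above depends on rule order: the No Strike address 192.168.1.254 sits inside the trusted range 192.168.1.0/24, and iptables acts on the first matching rule. The following Python 3 check is an added example, not part of Bluewall; the `parse` and `audit` names and the trimmed sample listing are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the INPUT and OUTPUT chains above, trimmed to a few rules.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.254        0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.0/24

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.1.254
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.0/24
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.3.0/24       icmptype 8
"""

CHAIN = re.compile(r"^Chain (\S+) \(policy (\S+)")

def parse(listing):
    """Return {chain: {"policy": str, "rules": [(target, prot, src, dst)]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        net = ipaddress.ip_network
        current["rules"].append((f[2], f[3], net(f[7]), net(f[8])))
    return chains

def audit(listing, nostrike):
    """Report chains whose policy is not DROP or where no-strike traffic hits ACCEPT first."""
    ns = ipaddress.ip_network(nostrike)
    findings = []
    for name, chain in parse(listing).items():
        if chain["policy"] != "DROP":
            findings.append("%s: default policy is %s" % (name, chain["policy"]))
        for target, prot, src, dst in chain["rules"]:
            # The no-strike host is the source of inbound and the destination of outbound traffic.
            net = src if name == "INPUT" else dst
            if target == "ACCEPT" and net.overlaps(ns):
                findings.append("%s: %s matches an ACCEPT before a DROP" % (name, nostrike))
                break
            if target in ("DROP", "REJECT") and prot == "all" and ns.subnet_of(net):
                break  # first match wins: later ACCEPT rules never see this traffic
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "192.168.1.254") or "no-strike ordering OK")
```

The check is conservative: it ignores interface and protocol on ACCEPT rules, so any ACCEPT that could match the no-strike address ahead of an all-protocol DROP is reported.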

Common Usage

# Setup Initial Environment using Configuration
sudo bw -c config/hostconfig.ini

# Export optional windows configuration
sudo bw -c config/hostconfig.ini -w autoconfig.ps1

# Add additional inbound host or ranges
sudo bw -ih 192.168.0.3,192.168.1.0/24

# Exclude a host from communication
sudo bw -eh 192.168.1.1
