Vulcan Guard is a network management tool designed to test network security and performance. It combines a rate limiter, an eBPF-based XDP (Express Data Path) packet filter, and a load balancer with multiple algorithm support to provide a working firewall solution :D.
-
Rate Limiter:
- Controls the rate of incoming traffic to prevent overwhelming the network.
- Protects against DDoS attacks and ensures fair usage of network resources.
- Supports sticky HTTP session brownlisting: If a valid request with a session ID exceeds a pseudo rate of X requests in Y seconds, the source IP will be temporarily brownlisted (ie: denied service for a set Duration).
-
eBPF-based XDP Packet Filter:
- Utilizes eBPF (Extended Berkeley Packet Filter) for high-performance packet filtering.
- Operates at the lowest point in the network stack for minimal latency.
- Customizable filtering rules to suit specific security needs.
-
Load Balancer:
-
Round Robin Algorithm:
- Distributes incoming traffic evenly across multiple servers.
- Ensures optimal resource utilization and enhances the performance and reliability of services.
-
Least Connection Algorithm:
- Selects the server with the fewest active connections to distribute incoming traffic.
- Helps optimize server load balancing by directing requests to the least loaded server.
- Supports sticky sessions to maintain client-server affinity for HTTP sessions.
-
-
IP Tracking and Analysis:
- Enhanced Security through IP Intelligence: By integrating with the https://ip-api.com/ service, we query blacklisted IP addresses in real-time, allowing us to identify the geographical origin and additional context of incoming requests. This data enables more informed security decisions, enhancing our ability to detect and respond to potential threats.
- Automated Data Logging: The queried IP information is automatically stored as a JSON file, which includes detailed metadata and a timestamp marking the moment of blacklisting. This log serves as a valuable resource for forensic analysis, auditing, and future threat mitigation, ensuring that security events are well-documented and traceable.
- Linux operating system with kernel version 4.14 or higher.
libbpflibrary installed.GCCorClangcompiler.Goversion1.22.0or higher
-
Clone the repository:
git clone https://github.com/yourusername/suboptimal-Firewall.git cd suboptimal-Firewall -
Build the project:
go build
-
Add the binary to the global scope
#If using zsh
nano ~/.zshrc
#if using bash
nano ~/.bashrcand add the path to the binary using
export PATH="$PATH:/complete_path_to_cloned_repo/Suboptimal-firewall"-
Run the firewall:
sudo Firewall
-
Stopping The firewall:
Ctrl+C
Add a list of backend servers or URLs for Loadbalancing in https://github.com/Aditya1404Sal/Suboptimal-firewall/blob/6336a34363dd23fe10c6f9a3aa0cedbd51a6c73a/main.go#L88
Modify the eBPF filtering rules in PacketFilter/pkfilter.c file according to your usage (Optional) :
SEC("xdp")
int xdp_filter(struct xdp_md *ctx) {
// Custom filtering logic
return XDP_PASS;
}To start the firewall with default settings:
sudo FirewallLogs are stored in the root / directory. Monitor the firewall status and performance:
tail -f Firewall.logWARNING: Vulcan-Guard is Underdeveloped
This project is currently NOT SUITABLE for production environments. It is intended purely for learning and educational purposes . The current version lacks extensive testing, which can lead to security vulnerabilities, performance issues, and other critical problems.
Use at Your Own Risk
The creator of this tool will not be held liable for any damages or negative outcomes resulting from its use. By using this tool, you acknowledge the potential risks and agree that the responsibility for any issues lies solely with you.
Future Development Needed
Further work is required to make this project a stable and reliable tool. Contributions and feedback are warmly welcomed to help improve its functionality and security.
I welcome contributions to improve suboptimal-Firewall. Please follow these steps to contribute:
- Fork the repository.
- Create a new branch:
git checkout -b feature-branch. - Make your changes and commit them:
git commit -m 'Add new feature'. - Push to the branch:
git push origin feature-branch. - Open a pull request.
The eBPF-based XDP Packet Filter implementation in this project is inspired by the article "Simple XDP Firewall with Golang" by Hasan Behbahani. This article provided a solid foundation upon which I built the dynamic channel-based IP management system, enabling real-time IP blacklisting and automatic unblocking of temporarily blocked IPs.