RedWall - a container-based distributed dynamic firewall with Redis backend
This repository provides the janeczku/redwall image.
RedWall (Redis Firewall) is a slim Alpine Linux based image acting as a firewall agent that manages iptables rules on a single server or a whole cluster. The port- or IP-based rules are stored centrally in a Redis database, and updates are dynamically applied to all hosts running the RedWall image.
In order to co-exist with the firewall rules created by the Docker daemon, RedWall inserts a jump rule at the top of the FORWARD chains. Traffic arriving on the public interface is processed in the `redwall-main` user chain. Traffic not matching any of the port- or IP-based rules is dropped.
- Set up a Redis instance accessible by the hosts that will run the RedWall Docker image
- Enable Redis keyspace event notifications by including `notify-keyspace-events Ks` in redis.conf or by typing `CONFIG SET notify-keyspace-events Ks` in redis-cli.
- Disable any existing firewall daemon on the hosts (e.g. UFW)
RedWall is designed to only filter traffic arriving on the specified public interface. This would normally be `eth0`. The public interface can be configured either by passing an environment variable to the RedWall Docker container or by storing it in the Redis database in the key `firewall:<security-group>:interface`.

Configure the interface name in the database:

```
redis-cli SET firewall:<security-group>:interface eth0
```

Configure the interface name locally for a server:

```
docker run --env PUBLIC_IFACE=eth1 (...)
```
Port-based rules are stored in the database as members of the set `firewall:<security-group>:services`, formatted as in the following example.

Allow public access to a Nginx instance running on port 80/443:

```
redis-cli SADD firewall:<security-group>:services http:tcp:80
redis-cli SADD firewall:<security-group>:services https:tcp:443
```
Traffic matching an IPv4 address or network entry in the `firewall:<security-group>:whitelist` set will be allowed open access to all ports on the server. Values can be plain IPv4 addresses or networks (with /mask).

Allow access to all ports for an IP address:

```
redis-cli SADD firewall:<security-group>:whitelist 126.96.36.199
```

Allow access to all ports for a network:

```
redis-cli SADD firewall:<security-group>:whitelist 188.8.131.52/24
```
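As an added example (not part of the RedWall project), the Python script below validates members of the `services` and `whitelist` sets and renders the iptables rules they imply for one security group, so a rule set can be reviewed before it is pushed to every host. The `<name>:<proto>:<port>` service format and the chain layout (jump from INPUT into `redwall-main`, whitelist first, then services, final DROP) are assumptions inferred from this README, not taken from the image.

```python
from __future__ import annotations
import ipaddress
import re

# services-set member format inferred from the README examples: <name>:<tcp|udp>:<port>
SERVICE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+):(?P<proto>tcp|udp):(?P<port>\d{1,5})$")

def parse_service(entry: str) -> tuple[str, str, int]:
    """Validate one services-set member and split it into (name, proto, port)."""
    m = SERVICE_RE.match(entry)
    if m is None:
        raise ValueError(f"malformed service entry: {entry!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in service entry: {entry!r}")
    return m["name"], m["proto"], port

def parse_whitelist(entry: str) -> str:
    """Validate one whitelist-set member (IPv4 host or network with /mask)."""
    # Host bits under the mask are cleared (188.8.131.52/24 -> 188.8.131.0/24),
    # which is how iptables matches the entry anyway; a bare address becomes a /32.
    net = ipaddress.ip_network(entry, strict=False)
    if net.version != 4:
        raise ValueError(f"only IPv4 whitelist entries are supported: {entry!r}")
    return str(net)

def render_rules(iface: str, services: set[str], whitelist: set[str],
                 allow_ssh: bool = True) -> list[str]:
    """Return iptables rule lines for the redwall-main chain. The layout (jump from
    INPUT, whitelist first, then services, final DROP) is assumed for this example."""
    rules = ["-N redwall-main", f"-A INPUT -i {iface} -j redwall-main"]
    for entry in sorted(whitelist):  # whitelisted sources reach all ports
        rules.append(f"-A redwall-main -s {parse_whitelist(entry)} -j ACCEPT")
    if allow_ssh:  # SSH stays reachable unless explicitly switched off
        rules.append("-A redwall-main -p tcp --dport 22 -j ACCEPT")
    for entry in sorted(services):
        name, proto, port = parse_service(entry)
        rules.append(f"-A redwall-main -p {proto} --dport {port} "
                     f"-m comment --comment {name} -j ACCEPT")
    rules.append("-A redwall-main -j DROP")  # everything else on the public interface
    return rules

if __name__ == "__main__":  # constructed sample data mirroring the README examples
    for line in render_rules("eth0", {"http:tcp:80", "https:tcp:443"},
                             {"126.96.36.199", "188.8.131.52/24"}):
        print(line)
```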
Running the RedWall image
```
docker run -d --name redwall \
  --cap-add=NET_ADMIN --net=host \
  --env REDIS_HOST=*REPLACE_WITH_REDIS_IP:PORT* \
  --env PUBLIC_IFACE=eth0 \
  --restart on-failure janeczku/redwall
```

Alternatively, if your version of Docker doesn't support the `--cap-add` option:

```
docker run -d --name redwall \
  --privileged --net=host \
  --env REDIS_HOST=*REPLACE_WITH_REDIS_IP:PORT* \
  --env PUBLIC_IFACE=eth0 \
  --restart on-failure janeczku/redwall
```
Environment variables

- `REDIS_HOST`: The address of the Redis instance as IP:PORT.
- `PUBLIC_IFACE`: The name of the public interface on the server. This is the interface that will be firewalled.
- The name of the firewall security group from which rules are applied.
- The password for a password-protected Redis instance. Leave empty to disable password authentication.
- Set to `FALSE` to disable filtering of the Docker container network (FORWARD chain).
- Allow public access to SSH (port 22). Set to `FALSE` only if you know what you are doing.
- Detect and rate-limit SSH brute-force attacks. Set to `TRUE` to enable.
- Set to `TRUE` to enable the debug log (run `docker logs redwall` to inspect the log).