gandalf/secubox-openwrt
gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: Merge secubox-app-crowdsec-bouncer into cs-firewall-bouncer

Browse Source 
- Move UCI defaults script for auto-registration to cs-firewall-bouncer
- Remove redundant secubox-app-crowdsec-bouncer wrapper package
- Update luci-app-crowdsec-dashboard reference to new package name
- Increment PKG_RELEASE to 3

The defaults script handles:
- Automatic bouncer registration with CrowdSec LAPI
- Interface detection for LAN/WAN
- API key generation and UCI config update

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
CyberMind-FR 2026-01-17 06:46:09 +01:00
parent c1860b4aea
commit 4e5d5275f9
7 changed files with 6 additions and 655 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/secubox/luci-app-crowdsec-dashboard/htdocs/luci-static/resources/view/crowdsec-dashboard/bouncers.js
View File

@ -698,7 +698,7 @@ return view.extend({
E('p', { 'style': 'color: #ffc107; font-weight: bold;' },
_('⚠️ Firewall bouncer is not configured yet.')),
E('p', {},
_('Please install the secubox-app-crowdsec-bouncer package to configure the firewall bouncer.'))
_('Please install the secubox-app-cs-firewall-bouncer package to configure the firewall bouncer.'))
]),
E('div', { 'class': 'right', 'style': 'margin-top: 1em;' }, [
E('button', {

219
package/secubox/secubox-app-crowdsec-bouncer/BUILD.md
View File

@ -1,219 +0,0 @@
# Building CrowdSec Firewall Bouncer Binary
This document explains how to build the real `crowdsec-firewall-bouncer` binary package from the upstream OpenWrt feeds.
## Overview
The `secubox-app-crowdsec-bouncer` package is a lightweight wrapper that provides enhanced configuration and auto-registration. However, it depends on the actual binary package `crowdsec-firewall-bouncer` which must be built separately.
## Build Environment
- **OpenWrt SDK**: Version 24.10.5
- **Architecture**: aarch64_cortex-a72 (MOCHAbin platform)
- **Build System**: OpenWrt SDK with golang support
- **Source**: GitHub `crowdsecurity/cs-firewall-bouncer` v0.0.31
## Prerequisites
1. OpenWrt SDK set up at `secubox-tools/sdk/`
2. Feeds updated (packages feed must be available)
3. Golang build dependencies installed
## Build Process
### Step 1: Install Golang Dependencies
```bash
cd secubox-tools/sdk
./scripts/feeds install -p packages golang
```
This installs the Go compiler and build framework needed for cross-compilation.
### Step 2: Install Package from Feed
```bash
./scripts/feeds install crowdsec-firewall-bouncer
```
This creates a symlink in `package/feeds/packages/crowdsec-firewall-bouncer/` pointing to the upstream package in `feeds/packages/net/crowdsec-firewall-bouncer/`.
### Step 3: Build Package
```bash
make package/feeds/packages/crowdsec-firewall-bouncer/compile V=s -j1
```
Build options:
- `V=s`: Verbose output (useful for debugging)
- `-j1`: Single-threaded build (more stable for Go compilation)
Build time: ~50-60 seconds on a modern system
### Step 4: Locate Built Package
The IPK package is created at:
```
bin/packages/aarch64_cortex-a72/packages/crowdsec-firewall-bouncer_0.0.31-r2_aarch64_cortex-a72.ipk
```
## Package Details
### Binary Information
- **Size**: ~4.9MB (compressed IPK), ~14MB (binary)
- **Binary Path**: `/usr/bin/cs-firewall-bouncer`
- **Architecture**: ELF 64-bit LSB executable, ARM aarch64
- **Linked**: Dynamically linked with musl libc
- **Go Version**: 1.23.12
- **Stripped**: Yes (to reduce size)
### Package Contents
- Binary: `/usr/bin/cs-firewall-bouncer`
- Init Script: `/etc/init.d/crowdsec-firewall-bouncer`
- Config Template: `/etc/config/crowdsec`
## Deployment
### Upload to Router
```bash
scp bin/packages/aarch64_cortex-a72/packages/crowdsec-firewall-bouncer_0.0.31-r2_aarch64_cortex-a72.ipk root@192.168.8.191:/tmp/
```
### Install on Router
```bash
ssh root@192.168.8.191
opkg install --force-reinstall /tmp/crowdsec-firewall-bouncer_0.0.31-r2_aarch64_cortex-a72.ipk
```
Use `--force-reinstall` to upgrade existing installations.
### Verify Installation
```bash
/usr/bin/cs-firewall-bouncer --version
/etc/init.d/crowdsec-firewall-bouncer restart
cscli bouncers list
```
Expected output:
- Service running
- Active API pulls to CrowdSec LAPI
- nftables tables created (crowdsec, crowdsec6)
## Integration with SecuBox Wrapper
The `secubox-app-crowdsec-bouncer` wrapper package:
1. Depends on `+crowdsec-firewall-bouncer` (this binary package)
2. Provides enhanced UCI configuration with router-optimized defaults
3. Adds automatic API key registration via uci-defaults script
4. Configures network interfaces automatically
When installed together:
```bash
opkg install crowdsec-firewall-bouncer_*.ipk
opkg install secubox-app-crowdsec-bouncer_*.ipk
```
The wrapper will detect the binary and configure it automatically.
## Updating to Newer Versions
When upstream releases a new version:
1. Update feeds:
```bash
./scripts/feeds update packages
```
2. Check new version:
```bash
cat feeds/packages/net/crowdsec-firewall-bouncer/Makefile | grep PKG_VERSION
```
3. Rebuild:
```bash
make package/feeds/packages/crowdsec-firewall-bouncer/clean
make package/feeds/packages/crowdsec-firewall-bouncer/compile V=s -j1
```
4. Test on router before deploying to production
## Troubleshooting
### Build Fails - Golang Not Found
**Solution**: Install golang dependencies first
```bash
./scripts/feeds install -a -f golang
```
### Out of Memory During Build
**Solution**: Ensure at least 2GB RAM available or use swap
```bash
free -h # Check memory
```
### Download Timeout
**Solution**: Manually download source
```bash
cd dl/
wget https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v0.0.31 -O cs-firewall-bouncer-0.0.31.tar.gz
cd ..
make package/feeds/packages/crowdsec-firewall-bouncer/compile V=s
```
### Binary Size Too Large
This is expected - Go binaries include the runtime and dependencies. The 14MB binary is normal for a Go application with networking and nftables integration.
## Build System Details
The build process:
1. Downloads source from GitHub
2. Verifies SHA256 checksum
3. Sets up Go workspace with proper GOPATH
4. Downloads Go module dependencies
5. Cross-compiles using OpenWrt toolchain
6. Injects version info via LDFLAGS
7. Strips binary symbols
8. Creates IPK package with control files
Go build flags:
```makefile
GO_PKG_LDFLAGS_X:=
github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Version=v0.0.31
github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.BuildDate=<timestamp>
github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.Tag=openwrt-0.0.31-2
github.com/crowdsecurity/cs-firewall-bouncer/pkg/version.GoVersion=1.23.12
```
## CI/CD Integration
For GitHub Actions or automated builds:
```yaml
- name: Build CrowdSec Firewall Bouncer
run: |
cd secubox-tools/sdk
./scripts/feeds install -p packages golang
./scripts/feeds install crowdsec-firewall-bouncer
make package/feeds/packages/crowdsec-firewall-bouncer/compile V=s -j$(nproc)
- name: Upload Package
uses: actions/upload-artifact@v3
with:
name: crowdsec-firewall-bouncer
path: bin/packages/aarch64_cortex-a72/packages/crowdsec-firewall-bouncer_*.ipk
```
## Version History
- **0.0.31-r2** (2026-01-06): First build with OpenWrt SDK, Go 1.23.12
- Built from upstream: `https://github.com/crowdsecurity/cs-firewall-bouncer/releases/tag/v0.0.31`
## References
- Upstream Package: `secubox-tools/sdk/feeds/packages/net/crowdsec-firewall-bouncer/`
- OpenWrt Golang Framework: `feeds/packages/lang/golang/golang-package.mk`
- CrowdSec Documentation: https://docs.crowdsec.net/
- Firewall Bouncer Repo: https://github.com/crowdsecurity/cs-firewall-bouncer

43
package/secubox/secubox-app-crowdsec-bouncer/Makefile
View File

@ -1,43 +0,0 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=secubox-app-crowdsec-bouncer
PKG_VERSION:=0.0.32
PKG_RELEASE:=1
PKG_ARCH:=all
PKG_MAINTAINER:=CyberMind Studio <contact@cybermind.fr>
PKG_LICENSE:=MIT
include $(INCLUDE_DIR)/package.mk
define Package/secubox-app-crowdsec-bouncer
SECTION:=net
CATEGORY:=Network
PKGARCH:=all
SUBMENU:=SecuBox Apps
TITLE:=SecuBox CrowdSec Firewall Bouncer wrapper
DEPENDS:=+uci +libuci +secubox-app-cs-firewall-bouncer +crowdsec +nftables
endef
define Package/secubox-app-crowdsec-bouncer/description
Enhanced wrapper for CrowdSec Firewall Bouncer with automatic configuration
and registration for SecuBox-powered OpenWrt routers. Provides nftables-based
IP blocking from CrowdSec decisions with automatic API key management and
interface detection.
endef
define Package/secubox-app-crowdsec-bouncer/conffiles
/etc/config/crowdsec
endef
define Build/Compile
endef
define Package/secubox-app-crowdsec-bouncer/install
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/crowdsec-bouncer.config $(1)/etc/config/crowdsec-bouncer
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) ./files/crowdsec-bouncer.defaults $(1)/etc/uci-defaults/99_crowdsec-bouncer
endef
$(eval $(call BuildPackage,secubox-app-crowdsec-bouncer))

369
package/secubox/secubox-app-crowdsec-bouncer/README.md
View File

@ -1,369 +0,0 @@
# SecuBox CrowdSec Firewall Bouncer
Enhanced wrapper package for CrowdSec Firewall Bouncer with automatic configuration and registration for SecuBox-powered OpenWrt routers.
## Overview
The CrowdSec Firewall Bouncer is a component that blocks malicious IP addresses detected by CrowdSec using nftables firewall rules. This package wraps the upstream `crowdsec-firewall-bouncer` with SecuBox-specific enhancements:
- **Automatic API key registration** with CrowdSec LAPI
- **Interface auto-detection** for LAN/WAN
- **Pre-configured defaults** optimized for routers
- **UCI configuration** for easy management via LuCI
- **Seamless integration** with SecuBox CrowdSec dashboard
## Features
- **nftables-based blocking**: Uses modern nftables instead of legacy iptables
- **IPv4 and IPv6 support**: Blocks threats on both protocol versions
- **Real-time updates**: Polls CrowdSec LAPI for new decisions (default: 10s)
- **Flexible filtering**: Configure INPUT and FORWARD chain filtering
- **Logging support**: Optional logging of blocked connections
- **Multiple deny actions**: drop, reject, or tarpit malicious traffic
- **Interface-based filtering**: Specify which interfaces to protect
## Requirements
- `crowdsec` - CrowdSec detection engine (must be installed and running)
- `crowdsec-firewall-bouncer` - Upstream firewall bouncer binary
- `nftables` - Modern Linux firewall
- Working CrowdSec Local API (LAPI) on port 8080
## Installation
### Via opkg
```bash
opkg update
opkg install secubox-app-crowdsec-bouncer
```
### From Source
```bash
./secubox-tools/local-build.sh build secubox-app-crowdsec-bouncer
opkg install /path/to/secubox-app-crowdsec-bouncer_*.ipk
```
## Initial Configuration
The package automatically configures itself on first install via the UCI defaults script:
1. **Merges configuration** into `/etc/config/crowdsec`
2. **Detects network interfaces** (LAN/WAN)
3. **Registers bouncer** with CrowdSec LAPI
4. **Generates API key** and stores in UCI
5. **Loads nftables modules**
After installation, you need to:
```bash
# Enable the bouncer
uci set crowdsec.bouncer.enabled='1'
uci commit crowdsec
# Start the service
/etc/init.d/crowdsec-firewall-bouncer enable
/etc/init.d/crowdsec-firewall-bouncer start
```
## Configuration
All configuration is done via UCI at `/etc/config/crowdsec` in the `bouncer` section:
```uci
config bouncer
option enabled '1' # Enable/disable bouncer
option ipv4 '1' # Enable IPv4 filtering
option ipv6 '1' # Enable IPv6 filtering
option api_url 'http://127.0.0.1:8080/' # CrowdSec LAPI URL
option api_key '<generated>' # API key (auto-generated)
option update_frequency '10s' # How often to poll for decisions
option priority '4' # nftables hook priority
option deny_action 'drop' # Action: drop|reject|tarpit
option deny_log '1' # Log blocked connections
option log_prefix 'CrowdSec: ' # Kernel log prefix
option log_level 'info' # Log level
option filter_input '1' # Filter INPUT chain
option filter_forward '1' # Filter FORWARD chain
option chain_name 'crowdsec-chain' # IPv4 chain name
option chain6_name 'crowdsec6-chain' # IPv6 chain name
option retry_initial_connect '1' # Retry if LAPI unavailable
list interface 'br-lan' # Interfaces to filter
list interface 'eth1'
```
### Common Configuration Tasks
#### Change Update Frequency
```bash
uci set crowdsec.bouncer.update_frequency='30s'
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
#### Add/Remove Protected Interfaces
```bash
# Add interface
uci add_list crowdsec.bouncer.interface='wlan0'
# Remove specific interface
uci del_list crowdsec.bouncer.interface='eth1'
# Commit and restart
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
#### Change Deny Action
```bash
# Options: drop (silent), reject (send ICMP), tarpit (slow response)
uci set crowdsec.bouncer.deny_action='reject'
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
#### Enable/Disable Logging
```bash
uci set crowdsec.bouncer.deny_log='1' # Enable
uci set crowdsec.bouncer.deny_log='0' # Disable
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
## Manual Bouncer Registration
If automatic registration fails, register manually:
```bash
# Register bouncer and get API key
API_KEY=$(cscli bouncers add crowdsec-firewall-bouncer -o raw)
# Set in UCI
uci set crowdsec.bouncer.api_key="$API_KEY"
uci commit crowdsec
# Restart bouncer
/etc/init.d/crowdsec-firewall-bouncer restart
```
## Verification
### Check Bouncer Status
```bash
# Service status
/etc/init.d/crowdsec-firewall-bouncer status
# Check if running
ps | grep cs-firewall-bouncer
# Check bouncer registration
cscli bouncers list
```
### Check nftables Rules
```bash
# IPv4 table
nft list table ip crowdsec
# IPv6 table
nft list table ip6 crowdsec6
# Check blacklist set
nft list set ip crowdsec crowdsec-blacklists
```
### Verify Blocking
```bash
# Add a test decision
cscli decisions add --ip 1.2.3.4 --duration 4h --reason "Test block"
# Check if IP is in blacklist
nft list set ip crowdsec crowdsec-blacklists | grep 1.2.3.4
# Delete test decision
cscli decisions delete --ip 1.2.3.4
```
### Check Logs
```bash
# Service logs
logread | grep crowdsec-firewall-bouncer
# Kernel logs for blocked packets (if deny_log=1)
dmesg | grep CrowdSec
# Check bouncer log file
tail -f /var/log/crowdsec-firewall-bouncer.log
```
## How It Works
1. **Startup**:
- Reads UCI configuration from `/etc/config/crowdsec`
- Generates YAML config at `/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml`
- Creates nftables tables (`crowdsec`, `crowdsec6`)
- Creates nftables sets for blacklists
- Adds filter chains to INPUT/FORWARD hooks
2. **Runtime**:
- Polls CrowdSec LAPI every `update_frequency` seconds
- Fetches active ban decisions
- Updates nftables sets with banned IPs
- Sets timeout based on decision duration
- Automatically removes expired bans
3. **Shutdown**:
- Deletes nftables tables and chains
- Removes YAML config
- Cleans up resources
## Integration with CrowdSec Dashboard
The SecuBox CrowdSec dashboard (`luci-app-crowdsec-dashboard`) automatically detects the bouncer:
- **Detection**: Checks for `cs-firewall-bouncer` process
- **Display**: Shows bouncer status in Overview page
- **Decisions**: Shows blocked IPs and applies them via bouncer
Access the dashboard at: **System → CrowdSec → Overview**
## Troubleshooting
### Bouncer Not Starting
**Check CrowdSec is running**:
```bash
/etc/init.d/crowdsec status
cscli lapi status
```
**Check nftables is available**:
```bash
nft list tables
modprobe nf_tables
```
**Check API key is set**:
```bash
uci get crowdsec.bouncer.api_key
```
### No IPs Being Blocked
**Check for active decisions**:
```bash
cscli decisions list
```
**Check nftables sets**:
```bash
nft list set ip crowdsec crowdsec-blacklists
```
**Check bouncer can reach LAPI**:
```bash
# From bouncer log
logread | grep "connection refused\|timeout"
```
### Interface Not Filtered
**Check interface list**:
```bash
uci show crowdsec.bouncer.interface
```
**Verify interface exists**:
```bash
ip link show
```
**Check nftables rules reference correct interface**:
```bash
nft list chain ip crowdsec crowdsec-chain-input
```
### High CPU Usage
**Reduce update frequency**:
```bash
uci set crowdsec.bouncer.update_frequency='30s'
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
**Disable logging**:
```bash
uci set crowdsec.bouncer.deny_log='0'
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
## Advanced Configuration
### Using Remote LAPI
To connect to a remote CrowdSec LAPI:
```bash
# Set remote LAPI URL
uci set crowdsec.bouncer.api_url='https://crowdsec-lapi.example.com:8080/'
# Register bouncer on remote server
ssh remote-server "cscli bouncers add router-bouncer"
# Copy API key and set locally
uci set crowdsec.bouncer.api_key='<remote-api-key>'
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
### Custom Chain Priority
Higher priority = earlier in filter chain:
```bash
# Default is 4 (before normal filter rules)
uci set crowdsec.bouncer.priority='10'
uci commit crowdsec
/etc/init.d/crowdsec-firewall-bouncer restart
```
### Prometheus Metrics
The bouncer can expose Prometheus metrics (requires recompilation with metrics enabled).
## Files
- `/etc/config/crowdsec` - UCI configuration
- `/etc/init.d/crowdsec-firewall-bouncer` - Init script (from upstream)
- `/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml` - Generated YAML config
- `/var/log/crowdsec-firewall-bouncer.log` - Bouncer log file
- `/usr/bin/cs-firewall-bouncer` - Bouncer binary
## Links
- [CrowdSec Documentation](https://docs.crowdsec.net/)
- [Firewall Bouncer GitHub](https://github.com/crowdsecurity/cs-firewall-bouncer)
- [nftables Documentation](https://wiki.nftables.org/)
- [SecuBox Project](https://secubox.com)
## License
MIT License - See upstream package for details
## Support
For issues related to:
- **SecuBox integration**: Open issue on SecuBox GitHub
- **Bouncer functionality**: Refer to [cs-firewall-bouncer issues](https://github.com/crowdsecurity/cs-firewall-bouncer/issues)
- **CrowdSec core**: Refer to [CrowdSec documentation](https://docs.crowdsec.net/)

22
package/secubox/secubox-app-crowdsec-bouncer/files/crowdsec-bouncer.config
View File

@ -1,22 +0,0 @@
config bouncer
option enabled '0'
option ipv4 '1'
option ipv6 '1'
option api_url 'http://127.0.0.1:8080/'
option api_key ''
option update_frequency '10s'
option priority '4'
option deny_action 'drop'
option deny_log '1'
option log_prefix 'CrowdSec: '
option log_level 'info'
option log_max_size '100'
option log_max_backups '3'
option log_max_age '30'
option filter_input '1'
option filter_forward '1'
option chain_name 'crowdsec-chain'
option chain6_name 'crowdsec6-chain'
option retry_initial_connect '1'
list interface 'br-lan'
list interface 'eth1'

6
package/secubox/secubox-app-cs-firewall-bouncer/Makefile
View File

@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=secubox-app-cs-firewall-bouncer
PKG_VERSION:=0.0.31
PKG_RELEASE:=2
PKG_RELEASE:=3
# Source from upstream CrowdSec
# Note: v0.0.31 is the last version compatible with Go 1.23 (OpenWrt 24.10 SDK)
@ -86,6 +86,10 @@ define Package/secubox-app-cs-firewall-bouncer/install
# Hotplug script to restart bouncer when firewall reloads
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
$(INSTALL_DATA) ./files/hotplug.d/99-crowdsec-bouncer $(1)/etc/hotplug.d/iface/99-crowdsec-bouncer
# UCI defaults script for auto-registration with CrowdSec LAPI
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) ./files/crowdsec-bouncer.defaults $(1)/etc/uci-defaults/99_crowdsec-bouncer
endef
$(eval $(call GoBinPackage,secubox-app-cs-firewall-bouncer))

0
package/secubox/secubox-app-crowdsec-bouncer/files/crowdsec-bouncer.defaults → package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-bouncer.defaults
View File