What is Bamboo Firewall?

Bamboo Firewall is an open-source software firewall that supports network segmentation, central management, and rules/policies as code. It is a host-based firewall, so policy is enforced very strictly on each host. Unlike traditional firewalls, it provides many functions for centralized policy definition, such as tags, labels, ranges, annotations...

Community

You can join the following groups or channels to discuss or ask questions about Bamboo Firewall, and to keep yourself informed of the latest Bamboo Firewall updates:

Supported client OS

| OS      | Versions          | Verified by    |
|---------|-------------------|----------------|
| Ubuntu  | Ubuntu 18.04 x64  | OK in GHTK     |
| Ubuntu  | Ubuntu 20.04 x64  | OK in GHTK     |
| Ubuntu  | Ubuntu 22.04 x64  | OK in GHTK     |
| CentOS  | CentOS 7          | Under checking |
| CentOS  | CentOS 8 Stream   | Under checking |
| CentOS  | CentOS 9 Stream   | Under checking |
| RHEL    | RHEL 7            | Under checking |
| RHEL    | RHEL 8            | Under checking |
| RHEL    | RHEL 9            | Under checking |
| Debian  | Debian 8          | Under checking |
| Debian  | Debian 9          | Under checking |
| Debian  | Debian 10         | Under checking |
| FreeBSD | FreeBSD 12.x      | Under checking |
| FreeBSD | FreeBSD 13.x      | Under checking |

Case studies

Architecture

  • etcd cluster: stores Bamboo Firewall metadata, e.g. server endpoints, network zones, policies
  • backend (be): API backend server; it provides the API used by the frontend
  • frontend (fe): provides the user interface via a web view
  • cli: command line providing a console interface for administrators
  • Agent: installed on each server; connects to the etcd cluster to apply policies
  • watcher: a job that watches events from etcd and writes them to the MongoDB database (one way)

bamboofw without agents, for quickly setting up a development environment

Install

cd demo/bamboofw_without_agent
# Get the current IP and substitute it into docker-compose.yaml with sed
IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p') \
&& sed -Ei "s|DEMO_IP|$IP|g" docker-compose.yaml \
&& docker-compose up -d
  • Log in to localhost:3000 with user admin and the default password change_me

  • Overview

  • Apply policies to endpoints
# SSH to manage-aio node and run
docker exec -it cli bash
calicoctl datastore migrate lock
calicoctl datastore migrate unlock
bash /bamboofw/demo/init.sh

How to install

  • Step 1: Install the etcd cluster

  • Step 2: Install MongoDB (stand-alone or replicated)

  • Step 3: Install the frontend, watcher and backend

  • Step 4: Install the agent on each server to which you want to apply firewall policies and rules

  • Step 5: Write rules as code, then apply them to Bamboo Firewall

  • For example, we have the 7 servers below (prepare the demo servers):

| No | HOSTNAME   | IPADDR             | INTERFACES | ROLE       | ZONE  | PROJECT | NAMESPACE  |
|----|------------|--------------------|------------|------------|-------|---------|------------|
| 1  | admin01    | 192.168.56.5       | eth1       | management | gray  | example | production |
| 2  | lb[01-02]  | 192.168.56.[11-12] | eth1       | lb         | black | example | production |
| 3  | app[01-02] | 192.168.56.[21-22] | eth1       | app        | green | example | production |
| 4  | db[01-02]  | 192.168.56.[31-32] | eth1       | db         | white | example | production |

| No | IP SRC              | PORT SRC | IP DST              | PORT DST | PROTO   | Details         |
|----|---------------------|----------|---------------------|----------|---------|-----------------|
| 1  | any                 | any      | 192.168.56.[11-12]  | 443,80   | TCP     | Public Internet |
| 2  | 192.168.56.[11-12]  | any      | 192.168.56.[21-22]  | 80,443   | TCP     | LB to APP       |
| 3  | 192.168.56.[21-22]  | any      | 192.168.56.[31-32]  | 3306     | TCP     | APP to DB       |
| 4  | all-example-servers | any      | any                 | 123,53   | UDP/TCP | DNS and NTP     |
| 5  | 192.168.56.5        | any      | all-example-servers | any      | UDP/TCP | Management      |
  • Folder structure for storing the rules:
.
├── gnp
│   ├── app-example.yaml
│   ├── basic-example.yaml
│   ├── db-example.yaml
│   └── lb-example.yaml
├── gns
│   ├── black.yaml
│   ├── gray.yaml
│   ├── green.yaml
│   └── white.yaml
├── hep
│   ├── 192.168.56.11-eth1.yaml
│   ├── 192.168.56.12-eth1.yaml
│   ├── 192.168.56.21-eth1.yaml
│   ├── 192.168.56.22-eth1.yaml
│   ├── 192.168.56.31-eth1.yaml
│   ├── 192.168.56.32-eth1.yaml
│   └── 192.168.56.5-eth1.yaml
  • Detailed HostEndpoint example
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: 192.168.56.5
  labels:
    role: management
    zone: gray
    namespace: production
    project: example
    ip: 192.168.56.5
spec:
  node: manage-aio
  interfaceName: eth1
  expectedIPs: ["192.168.56.5"]
  • Detailed GlobalNetworkSet example
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: black
  labels:
    zone: black
    name: black
spec:
  nets:
    - 192.168.56.11/32
    - 192.168.56.12/32
  • Detailed GlobalNetworkPolicy example
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: 'app-example'
spec:
  selector: ((role == 'app') && (project == 'example'))
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: ((role == 'lb') && (project == 'example'))
      destination:
        ports: [80,443]
  egress:
    - action: Allow
      protocol: TCP
      destination:
        selector: ((role == 'db') && (project == 'example'))
        ports: [3306]
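Added example (not part of the Bamboo Firewall project or the demo files): a small Python check that expands the app-example GlobalNetworkPolicy above over the demo HostEndpoint labels into the concrete flows it allows, so the rules-as-code can be compared with the rule table before `init.sh` applies them. The inventory and policy dicts are transcribed from the tables and YAML above; the selector evaluator covers only the `==`/`!=`, `&&` and `||` subset that the demo files use.

```python
import re

# Constructed host inventory mirroring the demo table (all on eth1, project "example").
HEPS = {ip: {"role": role, "zone": zone, "project": "example"} for ip, role, zone in [
    ("192.168.56.5", "management", "gray"), ("192.168.56.11", "lb", "black"),
    ("192.168.56.12", "lb", "black"), ("192.168.56.21", "app", "green"),
    ("192.168.56.22", "app", "green"), ("192.168.56.31", "db", "white"),
    ("192.168.56.32", "db", "white")]}

# The demo's app-example GlobalNetworkPolicy spec, transcribed into a dict.
APP_POLICY = {"spec": {
    "selector": "((role == 'app') && (project == 'example'))",
    "ingress": [{"action": "Allow", "protocol": "TCP",
                 "source": {"selector": "((role == 'lb') && (project == 'example'))"},
                 "destination": {"ports": [80, 443]}}],
    "egress": [{"action": "Allow", "protocol": "TCP",
                "destination": {"selector": "((role == 'db') && (project == 'example'))",
                                "ports": [3306]}}]}}

TERM = re.compile(r"(\w+)\s*(==|!=)\s*'([^']*)'")

def matches(selector, labels):
    """Subset of Calico's selector grammar: key == 'v' / key != 'v' terms joined by
    && (binds tighter) and ||. A missing label never satisfies == and always satisfies !=."""
    def term_ok(term):
        m = TERM.search(term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        key, op, value = m.groups()
        return (labels.get(key) == value) if op == "==" else (labels.get(key) != value)
    return any(all(term_ok(t) for t in conj.split("&&")) for conj in selector.split("||"))

def allowed_flows(policy, heps):
    """Expand a policy's Allow rules into concrete (src_ip, dst_ip, proto, port) tuples."""
    spec = policy["spec"]
    owners = [ip for ip, lbl in heps.items() if matches(spec["selector"], lbl)]
    flows = set()
    for direction in ("ingress", "egress"):
        peer_key = "source" if direction == "ingress" else "destination"
        for rule in spec.get(direction, []):
            if rule.get("action") != "Allow":
                continue
            peers = [ip for ip, lbl in heps.items() if matches(rule[peer_key]["selector"], lbl)]
            for owner in owners:
                for peer in peers:
                    src, dst = (peer, owner) if direction == "ingress" else (owner, peer)
                    for port in rule["destination"]["ports"]:
                        flows.add((src, dst, rule["protocol"], port))
    return flows
```

For the demo inventory the policy expands to exactly the 12 flows described by rules 2 and 3 of the table (LB to APP on 80/443, APP to DB on 3306), and the management host 192.168.56.5 appears in none of them, which is what makes rule 5 a separate policy.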
  • Deploy the manage node
cd demo/playbook
ansible-playbook site.yml -l manage_aio -t manage_aio
  • Check the manage AIO node deployment
root@manage-aio:~# docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED          STATUS          PORTS                                                                          NAMES
ce932a04246c   bamboofirewall/fe:v0.0.1        "docker-entrypoint.s…"   37 minutes ago   Up 37 minutes   0.0.0.0:3000->3000/tcp, :::3000->3000/tcp                                      fe
b5bd83d4ffa7   bamboofirewall/be:v0.0.1        "/app/calicobe"          37 minutes ago   Up 37 minutes   0.0.0.0:9091->9091/tcp, :::9091->9091/tcp                                      be
d4a79197e15c   bamboofirewall/watcher:v0.0.2   "/app/watcher"           37 minutes ago   Up 37 minutes                                                                                  watcher
f2ff45a711aa   bamboofirewall/cli:v0.0.1       "tail -f /dev/null"      37 minutes ago   Up 37 minutes                                                                                  cli
7d4e609807a4   mongo:6.0-jammy                 "docker-entrypoint.s…"   37 minutes ago   Up 37 minutes   27017/tcp                                                                      mongodb
0cb0005c33d7   quay.io/coreos/etcd:v3.5.9      "/usr/local/bin/etcd…"   37 minutes ago   Up 37 minutes   2379-2380/tcp, 0.0.0.0:2383-2384->2383-2384/tcp, :::2383-2384->2383-2384/tcp   etcd3
2037b456b535   quay.io/coreos/etcd:v3.5.9      "/usr/local/bin/etcd…"   37 minutes ago   Up 37 minutes   2379-2380/tcp, 0.0.0.0:2381-2382->2381-2382/tcp, :::2381-2382->2381-2382/tcp   etcd2
165da3f19ed8   quay.io/coreos/etcd:v3.5.9      "/usr/local/bin/etcd…"   37 minutes ago   Up 37 minutes   0.0.0.0:2379-2380->2379-2380/tcp, :::2379-2380->2379-2380/tcp                  etcd1
root@manage-aio:~# 
  • Deploy the clients (agents)
cd demo/playbook
ansible-playbook site.yml -l bamboogw_agent
  • Apply policies to endpoints
# SSH to manage-aio node and run
docker exec -it cli bash
calicoctl datastore migrate lock
calicoctl datastore migrate unlock
bash /bamboofw/demo/init.sh
  • Check the HostEndpoints, GlobalNetworkSets and policies
calicoctl get hep
calicoctl get gns
calicoctl get gnp
  • And view them in the web UI: Overview

GNP

HEP

GNS

Resources used

Development roadmap

  • Support multiple OSes

  • Define policy on GUI

  • View policy between servers/groups as a diagram

About us

License

Bamboo Firewall is under the Apache 2.0 license. See the LICENSE file for details.