rfw tutorial - remote firewall with REST API


rfw is a RESTful server that applies iptables rules to block or allow IP addresses on request from a remote client. rfw maintains a list of blocked IP addresses that can be updated on the fly from many sources.

rfw is an open source project developed by SecurityKISS. See the rfw source and description on GitHub.


This tutorial shows how to install and deploy rfw in the following setup example:

In this use case we administer two web servers in different locations: Toronto with IP and Berlin with IP. We also have an IP reputation server that collects data from various sources such as IP geolocation databases, IP blocklist services, and spam and botnet honeypots. The purpose of the IP reputation server is to proactively prevent attacks and abuse on the two web servers.

We want the IP reputation server to be able to block, on the fly, selected IP addresses or subnets that are a common source of abuse.

To do this we deploy rfw on the two web servers, and the IP reputation server acts as a client. The rfw server exposes an SSL-secured REST API for the iptables firewall, while the client can use any HTTP utility such as curl. As an administrator we also want to make ad hoc firewall modifications from a laptop.


Install rfw on the web servers and on the admin laptop:

pip install rfw

You can also install rfw from the tarball in the standard way:

python setup.py install

On the trusted machine (read: admin laptop) generate the necessary keys and certificates:

cd /etc/rfw/deploy/

For a detailed description see the rfwgen README.

Copy the rfw server keys to the corresponding machines:

scp /etc/rfw/deploy/server_11.11.11.11/server.key root@
scp /etc/rfw/deploy/server_11.11.11.11/server.crt root@
scp /etc/rfw/deploy/server_22.22.22.22/server.key root@
scp /etc/rfw/deploy/server_22.22.22.22/server.crt root@

Copy the CA certificate to the clients:

scp /etc/rfw/deploy/client/ca.crt user@
cp /etc/rfw/deploy/client/ca.crt /home/me/ca.crt # assuming we are on admin laptop

Edit /etc/rfw/rfw.conf on and to configure rfw servers. Make sure that the following options are configured:

outward.server.certfile = /etc/rfw/ssl/server.crt
outward.server.keyfile = /etc/rfw/ssl/server.key
auth.username = your_username_here
auth.password = your_password_here

Edit /etc/rfw/white.list on and to whitelist clients:

Start the rfw server:

rfw &

For debugging you can start the rfw server in the foreground in verbose mode:

rfw -v


From admin laptop

Block some bad IP for 5 minutes:

curl -i --cacert /home/me/ca.crt --user your_username_here:your_password_here -XPUT

Check if the rule is present now and not present after 5 minutes:

curl -i --cacert /home/me/ca.crt --user your_username_here:your_password_here

Make the IP reputation server issue similar requests using any HTTP client or library.
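
One way the IP reputation server could build those requests with the Python standard library, as an added example that is not part of rfw or of the original tutorial. It validates each feed entry and refuses to block protected infrastructure before any request is sent, and it narrows the case to single IPv4 addresses. Assumptions: the port, the URL path layout, the expiry limit and the 192.0.2.10 address are placeholders, because the curl URL above is cut off; take the real values from the rfw README and your own setup.

```python
import base64
import ipaddress
import ssl
import urllib.request

# Assumptions: the tutorial's curl URL is cut off, so the port and path layout
# below are placeholders for whatever your rfw server actually exposes.
RFW_PORT = 7393
RULE_PATH = "/drop/input/eth0/{ip}"
MAX_EXPIRE_S = 24 * 3600  # example policy: feed-driven blocks always age out

# Addresses the feed must never be able to block. 11.11.11.11 and 22.22.22.22
# are the rfw servers from the tutorial; 192.0.2.10 is a constructed stand-in
# for the reputation server or admin laptop.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "11.11.11.11/32", "22.22.22.22/32", "192.0.2.10/32")]


def build_block_request(server, target, expire_s, user, password):
    """Validate one feed entry and return the PUT request that blocks it."""
    addr = ipaddress.IPv4Address(target)  # ValueError unless one IPv4 address
    if any(addr in net for net in PROTECTED):
        raise ValueError(f"{addr} is protected infrastructure, refusing to block")
    if not 0 < int(expire_s) <= MAX_EXPIRE_S:
        raise ValueError(f"expire {expire_s!r} outside 1..{MAX_EXPIRE_S} seconds")
    path = RULE_PATH.format(ip=addr)
    url = f"https://{server}:{RFW_PORT}{path}?expire={int(expire_s)}"
    req = urllib.request.Request(url, method="PUT")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")  # same as curl --user
    return req


def send(req, cafile="/home/me/ca.crt", timeout=10):
    """Send the request, trusting only the CA copied to this client (curl --cacert)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification stays on
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed feed entries: one valid, one protected, one malformed.
    for entry in ("203.0.113.7", "22.22.22.22", "1.2.3.999"):
        try:
            req = build_block_request("11.11.11.11", entry, 300, "user", "pw")
            print("would send:", req.get_method(), req.full_url)
        except ValueError as exc:
            print("skipped:", exc)
```

The whitelist in /etc/rfw/white.list still applies on the server; the client-side check only stops a poisoned or mistaken feed entry from ever being sent.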