Cybersecurity-Projects/PROJECTS/beginner/firewall-rule-engine
CarterPerez-dev d277d50a93 feat: sbom generator & vulnerability matcher + docstrings across 6 projects
Add bomber CLI tool (Go) — scans dependencies across Go/Node/Python
ecosystems, generates SPDX 2.3 and CycloneDX 1.5 SBOMs, and matches
against OSV/NVD vulnerability databases with policy engine for CI/CD.

Add file-level docstrings to ai-threat-detection, firewall-rule-engine,
hash-cracker, linux-cis-hardening-auditor, binary-analysis-tool, and
credential-enumeration.
2026-04-08 23:53:40 -04:00
..
learn feat: complete project firewall-rule-engine 2026-03-26 00:41:59 -04:00
src feat: sbom generator & vulnerability matcher + docstrings across 6 projects 2026-04-08 23:53:40 -04:00
testdata feat: complete project firewall-rule-engine 2026-03-26 00:41:59 -04:00
.gitignore feat: complete project firewall-rule-engine 2026-03-26 00:41:59 -04:00
Justfile feat: complete project firewall-rule-engine 2026-03-26 00:41:59 -04:00
LICENSE feat: complete project firewall-rule-engine 2026-03-26 00:41:59 -04:00
README.md Update README.md 2026-03-26 00:46:26 -04:00
install.sh feat: complete project firewall-rule-engine 2026-03-26 00:41:59 -04:00
v.mod feat: complete project firewall-rule-engine 2026-03-26 00:41:59 -04:00

README.md

██╗   ██╗███████╗██╗    ██╗██████╗ ██╗   ██╗██╗     ███████╗
██║   ██║██╔════╝██║    ██║██╔══██╗██║   ██║██║     ██╔════╝
██║   ██║█████╗  ██║ █╗ ██║██████╔╝██║   ██║██║     █████╗
╚██╗ ██╔╝██╔══╝  ██║███╗██║██╔══██╗██║   ██║██║     ██╔══╝
 ╚████╔╝ ██║     ╚███╔███╔╝██║  ██║╚██████╔╝███████╗███████╗
  ╚═══╝  ╚═╝      ╚══╝╚══╝ ╚═╝  ╚═╝ ╚═════╝ ╚══════╝╚══════╝

Cybersecurity Projects V License: AGPLv3

Firewall rule parser, conflict detector, optimizer, and hardened ruleset generator for iptables and nftables.

This is a quick overview — security theory, architecture, and full walkthroughs are in the learn modules.

What It Does

  • Parse iptables-save and nft list ruleset formats into a unified rule model
  • Detect shadowed rules, contradictions, duplicates, and redundant entries
  • Suggest optimizations: port merging, rule reordering, missing rate limits, missing conntrack
  • Generate hardened rulesets with default-deny, anti-spoofing, ICMP rate limiting, and connection tracking
  • Export rulesets between iptables and nftables formats
  • Diff two rulesets to find what changed
  • Colored terminal output with severity-coded findings

Quick Start

./install.sh
fwrule analyze /etc/iptables.rules

[!TIP] This project uses just as a command runner. Type just to see all available commands.

Install: curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin

Commands

Command Description
fwrule load <file> Parse and display a ruleset in table format
fwrule analyze <file> Run conflict detection and optimization analysis
fwrule optimize <file> Show optimization suggestions only
fwrule harden [options] Generate a hardened ruleset from scratch
fwrule export <file> -f <fmt> Convert between iptables and nftables formats
fwrule diff <file1> <file2> Compare two rulesets side by side

Harden Options

Flag Default Description
-s, --services ssh,http,https Comma-separated services to allow
-i, --iface eth0 Public-facing network interface
-f, --format iptables Output format: iptables or nftables

Examples

fwrule load testdata/iptables_basic.rules

fwrule analyze testdata/iptables_conflicts.rules

fwrule harden -s ssh,http,https,dns -f nftables

fwrule export testdata/iptables_basic.rules -f nftables

fwrule diff testdata/iptables_basic.rules testdata/nftables_basic.rules

Learn

This project includes step-by-step learning materials covering security theory, architecture, and implementation.

Module Topic
00 - Overview Prerequisites and quick start
01 - Concepts Firewall theory, netfilter, and real-world breaches
02 - Architecture System design, module layout, and data flow
03 - Implementation Code walkthrough with file references
04 - Challenges Extension ideas and exercises

License

AGPL 3.0