Tell me how you are using FW-GUI! File a Usage Report
The FW-GUI project is not affiliated with VyOS in any way. It is a wholly separate project to build a community tool that helps to visually build and manage firewall specific configurations for VyOS firewalls. This project is not owned by VyOS.io, or Sentrium S.L., nor does it seek to appear to be an official project, product or partner of the aforementioned.
VyOS Release | FW-GUI Testing | FW-GUI Support (no SLA) |
---|---|---|
VyOS 1.3.x Equuleus | Untested | No support (do not open issues) |
VyOS 1.4.x Sagiitta | Designed for and heavily tested. | Open GitHub issues for all errors. Functionality issues will be prioritized. |
VyOS 1.5.x Circinus (rolling release) |
Minimal testing but no known issues. | Open GitHub issues for all errors. Some issues may be deprioritized as feature requests for future support. |
VyOS Stream | TBD (waiting for release) |
The web-based FW-GUI allows the user to visually:
- Create and manage group objects
- Create and manage firewall chains
- Create and manage filters of chains
- Create and manage flowtables
- Support for managing multiple firewall configurations
- Create and compare (diff) snapshots of firewall configurations
- Push the created policy configurations to the firewall(s) via SSH connectivity from the web interface
- Import/export a JSON file of the fw-gui configuration for backup and to move between instances of the GUI
(Only manages configurations under 'set firewall' in the command line syntax.)
Source Code | https://github.com/ibehren1/fw-gui | |
Docker Hub | https://hub.docker.com/repository/docker/ibehren1/fw-gui/general | |
Working Demo | https://fw-gui.com |
Deploy via Docker on a server/VM that will be used to manage multiple VyOS Firewall instances. Use Nginx Proxy Manager (also via Docker) on the same host to provide LetsEncrypt TLS encrytion between client (web browser) and FW-GUI. Recommend adding proxy_read_timeout 30m;
as a custom Nginx configuration.
See Deployment section below for configuration commands.
When deployed behind HAProxy (VyOS load-balancing reverse-proxy) timeouts can prevent diffs and commits for firewalls with large configurations. Issue is not obeserved connecting directly to app when hosted in Docker or behind Nginx proxy.
Resolution: TBD
Connections to the firewall are made using the Napalm-VyOS library via SSH. Napalm for VyOS only allows merging configurations (changes with existing) and does not allow for replacing configuriations (new replacing existing). As such, by default, if you remove an item from the config and push, it will not be removed from the firewall as the configs are merged. To work around this, the View Diffs and Commit interface has the option to preface the firewall configuration with a 'delete firewall' command. This causes the configuration to remove all firewall configuration and then add the specified configuration settings so that the net configuration is a replacement of the existing configuration. You will NOT want to use this feature unless you are managing ALL firewall configurations via the GUI.
There is no initial username and password. After starting the application, use the "Register as a new user" link to create your username and password. Once you have registered your user(s), you can disable user registration by updating the environment variable in Docker configuration to DISABLE_REGISTRATION=True
. Doing this will remove the link to the registration page and stop any POSTS to the route /user_registration from being processed. This can be reenabled anytime you need to setup users.
Future releases may include administration and user management features.
You can provide an Amazon S3 bucket name and user credentials as environment variables to enable offsite storage of backups in the S3 bucket. Backups are created in the Admin Settings page. Backups are always kept locally and uploaded if the S3 settings are provided. Only Amazon S3 is supported.
Access to the backup files is not provided via the web interface as it contains configurations of all users. Access to the backup is on the Docker host in the FW-GUI volume or via the S3 bucket (if configured).
FW-GUI v1.4.0+ uses a separate MongoDB database to store configurations. If you first deployed with a version lower than 1.4.0, you will need to update your deployment to connect to either an external MongoDB database or deploy a second container to host MongoDB.
See below for updated Docker Compose configuration settings.
+ Lines highlighted in green are the additions for v1.4.0+ to add MongoDB.
version: '3.7'
services:
fw-gui:
image: ibehren1/fw-gui:latest
container_name: fw-gui
+ depends_on:
+ - mongodb
environment:
- APP_SECRET_KEY='This is the secret key.'
- DISABLE_REGISTRATION=<True|False>
- SESSION_TIMEOUT=<number-of-minutes> # Default 120 minutes
+ - MONGODB_URI=mongodb
- BUCKET_NAME=<bucket-name>
- AWS_ACCESS_KEY_ID=<access-key>
- AWS_SECRET_ACCESS_KEY=<secret-access-key>
ports:
- 8080:8080/tcp
restart: unless-stopped
volumes:
- fwgui-data:/opt/fw-gui/data
nginx:
restart: always
image: 'jc21/nginx-proxy-manager:latest'
ports:
- '80:80'
- '81:81'
- '443:443'
environment:
DB_MYSQL_HOST: "db"
DB_MYSQL_PORT: 3306
DB_MYSQL_USER: "npm"
DB_MYSQL_PASSWORD: "npm"
DB_MYSQL_NAME: "npm"
volumes:
- nginx-data:/data
- letsencrypt:/etc/letsencrypt
db:
restart: always
image: 'jc21/mariadb-aria:latest'
environment:
MYSQL_ROOT_PASSWORD: 'npm'
MYSQL_DATABASE: 'npm'
MYSQL_USER: 'npm'
MYSQL_PASSWORD: 'npm'
volumes:
- mysql-data:/var/lib/mysql
+ mongodb:
+ container_name: mongodb
+ image: mongo:latest
+ restart: always
+ volumes:
+ - mongo-data:/data/db
+ - mongo-config:/data/configdb
volumes:
fwgui-data:
nginx-data:
mysql-data:
letsencrypt:
+ mongo-data:
+ mongo-config:
No longer recommended with additional MongoDB container needed.
version: '3.7'
services:
fw-gui:
image: ibehren1/fw-gui:latest
container_name: fw-gui
depends_on:
- mongodb
environment:
- APP_SECRET_KEY='This is the secret key.'
- DISABLE_REGISTRATION=False
- SESSION_TIMEOUT=120
- MONGODB_URI=mongodb
- BUCKET_NAME=
- AWS_ACCESS_KEY_ID=
- AWS_SECRET_ACCESS_KEY=
ports:
- 8080:8080/tcp
restart: unless-stopped
volumes:
- data:/opt/fw-gui/data
mongodb:
container_name: mongodb
image: mongo:latest
restart: always
volumes:
- mongo-data:/data/db
- mongo-config:/data/configdb
volumes:
data:
mongo-data:
mongo-config: