Technical Specifications
Firewall State Machine & Engine Hierarchy
CLI commands operate on a strict "Single Source of Truth" model. They securely write to local persistence files (/etc/syswarden/*.txt), universally purge memory conflicts, and trigger the orchestrator to completely rebuild the firewall safely across all OS backends.
Nftables Ingress Hook (L2/L3)
Leverages the ingress hook on the netdev family for hardware-level drops before conntrack allocation (Zero-CPU). Dynamically falls back to the inet family for stateful filtering on kernels lacking netdev support.
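As an added illustration of the hook selection described above (not SysWarden's own code), this POSIX shell script renders a blocklist ruleset for the netdev ingress hook and falls back to the inet family when the kernel rejects it; the table, set and chain names are assumptions.

```shell
#!/bin/sh
# Added example, not SysWarden's own code. Renders an nft blocklist ruleset for the
# netdev ingress hook and, for kernels without netdev support, an inet fallback.
# The table/set/chain names are assumptions; the hook selection logic is the point.

# $1 = family (netdev|inet), $2 = interface (used by the netdev variant only).
render_blocklist_ruleset() {
    family=$1; iface=${2:-eth0}
    if [ "$family" = netdev ]; then
        cat <<EOF
table netdev syswarden_edge {
    set blocklist { type ipv4_addr; flags interval; auto-merge; }
    chain ingress {
        # ingress runs before conntrack allocates any state for the packet
        type filter hook ingress device "$iface" priority -500; policy accept;
        ip saddr @blocklist counter drop
    }
}
EOF
    else
        cat <<EOF
table inet syswarden_edge {
    set blocklist { type ipv4_addr; flags interval; auto-merge; }
    chain input {
        # inet fallback: dropped at the input hook, i.e. after conntrack has run
        type filter hook input priority -10; policy accept;
        ip saddr @blocklist counter drop
    }
}
EOF
    fi
}

# Full rebuild for interface $1 (live use only): remove any previous table, try the
# netdev ruleset for real, and load the inet ruleset if the kernel rejects it.
load_blocklist_ruleset() {
    for fam in netdev inet; do nft delete table "$fam" syswarden_edge 2>/dev/null; done
    if render_blocklist_ruleset netdev "$1" | nft -f - 2>/dev/null; then
        echo "loaded netdev ingress blocklist on $1"
    else
        render_blocklist_ruleset inet | nft -f - && echo "loaded inet fallback"
    fi
}
```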
Firewalld Persistence (RHEL)
Generates native XML files to ensure persistence across reboots. Utilizes high-priority ipset hash:ip tables to manage massive lists without impacting routing table latency.
Legacy Raw PREROUTING
For older or minimal distributions (Alpine), SysWarden injects highly optimized rules directly into the Netfilter raw table. This ensures malicious packets are dropped instantaneously before the kernel tracks them.
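An added example, not SysWarden's own code, showing the artifacts the two backends above rely on: the firewalld ipset XML (hash:ip) and the raw-table PREROUTING rule; set and zone names are assumptions.

```shell
#!/bin/sh
# Added example, not SysWarden's code: the two non-nft backends described above.
# render_firewalld_ipset produces the XML firewalld reads from /etc/firewalld/ipsets/,
# raw_drop_rule gives the legacy raw-table rule. Set and zone names are assumptions.

# $1 = set name, remaining args = IPv4 addresses. Entries come from threat feeds,
# so anything that is not a plain dotted address is skipped rather than written
# into the XML.
render_firewalld_ipset() {
    name=$1; shift
    printf '<?xml version="1.0" encoding="utf-8"?>\n<ipset type="hash:ip">\n'
    printf '  <short>%s</short>\n  <option name="maxelem" value="1000000"/>\n' "$name"
    for ip in "$@"; do
        case "$ip" in
            *[!0-9.]*|"") echo "skipping non-IPv4 entry: $ip" >&2; continue ;;
        esac
        printf '  <entry>%s</entry>\n' "$ip"
    done
    printf '</ipset>\n'
}

# RHEL (live use only): write the file, bind the set to the drop zone, reload.
install_firewalld_ipset() {
    render_firewalld_ipset "$@" > "/etc/firewalld/ipsets/$1.xml"
    firewall-cmd --permanent --zone=drop --add-source="ipset:$1" >/dev/null
    firewall-cmd --reload
}

# Alpine / minimal hosts: drop in the raw table, before conntrack allocates state.
raw_drop_rule() {
    printf 'iptables -t raw -I PREROUTING -m set --match-set %s src -j DROP\n' "$1"
}
```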
Hermetic Docker Isolation & Stateful Bypass
Docker natively bypasses standard firewall rules by manipulating iptables. SysWarden securely intercepts this behavior.
It automatically secures exposed containers by injecting specialized enforcement rules directly into the DOCKER-USER chain. Furthermore, a strict Priority 0 ESTABLISHED,RELATED bypass ensures outbound traffic (like S3 uploads) never times out, guaranteeing that containers are shielded from global threats without breaking internal bridge networking.
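The DOCKER-USER treatment above as an added example (not SysWarden's code): the ESTABLISHED,RELATED bypass sits at position 1, the blocklist drop follows, and the apply step is idempotent; the ipset name is an assumption.

```shell
#!/bin/sh
# Added example, not SysWarden's code: shield published containers via DOCKER-USER
# (the chain Docker leaves to the administrator) without touching reply traffic.
# The ipset name is an assumption.
BLOCKSET=${BLOCKSET:-syswarden_blocklist}

# Rules in the order they must occupy DOCKER-USER (line 1 = position 1).
# RETURN hands the packet back to Docker's own FORWARD rules, so replies for
# container-initiated flows (e.g. S3 uploads) never meet the blocklist.
docker_user_rules() {
    cat <<EOF
-m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
-m conntrack --ctstate INVALID -j DROP
-m set --match-set $BLOCKSET src -j DROP
EOF
}

# Idempotent apply: iptables -C reports whether an identical rule already exists;
# only missing rules are inserted, so re-running never duplicates anything.
# Caveat: an existing rule at the wrong position is not moved; a full rebuild
# (flush, then apply) is what guarantees ordering.
apply_docker_user_rules() {
    iptables -N DOCKER-USER 2>/dev/null || true   # harmless if Docker created it
    pos=1
    docker_user_rules | while IFS= read -r rule; do
        # $rule is intentionally unquoted: it is a trusted, space-separated spec
        iptables -C DOCKER-USER $rule 2>/dev/null || iptables -I DOCKER-USER "$pos" $rule
        pos=$((pos + 1))
    done
}

# Number of rules in the spec, for audits that compare against 'iptables -S DOCKER-USER'.
docker_user_rule_count() { docker_user_rules | grep -c -- '-j'; }
```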
Strict SSH Cloaking & Anti-Pivoting
SysWarden enforces a mathematically absolute policy for SSH. Access is exclusively restricted to the WireGuard VPN (wg0) and Loopback (lo) interfaces.
An immediate, top-priority kernel DROP rule explicitly prevents any public access, ensuring that even locally whitelisted IPs cannot bypass the VPN requirement for SSH.
Anti-Pivoting: SysWarden strictly disables TCP Forwarding (AllowTcpForwarding no) in the SSH daemon to prevent attackers from using compromised low-privilege accounts to pivot through the firewall.
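An added example, not SysWarden's own rules, of the SSH policy above: an nft chain that accepts SSH only from lo and wg0 and drops it everywhere else, plus a check of the running sshd configuration for AllowTcpForwarding; table and chain names are assumptions.

```shell
#!/bin/sh
# Added example, not SysWarden's code: SSH reachable only via wg0 and lo, plus a
# check that the live sshd configuration really has AllowTcpForwarding disabled.
# Table/chain names are assumptions; wg0 and lo are the interfaces named on the page.
SSH_PORT=${SSH_PORT:-22}

# Two rules, in order: accept from the trusted interfaces, then drop everything
# else. Because the drop is not limited to a source address, a whitelisted public
# IP still cannot reach SSH outside the VPN.
render_ssh_rules() {
    cat <<EOF
table inet syswarden_ssh {
    chain input {
        type filter hook input priority -10; policy accept;
        iifname { "lo", "wg0" } tcp dport $SSH_PORT accept
        tcp dport $SSH_PORT counter drop
    }
}
EOF
}

# Reads 'sshd -T' style output on stdin; exit 0 only if the effective value is "no".
# sshd -T prints the *effective* config, so an override in a Match block or an
# included file is caught where a grep of sshd_config would not see it.
tcp_forwarding_disabled() {
    awk 'tolower($1)=="allowtcpforwarding" { found=1; if (tolower($2)=="no") ok=1 }
         END { exit !(found && ok) }'
}

# Live check on a host (not run here):  sshd -T | tcp_forwarding_disabled
```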
Continuous Compliance & Idempotency Audit
The integrated audit engine (syswarden-audit.sh) performs surgical checks to guarantee the integrity of the defense matrix.
- Idempotency Verification: Ensures no ghost rules or uncontrolled duplicates exist post-update, guaranteeing a clean and predictable network stack.
- Log Isolation: Validates that log file permissions (600 / 640) strictly adhere to CIS Benchmarks, preventing data exfiltration by non-privileged users.
- Injector Health Check: Tests the actual presence of IP sets within the active kernel memory (via nft list sets or ipset list) rather than relying solely on static configuration files.
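An added example, not the syswarden-audit.sh script itself, of the three checks above written as shell functions over rule and set listings; the set name and log path used by the live driver are assumptions.

```shell
#!/bin/sh
# Added example, not the syswarden-audit.sh script itself: the three audit checks
# named above, written to read rule and set listings from stdin so that they can
# be exercised offline. The set name and log path in run_audit are assumptions.

# Idempotency: print any rule that occurs more than once in an 'iptables-save -c'
# dump and exit 1. Table/chain/COMMIT lines and [pkt:byte] counters are stripped
# first so only the rule specs themselves are compared.
find_duplicate_rules() {
    sed -e '/^[#*:]/d' -e '/^COMMIT$/d' -e 's/^\[[0-9]*:[0-9]*\] //' \
        | sort | uniq -d | grep . && return 1
    return 0
}

# Log isolation: the octal mode must be exactly 600 or 640 (CIS-aligned).
# Live usage: log_mode_ok "$(stat -c %a /var/log/syswarden.log)"   (GNU stat)
log_mode_ok() {
    case "$1" in 600|640) return 0 ;; *) return 1 ;; esac
}

# Injector health: is set $1 really present in the kernel? Accepts either
# 'nft list sets' output ("set NAME {") or 'ipset list -n' output (bare names).
set_loaded() {
    grep -Eq "^[[:space:]]*(set[[:space:]]+)?$1([[:space:]]+[{])?[[:space:]]*\$"
}

# Live driver (not run offline): wires the checks to the real commands.
run_audit() {
    rc=0
    iptables-save -c | find_duplicate_rules || { echo "FAIL: duplicate rules"; rc=1; }
    log_mode_ok "$(stat -c %a /var/log/syswarden.log)" || { echo "FAIL: log mode"; rc=1; }
    { nft list sets 2>/dev/null; ipset list -n 2>/dev/null; } \
        | set_loaded syswarden_blocklist || { echo "FAIL: set not in kernel"; rc=1; }
    return $rc
}
```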
Enterprise DevSecOps: SOC & Cluster Integrations
SysWarden v2.10 introduces native enterprise capabilities tailored for ISO 27001 and NIS2 compliance, ensuring your infrastructure is monitored, auditable, and highly available.
- Exclusive L7 SIEM Forwarding: Integrates natively with rsyslog and syslogd to forward strictly Layer 7 behavioral bans (Fail2ban) to your external SOC. Hardware-level drops (Layer 2/3) are explicitly filtered out to prevent index saturation and licensing bloat.
- High Availability (HA) Cluster Sync: Securely replicates threat intelligence states, VIP whitelists, and firewall configurations to a standby node via an automated, SSH-encrypted tunnel.
- Wazuh HIDS Zero-Touch Deployment: Automatically identifies the host OS, securely fetches official GPG keys, installs the agent, injects your Manager IP, and enforces high-priority bypass rules for ports 1514/1515.
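The L7-only forwarding filter above as an added example, not SysWarden's own configuration: an rsyslog fragment plus an offline line filter that makes the same decision; the SIEM host, port, file path and kernel log prefix are placeholders.

```shell
#!/bin/sh
# Added example, not SysWarden's code: the L7-only forwarding rule as an rsyslog
# fragment, plus the same decision as a filter over syslog lines on stdin so it can
# be checked offline. The SIEM host, port, file path and log prefix are placeholders.
SIEM_HOST=${SIEM_HOST:-siem.example.invalid}

# Forward Fail2ban ban events to the SOC; keep kernel packet-drop logs local.
render_rsyslog_fragment() {
    cat <<EOF
# /etc/rsyslog.d/50-syswarden-siem.conf (placeholder path)
if \$programname startswith "fail2ban" and \$msg contains " Ban " then {
    action(type="omfwd" target="$SIEM_HOST" port="6514" protocol="tcp")
    stop
}
# Layer 2/3 drops logged by the kernel never reach the SIEM index
# ("SYSWARDEN-DROP" is an assumed log prefix, not a SysWarden identifier)
if \$programname == "kernel" and \$msg contains "SYSWARDEN-DROP" then stop
EOF
}

# Offline equivalent: prints only the lines the fragment would forward.
# Expected line shape (constructed, in the form the Fail2ban SYSLOG target emits):
#   Mar  3 10:00:00 host fail2ban.actions[812]: NOTICE [sshd] Ban 203.0.113.9
# "Unban" lines do not match because the pattern requires "] Ban ".
siem_filter() {
    grep -E ' fail2ban[^ ]*\[[0-9]+\]: .*\] Ban [0-9A-Fa-f.:]+'
}

# Number of forwardable events in a log excerpt on stdin.
count_forwardable() { siem_filter | grep -c ''; }
```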
The 51 Dynamic Layer 7 Jails
SysWarden orchestrates exactly 51 Fail2ban jails dynamically, based on the active services detected on your node. These jails monitor application logs to catch advanced evasion techniques, enforcing a strict zero-trust policy. Bans are handled by Fail2ban and reported to AbuseIPDB.
Web Scanners & AI Bots
- 1. nginx/apache-scanner
- 2. syswarden-apimapper
- 3. syswarden-secretshunter
- 4. syswarden-aibots
- 5. syswarden-silent-scanner
- 6. syswarden-badbots
Web Exploits & L7 DDoS
- 7. syswarden-sqli-xss
- 8. syswarden-lfi-advanced
- 9. syswarden-ssrf
- 10. syswarden-jndi-ssti
- 11. syswarden-webshell
- 12. syswarden-revshell
- 13. syswarden-httpflood
- 14. syswarden-idor-enum
Auth & CMS (Brute-Force)
- 15. nginx/apache-auth
- 16. syswarden-generic-auth
- 17. wordpress-auth
- 18. drupal-auth
- 19. nextcloud
- 20. phpmyadmin-custom
- 21. laravel-auth
- 22. syswarden-sso
- 23. syswarden-odoo
- 24. syswarden-prestashop
- 25. syswarden-atlassian
Databases & DevOps
- 26. mariadb-auth
- 27. mongodb-guard
- 28. syswarden-redis
- 29. syswarden-rabbitmq
- 30. proxmox-custom
- 31. grafana-auth
- 32. zabbix-auth
- 33. gitea-custom
- 34. cockpit-custom
- 35. syswarden-vaultwarden
- 36. syswarden-jenkins
- 37. syswarden-gitlab
Network, VPN & Proxy
- 38. syswarden-portscan
- 39. syswarden-proxy-abuse
- 40. squid-custom
- 41. haproxy-guard
- 42. wireguard
- 43. openvpn-custom
- 44. asterisk
- 45. syswarden-telnet (IoT Botnets)
System, Mail & Persistence
- 46. sshd
- 47. syswarden-privesc (PAM/Su)
- 48. syswarden-auditd
- 49. vsftpd
- 50. postfix/dovecot/sendmail
- 51. syswarden-recidive (Global Persistent Ban)