[PR #2409] [CLOSED] Add application-level firewall with IP and GeoIP blocking #1936

Closed
opened 2026-03-02 02:25:21 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/amidaware/tacticalrmm/pull/2409
Author: @staticgroup
Created: 2/10/2026
Status: Closed

Base: develop ← Head: claude/explain-codebase-mlf1g7iq0horr3sf-8TkJq


📝 Commits (5)

  • 70b99c3 Add firewall, fail2ban, and GeoIP features (adapted from HuduGlue)
  • aa14afe Add Let's Encrypt and monitoring bypass to firewall middleware
  • 5ae0adb Fix 7 security vulnerabilities in firewall app
  • 1003d5b Bump version to 1.5.0
  • 8a907f3 Update update.sh for fork: point to staticgroup/tacticalrmm, add fail2ban sudoers

📊 Changes

17 files changed (+1359 additions, -7 deletions)


api/tacticalrmm/accounts/migrations/0041_role_can_view_firewall_role_can_manage_firewall.py (+21 -0)
📝 api/tacticalrmm/accounts/models.py (+4 -0)
api/tacticalrmm/firewall/__init__.py (+0 -0)
api/tacticalrmm/firewall/apps.py (+6 -0)
api/tacticalrmm/firewall/middleware.py (+240 -0)
api/tacticalrmm/firewall/migrations/0001_initial.py (+189 -0)
api/tacticalrmm/firewall/migrations/__init__.py (+0 -0)
api/tacticalrmm/firewall/models.py (+144 -0)
api/tacticalrmm/firewall/permissions.py (+17 -0)
api/tacticalrmm/firewall/serializers.py (+100 -0)
api/tacticalrmm/firewall/urls.py (+31 -0)
api/tacticalrmm/firewall/views.py (+573 -0)
📝 api/tacticalrmm/tacticalrmm/constants.py (+6 -0)
📝 api/tacticalrmm/tacticalrmm/settings.py (+3 -1)
📝 api/tacticalrmm/tacticalrmm/urls.py (+1 -0)
deploy/tacticalrmm-fail2ban-sudoers (+10 -0)
📝 update.sh (+14 -6)

📄 Description

Summary

This PR introduces a comprehensive application-level firewall system to Tactical RMM, enabling administrators to block or allow requests based on IP addresses and geographic location (country). The firewall includes IP-based rules (supporting CIDR notation), country-based rules, detailed logging, and integration with fail2ban for additional protection.

Key Changes

Core Firewall System

  • New firewall Django app with models for firewall settings, IP rules, country rules, and request logs
  • FirewallMiddleware that intercepts HTTP requests and enforces rules before reaching application logic
    • Supports blocklist and allowlist modes for both IP and GeoIP filtering
    • Configurable bypasses for staff users and API endpoints (agent communication)
    • Uses ip-api.com for GeoIP lookups (free, no API key required)
    • Fail-closed behavior in allowlist mode for GeoIP (blocks on lookup failure)

Database Models

  • FirewallSettings: Singleton configuration model with toggles for IP/GeoIP firewalls, bypass options, and logging
  • FirewallIPRule: Supports single IPs and CIDR notation (e.g., 192.168.1.0/24)
  • FirewallCountryRule: ISO 3166-1 alpha-2 country codes with validation
  • FirewallLog: Comprehensive logging of blocked requests with IP, country, reason, request details, and timestamp

API Endpoints

  • Settings management (GET/PUT)
  • IP rule CRUD operations with toggle activation
  • Country rule CRUD operations with toggle activation
  • Firewall log retrieval and analytics (top blocked IPs, countries, daily trends)
  • GeoIP lookup utility endpoint
  • Common countries list for quick UI population

fail2ban Integration

  • Status monitoring (installed, running, jail details, banned IP counts)
  • IP unbanning (single IP or all IPs from a jail)
  • IP ban checking across all jails
  • Service management (start, install via apt-get)
  • Sudoers configuration file for passwordless execution

Role-Based Access Control

  • Added can_view_firewall and can_manage_firewall permissions to the Role model
  • Custom FirewallPerms and Fail2BanPerms permission classes
  • GET requests require view permission, modifications require manage permission

Configuration

  • Registered firewall app in Django settings
  • Added FirewallMiddleware to middleware stack (after authentication)
  • Included firewall URL patterns in main URL configuration

Implementation Details

  • Middleware placement after AuthenticationMiddleware allows staff bypass checks
  • IP extraction uses existing python-ipware library (already a TRMM dependency)
  • Serializers include validation for IP addresses (single/CIDR) and country codes
  • fail2ban commands executed via sudo with timeout protection
  • Comprehensive error handling and logging throughout
  • Sudoers file provided for secure fail2ban integration without password prompts

https://claude.ai/code/session_01HLnvu6mEsUaDabZsZZMSoF


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
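As an added example that is not part of the PR or of Tactical RMM's code base, the following stand-alone Python models the decision the middleware described above has to make for each request: CIDR matching, blocklist versus allowlist modes, path and staff bypasses, and the fail-closed handling of a failed GeoIP lookup in allowlist mode. It also shows the check a reviewer of such a middleware looks for first: X-Forwarded-For is honoured only when the socket peer is a proxy the operator trusts, because otherwise a client chooses its own "source" address and walks past every IP rule. The class and function names, the bypass prefixes, the trusted-proxy list and the GeoIP table are assumptions constructed for the example; the PR's python-ipware based extraction is replaced by the inline `client_ip` function.

```python
# Added example (not code from the PR or from Tactical RMM): a stand-alone
# model of the decision an application-level firewall middleware makes for
# one request. IPRule, Settings, Decision, client_ip, evaluate, the bypass
# prefixes and the GeoIP table are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class IPRule:
    network: object          # ipaddress.IPv4Network or IPv6Network
    active: bool = True      # rules can be toggled without deleting them

    @classmethod
    def parse(cls, text: str, active: bool = True) -> "IPRule":
        # strict=False accepts "192.168.1.5/24"; a bare address becomes /32 or /128
        return cls(ipaddress.ip_network(text.strip(), strict=False), active)


@dataclass
class Settings:
    ip_enabled: bool = False
    ip_mode: str = "blocklist"          # "blocklist" or "allowlist"
    geo_enabled: bool = False
    geo_mode: str = "blocklist"
    bypass_staff: bool = True
    ip_rules: list = field(default_factory=list)
    country_rules: set = field(default_factory=set)      # ISO 3166-1 alpha-2
    trusted_proxies: list = field(default_factory=list)  # ip_network objects
    # Assumed agent and ACME paths that must never be filtered.
    bypass_prefixes: tuple = ("/api/v3/", "/.well-known/acme-challenge/")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: list):
    """X-Forwarded-For is attacker-controlled unless the socket peer is a proxy
    we operate, so it is honoured only when REMOTE_ADDR lies inside
    trusted_proxies; the right-most hop that is not a trusted proxy is the client."""
    peer = ipaddress.ip_address(remote_addr)
    if xff and any(peer in net for net in trusted_proxies):
        for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break            # malformed header: stop trusting it, use the peer
            if not any(addr in net for net in trusted_proxies):
                return addr
    return peer


def evaluate(s: Settings, path: str, addr,
             geoip_lookup: Callable[[str], Optional[str]],
             is_staff: bool = False) -> Decision:
    """Bypasses, then IP rules, then country rules. IP rules run first so a
    blocked address never triggers an outbound lookup. A failed lookup is
    fail-open in blocklist mode and fail-closed in allowlist mode."""
    if any(path.startswith(p) for p in s.bypass_prefixes):
        return Decision(True, "bypass:path")
    if is_staff and s.bypass_staff:
        return Decision(True, "bypass:staff")
    if s.ip_enabled:
        matched = any(addr in r.network for r in s.ip_rules if r.active)
        if s.ip_mode == "blocklist" and matched:
            return Decision(False, "ip:blocklist")
        if s.ip_mode == "allowlist" and not matched:
            return Decision(False, "ip:allowlist")
    if s.geo_enabled:
        try:
            country = geoip_lookup(str(addr))
        except Exception:        # network error, timeout, bad response
            country = None
        if country is None:
            if s.geo_mode == "allowlist":
                return Decision(False, "geo:lookup-failed")
        else:
            listed = country.upper() in s.country_rules
            if s.geo_mode == "blocklist" and listed:
                return Decision(False, f"geo:blocklist:{country}")
            if s.geo_mode == "allowlist" and not listed:
                return Decision(False, f"geo:allowlist:{country}")
    return Decision(True, "allow")


# Constructed table standing in for the external GeoIP service; a missing key
# models a lookup that failed or returned no country.
CONSTRUCTED_GEO = {"203.0.113.7": "US", "198.51.100.9": "RU", "192.0.2.44": "DE"}


def demo() -> list:
    s = Settings(ip_enabled=True, ip_mode="blocklist",
                 ip_rules=[IPRule.parse("198.51.100.0/24"), IPRule.parse("192.0.2.44")],
                 geo_enabled=True, geo_mode="allowlist", country_rules={"US"},
                 trusted_proxies=[ipaddress.ip_network("10.0.0.0/8")])
    cases = [  # (REMOTE_ADDR, X-Forwarded-For, path, is_staff), all constructed
        ("10.0.0.5", "203.0.113.7", "/", False),          # via trusted proxy, US
        ("10.0.0.5", "198.51.100.9", "/", False),         # inside blocked CIDR
        ("203.0.113.200", "203.0.113.7", "/", False),     # spoofed XFF, unknown country
        ("192.0.2.44", None, "/", False),                 # single-address rule
        ("192.0.2.44", None, "/api/v3/checkin/", False),  # agent path bypass
        ("192.0.2.44", None, "/", True),                  # staff bypass
    ]
    return [evaluate(s, path, client_ip(ra, xff, s.trusted_proxies),
                     CONSTRUCTED_GEO.get, staff).reason
            for ra, xff, path, staff in cases]
```

`demo()` returns one reason string per constructed request; the third case is the one that matters: an untrusted peer sending a forged X-Forwarded-For is filtered on its real address, and because that address has no country the allowlist mode blocks it rather than letting the unknown through. The GeoIP lookup is injected as a callable so the evaluation runs offline; in a deployment the same slot would be wrapped with a cache, since a per-request call to an external service both slows every request and sends every client address to a third party.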

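The fail2ban items in the description (commands executed via sudo with a timeout, a sudoers file for passwordless execution) are the highest-privilege part of the change: a web-reachable endpoint ends up invoking a root-owned command with caller-supplied jail names and addresses. As an added example, not the PR's code, the wrapper below validates both before they are placed in an argv list (never a shell string) and runs the command with `sudo -n` and a hard timeout, so a bad sudoers entry fails fast instead of hanging a worker. The binary path, the jail-name regex, the function names and the sudoers line quoted in the comment are assumptions for illustration, not the contents of deploy/tacticalrmm-fail2ban-sudoers.

```python
# Added example (not the PR's code): a wrapper that lets only validated
# arguments reach `sudo fail2ban-client`. FAIL2BAN_CLIENT, JAIL_RE, the
# function names and the sudoers line in the comment below are assumptions,
# not the contents of deploy/tacticalrmm-fail2ban-sudoers.
import ipaddress
import re
import subprocess
from typing import Callable, List, Optional

FAIL2BAN_CLIENT = "/usr/bin/fail2ban-client"      # assumed install path
JAIL_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")     # jail names as written in jail.local

# sudoers can only match argument strings literally or with wildcards, so an
# assumed rule such as
#   tactical ALL=(root) NOPASSWD: /usr/bin/fail2ban-client
# hands any argument list to root. The validation here is what stands between
# a web endpoint and a root command with attacker-chosen arguments.


class Fail2BanError(ValueError):
    pass


def validate_jail(jail: str) -> str:
    if not JAIL_RE.fullmatch(jail):
        raise Fail2BanError(f"invalid jail name: {jail!r}")
    return jail


def validate_ip(ip: str) -> str:
    # ip_address() rejects CIDR ranges, hostnames, embedded whitespace and
    # shell metacharacters, and normalises the text it accepts.
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        raise Fail2BanError(f"invalid IP address: {ip!r}") from None


def unban_argv(jail: str, ip: str) -> List[str]:
    # An argv list, never a shell string: nothing here is re-parsed by a shell.
    # `sudo -n` fails instead of hanging on a password prompt.
    return ["sudo", "-n", FAIL2BAN_CLIENT, "set", validate_jail(jail),
            "unbanip", validate_ip(ip)]


def status_argv(jail: Optional[str] = None) -> List[str]:
    argv = ["sudo", "-n", FAIL2BAN_CLIENT, "status"]
    if jail is not None:
        argv.append(validate_jail(jail))
    return argv


def run(argv: List[str], runner: Callable = subprocess.run, timeout: float = 10) -> str:
    """Run a prepared argv with a hard timeout and return its stdout."""
    try:
        proc = runner(argv, capture_output=True, text=True, timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        raise Fail2BanError("fail2ban-client timed out") from None
    if proc.returncode != 0:
        raise Fail2BanError(proc.stderr.strip() or f"exit status {proc.returncode}")
    return proc.stdout


def demo():
    """Constructed inputs: one well-formed request and four that must be rejected."""
    good = unban_argv("sshd", " 203.0.113.7 ")
    rejected = []
    for jail, ip in [("sshd; id", "203.0.113.7"),    # shell separator in jail name
                     ("sshd", "203.0.113.0/24"),      # a range, not an address
                     ("sshd", "$(id)"),               # command substitution
                     ("../etc", "::1")]:              # path-looking jail name
        try:
            unban_argv(jail, ip)
        except Fail2BanError:
            rejected.append((jail, ip))

    # Fake runner so the example runs offline without sudo or fail2ban installed.
    def fake_runner(argv, **kwargs):
        return subprocess.CompletedProcess(argv, 0, stdout="1\n", stderr="")

    return good, rejected, run(good, runner=fake_runner)
```

`demo()` returns the validated argv, the four rejected inputs, and the stdout of the fake run. The same pattern applies to the other operations the description lists (status, ban checks, unbanning a whole jail); the one it lists that this wrapper deliberately does not cover is installing packages with apt-get, because a sudoers grant broad enough for that is a much larger surface than fail2ban-client alone and is better left to the host's configuration management.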
Reference
starred/tacticalrmm#1936