diff --git a/README.md b/README.md new file mode 100644 index 0000000..5100398 --- /dev/null +++ b/README.md @@ -0,0 +1,15 @@ +# IoT Firewall on ESP8266/ESP32 + +### [ESP32 Example](https://gitlab.hs-esslingen.de/toheer/iot-security-tools/-/tree/main/esp32example) + +### [ESP8266 Example](https://gitlab.hs-esslingen.de/toheer/iot-security-tools/-/tree/main/esp8266example) + +# Maintainer + +Student: Florian Hoss + +[flhoit00@hs-esslingen.de](mailto:flhoit00@hs-esslingen.de) + +Professor: Prof. Dr. rer. nat. Tobias Heer + +[tobias.heer@hs-esslingen.de](mailto:tobias.heer@hs-esslingen.de) diff --git a/esp32example/README.md b/esp32example/README.md new file mode 100644 index 0000000..a4c0952 --- /dev/null +++ b/esp32example/README.md 
@@ -0,0 +1,172 @@ +# ESP32 Firewall with API + +## Example + +Clone this repository and open the folder `esp32example` in Visual Studio Code. + +### Arduino as an ESP-IDF component + +To compile Arduino as an ESP-IDF component please execute following commands to include then necessary core inside the components folder ([Arduino as an ESP-IDF component](https://docs.espressif.com/projects/arduino-esp32/en/latest/esp-idf_component.html)): + +``` +mkdir -p components && \ +cd components && \ +git clone https://github.com/espressif/arduino-esp32.git arduino && \ +cd arduino && \ +git submodule update --init --recursive && \ +cd ../.. +``` + +### Credentials + +After git is finished, add the WiFi credentials, username and password for basic auth by creating a `theSecrets.h` file based on the example that can be found in the `include` folder. + +### Compile and upload + +Finally compile and upload with the [official platformIO plugin](https://marketplace.visualstudio.com/items?itemName=platformio.platformio-ide) + +## API + +Following endpoints can be used with the firewall (see `http://:8080/api`): + +```json +[ + { + "endpoint": "http://10.93.0.246:8080/api/firewall/rules", + "description": "Get all Firewall Rules", + "method": "GET" + }, + { + "endpoint": "http://10.93.0.246:8080/api/firewall/rules/", + "description": "Get Firewall Rule by key", + "method": "GET" + }, + { + "endpoint": "http://10.93.0.246:8080/api/firewall/rules", + "description": "Create Firewall Rule", + "method": "POST" + }, + { + "endpoint": "http://10.93.0.246:8080/api/firewall/rules/", + "description": "Update Firewall Rule by key", + "method": "PUT" + }, + { + "endpoint": "http://10.93.0.246:8080/api/firewall/rules/", + "description": "Delete Firewall Rule by key", + "method": "DELETE" + } +] +``` + +Endpoints that show the rules and that can modify the rules are protected by basic auth. 
Username and password need to be set as described [here](https://github.com/flohoss/esp32_firewall_api#credentials). + +### Get rules + +```sh +curl -u username:password \ +http://10.93.0.246:8080/api/firewall/rules +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; charset=utf-8 +// Content-Length: 109 +[ + { + "key": "1", + "ip": "10.93.0.211", + "port_from": "8080", + "port_to": "8080", + "protocol": "TCP", + "target": "ACCEPT" + } +] +``` + +### Get rule + +```sh +curl -u username:password \ +http://10.93.0.246:8080/api/firewall/rules/1 +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; charset=utf-8 +// Content-Length: 107 +{ + "key": "1", + "ip": "10.93.0.211", + "port_from": "8080", + "port_to": "8080", + "protocol": "TCP", + "target": "ACCEPT" +} +``` + +### Create rule + +```sh +curl -X POST -u username:password \ +http://10.93.0.246:8080/api/firewall/rules?ip=10.93.0.200&port_from=10&port_to=50&protocol=UDP&target=ACCEPT +``` + +```json +// HTTP/1.1 201 Created +// Content-Type: application/json; charset=utf-8 +// Content-Length: 104 +{ + "key": "2", + "ip": "10.93.0.200", + "port_from": "10", + "port_to": "50", + "protocol": "UDP", + "target": "ACCEPT" +} +``` + +Available protocols are TCP, UDP & ALL + +Available targets are ACCEPT & DROP + +### Update rule + +```sh +curl -X PUT -u username:password \ +http://10.93.0.246:8080/api/firewall/rules/2?ip=10.93.0.100&port_from=20&port_to=100&protocol=ALL&target=DROP +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; charset=utf-8 +// Content-Length: 103 +{ + "key": "2", + "ip": "10.93.0.100", + "port_from": "20", + "port_to": "100", + "protocol": "ALL", + "target": "DROP" +} +``` + +Available protocols are TCP, UDP & ALL + +Available targets are ACCEPT & DROP + +### Delete rule + +```sh +curl -X DELETE -u username:password \ +http://10.93.0.246:8080/api/firewall/rules/2 +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; 
charset=utf-8 +// Content-Length: 36 +{ + "message": "firewall rule deleted" +} +``` diff --git a/esp8266example/README.md b/esp8266example/README.md new file mode 100644 index 0000000..17ce4ab --- /dev/null +++ b/esp8266example/README.md 
@@ -0,0 +1,169 @@ +# ESP8266 Firewall with API + +## Example + +Clone this repository and open the folder `example` in Visual Studio Code. + +### Credentials + +After git is finished, add the WiFi credentials, username and password for basic auth by creating a `theSecrets.h` file based on the example that can be found in the `include` folder. + +### Compile and upload + +Finally compile and upload with the [official platformIO plugin](https://marketplace.visualstudio.com/items?itemName=platformio.platformio-ide) + +## API + +Following endpoints can be used with the firewall (see `https://:8080/api`): + +```json +[ + { + "endpoint": "https://10.93.0.246:8080/api/firewall/rules", + "description": "Get all Firewall Rules", + "method": "GET" + }, + { + "endpoint": "https://10.93.0.246:8080/api/firewall/rules/", + "description": "Get Firewall Rule by key", + "method": "GET" + }, + { + "endpoint": "https://10.93.0.246:8080/api/firewall/rules", + "description": "Create Firewall Rule", + "method": "POST" + }, + { + "endpoint": "https://10.93.0.246:8080/api/firewall/rules/", + "description": "Update Firewall Rule by key", + "method": "PUT" + }, + { + "endpoint": "https://10.93.0.246:8080/api/firewall/rules/", + "description": "Delete Firewall Rule by key", + "method": "DELETE" + } +] +``` + +Endpoints that show the rules and that can modify the rules are protected by basic auth. Username and password need to be set as described [here](https://github.com/flohoss/esp8266_firewall_api#credentials). 
+ +### Get rules + +```sh +curl -u username:password \ +https://10.93.0.246:8080/api/firewall/rules +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; charset=utf-8 +// Content-Length: 109 +// Connection: keep-alive +// Keep-Alive: timeout=2000 +[ + { + "key": "1", + "ip": "10.93.0.211", + "port_from": "8080", + "port_to": "8080", + "protocol": "TCP", + "target": "ACCEPT" + } +] +``` + +### Get rule + +```sh +curl -u username:password \ +https://10.93.0.246:8080/api/firewall/rules/1 +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; charset=utf-8 +// Content-Length: 107 +// Connection: keep-alive +// Keep-Alive: timeout=2000 +{ + "key": "1", + "ip": "10.93.0.211", + "port_from": "8080", + "port_to": "8080", + "protocol": "TCP", + "target": "ACCEPT" +} +``` + +### Create rule + +```sh +curl -X POST -u username:password \ +https://10.93.0.246:8080/api/firewall/rules?ip=10.93.0.200&port_from=10&port_to=50&protocol=UDP&target=ACCEPT +``` + +```json +// HTTP/1.1 201 Created +// Content-Type: application/json; charset=utf-8 +// Content-Length: 104 +// Connection: keep-alive +// Keep-Alive: timeout=2000 +{ + "key": "2", + "ip": "10.93.0.200", + "port_from": "10", + "port_to": "50", + "protocol": "UDP", + "target": "ACCEPT" +} +``` + +Available protocols are TCP, UDP & ALL + +Available targets are ACCEPT & DROP + +### Update rule + +```sh +curl -X PUT -u username:password \ +https://10.93.0.246:8080/api/firewall/rules/2?ip=10.93.0.100&port_from=20&port_to=100&protocol=ALL&target=DROP +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; charset=utf-8 +// Content-Length: 103 +// Connection: keep-alive +// Keep-Alive: timeout=2000 +{ + "key": "2", + "ip": "10.93.0.100", + "port_from": "20", + "port_to": "100", + "protocol": "ALL", + "target": "DROP" +} +``` + +Available protocols are TCP, UDP & ALL + +Available targets are ACCEPT & DROP + +### Delete rule + +```sh +curl -X DELETE -u username:password \ 
+https://10.93.0.246:8080/api/firewall/rules/2 +``` + +```json +// HTTP/1.1 200 OK +// Content-Type: application/json; charset=utf-8 +// Content-Length: 36 +// Connection: keep-alive +// Keep-Alive: timeout=2000 +{ + "message": "firewall rule deleted" +} +```
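Review bot: in README.md, the top-level file links to the two examples but never says what the firewall filters or what happens to traffic that matches no rule. The API READMEs list only ACCEPT and DROP as targets, so a sentence on the default policy and on how several rules are evaluated would let a reader judge whether an empty rule set leaves the device open or closed.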
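Review bot: in esp32example/README.md, every endpoint and curl example uses `http://` while the rule endpoints are "protected by basic auth", so the username and password cross the network base64-encoded but unencrypted on each request. Either serve the API over TLS, as the `https://` URLs in the ESP8266 README suggest is done there, or state the limitation next to the basic auth sentence. Separately, the Create and Update commands pass an unquoted URL containing `&`; a shell treats the first `&` as the background operator, so only the `ip=...` parameter reaches the server. Wrap those URLs in single quotes; the matching commands in esp8266example/README.md need the same change.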
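Review bot: in esp8266example/README.md, the examples call `https://10.93.0.246:8080` but the README does not say which certificate the device presents or how a client should verify it. Document where the certificate or its fingerprint comes from and show curl with `--cacert` (or a pinned key), so readers are not pushed towards disabling verification to make the examples work. Two smaller points: the first step says to open the folder `example` while the directory added here is `esp8266example`, and the credentials link points to `github.com/flohoss/esp8266_firewall_api#credentials` rather than to the Credentials section of this file.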