I want to introduce CrowdSec to my homelab and I would like some help please.
My edge router/firewall is OpenWRT and I installed firewall-bouncer on it.
After that I have a host that runs a linuxserver.io swag container for some public facing services.
SWAG lsio container has a CrowdSec mod/plugin that essentially adds a firewall bouncer there too.
I am trying to understand where the bouncer should be if someone can help:
a) On OpenWRT only
b) On SWAG only as a plugin
c) On both OpenWRT and SWAG.
This is not quite accurate: it does add a remediation to SWAG, but it is not the same as the firewall remediation. The firewall remediation will completely block the connection from ever hitting the webserver; the SWAG mod adds Lua code that will respond with a 403 and a ban page to the user, so it will be more intensive than the firewall remediation.
For your options, it depends on what you want to do. If you want to simply block the connection and don't care about users getting feedback such as a ban page, then option A will be fine, but if you want to provide users some information then you can do B or C with some additional configuration.
Thanks for the reply @iiAmLoz
Please bear with me as I am new to CrowdSec.
So the firewall remediation will just block the IP on the firewall, it will either drop or reject it depending on configuration, right?
How does the SWAG remediation work then? It will check the source IP, then go to some Lua code which will show a 403 page and a ban page?
How can SWAG remediation and firewall remediation work together?
The CrowdSec main package will phone the cloud to find out which IPs are bad and the bouncer is the one that will check the logs on the OpenWRT for the IPs downloaded by the main package?