Keep a Hetzner Cloud firewall up to date with your dynamic public IP address.

Overview

hcloud-firewall-controller

hcloud-firewall-controller determines the current public IP and creates or updates a Hetzner Cloud firewall with this IP.

Some internet service providers dynamically change the IP addresses of their customers, especially after router restarts. This makes it hard to use Hetzner Cloud firewalls to limit access to specific ports to your dynamic personal home IP address. This controller periodically determines your current public IP and updates a Hetzner Cloud firewall with this IP. This can be useful for SSH, Kubernetes API servers, other internal APIs or just all non-public services.

Please be aware that IP-based firewalling alone is not a sufficient method to secure your infrastructure, especially not with dynamic IP addresses. Connections to all servers should still be encrypted and authenticated to provide proper security. Nevertheless, IP-based firewalling can offer a nice additional layer of security by hiding non-public services and blocking bad actors at the edge of your infrastructure.

Usage

By default the controller creates a new firewall named hcloud-firewall-controller with the defined rules, without applying the firewall to any servers. You can apply the firewall to servers manually or with an infrastructure provisioning tool like Terraform, based on the firewall ID. The controller prints the firewall ID on each reconciliation loop.

Usage: hcloud-firewall-controller [OPTIONS]

Options:
  -1, --run-once
          Run only once and exit, useful if run by cron or other tools [env: HFC_RUN_ONCE=]
  -t, --hcloud-token <HCLOUD_TOKEN>
          Hetzner Cloud API token with read and write permissions, can be specified multiple times or passed as comma separated list to manage several projects [env: HFC_HCLOUD_TOKEN]
  -f, --firewall-name <FIREWALL_NAME>
          Name of the firewall to create [env: HFC_FIREWALL_NAME=] [default: hcloud-firewall-controller]
      --tcp <PORT | PORT RANGE>
          Comma separated list of TCP ports or port ranges to allow traffic for, e.g. '80', '80,443', '80-85' or 80,443-450'. Alternatively the parameter can be specified multiple times. [env: HFC_TCP=]
      --udp <PORT | PORT RANGE>
          Comma separated list of UDP ports or port ranges to allow traffic for, see --tcp for examples. Alternatively the parameter can be specified multiple times. [env: HFC_UDP=]
      --icmp
          Allow ICMP traffic [env: HFC_ICMP=]
      --gre
          Allow GRE traffic [env: HFC_GRE=]
      --esp
          Allow ESP traffic [env: HFC_ESP=]
      --ip <STATIC IP>
          Comma separated list of static IP addresses in CIDR notation to add to all firewall rules in addition to dynamically discovered IP addresses. Alternatively the parameter can be specified multiple times. The Hetzner Cloud API requires that the IP is the network id of the specified network, so 127.0.0.0/24 would work while 127.0.0.1/24 would fail. [env: HFC_IP=]
      --disable-ipv4
          Disable the detection of the public IPv4 address [env: HFC_DISABLE_IPV4=]
      --disable-ipv6
          Disable the detection of the public IPv6 address [env: HFC_DISABLE_IPV6=]
  -r, --reconciliation-interval <RECONCILIATION_INTERVAL>
          Reconciliation interval in seconds [env: HFC_RECONCILIATION_INTERVAL=] [default: 60]
  -i, --ip-endpoint <IP_ENDPOINT>
          Endpoint to query your public IP from [env: HFC_IP_ENDPOINT=] [default: https://ip.fotoallerlei.com]
  -h, --help
          Print help
  -V, --version
          Print version
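As an added example (not the controller's own code), here is the input handling a controller of this kind needs before it talks to the API, covering the overview above and the --tcp, --udp and --ip options: port-list parsing, the network-address check the --ip option describes, and assembly of the rule set from the discovered IPs plus static CIDRs. The Rule struct mirrors the field names of the Hetzner Cloud firewall rules API as assumed here, and the empty-source guard is an addition of this example, not documented behaviour of the controller.

```rust
use std::net::IpAddr;

/// One inbound rule in the shape the Hetzner Cloud firewall API takes: protocol,
/// optional port or port range, and the source CIDRs allowed in (assumed shape).
#[derive(Debug, PartialEq)]
pub struct Rule {
    pub direction: &'static str,
    pub protocol: String,
    pub port: Option<String>,
    pub source_ips: Vec<String>,
}

/// Parse a `--tcp`/`--udp` value such as "80,443-450" into API port strings.
pub fn parse_ports(spec: &str) -> Result<Vec<String>, String> {
    let mut out = Vec::new();
    for item in spec.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        let (lo, hi) = item.split_once('-').unwrap_or((item, item));
        let lo: u16 = lo.parse().map_err(|_| format!("bad port in {item:?}"))?;
        let hi: u16 = hi.parse().map_err(|_| format!("bad port in {item:?}"))?;
        if lo == 0 || lo > hi { return Err(format!("invalid port range {item:?}")); }
        out.push(if lo == hi { lo.to_string() } else { format!("{lo}-{hi}") });
    }
    Ok(out)
}

/// Validate a static `--ip` CIDR. The API only accepts the network address, so
/// every host bit must be zero: 127.0.0.0/24 passes, 127.0.0.1/24 is rejected.
pub fn validate_cidr(cidr: &str) -> Result<String, String> {
    let (addr, len) = cidr.split_once('/').ok_or_else(|| format!("{cidr:?} lacks a prefix length"))?;
    let len: u32 = len.parse().map_err(|_| format!("bad prefix length in {cidr:?}"))?;
    let ip: IpAddr = addr.parse().map_err(|_| format!("bad address in {cidr:?}"))?;
    // Keep only the host bits (right of the prefix); checked_shr returns None for a
    // shift of the full width, which means there are no host bits at all.
    let (max_len, host_bits) = match ip {
        IpAddr::V4(v4) => (32, u128::from(u32::from(v4) & u32::MAX.checked_shr(len).unwrap_or(0))),
        IpAddr::V6(v6) => (128, u128::from(v6) & u128::MAX.checked_shr(len).unwrap_or(0)),
    };
    if len > max_len { return Err(format!("prefix length {len} exceeds {max_len} in {cidr:?}")); }
    if host_bits != 0 { return Err(format!("{cidr:?} is not a network address (host bits set)")); }
    Ok(format!("{ip}/{len}"))
}

/// Build the rule set: every port of every protocol gets the same source list,
/// the discovered public IPs as host prefixes plus the validated static CIDRs.
pub fn build_rules(discovered: &[IpAddr], static_cidrs: &[&str], tcp: &str, udp: &str,
                   icmp: bool) -> Result<Vec<Rule>, String> {
    let mut sources: Vec<String> = discovered.iter().map(|ip| match ip {
        IpAddr::V4(v4) => format!("{v4}/32"),
        IpAddr::V6(v6) => format!("{v6}/128"),
    }).collect();
    for cidr in static_cidrs {
        sources.push(validate_cidr(cidr)?);
    }
    // Guard added in this example: with no sources there is nothing to restrict to,
    // so fail loudly rather than submit an empty (or accidentally open) rule set.
    if sources.is_empty() { return Err("no source addresses discovered or configured".to_string()); }
    let rule = |protocol: &str, port: Option<String>| Rule {
        direction: "in", protocol: protocol.to_string(), port, source_ips: sources.clone(),
    };
    let mut rules = Vec::new();
    for (protocol, spec) in [("tcp", tcp), ("udp", udp)] {
        for port in parse_ports(spec)? {
            rules.push(rule(protocol, Some(port)));
        }
    }
    if icmp { rules.push(rule("icmp", None)); }
    Ok(rules)
}
```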

Planned Features

  • Add IP addresses based on dynamic DNS records
  • Pagination in case there are many firewalls in the Hetzner Cloud project

Disclaimer

I am using this project to learn Rust, so naturally the code might be filled with beginners' mistakes. Especially in the beginning I will break the config format without any notice.

License

This software is in no way officially associated with Hetzner or Hetzner Cloud.

Comments
  • Update Rust crate clap to 4.1.8


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | clap | dependencies | patch | 4.1.6 -> 4.1.8 |


    Release Notes

    clap-rs/clap

    v4.1.8

    Compare Source

    Fixes
    • (derive) Don't deny lints on the users behalf

    v4.1.7

    Compare Source

    Fixes
    • (derive) Hide some nightly clippy warnings


    opened by renovate[bot] 0
  • Update Rust crate clap to 4.1.6


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | clap | dependencies | patch | 4.1.5 -> 4.1.6 |


    Release Notes

    clap-rs/clap

    v4.1.6

    Compare Source

    Fixes
    • (help) Don't show long help for --help just because hidden possible values include a description


    opened by renovate[bot] 0
  • Update Rust crate clap to 4.1.5


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | clap | dependencies | patch | 4.1.4 -> 4.1.5 |


    Release Notes

    clap-rs/clap

    v4.1.5

    Fixes
    • (help) Don't show long help for --help just because a hidden arg has a possible value with a description


    opened by renovate[bot] 0
  • Update rust Docker tag to v1.67.1


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | rust | stage | patch | 1.67.0 -> 1.67.1 |



    opened by renovate[bot] 0
  • Update Rust crate serde_json to 1.0.93


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | serde_json | dependencies | patch | 1.0.92 -> 1.0.93 |


    Release Notes

    serde-rs/json

    v1.0.93

    Compare Source

    • Support 128-bit integers in serde_json::to_value (#982)


    opened by renovate[bot] 0
  • Update Rust crate serde_json to 1.0.92


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | serde_json | dependencies | patch | 1.0.91 -> 1.0.92 |


    Release Notes

    serde-rs/json

    v1.0.92

    Compare Source

    • Documentation improvements


    opened by renovate[bot] 0
  • Update docker/build-push-action action to v4


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | docker/build-push-action | action | major | v3 -> v4 |


    Release Notes

    docker/build-push-action

    v4

    Compare Source



    opened by renovate[bot] 0
  • Update rust Docker tag to v1.67.0


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | rust | stage | minor | 1.66.1 -> 1.67.0 |



    opened by renovate[bot] 0
  • Update Rust crate clap to 4.1.4


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | clap | dependencies | patch | 4.1.1 -> 4.1.4 |


    Release Notes

    clap-rs/clap

    v4.1.4

    Compare Source

    Fixes
    • (help) Respect disable_colored_help when using arg_required_else_help
    Performance
    • Speed up compiling arg! macro

    v4.1.3

    Compare Source

    Fixes
    • (error) Improve suggested flag/value/subcommand when two share a long prefix
    • (error) When suggesting one of several subcommands, use the plural subcommands, rather than subcommand

    v4.1.2

    Compare Source

    Fixes
    • In documentation, refer to get_flag, rather than get_one::<bool>


    opened by renovate[bot] 0
  • Update Rust crate reqwest to 0.11.14


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | reqwest | dependencies | patch | 0.11.13 -> 0.11.14 |


    Release Notes

    seanmonstar/reqwest

    v0.11.14

    Compare Source

    • Adds Proxy::no_proxy(url) that works like the NO_PROXY environment variable.
    • Adds multipart::Part::headers(headers) method to add custom headers.
    • (wasm) Add Response::bytes_stream().
    • Perf: several internal optimizations reducing copies and memory allocations.


    opened by renovate[bot] 0
  • Configure Renovate


    Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

    🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.


    Detected Package Files

    • Cargo.toml (cargo)

    Configuration Summary

    Based on the default config's presets, Renovate will:

    • Start dependency updates only once this onboarding PR is merged
    • Enable Renovate Dependency Dashboard creation.
    • If Renovate detects semantic commits, it will use semantic commit type fix for dependencies and chore for all others.
    • Ignore node_modules, bower_components, vendor and various test/tests directories.
    • Autodetect whether to pin dependencies or maintain ranges.
    • Rate limit PR creation to a maximum of two per hour.
    • Limit to maximum 10 open PRs at any time.
    • Group known monorepo packages together.
    • Use curated list of recommended non-monorepo package groupings.
    • A collection of workarounds for known problems with packages.


    opened by renovate[bot] 0
  • Update Rust crate serde_json to 1.0.94


    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | serde_json | dependencies | patch | 1.0.93 -> 1.0.94 |


    Release Notes

    serde-rs/json

    v1.0.94

    Compare Source



    opened by renovate[bot] 0
  • Dependency Dashboard


    This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


    Detected dependencies

    cargo
    Cargo.toml
    • clap 4.1.8
    • env_logger 0.10.0
    • ipnet 2.7.1
    • log 0.4.17
    • reqwest 0.11.14
    • serde 1.0.152
    • serde_json 1.0.93
    dockerfile
    Dockerfile
    • rust 1.67.1
    • debian 11.6-slim
    github-actions
    .github/workflows/docker.yml
    • actions/checkout v3
    • docker/login-action v2
    • docker/metadata-action v4
    • docker/build-push-action v4
    .github/workflows/rust.yml
    • actions/checkout v3
    • actions/checkout v3

    opened by renovate[bot] 0
Owner
Max Rosin
I'm full-stack IT. If there's some crap to do, it gets stacked on my desk and I have to take care of it.