aljaz/hfm
1
0
Fork 0
mirror of https://github.com/aljazceru/hfm.git synced 2025-12-16 15:14:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
4 Commits 1 Branch 0 Tags
main
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Aljaz Ceru 0912aec78e verification and duplicated outgoing rules fixy
2025-09-08 16:42:52 +02:00
.env.example
hetzner firewall manager
2025-09-08 14:59:34 +02:00
.gitignore
Initial commit
2025-09-07 18:29:33 +02:00
hfm.py
verification and duplicated outgoing rules fixy
2025-09-08 16:42:52 +02:00
LICENSE
Add LICENSE file
2025-09-08 10:55:28 +02:00
README.md
hetzner firewall manager
2025-09-08 14:59:34 +02:00

README.md

Hetzner Firewall Manager

A Python tool to manage Hetzner Robot Firewall configurations via the API.

Features

  • Import existing firewall configurations from all your Hetzner servers
  • Add your current public IP to all servers with one command
  • Add/remove specific IPs across all servers
  • Verify that changes are actually applied
  • Maintain a local configuration file for easy management

Installation

  1. Install dependencies:
pip install requests python-dotenv
  1. Create a .env file with your Hetzner Robot credentials:
HETZNER_USER=your_username
HETZNER_PASS=your_password

Quick Start

  1. Import existing firewall configurations:
python3 hfw.py bootstrap
  1. Add your current IP to all servers:
python3 hfw.py whitelist-current --comment "Home office"
  1. Verify the IP was added:
python3 hfw.py whitelist-current --comment "Home office" --verify

Usage

Commands

Bootstrap - Import existing configurations

python3 hfw.py bootstrap

Imports all existing firewall configurations from your Hetzner servers.

Whitelist Current IP

python3 hfw.py whitelist-current [options]
  --comment, -c    Comment for the IP (default: "Current location")
  --verify, -v     Verify the IP was added

Automatically detects your current public IP and adds it to all servers.

Remove Current IP

python3 hfw.py remove-current [options]
  --verify, -v     Verify the IP was removed

Automatically detects your current public IP and removes it from all servers.

Add Specific IP

python3 hfw.py add <ip> [options]
  --comment, -c    Comment for the IP
  --profile, -p    Specific profile (default: all)

Example:

python3 hfw.py add 203.0.113.10 --comment "Office"

Remove IP

python3 hfw.py remove <ip> [options]
  --profile, -p    Specific profile (default: all)

Example:

python3 hfw.py remove 203.0.113.10

List Profiles

python3 hfw.py list

Shows all configured server profiles.

List Whitelisted IPs

python3 hfw.py list-ips [options]
  --profile, -p    Specific profile (default: all)

Shows all whitelisted IPs for each server.

Verify IP

python3 hfw.py verify <ip>

Checks if an IP is whitelisted on all servers.

Configuration File

The tool maintains a firewall_config.json file with your server profiles and whitelisted IPs. This file is created automatically when you run bootstrap.

Example structure:

{
  "profiles": {
    "web-server": {
      "server_ip": "203.0.113.1",
      "server_name": "web-server",
      "permanent_whitelist": [
        {
          "ip": "198.51.100.5/32",
          "ports": [],
          "comment": "Office"
        }
      ],
      "filter_ipv6": false,
      "whitelist_hos": true
    }
  }
}

Common Workflows

Initial Setup

# 1. Set up credentials
echo "HETZNER_USER=your_username" > .env
echo "HETZNER_PASS=your_password" >> .env

# 2. Import existing configurations
python3 hfw.py bootstrap

# 3. Add your current IP
python3 hfw.py whitelist-current --comment "Home" --verify

Daily Usage - Working from Different Locations

# When working from a new location, simply run:
python3 hfw.py whitelist-current --comment "Coffee shop" --verify

# When leaving a location, remove your IP:
python3 hfw.py remove-current --verify

Managing Office IPs

# Add office IP to all servers
python3 hfw.py add 203.0.113.10 --comment "Main office"

# Remove old office IP
python3 hfw.py remove 198.51.100.5

Important Notes

  • Changes may take 20-30 seconds to apply on Hetzner servers
  • The tool preserves all existing firewall rules
  • Always maintain at least one permanent IP with SSH access as a fallback
  • The API uses URL-encoded format, not JSON

Troubleshooting

Changes not applying

  • Wait at least 30 seconds for changes to propagate
  • Use the --verify flag to confirm changes are applied
  • Check that the server has a firewall configured in the Hetzner Robot panel

Authentication issues

  • Verify your credentials in the .env file
  • Ensure you're using Robot API credentials, not Cloud API

No servers found

  • Check that your servers have firewalls configured
  • Verify your account has access to the servers

Security

  • Never commit the .env file to version control
  • Keep your firewall_config.json secure as it contains server information
  • Always test firewall changes carefully to avoid locking yourself out
  • Maintain at least one permanent IP with SSH access
Description
No description provided
Readme Unlicense 84 KiB
Languages
Python 100%