
cwd-gate's Introduction

CWD Gate
CWD Gate AIO Appliance

class CWD_GATE():

  def __init__(self):
    self.name = "cwd"
    self.username = "cwdsystems"
    self.location = "Global"
    self.protonmail = "@cwdsystems"
    self.web = "https://cwd.systems & https://0kn.io"
    self.languages = "Python,C,PHP,HTML,Bash,Assembly"

  def __str__(self):
    return self.name

if __name__ == '__main__':
    me = CWD_GATE()

Ships pre-installed and pre-configured with CWD The Dark Hadou Kernel

CWD GATE appliance serves as a crucial component in an organization's cybersecurity infrastructure, providing proactive defense against a wide range of cyber threats in today's increasingly complex threat landscape.

The CWD GATE appliance integrates Unbound DNSSEC validation alongside its robust security features. Unbound DNSSEC validation enhances the security and integrity of DNS resolution by verifying digital signatures attached to DNS responses, thereby mitigating risks associated with DNS spoofing and cache poisoning attacks.

CWD Systems' release of Pi-hole is pre-configured and installed within the CWD GATE appliance, constituting a vital component of its privacy package. Pi-hole acts as a network-wide ad blocker and DNS sinkhole, preventing unwanted ads and tracking domains from infiltrating your network. All that's required is to enable your network to leverage its capabilities.

Moreover, for those seeking to use TOR for enhanced anonymity and privacy, configuration involves pointing client-side proxy settings at the CWD GATE appliance's IP address and port. This can be done in several ways, such as using plug-ins like FoxyProxy, or by overriding system-wide proxy declarations via Bash in Linux or Internet Settings in Windows.

In essence, the CWD GATE appliance not only safeguards your network against cyber threats with its advanced security measures but also offers tools for enhancing privacy and anonymity, making it a comprehensive solution for modern cybersecurity needs.

Post-install: Make your network take advantage of CWD Gate

Once the installer has been run, you will need to configure your router to have DHCP clients use Pi-hole as their DNS server. This router configuration will ensure that all devices connecting to your network will have content blocked without any further intervention.

If your router does not support setting the DNS server, you can use Pi-hole's built-in DHCP server; be sure to disable DHCP on your router first (if it has that feature available).

As a last resort, you can manually set each device to use CWD Gate as their DNS server.

TOR, WireGuard and Routing also come pre-configured and ready to use out of the box.


Alternative support for Pi-hole

If you'd rather not donate (which is okay!), there are other ways you can help support us:

Contributing via GitHub

We welcome everyone to contribute to issue reports, suggest new features, and create pull requests.

If you have something to add - anything from a typo through to a whole new feature, we're happy to check it out! Just make sure to fill out our template when submitting your request; the questions it asks will help the volunteers quickly understand what you're aiming to achieve.

You'll find that the install script and the debug script have an abundance of comments, which will help you better understand how Pi-hole works. They're also a valuable resource to those who want to learn how to write scripts or code a program! We encourage anyone who likes to tinker to read through it and submit a pull request for us to review.


Breakdown of Pi-hole Features

FTLDNS is a lightweight, purpose-built daemon used to provide statistics needed for the Web Interface, and its API can be easily integrated into your own projects. As the name implies, FTLDNS does this all very quickly!

Some of the statistics you can integrate include:

  • Total number of domains being blocked
  • Total number of DNS queries today
  • Total number of ads blocked today
  • Percentage of ads blocked
  • Unique domains
  • Queries forwarded (to your chosen upstream DNS server)
  • Queries cached
  • Unique clients
  • Current default limit set to 4000 DNS queries per second per client. Can be raised safely to 9500 queries per second per client.
  • CWD GATE with daily ultimate blacklist host updates. Almost 900000 bad websites loaded in database.

Access the API via telnet, the Web (admin/api.php) and Command Line (pihole -c -j). You can find out more details over here.

The Command-Line Interface

The pihole command has all the functionality necessary to fully administer the Pi-hole, without the need for the Web Interface. It's fast, user-friendly, and auditable by anyone with an understanding of bash.

Some notable features include:

You can read our Core Feature Breakdown for more information.

The Web Interface Dashboard

This optional dashboard allows you to view stats, change settings, and configure your Pi-hole. It's the power of the Command Line Interface, with none of the learning curve!

Some notable features include:

  • Mobile-friendly interface
  • Password protection
  • Detailed graphs and doughnut charts
  • Top lists of domains and clients
  • A filterable and sortable query log
  • Long Term Statistics to view data over user-defined time ranges
  • The ability to easily manage and configure Pi-hole features
  • ... and all the main features of the Command Line Interface!

There are two ways to access the dashboard:

  1. http://cwd.gate/admin/ (when using FTL as your DNS server)
  2. http://<IP_ADDRESS_OF_YOUR_PI_HOLE>/admin/

Port Access Filter

Assuming your LAN network is 192.168.1.x and the appliance is on a public IP address Firewall Reference

TOR Router Access

Every network is different, and the TOR Router needs to listen on a specific interface and IP address. Edit the /etc/tor/torrc file and enter the assigned static IP address with port 9050. This assigned IP and port will then be used as the TOR proxy in your network proxy settings or browser proxy settings.

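SocksPort 9050 # Default: Bind to localhost:9050 for local connections.

SocksPort 192.168.1.203:9050 # Bind to this address:port too.

SocksPolicy accept 192.168.1.0/24

SocksPolicy reject * # Addresses not matched by any SocksPolicy entry are accepted by default, so reject everything else explicitly.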

Once you have made your configuration changes, you can restart the TOR daemon with /etc/init.d/tor restart.
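A small torrc check for the point above, added here as an example and not part of the CWD Gate project: Tor accepts any client address that no SocksPolicy entry matches, so a SocksPort bound to a LAN address needs a closing `SocksPolicy reject *`. The function names and the sample file are constructed for illustration.

```shell
# Constructed sample: the three torrc lines shown on this page, without a
# closing reject rule.
page_torrc() {
    cat <<'EOF'
SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
SocksPort 192.168.1.203:9050 # Bind to this address:port too.
SocksPolicy accept 192.168.1.0/24
EOF
}

# torrc_findings: read a torrc on stdin and print one finding per line.
#   NONLOCAL_BIND <addr:port>  a SocksPort reachable from other hosts
#   POLICY_OPEN                such a bind exists but no "SocksPolicy reject *"
torrc_findings() {
    awk '
        { sub(/#.*/, "") }                          # strip comments
        $1 == "SocksPort" && $2 != "" {
            # A bare port, "auto", a unix socket or a loopback address
            # is only reachable from the appliance itself.
            if ($2 ~ /^([0-9]+|auto)$/) next
            if ($2 ~ /^(unix:|127\.|localhost:|\[::1\]:)/) next
            print "NONLOCAL_BIND " $2
            nonlocal = 1
        }
        $1 == "SocksPolicy" && $0 ~ /reject[ \t]+\*/ { reject_all = 1 }
        END { if (nonlocal && !reject_all) print "POLICY_OPEN" }'
}

# Run against the sample; on the appliance use:
#   torrc_findings < /etc/tor/torrc
page_torrc | torrc_findings
```
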

Configure Wireguard for Public & Interface IP assignments

The file setupVars.conf located in /etc/pivpn/wireguard allows you to assign listening LAN and WAN IP addresses. There are only two entries that you have to modify:

  • IPv4addr

Change this to the LAN IP address with a /24 CIDR. For example, IPv4addr=192.168.2.103/24

  • pivpnHOST

This is the public/internet IP address that you have assigned to your WAN port of CWD Blade Appliance. By default WireGuard uses this IP and its default port for all generated users. For example, pivpnHOST=93.143.102.63. The WireGuard profiles will use this public IP Address endpoint to perform all handshakes.

::: Connected Clients List :::
Name    Remote IP    Virtual IP                              Bytes Received    Bytes Sent    Last Seen
test    (none)       10.172.10.2,fd11:5ee:bad:c0de::2/128    0B                0B            (not yet)
::: Disabled clients :::

Default Listening Ports

CWD Gate uses only 6 service ports which are 22 (Inbound SSH), 53 (DNS frontend), 9050 and 9051 (TOR Router) and 4711 (FTL DNS). These ports are accessible only from the LAN side and not the WAN, although this also depends on how you have configured your firewall and router. This can be confirmed with ss -tunpl.
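One way to read the `ss -tunpl` output for this check, added here as an example and not part of the CWD Gate project: it classifies every listener on the appliance ports named above (plus web port 80 from the firewall rules) as loopback, LAN-bound, or wildcard, the last being the ones that depend entirely on the firewall. The sample output is constructed, and the LAN prefix match is an assumption that only suits /24-style networks like the ones on this page.

```shell
# Constructed sample of `ss -tunpl` output (process names and PIDs are made up).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*         users:(("pihole-FTL",pid=812,fd=4))
tcp   LISTEN 0      32     0.0.0.0:53         0.0.0.0:*         users:(("pihole-FTL",pid=812,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128    127.0.0.1:4711     0.0.0.0:*         users:(("pihole-FTL",pid=812,fd=9))
tcp   LISTEN 0      4096   127.0.0.1:9050     0.0.0.0:*         users:(("tor",pid=900,fd=6))
tcp   LISTEN 0      4096   192.168.1.203:9050 0.0.0.0:*         users:(("tor",pid=900,fd=7))
tcp   LISTEN 0      4096   127.0.0.1:9051     0.0.0.0:*         users:(("tor",pid=900,fd=8))
tcp   LISTEN 0      511    [::]:80            [::]:*            users:(("lighttpd",pid=650,fd=5))
EOF
}

# audit_listeners LAN_PREFIX: print "<scope> <proto> <addr> <port>" for each
# listener on an appliance port. LAN_PREFIX is a string prefix, e.g. "192.168.1."
audit_listeners() {
    awk -v lan="$1" -v ports="22 53 80 9050 9051 4711" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "Netid" { next }                       # header row
        {
            port = $5; sub(/.*:/, "", port)           # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)       # text before it
            sub(/%.*/, "", addr)                      # drop any %interface suffix
            if (!(port in want)) next
            if (index(addr, "127.") == 1 || addr == "[::1]")            scope = "loopback"
            else if (index(addr, lan) == 1)                             scope = "lan"
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "wildcard"
            else                                                        scope = "other"
            print scope, $1, addr, port
        }'
}

# firewall_dependent_count LAN_PREFIX: listeners bound beyond loopback and LAN.
firewall_dependent_count() {
    audit_listeners "$1" | grep -c -E '^(wildcard|other) ' || true
}

# Run against the sample; on the appliance use: ss -tunpl | audit_listeners 192.168.1.
sample_ss_output | audit_listeners "192.168.1."
```
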

Allowing SSH from LAN only (change as per your network specifications)

Note: Firewall filtering is only required if your CWD GATE is exposed on the internet with direct IP assignment. If it is behind CWD Blade or another firewall then the below commands will not be required.

iptables -A INPUT -p tcp --dport 22 -s 192.168.2.0/24 -j ACCEPT && iptables -A INPUT -p tcp --dport 22 -j DROP

  • Allow Web Access only from LAN

iptables -A INPUT -p tcp --dport 80 -s 192.168.2.0/24 -j ACCEPT && iptables -A INPUT -p tcp --dport 80 -j DROP

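  • Restrict FTL Access to LAN only (DNS is served over both TCP and UDP on port 53, so both need a rule pair)

iptables -A INPUT -p tcp --dport 53 -s 192.168.2.0/24 -j ACCEPT && iptables -A INPUT -p tcp --dport 53 -j DROP

iptables -A INPUT -p udp --dport 53 -s 192.168.2.0/24 -j ACCEPT && iptables -A INPUT -p udp --dport 53 -j DROP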
