dog is a firewall management system

View on GitHub

Web Console: dog_park

dog_park is the primary user interface for dog.


Each agent is listed in Hosts. Agents appear as Hosts as they attach to dog_trainer. Hosts

Hosts include local, public and ec2 public addresses.



Hosts are assigned to a group, usually when the Agent is configured, but assignments can be changed in the console. Groups Group


Zones are static lists of IPs that can be referenced in Profiles.
Fairly static Zones can be updated in the console, but highly dynamic Zones like block or allow lists can be modified via the dog_trainer API.

Zones Zones can include both IPv4 and IPv6 addresses. Zone


Profiles describe the access rules.


Group are associated with a Profile. Groups, Zones and Services are references in Profile rules.

Each rule can be active or inactive.

Rule types include: basic, connlimit (connection limit), recent (rate limit)

Source can be a Group or Zone.

Inbound tables are default DROP, so anything not specifically allowed by rules will be dropped.

Outbound tables are default ACCEPT.



Ports and protocols are defines in Services. Services Multiple ports, each with a different protocol types can be defined per service

Ports are delimited with commas

A range of ports is indicated with a “:” between start and end. Service

Flan Scans

Integration with the network vulnerability scanner Flan Scan is available. Flan Scans An example of a Host with a Flan Scan discovered CVE. Flan Host

Links are the way to federate multiple dog_trainer instances.

Linked dog_trainers share Groups, Zones and Host addresses between dog_trainers, but not Profiles.

This is useful for sharing access between servers managed by different business units.


Direction can be bidirectional, inbound, or outbound.

Address Handling can be set to either Union or Prefix.

Connection information is for the other sides’ RabbitMQ. Link