Fleet

Overview

The Fleet Management Engine transforms a collection of isolated, independent Linux servers into a secure, cohesive, and centrally orchestrated Cluster Mesh. Instead of an administrator manually logging into ten different servers via separate SSH sessions to configure firewalls, provision websites, or move virtual machines, the Fleet Engine treats your entire infrastructure as a single, programmable canvas. It utilizes a secure "Hub-and-Spoke" topology, where a single authorized machine (the Controller) securely commands and maintains state parity across any number of remote worker machines (Nodes or Peers).

Core Architectural Pillars

Zero-Knowledge Trust Mesh (Ansible Engine)

The Fleet Management Engine brings together several core Linux and networking primitives into a single, automated framework. At its lowest layer, Fleet uses an embedded Ansible core to drive execution. It avoids resource-heavy agent daemons running constantly in the background on your nodes; instead it communicates over out-of-band SSH, passing execution directives dynamically.

  • Dynamic Private Key Rotation: Fleet manages its own SSH key pairs (id_ed25519) per region, restricting cross-node visibility.
  • Parallel Orchestration: Commands, audits, and performance sweeps are batched asynchronously, processing changes across your entire cluster simultaneously.

Fleet Mesh:

one-click --ssh [fleet peer IP|vm name]
one-click fleet init
one-click fleet add [ip] [peer host]
one-click fleet verify
one-click update-keys

Network-Pinned Security

Security in the Fleet is tied directly to the network layer. When a node is registered into the cluster mesh, the Controller installs a persistent, structured netfilter rule chain in the host kernel via iptables.

Restore Command Example

one-click engine restore

Delete

Old backups can be safely removed using an interactive selection table.

Delete Command Example

one-click engine 'delete firewall'

Alias

Aliases allow multiple IP addresses to be grouped under a single logical identifier. This simplifies firewall management by allowing rules to reference an alias instead of individual IP addresses.

Useful Tip:

An alias can then be used directly within firewall rules and access policies, so a whole group of IPs is referenced through a single alias.

Alias Code Example
# Show all alias mappings
one-click engine 'view alias'
...
# Create named IP groups for easier rule management.
one-click engine 'alias-create office 1.2.3.4 1.2.3.5 1.2.3.6'
...
# Add additional IPs to an existing alias.
one-click engine 'alias-append office 5.4.3.2'
...
# Delete an IP from an alias
one-click engine 'alias-delete office 1.2.3.5'

# To use an alias in an actual command, simply reference the alias by name.
# For example, to allow ssh from all IPs in the alias office:
one-click engine 'allow ssh from office'

Features

  • Create and delete aliases
  • Add or remove IP addresses from existing aliases
  • Use aliases in firewall and routing rules
  • Persistent configuration storage

Common Use Cases

Aliases are useful for grouping:
  • Office networks
  • Trusted administrator IPs
  • Blacklisted hosts
  • Monitoring systems
  • Internal infrastructure ranges
Using aliases reduces rule duplication and makes firewall configurations easier to maintain.

Named Ports

Named ports allow commonly used ports to be referenced by name instead of by numeric port value, which makes adding rules easier and more intuitive.

Examples:
  • ssh → 22
  • mysql → 3306
  • http → 80
  • https → 443

Named Port Code Example
# Open port 22
one-click engine 'allow ssh'
...
# Drop port 3306
one-click engine 'drop mysql'
...
# Reject port 25
one-click engine 'reject smtp'

Sensitive Ports

Sensitive Port Protection helps prevent accidental disruption of critical services by requiring confirmation before modifying protected ports.

Common examples include:
  • SSH (22)
  • MySQL (3306)
  • HTTP/HTTPS (80, 443)

Ports marked as sensitive trigger an additional confirmation step before firewall rules are applied or removed.

Sensitive Port Code Example
# View all active sensitive ports
one-click engine 'sensitive-list'
...
# Add additional ports to the sensitive ports list
one-click engine 'sensitive: 21'
...
# Remove a sensitive port
one-click engine 'sensitive-remove: 21'

Raw Entry

Raw commands provide direct access to the underlying iptables engine without abstraction or natural-language interpretation. This mode is intended for advanced firewall configurations, unsupported rule types, custom match extensions, and precise low-level control.
When using raw:, the command text is passed to the firewall engine exactly as written, so it is executed with the full privileges of iptables and none of the safety checks that apply to parsed commands.

Common Use Cases
  • Advanced match extensions
  • Custom iptables modules
  • Complex rule construction
  • Direct low-level firewall manipulation
  • Unsupported or experimental rule syntax

Raw Code Example
# Raw iptables commands: accept TCP to port 22, drop TCP to port 80
one-click engine 'raw: iptables -A INPUT -p tcp --dport 22 -j ACCEPT'
one-click engine 'raw: iptables -A INPUT -p tcp --dport 80 -j DROP'

Command Chaining

Raw commands can be chained together or combined with natural-language parsed input. This allows multiple operations to be executed in sequence within a single command.
Because raw: bypasses normal parsing, spacing rules are strict. Incorrect spacing causes the parser to fall back to natural-language interpretation, so the text after raw: would be treated as a parsed command rather than passed to iptables verbatim.
Service names and aliases continue to resolve automatically during chained execution.

Chaining with comma

  • The next raw: must begin immediately after the comma
  • No leading space is allowed before raw:
Correct
one-click engine 'raw: iptables -A INPUT -p tcp --dport 22 -j ACCEPT,raw: iptables -L'
Incorrect
one-click engine 'raw: iptables -A INPUT -p tcp --dport 22 -j ACCEPT, raw: iptables -L'
A leading space before raw: will trigger natural-language parsing.

Chaining with and
  • There must be exactly one space after and
  • There must be exactly one space before raw:
Correct
one-click engine 'raw: iptables -A INPUT -p tcp --dport 22 -j ACCEPT and raw: iptables -L'
Incorrect
one-click engine 'raw: iptables -A INPUT -p tcp --dport 22 -j ACCEPT  and raw: iptables -L'
one-click engine 'raw: iptables -A INPUT -p tcp --dport 22 -j ACCEPT andraw: iptables -L'
Improper spacing will cause the parser to interpret the command as natural language instead of raw mode.

Chaining Code Example
# Allow ssh from the office and home aliases, then drop ssh from everywhere else.
# Also drop nginx and smtp.
one-click engine 'allow ssh from office and home and drop ssh and nginx and smtp'
...
# Raw input (accept TCP port 22) chained with parsed commands: drop dovecot and enable icmp
one-click engine 'raw: iptables -A INPUT -p tcp --dport 22 -j ACCEPT,drop dovecot and enable icmp'

Intrusion Detection System (IDS)

The IDS (Intrusion Detection System) module provides continuous monitoring, historical visibility, and automated threat response across the RuleEngine firewall and WebHosting environment. It unifies live rule inspection, attack tracking, and mitigation history into a single security layer.

AUDITING AND VISIBILITY

The audit system provides multiple real-time and historical views of firewall and security activity.

Rule Traversal

Displays all active firewall rules across tables and chains, including:
  • Packet counters
  • Blocked traffic totals
  • Rule match statistics

Mitigation Logs

Tracks automated and manual security actions with full context:
  • Timestamp of event
  • Source IP address
  • Action taken (block, timeout, allow)
  • Duration or trigger reason

Attack Statistics

Aggregates repeated malicious behavior and highlights persistent threats:
  • Attempt counts per IP
  • Targeted services (e.g. SSH, HTTP)
  • Last-seen timestamps

Global Banlist

Unified view of all blocked IPs, including:
  • RuleEngine bans
  • Fail2Ban entries
  • External threat sources (if enabled)

Integration Layer

The IDS system integrates with external and system-level security tools:
  • Fail2Ban (jail sync and ban visibility)
  • AbuseIPDB (IP reputation lookup and reporting)
  • systemd journal / journalctl (log ingestion and correlation)

Audit Code Example
# Show general security events
one-click engine audit
...
# Show SSH brute-force attempts
one-click engine 'audit ssh'
...
# Show mitigation and block history
one-click engine 'audit history'
...
# Show all banned IPs (RuleEngine + Fail2Ban)
one-click engine 'audit banlist'
...
# Check IP reputation via AbuseIPDB
one-click engine 'audit lookup <IP>'
...
# Full filesystem and binary integrity scan
one-click engine 'audit scan --deep'

Attack Mitigation Example
# Temporarily block attacker by ID
one-click engine 'audit block <ID>'
...
# Permanently ban attacker
one-click engine 'audit block <ID> perm'
...
# Remove block from attacker
one-click engine 'audit unblock <ID>'
...
# Block attacker for 300 seconds
one-click engine 'audit block <ID> dur=300'

Dry Run & Transactional Firewall Safety

The rule-engine supports a safe execution model that allows firewall changes to be tested, staged, and validated before they are permanently applied. This prevents misconfiguration and reduces the risk of losing remote access.

Preview Mode (Dry Run)

Rules can be simulated without affecting the active firewall. This mode validates syntax, service impact, and potential connectivity risks.
one-click engine --dry-run "open https"
No changes are applied during this phase; only evaluation and preview output are generated.

Transactional Rule Application

Firewall modifications are handled using a multi-stage transactional system to ensure safe deployment.
  • Simulation Phase: Rules are evaluated against the current firewall state. Critical services and connectivity paths are checked for potential disruption.
  • Staged Deployment: Validated rules are temporarily applied to the live firewall in a controlled state.
  • Verification Window: A short confirmation period (15 seconds) is provided for the user to verify that connectivity remains intact.
  • Automatic Rollback: If no confirmation is received within the window, all changes are automatically reverted to the previous stable state.
This guarantees that misconfigured rules cannot permanently lock out the system.
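The staged-apply, verification-window and automatic-rollback phases above, as an added example that is not one-click's own code: a bash script that snapshots the live ruleset with iptables-save, applies the staged rules, and reverts to the snapshot unless an explicit "yes" arrives inside the window. The WINDOW, SAVE_CMD and RESTORE_CMD variables and the use of iptables-save/iptables-restore are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example (not one-click code): transactional iptables apply with a
# confirmation window and automatic rollback, mirroring the Staged Deployment,
# Verification Window and Automatic Rollback phases described above.
# Assumptions: the staged ruleset is a file in iptables-save format, and
# iptables-save / iptables-restore are available. WINDOW defaults to the
# page's 15 s. SAVE_CMD / RESTORE_CMD are left unquoted on purpose so they may
# be multi-word (e.g. "sudo iptables-save") or overridden for testing.

WINDOW="${WINDOW:-15}"
SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"

# Snapshot the live ruleset to a temp file and print its path (the rollback point).
snapshot_rules() {
    local f
    f=$(mktemp) || return 1
    $SAVE_CMD > "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# Read one line from stdin for up to $1 seconds; succeed only on an explicit "yes".
# A timeout, EOF (e.g. a dropped SSH session) or any other answer means "not confirmed".
confirmed_within() {
    local answer=""
    read -r -t "$1" answer || return 1
    [ "$answer" = "yes" ]
}

# apply_with_rollback STAGED_RULESET_FILE
# Exit status: 0 committed, 2 rolled back (previous ruleset restored), 1 error.
apply_with_rollback() {
    local staged=$1 backup
    backup=$(snapshot_rules) || return 1
    # Staged deployment: the new rules go live now, but only provisionally.
    $RESTORE_CMD < "$staged" || { rm -f "$backup"; return 1; }
    echo "Rules staged. Type yes within ${WINDOW}s to keep them; otherwise they are reverted." >&2
    if confirmed_within "$WINDOW"; then
        rm -f "$backup"
        return 0
    fi
    # Verification window elapsed or was declined: restore the snapshot.
    $RESTORE_CMD < "$backup"
    rm -f "$backup"
    return 2
}

# Stand-alone use: ./apply.sh /path/to/staged.rules
if [ "$#" -gt 0 ]; then
    apply_with_rollback "$1"
fi
```

Because the snapshot is restored whenever the read fails, an operator whose session is cut off by the new rules gets the old ruleset back automatically instead of being locked out.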

The system enforces multiple protective layers to maintain firewall integrity and prevent accidental misconfiguration.

Rule Engine Code Example
# Basic Traffic Control
one-click rule-engine "allow ssh"
one-click rule-engine "allow http"
one-click rule-engine "allow https"
one-click rule-engine "drop smtp"
one-click rule-engine "reject ftp"
...
# Multiple Rules/Chaining
one-click rule-engine "allow http and allow https"
one-click rule-engine "allow 80, allow 443"
one-click rule-engine "allow ssh and drop smtp"
...
# Source Based Rules
one-click rule-engine "drop ssh from 1.2.3.4"
one-click rule-engine "allow http from 10.0.0.5"
one-click rule-engine "allow ssh from office"
one-click rule-engine "drop all from 192.168.1.0/24"
...
# Alias Management
one-click rule-engine "alias-create office 192.168.1.10 192.168.1.11"
one-click rule-engine "alias-append office 192.168.1.12"
one-click rule-engine "alias-prune office 192.168.1.10"
one-click rule-engine "allow ssh from office"
...
# Port & Range Control
one-click rule-engine "allow multiport 80 443 8080"
one-click rule-engine "allow range 1000-2000"
one-click rule-engine "drop range 21-23"
...
# Protocol Specific Rules
one-click rule-engine "allow dns udp"
one-click rule-engine "allow ssh tcp"
one-click rule-engine "drop icmp"
one-click rule-engine "enable icmp"
...
# Security Audit Commands
one-click rule-engine "audit"
one-click rule-engine "audit ssh"
one-click rule-engine "audit history"
one-click rule-engine "audit banlist"
one-click rule-engine "audit lookup 8.8.8.8"
one-click rule-engine "audit scan"
one-click rule-engine "audit scan --deep"
...
# Attack Mitigation
one-click rule-engine "audit block 12"
one-click rule-engine "audit block 12 perm"
one-click rule-engine "audit unblock 12"
one-click rule-engine "audit block 5 dur=300"
...
# System Management
one-click rule-engine "show"
one-click rule-engine "open all"
one-click rule-engine "flush all"
one-click rule-engine "flush filter"
one-click rule-engine "backup"
one-click rule-engine "restore"
one-click rule-engine "mask"
...
# Safety & Testing
one-click rule-engine --dry-run "allow 443"
one-click rule-engine --dry-run "drop ssh from 10.0.0.5"
one-click rule-engine "sensitive 22 3306"
...
# Complex Real World Examples
one-click rule-engine "allow ssh from office and allow https"
one-click rule-engine "allow http from office and drop all from 1.2.3.4"
one-click rule-engine "alias-create trusted 10.0.0.1 10.0.0.2 and allow ssh from trusted"
one-click rule-engine "audit ssh and audit block 7 perm"
one-click rule-engine "audit scan --deep and backup"
one-click rule-engine "allow range 1000-2000 and drop smtp"
...
# Chained Commands
one-click rule-engine "allow ssh and drop smtp and allow https"
one-click rule-engine "allow 80, allow 443, allow 22"
one-click rule-engine "drop ssh from 1.2.3.4 and audit block 1 perm"