Quick start
- Download and install the Tempesta xFW Ubuntu package.
- Edit the Tempesta xFW management daemon configuration file /etc/tempesta/xfw.json. Refer to management daemon configuration options, DDoS protection use cases, and the configuration examples in /opt/tempesta/examples.
- Edit the tfw_logger (a daemon responsible for sending log events to ClickHouse) configuration:

      # cat /etc/tempesta/xfw_logger.json
      {
        "log_path": "/var/log/tempesta/tfw_logger.log",
        "xfw_events": {
          "plugin_path": "/opt/tempesta/lib/incident_log.so",
          "user": "default",
          "password": "",
          "host": "127.0.0.1",
          "port": 9000,
          "db_name": "default",
          "table_name": "xfw_events",
          "max_events": 100000
        }
      }

- Start the Tempesta Escudo service:

      # systemctl start tempesta-escudo
- Check the status of the Tempesta Escudo service:

      # /opt/tempesta/bin/xfwctl --status
      BPF maps: created
      Rules: loaded
      Daemon: up
      Daemon address: 127.0.0.1:9090 [::ffff:127.0.0.1]:50051
      Daemon log last entries:
      [2026-01-19 10:50:45.511] [info] (:) XFW daemon is running
      [2026-01-19 10:50:45.512] [info] (:) All BPF maps successfully opened
      [2026-01-19 10:50:45.512] [info] (:) GeoDB not set, nothing to load
      [2026-01-19 10:50:45.512] [info] (:) Http server listening on 127.0.0.1:9090
      [2026-01-19 10:50:45.512] [info] (:) Tempesta Management Server: ready
      [2026-01-19 10:50:45.513] [info] (:) Grpc server is listening on 127.0.0.1:50051
      [2026-01-19 10:57:32.651] [info] (:) Record 0 Type: 1
      [2026-01-19 10:57:32.652] [info] (:) XFWCfg: received.
      BPF hooks state:
      xdp: ens3(2) generic id 65
      tc: ens3(2) clsact/egress tc.o:[tc] id 79

  At this point, Tempesta xFW is running with no rules applied and therefore allows all traffic.
- Write filtration rules using the examples in /opt/tempesta/examples and the documented use cases, then push the rules to the management daemon. You can start by modifying the IP addresses in the example configuration for HTTP server protection: /opt/tempesta/examples/xfw-http-rules.conf.

      # /opt/tempesta/bin/tfw push --conf /opt/tempesta/examples/xfw-http-rules.conf
      Request successfully processed by server.

  Refer to the command line interface for CLI options.
- Run an HTTP server and verify that it is accessible from the outside:

      # curl http://192.168.100.4/
      Hello Tempesta Escudo!
- Run a (D)DoS emulation tool, for example MHDDoS:

      MHDDoS$ ./start.py tcp 192.168.100.4:80 6 100
      MHDDoS/./start.py:53: DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
        ctx.options |= ssl.OP_NO_TLSv1
      MHDDoS/./start.py:55: DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
        ctx.options |= ssl.OP_NO_TLSv1_1
      [14:10:34 - INFO] Attack Started to 192.168.100.4 with TCP method for 100 seconds, threads: 6!
- Observe traffic-blocking events in ClickHouse:

      :) SELECT timestamp, address, hex(reason), packets, bytes FROM xfw_events ORDER BY packets DESC LIMIT 10

      ┌───────────────timestamp─┬─address──────────────┬─hex(reason)─┬─packets─┬─bytes─┐
      │ 2026-01-19 13:11:21.202 │ ::ffff:192.168.100.1 │ 0100        │      52 │ 58800 │
      │ 2026-01-19 13:11:05.082 │ ::ffff:192.168.100.1 │ 0100        │      50 │ 56196 │
      │ 2026-01-19 13:11:54.441 │ ::ffff:192.168.100.1 │ 0100        │      48 │ 54016 │
      │ 2026-01-19 13:10:48.965 │ ::ffff:192.168.100.1 │ 0100        │      47 │ 50454 │
      │ 2026-01-19 13:10:34.602 │ ::ffff:192.168.100.1 │ 0100        │      47 │ 53774 │
      │ 2026-01-19 13:12:14.672 │ ::ffff:192.168.100.1 │ 0100        │      43 │ 45326 │
      │ 2026-01-19 13:12:04.514 │ ::ffff:192.168.100.1 │ 0100        │      39 │ 44630 │
      │ 2026-01-19 13:11:03.216 │ ::ffff:192.168.100.1 │ 0100        │      39 │ 44206 │
      │ 2026-01-19 13:11:31.269 │ ::ffff:192.168.100.1 │ 0100        │      39 │ 44630 │
      │ 2026-01-19 13:12:10.644 │ ::ffff:192.168.100.1 │ 0100        │      38 │ 41516 │
      └─────────────────────────┴──────────────────────┴─────────────┴─────────┴───────┘
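
The query above returns one row per logged event, with IPv4 sources written as IPv4-mapped IPv6 addresses. The following added example (not part of the Tempesta documentation or tooling) rolls such rows up per source address and reason code. It assumes the five columns of that query were exported from ClickHouse in TSV format; the names `normalize` and `summarize` belong to this example, and the reason code is kept as an opaque hex string.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Three rows copied from the query output above, plus one constructed row
# (2001:db8::7, documentation prefix) to show a native IPv6 source.
SAMPLE_TSV = (
    "2026-01-19 13:11:21.202\t::ffff:192.168.100.1\t0100\t52\t58800\n"
    "2026-01-19 13:11:05.082\t::ffff:192.168.100.1\t0100\t50\t56196\n"
    "2026-01-19 13:10:34.602\t::ffff:192.168.100.1\t0100\t47\t53774\n"
    "2026-01-19 13:11:40.000\t2001:db8::7\t0100\t5\t300\n"
)


def normalize(addr):
    """Return dotted IPv4 for IPv4-mapped IPv6 input, else the canonical form."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)


def summarize(tsv_text):
    """Aggregate events per (source, reason); busiest source first."""
    stats = defaultdict(lambda: {"events": 0, "packets": 0, "bytes": 0,
                                 "first": None, "last": None})
    for row in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if not row:
            continue  # tolerate blank lines in the export
        ts, addr, reason, packets, nbytes = row
        seen = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        s = stats[(normalize(addr), reason)]
        s["events"] += 1
        s["packets"] += int(packets)
        s["bytes"] += int(nbytes)
        s["first"] = seen if s["first"] is None else min(s["first"], seen)
        s["last"] = seen if s["last"] is None else max(s["last"], seen)
    return sorted(stats.items(), key=lambda kv: kv[1]["packets"], reverse=True)


if __name__ == "__main__":
    for (src, reason), s in summarize(SAMPLE_TSV):
        window = (s["last"] - s["first"]).total_seconds()
        print(f"{src:<16} reason={reason} events={s['events']} "
              f"packets={s['packets']} bytes={s['bytes']} window={window:.1f}s")
```
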