Return Firegex global status: init (no password yet) or run.

Also reports the API version and whether the current session is logged in.

Set the initial Firegex password. Only valid while status == 'init'.

Change the Firegex password (status == 'run' only).

expire=True rotates the server JWT secret, invalidating all current sessions; the MCP client transparently re-logs in on the next call.

List the IPv4 and IPv6 interfaces visible to Firegex.

Reset Firegex's nftables state.

DANGEROUS when delete=True: this also wipes all SQLite databases (services, regexes, rules). Use delete=False to only flush nftables rules and reload the saved config.

Force the auth lifecycle and return the (now-authenticated) status.

Useful for verifying connectivity, credentials, and that the server has been initialised. Raises FiregexNotInitializedError when status='init'.

List nfregex services (one Firegex service = one TCP/UDP port being filtered).

Get a single nfregex service by id.

Register a new nfregex service.

proto must be 'tcp' or 'udp'. ip_int is the bind interface (IPv4/IPv6 literal, '0.0.0.0' for all). fail_open=True means traffic flows when the regex engine cannot start.

Start the nfregex engine for this service.

Stop the nfregex engine (traffic flows through unfiltered).

Delete a service and all its regexes.

Rename a service.

Change service settings (causes restart). Only provided fields are updated.

List regexes attached to a service. The regex field is plain text.

Get a single regex by numeric id.

Add a PCRE2 regex to a service.

regex is plain text (the client base64-encodes for the wire). mode: 'C' = client→server only, 'S' = server→client only, 'B' = both.

Enable a previously-disabled regex without deleting it.

Disable a regex (kept in DB, not applied).

Permanently delete a regex.

Prometheus-format metrics for the nfregex module (blocked_packets, active).

List nfproxy services (Python-pluggable inline proxy for TCP/HTTP).

Get a single nfproxy service by id.

Register a new nfproxy service. proto is 'tcp' or 'http'.

Start the nfproxy engine.

Stop the nfproxy engine.

Delete a service and its filter code.

Rename a service.

Change settings of an existing nfproxy service (causes restart).

List Python filters discovered in the service code.

Enable a single pyfilter by name.

Disable a single pyfilter by name.

Read the current Python filter source for a service (empty string if unset).

Replace the Python filter source for a service.

The code must import pyfilter from firegex.nfproxy and decorate one or more handlers. Firegex compiles the code server-side and returns 400 on syntax/import errors.

Load Python filter code from a local file and push it to Firegex.

The path is read on the machine running the MCP server. UTF-8 only. Files larger than 1 MiB are rejected.

Read the firewall meta-settings (loopback, established, ICMP, mDNS, ...).

Replace the firewall settings. All fields are required (no partial update).

Activate the nftables firewall ruleset.

Deactivate the nftables firewall ruleset (all rules unloaded).

Return current rules, policy ('accept'/'drop'/'reject'), and enabled state.

Atomically replace the entire rule list.

Firegex performs DELETE FROM rules; INSERT ... in one transaction — there is no per-rule CRUD. Read with list_firewall_rules, mutate, then write back.

List port-hijack rules (each redirects public_port → proxy_port on ip_dst).

Get a single porthijack rule.

Add a porthijack rule.

ip_src is the inbound bind interface; ip_dst is the new destination. public_port is what clients connect to; traffic is rewritten to ip_dst:proxy_port. Use this to plug your own proxy in front of a service.

Activate a porthijack rule.

Deactivate a porthijack rule (traffic is no longer redirected).

Remove a porthijack rule permanently.

Rename a porthijack rule.

Repoint an existing porthijack rule to a new ip_dst:proxy_port.