Skip to main content

MCP server for Firegex — CTF regex/proxy firewall

Project description

firegex-mcp

MCP server that exposes Firegex — a CTF regex/proxy firewall — to LLM tooling like Claude Desktop or Claude Code.

Features

  • 49 tools across system, nfregex (kernel-side PCRE2 filter), nfproxy (Python inline proxy), firewall (nftables rules), and porthijack (port redirection).
  • Auto-managed JWT lifecycle: log in on first use, transparently re-login on 401 / secret rotation, single asyncio.Lock to avoid login storms.
  • Plain-text regex on the tool boundary; base64 is handled inside the client.
  • Two ways to push nfproxy Python filters: inline code: str or local path: str (≤ 1 MiB).
  • Pure async httpx client + pydantic v2 DTOs.
  • stdio transport — drop into Claude Desktop or Claude Code as a subprocess.

Install

uvx firegex-mcp        # ephemeral, recommended
# or
pip install firegex-mcp

Configure

All settings are env vars with the FIREGEX_MCP_ prefix:

Env var Default Description
FIREGEX_MCP_BASE_URL http://localhost:4444 Firegex base URL
FIREGEX_MCP_PASSWORD (required) Used at /api/login
FIREGEX_MCP_TIMEOUT_SECONDS 30 HTTP request timeout
FIREGEX_MCP_LOG_LEVEL INFO DEBUG/INFO/WARNING/ERROR/CRITICAL

See .env.example for a starter template.

Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %AppData%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "firegex": {
      "command": "uvx",
      "args": ["firegex-mcp"],
      "env": {
        "FIREGEX_MCP_BASE_URL": "http://localhost:4444",
        "FIREGEX_MCP_PASSWORD": "..."
      }
    }
  }
}

Restart Claude Desktop fully (Cmd+Q / tray → Quit), then look for the connector under the + menu.

Claude Code

claude mcp add firegex uvx firegex-mcp --env FIREGEX_MCP_PASSWORD=...

Tools

Grouped by Firegex module. See the design spec for the full catalogue.

  • system (6): get_firegex_status, set_password, change_password, list_interfaces, reset_firegex, login_probe.
  • nfregex (15): services CRUD + regex CRUD/toggle + Prometheus metrics.
  • nfproxy (14): services CRUD + pyfilter toggle + get_pyfilter_code, set_pyfilter_code, set_pyfilter_code_from_file.
  • firewall (6): get_firewall_settings, set_firewall_settings, enable_firewall, disable_firewall, list_firewall_rules, replace_firewall_rules.
  • porthijack (8): services CRUD + rename_phj_service + change_phj_destination.

Development

git clone https://github.com/umbra2728/firegex-mcp
cd firegex-mcp
uv sync --dev
uv run pytest
uv run ruff check src tests
uv run mypy src

Manual smoke test against a real Firegex instance:

# in the firegex repo
python3 run.py start --prebuilt
# back here
FIREGEX_MCP_PASSWORD=test uv run mcp dev src/firegex_mcp/server.py

This opens the MCP Inspector in your browser; you can call every tool by hand.

Releasing

This package ships to PyPI via Trusted Publishing. The workflow runs on any v*.*.* tag.

  1. Bump version in pyproject.toml.
  2. Add a ## [X.Y.Z] - YYYY-MM-DD section to CHANGELOG.md.
  3. Commit, tag, push:
git commit -am "Release vX.Y.Z"
git tag vX.Y.Z
git push --tags

One-time setup (not in repo state):

  • PyPI → Account settings → Add a pending publisher with repo umbra2728/firegex-mcp, workflow release.yml, environment pypi.
  • GitHub → repo → Settings → Environments → create pypi.

Related

  • packmate-mcp — sibling MCP server for Packmate (CTF network traffic analyzer).
  • ad-ctf-toolkit — Claude Code plugin that combines firegex-mcp and packmate-mcp with skills and sub-agents for Attack/Defense CTF rounds.

License

MIT — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

firegex_mcp-0.1.1.tar.gz (132.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

firegex_mcp-0.1.1-py3-none-any.whl (18.0 kB view details)

Uploaded Python 3

File details

Details for the file firegex_mcp-0.1.1.tar.gz.

File metadata

  • Download URL: firegex_mcp-0.1.1.tar.gz
  • Upload date:
  • Size: 132.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for firegex_mcp-0.1.1.tar.gz
Algorithm Hash digest
SHA256 2f793a9e36e3d90d1a31b8b4cfbcec8ae23b0a9a60501032ae3e48b36f56b107
MD5 d76bf64864e350526c4c65363e19e095
BLAKE2b-256 fcf3c9ba764d64e56549abac7d00c20ab3636aa098c376be8ea7d3ab85b69f0b

See more details on using hashes here.

Provenance

The following attestation bundles were made for firegex_mcp-0.1.1.tar.gz:

Publisher: release.yml on umbra2728/firegex-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file firegex_mcp-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: firegex_mcp-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 18.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for firegex_mcp-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7f048c6d43f5abd662fced37e4e0295620ede171bbdaf6f922476844a9026d19
MD5 3fcdf24fad6ba161665d614efcdc49f5
BLAKE2b-256 1c7f41813601595fc832454855eeb1be188f1bf08059e8bce5fbcfe6430b1586

See more details on using hashes here.

Provenance

The following attestation bundles were made for firegex_mcp-0.1.1-py3-none-any.whl:

Publisher: release.yml on umbra2728/firegex-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page