isle/docs/operator/firewalls.md
# Firewalls
When providing resources on your host, whether
[network](./contributing-a-public-address.md) or
[storage](./contributing-storage.md), you will need to ensure that your
host's firewall is configured correctly to do so.
To make matters even more confusing, there are actually two firewalls at play:
the host's firewall, and the VPN firewall.
## VPN Firewall
Isle uses the [nebula](https://github.com/slackhq/nebula) project to
provide its VPN layer. Nebula ships with its own [builtin
firewall](https://nebula.defined.net/docs/config/firewall), which only applies
to connections coming in over the virtual network interface which it creates.
This firewall can be manually configured using the `isle vpn firewall` set of
sub-commands, or using the [configuration file][configfile].
Any storage allocations which are defined will have their network ports
automatically added to the VPN firewall by Isle. This means that you only need
to configure the VPN firewall if you are hosting services for your isle network
besides storage.
## Host Firewall
The host you are running Isle on will almost definitely have a firewall
running, separate from the VPN firewall. If you wish to provide services for
your Isle network from your host, you will need to allow their ports in your
host's firewall.

**Isle does _not_ automatically configure your host's firewall to any extent!**
One option is to open your host to all traffic from your Isle network, and
allow the VPN firewall to be fully responsible for filtering traffic. To do this
on Linux using iptables, for example, you would add something like this to your
iptables configuration:
```
-A INPUT --source <network CIDR> --jump ACCEPT
```
being sure to replace the network CIDR with the one for your network.
If you don't feel comfortable allowing nebula to deal with all packet filtering,
you will need to manually determine and add the ports for each nebula service to
your host's firewall. You will need to manually specify any configured storage
allocation ports if this is the approach you take.
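The two approaches above side by side, as an added example that is not part of the Isle project's own tooling: a small POSIX shell script that emits the host-firewall rules for either approach after checking that the CIDR is well-formed. The CIDR and port numbers are constructed sample values, not ones Isle assigns.

```shell
#!/bin/sh
# Added example (not Isle project code): print iptables rules for the host
# firewall. Nothing here runs iptables; review the output and add it to your
# iptables configuration yourself.

# Accept only an IPv4 CIDR of the form a.b.c.d/n. A malformed value would
# otherwise produce a rule that matches nothing, or far more than intended.
valid_cidr() {
  printf '%s' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Approach 1: accept everything from the VPN CIDR and let nebula do the filtering.
rule_open_all() {
  valid_cidr "$1" || return 1
  printf -- '-A INPUT --source %s --jump ACCEPT\n' "$1"
}

# Approach 2: accept only the listed "proto/port" pairs (e.g. tcp/3900) from the
# VPN CIDR. The ports are the ones you determined for each service yourself.
rules_per_port() {
  cidr=$1
  shift
  valid_cidr "$cidr" || return 1
  for spec in "$@"; do
    proto=${spec%%/*}
    port=${spec#*/}
    case "$proto" in tcp | udp) ;; *) return 1 ;; esac
    case "$port" in '' | *[!0-9]*) return 1 ;; esac
    printf -- '-A INPUT --source %s --protocol %s --dport %s --jump ACCEPT\n' \
      "$cidr" "$proto" "$port"
  done
}

# Constructed sample input: a hypothetical VPN CIDR and two hypothetical service ports.
rule_open_all 10.10.0.0/16
rules_per_port 10.10.0.0/16 tcp/3900 udp/3901
```

If you know the name of the interface nebula creates on your host, adding `--in-interface <name>` to these rules restricts them to packets that actually arrived over the VPN rather than any packet on a physical interface carrying a VPN source address.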
[configfile]: ./configuring-networks.md