isle/docs/operator/firewalls.md

# Firewalls

When providing services on your host, whether
[network](./contributing-a-lighthouse.md) or
[storage](./contributing-storage.md), you will need to ensure that your host's
firewall is configured correctly to do so.

To make matters even more confusing, there are actually two firewalls at play:
the host's firewall, and the VPN firewall.

## VPN Firewall

Isle uses the [nebula](https://github.com/slackhq/nebula) project to
provide its VPN layer. Nebula ships with its own [builtin
firewall](https://nebula.defined.net/docs/config/firewall), which only applies
to connections coming in over the virtual network interface which it creates.
This firewall can be manually configured as part of isle's
[`daemon.yml`](../user/creating-a-daemonyml-file.md) file.

Any storage instances which are defined as part of the `daemon.yml` file will
have their network ports automatically added to the VPN firewall by isle.
This means that you only need to configure the VPN firewall if you are hosting
services for your isle network besides storage.

## Host Firewall

The host you are running isle on will almost definitely have a firewall
running, separate from the VPN firewall. If you wish to provide services for
your isle network from your host, you will need to allow their ports in your
host's firewall.

**isle does _not_ automatically configure your host's firewall to any extent!**

One option is to open your host to all traffic from your isle network, and
allow the VPN firewall to be fully responsible for filtering traffic. To do this
on Linux using iptables, for example, you would add something like this to your
iptables configuration:

```
-A INPUT --source <network CIDR> --jump ACCEPT
```

being sure to replace the network CIDR with the one for you network.

If you don't feel comfortable allowing nebula to deal with all packet filtering,
you will need to manually determine and add the ports for each nebula service to
your host's firewall. It is recommended that you manually specify any storage
allocation ports defined in your `daemon.yml` if this is the approach you take.
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00			`# Firewalls`

			`When providing services on your host, whether`
			`[network](./contributing-a-lighthouse.md) or`
			`[storage](./contributing-storage.md), you will need to ensure that your host's`
			`firewall is configured correctly to do so.`

			`To make matters even more confusing, there are actually two firewalls at play:`
			`the host's firewall, and the VPN firewall.`

			`## VPN Firewall`

Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`Isle uses the [nebula](https://github.com/slackhq/nebula) project to`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00			`provide its VPN layer. Nebula ships with its own [builtin`
			`firewall](https://nebula.defined.net/docs/config/firewall), which only applies`
			`to connections coming in over the virtual network interface which it creates.`
Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`This firewall can be manually configured as part of isle's`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00			[`daemon.yml`](../user/creating-a-daemonyml-file.md) file.

			Any storage instances which are defined as part of the `daemon.yml` file will
Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`have their network ports automatically added to the VPN firewall by isle.`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00			`This means that you only need to configure the VPN firewall if you are hosting`
Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`services for your isle network besides storage.`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00
			`## Host Firewall`

Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`The host you are running isle on will almost definitely have a firewall`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00			`running, separate from the VPN firewall. If you wish to provide services for`
Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`your isle network from your host, you will need to allow their ports in your`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00			`host's firewall.`

Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`isle does _not_ automatically configure your host's firewall to any extent!`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00
Perform all in-code renames which don't affect actual functionality 2023-08-05 21:53:17 +00:00			`One option is to open your host to all traffic from your isle network, and`
Add documentation related to firewalls 2022-11-05 16:16:25 +00:00			`allow the VPN firewall to be fully responsible for filtering traffic. To do this`
			`on Linux using iptables, for example, you would add something like this to your`
			`iptables configuration:`

			```
			`-A INPUT --source <network CIDR> --jump ACCEPT`
			```

			`being sure to replace the network CIDR with the one for you network.`

			`If you don't feel comfortable allowing nebula to deal with all packet filtering,`
			`you will need to manually determine and add the ports for each nebula service to`
			`your host's firewall. It is recommended that you manually specify any storage`
			allocation ports defined in your `daemon.yml` if this is the approach you take.