# Configuring Firewalls

When providing resources on your host, whether
[network](./contributing-a-public-address.md) or
[storage](./contributing-storage.md), you will need to ensure that your
host's firewall is configured correctly to do so.

To complicate matters, there are actually two firewalls at play: the host's
firewall, and Isle's own VPN firewall.

Your host's firewall filters all traffic across all network interfaces, while
Isle's VPN firewall filters only the traffic crossing the network interfaces it
creates itself. Traffic arriving over the VPN is therefore checked by both, and
a service is reachable only if both firewalls allow it. This means there is
some duplication of responsibility across the two, and so configuring both is
required for providing resources.

**isle does _not_ automatically configure your host's firewall to any extent!**

## Configuring the Host Firewall
By default Isle's VPN firewall will reject all inbound traffic on VPN
interfaces. This is a safe default, and so for simplicity it is recommended to
configure the host firewall to allow all traffic on Isle networks and let the
VPN firewall decide which ports are actually open. To do this on Linux using
iptables, for example, you would add something like this to your iptables
configuration:

```
-A INPUT --source <network CIDR> --jump ACCEPT
```

being sure to replace the network CIDR with the one for your network. Note that
this rule matches on source address alone, on every interface of the host. If
your firewall tooling allows it, additionally restrict the rule to the VPN
interface Isle creates (`-i <interface>` in iptables), so that a packet arriving
on some other interface with a spoofed source address in the VPN range does not
match it.

If you don't feel comfortable allowing Isle's VPN firewall to deal with all
packet filtering for VPN traffic, you will need to manually determine and add
the ports for each service to your host's firewall. You will need to manually
specify any configured storage allocation ports if this is the approach you
take, and to update the host firewall yourself whenever those ports change.
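As an added example that is not Isle's own code, the following POSIX shell script prints host-firewall rules in iptables syntax for both approaches above: the permissive rule that accepts everything from the Isle network, and a restrictive set that opens only listed ports. It only prints rules; applying them with `iptables-restore` or your distribution's firewall tooling is up to you. The interface name `nebula1`, the network `10.10.0.0/16` and the ports are illustrative assumptions, not values taken from Isle, and the VPN interface name on your host is whatever Isle creates there. Besides the CIDR, the generated rules also match on the interface, which stops a packet arriving on another interface with a spoofed source address in the VPN range from matching.

```sh
#!/bin/sh
# Added example, not Isle's own code: print host-firewall rules in iptables
# syntax for an Isle network. It only prints; it never applies anything.
# The interface name, CIDR and ports used below are illustrative assumptions.

# is_cidr NET: accept only "a.b.c.d/len" with octets 0-255 and len 0-32.
is_cidr() {
    net=${1%/*}; len=${1#*/}
    [ "$net" != "$1" ] || return 1             # no "/" at all
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $net; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# host_rules MODE IFACE CIDR [PROTO:PORT ...]
#   all   : accept everything from CIDR arriving on IFACE. This is the page's
#           recommended approach, narrowed to the VPN interface so that a
#           packet on another interface with a spoofed source does not match.
#   ports : accept only the listed PROTO:PORT pairs from CIDR on IFACE, for
#           the manual approach where each service's ports are listed by hand.
host_rules() {
    mode=$1; iface=$2; cidr=$3; shift 3
    is_cidr "$cidr" || { echo "host_rules: bad CIDR '$cidr'" >&2; return 1; }
    case "$mode" in
    all)
        printf '%s\n' "-A INPUT -i $iface --source $cidr --jump ACCEPT"
        ;;
    ports)
        [ $# -gt 0 ] || { echo "host_rules: ports mode needs PROTO:PORT" >&2; return 1; }
        for spec in "$@"; do
            proto=${spec%%:*}; port=${spec#*:}
            case "$proto" in tcp|udp) ;; *) echo "host_rules: bad spec '$spec'" >&2; return 1 ;; esac
            case "$port" in ''|*[!0-9]*) echo "host_rules: bad spec '$spec'" >&2; return 1 ;; esac
            printf '%s\n' "-A INPUT -i $iface --source $cidr --protocol $proto --dport $port --jump ACCEPT"
        done
        ;;
    *)
        echo "host_rules: unknown mode '$mode'" >&2; return 1
        ;;
    esac
}

# Usage (illustrative values): the permissive rule, then a restrictive set
# covering only two assumed storage allocation ports, the kind of ports you
# would look up with `isle vpn firewall show` when taking the manual approach.
host_rules all   nebula1 10.10.0.0/16
host_rules ports nebula1 10.10.0.0/16 tcp:3900 tcp:3901
```

The `is_cidr` check rejects a malformed network before it reaches your rule file, and `host_rules` refuses a port list that is empty or lacks a protocol, so the manual approach fails loudly rather than producing a rule set that silently omits a service.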
## Configuring the VPN Firewall

See the [Configuring Networks](./configuring-networks.md) document for notes on
how to configure Isle networks. This guide assumes configuration using the CLI.

Isle uses the [nebula][nebula] project to provide its VPN layer. Nebula ships
with its own [builtin firewall][nebulafirewall], which only applies to
connections coming in over the VPN interfaces which it creates for Isle. This
firewall can be manually configured using the `isle vpn firewall` set of
sub-commands, or using the [configuration file][configfile].

[nebula]: https://github.com/slackhq/nebula
[nebulafirewall]: https://nebula.defined.net/docs/config/firewall
[configfile]: ./configuring-networks.md

The `isle vpn firewall` sub-commands are used to configure the VPN's firewall.
Without any flags the `isle vpn firewall show` command will display the
currently active firewall.

Isle will automatically open inbound ports on its firewall for services it
provides, for example those necessary for storage allocations. When viewing open
ports using `isle vpn firewall show` these automatically opened ports will
appear separately under the `internal_inbound` section and are not configurable
by the user. This applies to the VPN firewall only: if you chose to open
individual ports in the host firewall rather than the whole network, the ports
listed under `internal_inbound` are the storage allocation ports you need to
add there by hand.
```bash
isle vpn firewall show
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any
# - index: 1
#   port: "22"
#   proto: tcp
#   host: my-laptop
# internal_inbound:
# - port: "3901"
#   proto: tcp
#   host: any
# - port: "3900"
#   proto: tcp
#   host: any
```
When making changes to the firewall, all changes are first applied to a staging
version of the firewall; the active firewall is left untouched until the staged
changes are committed. The staged version can be viewed by adding the
`--staged` flag to the `show` sub-command. Indexes are renumbered after a
removal (in the example below the rule added after removing index 1 itself
receives index 1), so check `show --staged` before removing by index when
several changes are staged.

```bash
isle vpn firewall remove --from inbound --indexes 1

isle vpn firewall show --staged
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any

isle vpn firewall add --to inbound --port 53 --proto udp --host any

isle vpn firewall show --staged
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any
# - index: 1
#   port: "53"
#   proto: udp
#   host: any
```
Once the staged firewall is in the desired state, it can be applied using the
`commit` sub-command. Afterwards, `isle vpn firewall show` without `--staged`
should display the committed rules, which is a quick way to confirm the change
took effect.

```bash
isle vpn firewall commit
```

If you wish to instead discard all staged changes you can use the `reset`
sub-command.

```bash
isle vpn firewall reset
```
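The `show` output is YAML, and because indexes are renumbered after a `remove` (the rule added above lands at index 1, the index just freed), comparing active and staged rulesets by index is unreliable. As an added example that is not Isle's own tooling, the following POSIX shell script flattens `isle vpn firewall show` output into one line per rule, lists the user-configurable inbound rules that are open to any host, and reports what a `commit` would change by diffing the active and staged rulesets by content. The two embedded rulesets are constructed copies of the output shown above so the script runs offline; on a real host you would redirect `isle vpn firewall show` and `isle vpn firewall show --staged` into the two files instead.

```sh
#!/bin/sh
# Added example, not Isle's own tooling: review `isle vpn firewall show` output.
# The two rulesets below are constructed copies of the output shown on this
# page: "active" before the remove/add, "staged" after them.

sample_active() {
cat <<'EOF'
outbound:
  - index: 0
    port: any
    proto: any
    host: any
inbound:
  - index: 0
    port: any
    proto: icmp
    host: any
  - index: 1
    port: "22"
    proto: tcp
    host: my-laptop
internal_inbound:
  - port: "3901"
    proto: tcp
    host: any
  - port: "3900"
    proto: tcp
    host: any
EOF
}

sample_staged() {
cat <<'EOF'
outbound:
  - index: 0
    port: any
    proto: any
    host: any
inbound:
  - index: 0
    port: any
    proto: icmp
    host: any
  - index: 1
    port: "53"
    proto: udp
    host: any
internal_inbound:
  - port: "3901"
    proto: tcp
    host: any
  - port: "3900"
    proto: tcp
    host: any
EOF
}

# flatten_rules: stdin is `show` output, stdout is one "SECTION PORT PROTO HOST"
# line per rule. Indexes are dropped on purpose: they are renumbered after a
# remove, so rules are compared by content instead.
flatten_rules() {
    awk '
    function flush() {
        if (have) printf "%s %s %s %s\n", section, r["port"], r["proto"], r["host"]
        have = 0; split("", r)
    }
    /^[A-Za-z_]+:[ \t]*$/ { flush(); section = $1; sub(/:$/, "", section); next }
    /^[ \t]*-[ \t]/       { flush(); have = 1; sub(/^[ \t]*-[ \t]*/, "") }
    /^[ \t]*[a-z_]+:/     { key = $1; sub(/:$/, "", key)
                            val = $0; sub(/^[ \t]*[a-z_]+:[ \t]*/, "", val)
                            gsub(/"/, "", val); r[key] = val }
    END { flush() }'
}

# broad_inbound: user-configurable inbound rules that accept from any host.
broad_inbound() { flatten_rules | awk '$1 == "inbound" && $4 == "any"'; }

# diff_rulesets ACTIVE_FILE STAGED_FILE: "+" lines are rules a commit would
# add, "-" lines are rules it would drop.
diff_rulesets() {
    { flatten_rules < "$1" | sed 's/^/A /'; flatten_rules < "$2" | sed 's/^/S /'; } |
    awk '$1 == "A" { a[substr($0, 3)] = 1; next }
                   { s[substr($0, 3)] = 1 }
         END { for (k in s) if (!(k in a)) print "+ " k
               for (k in a) if (!(k in s)) print "- " k }' | LC_ALL=C sort
}

# Usage with the embedded samples; on a real host redirect the output of
# `isle vpn firewall show` and `isle vpn firewall show --staged` into the files.
active=$(mktemp); staged=$(mktemp)
sample_active > "$active"; sample_staged > "$staged"
echo "== rules the commit would change =="; diff_rulesets "$active" "$staged"
echo "== staged inbound rules open to any host =="; sample_staged | broad_inbound
rm -f "$active" "$staged"
```

Running it on the samples reports `+ inbound 53 udp any` and `- inbound 22 tcp my-laptop`, which is exactly the change the `remove` and `add` above staged, and flags both staged inbound rules as open to any host. Reviewing that summary is a cheaper check than reading two YAML dumps side by side before `isle vpn firewall commit`.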
|