diff --git a/README.md b/README.md index 5751792..8616421 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,7 @@ Documentation for operators: * [Contributing Storage](docs/operator/contributing-storage.md) * [Contributing a Lighthouse](docs/operator/contributing-a-lighthouse.md) * [Managing garage](docs/operator/managing-garage.md) +* [Firewalls](doc/operator/firewall.md) [ddns]: https://www.cloudflare.com/learning/dns/glossary/dynamic-dns/ diff --git a/docs/operator/contributing-storage.md b/docs/operator/contributing-storage.md index 20e0705..0240b87 100644 --- a/docs/operator/contributing-storage.md +++ b/docs/operator/contributing-storage.md @@ -41,6 +41,11 @@ storage: capacity: 100 ``` +## Set Up Your Firewall + +See the doc on [Firewalls](./firewalls.md), to be sure that your host's firewall +is properly set up for providing storage. + ## Restart the Daemon With the `daemon.yml` configured, you should restart your `cryptic-net daemon` diff --git a/docs/operator/firewalls.md b/docs/operator/firewalls.md new file mode 100644 index 0000000..4debc5b --- /dev/null +++ b/docs/operator/firewalls.md 
@@ -0,0 +1,49 @@ +# Firewalls + +When providing services on your host, whether +[network](./contributing-a-lighthouse.md) or +[storage](./contributing-storage.md), you will need to ensure that your host's +firewall is configured correctly to do so. + +To make matters even more confusing, there are actually two firewalls at play: +the host's firewall, and the VPN firewall. + +## VPN Firewall + +cryptic-net uses the [nebula](https://github.com/slackhq/nebula) project to +provide its VPN layer. Nebula ships with its own [builtin +firewall](https://nebula.defined.net/docs/config/firewall), which only applies +to connections coming in over the virtual network interface which it creates. +This firewall can be manually configured as part of cryptic-net's +[`daemon.yml`](../user/creating-a-daemonyml-file.md) file. + +Any storage instances which are defined as part of the `daemon.yml` file will +have their network ports automatically added to the VPN firewall by cryptic-net. +This means that you only need to configure the VPN firewall if you are hosting +services for your cryptic network besides storage. + +## Host Firewall + +The host you are running cryptic-net on will almost definitely have a firewall +running, separate from the VPN firewall. If you wish to provide services for +your cryptic network from your host, you will need to allow their ports in your +host's firewall. + +**cryptic-net does _not_ automatically configure your host's firewall to any +extent!** + +One option is to open your host to all traffic from your cryptic network, and +allow the VPN firewall to be fully responsible for filtering traffic. To do this +on Linux using iptables, for example, you would add something like this to your +iptables configuration: + +``` +-A INPUT --source --jump ACCEPT +``` + +being sure to replace the network CIDR with the one for you network. 
+ +If you don't feel comfortable allowing nebula to deal with all packet filtering, +you will need to manually determine and add the ports for each nebula service to +your host's firewall. It is recommended that you manually specify any storage +allocation ports defined in your `daemon.yml` if this is the approach you take.
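Review bot: the README hunk links to `doc/operator/firewall.md`, which does not exist; the file this patch creates is `docs/operator/firewalls.md` (directory `docs`, file name `firewalls.md`), and the neighbouring list entries all use the `docs/operator/...` prefix. As written the new entry is a dead link. Suggest `* [Firewalls](docs/operator/firewalls.md)`.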
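Review bot: in the new `firewalls.md`, the iptables example `-A INPUT --source --jump ACCEPT` is not a valid rule: `--source` takes an address/CIDR argument and none is given, so `iptables` will reject it. The sentence after it says to replace the network CIDR, so a visible placeholder was clearly intended; suggest something like `-A INPUT --source <cryptic network CIDR> --jump ACCEPT`. Two further points on the same passage: first, matching on source address alone also accepts a packet that arrives on the physical interface with a spoofed source in the VPN range, so the rule should additionally match the nebula tun interface (`-i <nebula interface>`, whatever the device is named on the host), which makes "allow the VPN firewall to be fully responsible for filtering" actually true; second, "the one for you network" should read "the one for your network".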