Add documentation related to firewalls

README.md

@@ -73,6 +73,7 @@ Documentation for operators:
 * [Contributing Storage](docs/operator/contributing-storage.md)
 * [Contributing a Lighthouse](docs/operator/contributing-a-lighthouse.md)
 * [Managing garage](docs/operator/managing-garage.md)
+* [Firewalls](doc/operator/firewall.md)
 
 [ddns]: https://www.cloudflare.com/learning/dns/glossary/dynamic-dns/
 

docs/operator/contributing-storage.md

@@ -41,6 +41,11 @@ storage:
       capacity: 100
 ```
 
+## Set Up Your Firewall
+
+See the doc on [Firewalls](./firewalls.md), to be sure that your host's firewall
+is properly set up for providing storage.
+
 ## Restart the Daemon
 
 With the `daemon.yml` configured, you should restart your `cryptic-net daemon`

docs/operator/firewalls.md

@@ -0,0 +1,49 @@
+# Firewalls
+
+When providing services on your host, whether
+[network](./contributing-a-lighthouse.md) or
+[storage](./contributing-storage.md), you will need to ensure that your host's
+firewall is configured correctly to do so.
+
+To make matters even more confusing, there are actually two firewalls at play:
+the host's firewall, and the VPN firewall.
+
+## VPN Firewall
+
+cryptic-net uses the [nebula](https://github.com/slackhq/nebula) project to
+provide its VPN layer. Nebula ships with its own [builtin
+firewall](https://nebula.defined.net/docs/config/firewall), which only applies
+to connections coming in over the virtual network interface which it creates.
+This firewall can be manually configured as part of cryptic-net's
+[`daemon.yml`](../user/creating-a-daemonyml-file.md) file.
+
+Any storage instances which are defined as part of the `daemon.yml` file will
+have their network ports automatically added to the VPN firewall by cryptic-net.
+This means that you only need to configure the VPN firewall if you are hosting
+services for your cryptic network besides storage.
+
+## Host Firewall
+
+The host you are running cryptic-net on will almost definitely have a firewall
+running, separate from the VPN firewall. If you wish to provide services for
+your cryptic network from your host, you will need to allow their ports in your
+host's firewall.
+
+**cryptic-net does _not_ automatically configure your host's firewall to any
+extent!**
+
+One option is to open your host to all traffic from your cryptic network, and
+allow the VPN firewall to be fully responsible for filtering traffic. To do this
+on Linux using iptables, for example, you would add something like this to your
+iptables configuration:
+
+```
+-A INPUT --source <network CIDR> --jump ACCEPT
+```
+
+being sure to replace the network CIDR with the one for you network.
+
+If you don't feel comfortable allowing nebula to deal with all packet filtering,
+you will need to manually determine and add the ports for each nebula service to
+your host's firewall. It is recommended that you manually specify any storage
+allocation ports defined in your `daemon.yml` if this is the approach you take.