# Configuring Firewalls

When providing resources on your host, whether [network](./contributing-a-public-address.md) or [storage](./contributing-storage.md), you will need to ensure that your host's firewall is configured correctly to do so. To make matters even more confusing, there are actually two firewalls at play: the host's firewall, and the VPN firewall.

## Host Firewall

The host you are running isle on will almost definitely have a firewall running, separate from the VPN firewall. If you wish to provide services for your Isle network from your host, you will need to allow their ports in your host's firewall.

**isle does _not_ automatically configure your host's firewall to any extent!**

One option is to open your host to all traffic from your Isle network, and allow the VPN firewall to be fully responsible for filtering traffic. To do this on Linux using iptables, for example, you would add something like this to your iptables configuration:

```
-A INPUT --source <network CIDR> --jump ACCEPT
```

being sure to replace `<network CIDR>` with the CIDR of your network.

If you don't feel comfortable allowing Isle to deal with all packet filtering, you will need to manually determine and add the ports for each service to your host's firewall. You will need to manually specify any configured storage allocation ports if this is the approach you take.

## VPN Firewall

Isle uses the [nebula][nebula] project to provide its VPN layer. Nebula ships with its own [builtin firewall][nebulafirewall], which only applies to connections coming in over the virtual network interface which it creates. This firewall can be manually configured using the `isle vpn firewall` set of sub-commands, or using the [configuration file][configfile].

Any storage allocations which are defined will have their network ports automatically added to the VPN firewall by Isle. This means that you only need to configure the VPN firewall if you are hosting services for your Isle network besides storage.
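Returning to the host firewall section above, here is an added example (not part of the Isle docs) of a small POSIX shell helper that prints iptables INPUT rules for both host-firewall approaches: trusting the VPN firewall for everything, or allowing only named ports. The interface name `nebula1`, the CIDR `10.42.0.0/16` and the function names are assumptions; unlike the single-line rule above, each rule is also bound to the nebula interface, so a packet arriving on the physical NIC with a forged Isle source address does not match.

```shell
#!/bin/sh
# Added example, not part of the Isle docs. Prints iptables INPUT rules for the
# two host-firewall approaches: trust the VPN firewall for everything, or allow
# only named ports. Assumptions (placeholders, adjust for your host): the nebula
# tun device is "nebula1" and the Isle network CIDR is 10.42.0.0/16.
ISLE_IFACE="${ISLE_IFACE:-nebula1}"
ISLE_CIDR="${ISLE_CIDR:-10.42.0.0/16}"

# Approach 1: accept all traffic from the Isle CIDR and let the nebula firewall
# filter. The rule matches on the nebula interface as well as the source CIDR,
# so a packet on the physical NIC that merely claims an Isle source address
# does not match it.
isle_rules_trust_vpn() {
    printf '%s\n' "-A INPUT -i $ISLE_IFACE -s $ISLE_CIDR -j ACCEPT"
}

# Approach 2: one ACCEPT per "port/proto" argument, then DROP anything else
# that arrives over the nebula interface. Example: isle_rules_per_port 22/tcp 53/udp
isle_rules_per_port() {
    for spec in "$@"; do
        port="${spec%/*}"
        proto="${spec#*/}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "isle_rules_per_port: bad spec '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "isle_rules_per_port: bad port '$spec'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -i $ISLE_IFACE -s $ISLE_CIDR -p $proto --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $ISLE_IFACE -j DROP"
}
```

The output is in iptables-save format, so the lines can be pasted into the rules file your iptables-restore loads.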
[nebula]: https://github.com/slackhq/nebula
[nebulafirewall]: https://nebula.defined.net/docs/config/firewall
[configfile]: ./configuring-networks.md

### Configuring the VPN Firewall

See the [Configuring Networks](./configuring-networks.md) document for notes on how to configure Isle networks. This guide assumes configuration using the CLI.

The `isle vpn firewall` sub-commands are used to configure the VPN's firewall. Without any flags the `isle vpn firewall show` command will display the currently active firewall.

```bash
isle vpn firewall show
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any
# - index: 1
#   port: "22"
#   proto: tcp
#   host: my-laptop
```

When making changes to the firewall, all changes are first applied to a staging version of the firewall. The staged version can be viewed by adding the `--staged` flag to the `show` sub-command.

```bash
isle vpn firewall remove --from inbound --indexes 1
isle vpn firewall show --staged
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any

isle vpn firewall add --to inbound --port 53 --proto udp --host any
isle vpn firewall show --staged
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any
# - index: 1
#   port: "53"
#   proto: udp
#   host: any
```

Once the staged firewall is in the desired state, it can be applied using the `commit` sub-command.

```bash
isle vpn firewall commit
```

If you wish to instead discard all staged changes you can use the `reset` sub-command.

```bash
isle vpn firewall reset
```