isle/docs/operator/firewalls.md
2022-11-05 17:16:25 +01:00

Firewalls

When providing services on your host, whether network or storage, you will need to ensure that your host's firewall is configured correctly to do so.

To make matters even more confusing, there are actually two firewalls at play: the host's firewall, and the VPN firewall.

VPN Firewall

cryptic-net uses the nebula project to provide its VPN layer. Nebula ships with its own built-in firewall, which only applies to connections coming in over the virtual network interface that it creates. This firewall can be manually configured as part of cryptic-net's daemon.yml file.

Any storage instances which are defined as part of the daemon.yml file will have their network ports automatically added to the VPN firewall by cryptic-net. This means that you only need to configure the VPN firewall if you are hosting services for your cryptic network besides storage.

Host Firewall

The host you are running cryptic-net on will almost definitely have a firewall running, separate from the VPN firewall. If you wish to provide services for your cryptic network from your host, you will need to allow their ports in your host's firewall.

cryptic-net does not automatically configure your host's firewall to any extent!

One option is to open your host to all traffic from your cryptic network, and allow the VPN firewall to be fully responsible for filtering traffic. To do this on Linux using iptables, for example, you would add something like this to your iptables configuration:

-A INPUT --source <network CIDR> --jump ACCEPT

being sure to replace the network CIDR with the one for your network.

If you don't feel comfortable allowing nebula to deal with all packet filtering, you will need to manually determine and add the ports for each nebula service to your host's firewall. It is recommended that you manually specify any storage allocation ports defined in your daemon.yml if this is the approach you take.
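
The per-port approach described above can be sketched as follows. This is an added example, not part of cryptic-net: the helper names `check_spec` and `emit_rules` are hypothetical, and the CIDR and ports in the sample call are constructed placeholders to be replaced with your network's CIDR and the ports from your own daemon.yml.

```shell
#!/bin/sh
# Print one iptables rule per service port, each limited to traffic from the
# network CIDR. Nothing is applied; the output is meant to be pasted into the
# same iptables configuration as the catch-all rule shown earlier.

# check_spec PROTO/PORT: succeeds only for tcp|udp and a port in 1..65535.
check_spec() {
    proto=${1%%/*}
    port=${1#*/}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# emit_rules CIDR PROTO/PORT...: validates every argument before printing
# anything, so a typo never yields a partial rule set.
# Scope assumption: IPv4 CIDRs only, checked for shape (digits, dots, one slash).
emit_rules() {
    cidr=$1
    shift
    case $cidr in
        *[!0-9./]*|*/*/*) echo "emit_rules: bad CIDR '$cidr'" >&2; return 1 ;;
        ?*/?*) ;;
        *) echo "emit_rules: bad CIDR '$cidr'" >&2; return 1 ;;
    esac
    for spec in "$@"; do
        check_spec "$spec" || {
            echo "emit_rules: bad port spec '$spec'" >&2
            return 1
        }
    done
    for spec in "$@"; do
        printf '%s\n' "-A INPUT --source $cidr --protocol ${spec%%/*} --dport ${spec#*/} --jump ACCEPT"
    done
}

# Constructed sample values, not taken from any real daemon.yml.
emit_rules 10.10.0.0/16 tcp/3900 tcp/3901
```

With rules like these in place of the catch-all `--source` rule, a port that nebula's firewall allows but the host firewall does not list stays closed at the host.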