isle/docs/operator/firewalls.md


# Configuring Firewalls

When providing resources on your host, whether
[network](./contributing-a-public-address.md) or
[storage](./contributing-storage.md), you will need to ensure that your
host's firewall is configured correctly to do so.

To make matters even more confusing, there are actually two firewalls at play:
the host's firewall, and Isle's own VPN firewall.

Your host's firewall filters all traffic across all network interfaces, while
Isle's VPN firewall filters traffic only across the network interfaces it
creates itself. This means there is some duplication of responsibility across
the two, and so configuring both is required for providing resources.

**isle does _not_ automatically configure your host's firewall to any extent!**
## Configuring the Host Firewall

By default Isle's VPN firewall will reject all inbound traffic on VPN
interfaces. This is a safe default, and so for simplicity it is recommended to
configure the host firewall to allow all traffic on Isle networks. To do this on
Linux using iptables, for example, you would add something like this to your
iptables configuration:

```
-A INPUT --source <network CIDR> --jump ACCEPT
```

being sure to replace the network CIDR with the one for your network.

If you don't feel comfortable delegating all packet filtering to Isle, you will
need to determine the ports used by each service yourself and add them to your
host's firewall. With this approach, any configured storage allocation ports
must also be specified manually.
## Configuring the VPN Firewall

See the [Configuring Networks](./configuring-networks.md) document for notes on
how to configure Isle networks. This guide assumes configuration using the CLI.

Isle uses the [nebula][nebula] project to provide its VPN layer. Nebula ships
with its own [builtin firewall][nebulafirewall], which only applies to
connections coming in over the VPN interfaces which it creates for Isle. This
firewall can be manually configured using the `isle vpn firewall` set of
sub-commands, or using the [configuration file][configfile].

[nebula]: https://github.com/slackhq/nebula
[nebulafirewall]: https://nebula.defined.net/docs/config/firewall
[configfile]: ./configuring-networks.md

The `isle vpn firewall` sub-commands are used to configure the VPN's firewall.
Without any flags the `isle vpn firewall show` command will display the
currently active firewall.

Isle will automatically open inbound ports on its firewall for services it
provides, for example those necessary for storage allocations. When viewing open
ports using `isle vpn firewall show` these automatically opened ports will
appear separately under the `internal_inbound` section and are not configurable
by the user.

```bash
isle vpn firewall show
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any
# - index: 1
#   port: "22"
#   proto: tcp
#   host: my-laptop
# internal_inbound:
# - port: "3901"
#   proto: tcp
#   host: any
# - port: "3900"
#   proto: tcp
#   host: any
```

When making changes to the firewall, all changes are first applied to a staging
version of the firewall. The staged version can be viewed by adding the
`--staged` flag to the `show` sub-command.

```bash
isle vpn firewall remove --from inbound --indexes 1
isle vpn firewall show --staged
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any
isle vpn firewall add --to inbound --port 53 --proto udp --host any
isle vpn firewall show --staged
# outbound:
# - index: 0
#   port: any
#   proto: any
#   host: any
# inbound:
# - index: 0
#   port: any
#   proto: icmp
#   host: any
# - index: 1
#   port: "53"
#   proto: udp
#   host: any
```

Once the staged firewall is in the desired state, it can be applied using the
`commit` sub-command.

```bash
isle vpn firewall commit
```
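Reviewing the staged firewall against the active one before `commit` can be scripted. The following is an added example, not part of the isle project; it assumes the `show` output keeps the YAML-like layout shown above, parses that flat shape without an external YAML library, and reports what `commit` would add or remove plus any inbound rule that opens every port of a non-ICMP protocol.

```python
"""Review staged isle VPN firewall changes before `isle vpn firewall commit`.
Added example, not part of the isle project; it assumes the CLI prints the
YAML-like layout shown in this document (sections outbound, inbound and
internal_inbound, each rule with port, proto, host and an optional index).
"""

SECTIONS = ("outbound", "inbound", "internal_inbound")


def parse_firewall(text):
    """Return {section: [rule dicts]} from `isle vpn firewall show` output."""
    rules = {s: [] for s in SECTIONS}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate pasted "# " prefixes
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if not line or section is None:
            continue  # blank, or text before the first section (the command)
        if line.startswith("- "):  # starts a new rule in the current section
            rules[section].append({})
            line = line[2:]
        key, _, value = line.partition(":")
        rules[section][-1][key.strip()] = value.strip().strip('"')
    return rules


def rule_key(rule):
    """`index` is positional and shifts after a remove, so compare on content."""
    return (rule.get("port"), rule.get("proto"), rule.get("host"))


def diff_rules(active_text, staged_text, section="inbound"):
    """Return (added, removed) (port, proto, host) tuples for one section."""
    active = {rule_key(r) for r in parse_firewall(active_text)[section]}
    staged = {rule_key(r) for r in parse_firewall(staged_text)[section]}
    return sorted(staged - active), sorted(active - staged)


def wildcard_port_rules(text, section="inbound"):
    """Rules that open every port of a non-ICMP protocol; check these first."""
    return [rule_key(r) for r in parse_firewall(text)[section]
            if r.get("port") == "any" and r.get("proto") != "icmp"]


# Constructed sample mirroring the document's `show` and `show --staged` output.
ACTIVE = ("inbound:\n- index: 0\n  port: any\n  proto: icmp\n  host: any\n"
          "- index: 1\n  port: \"22\"\n  proto: tcp\n  host: my-laptop\n")
STAGED = ("inbound:\n- index: 0\n  port: any\n  proto: icmp\n  host: any\n"
          "- index: 1\n  port: \"53\"\n  proto: udp\n  host: any\n")
```

Feed it the captured output of `isle vpn firewall show` and `isle vpn firewall show --staged` in place of the constructed samples; with them, `diff_rules(ACTIVE, STAGED)` reports the 53/udp rule as added and the 22/tcp rule as removed.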

If you wish to instead discard all staged changes you can use the `reset`
sub-command.

```bash
isle vpn firewall reset
```