Skip to content
Snippets Groups Projects
  • McConahy, Renee Margaret's avatar
    266da402
    Add working firewall configuration. · 266da402
    McConahy, Renee Margaret authored
    As I noted in an earlier commit, restricting Docker's ingress traffic is
    more complicated than adding a few rules to the filter table's INPUT
    chain. I had thought that relying on LOCKSS's "LOCKSS_ACCESS_SUBNET"
    variable would be sufficient; unfortunately, that is not the case:
    LOCKSS sees all of its traffic as coming from the Docker overlay network
    (by default, 10.0.0.0/8), regardless of its true origin.
    
    Fortunately for us, Docker provides us with a chain, DOCKER-USER, called
    by Docker's rules from the FORWARD chain in the filter table, that is
    suitable for filtering Docker's ingress traffic.
    
    Accordingly, this commit:
    
    - Removes the misleadingly ineffective 'lockss_trusted_ips' variable and
      provides new variables 'lockss_network_ips' and 'lockss_admin_ips'.
    
    - Replaces ufw or firewalld with ferm. Neither ufw nor firewalld is
      capable of satisfying this use case without employing significant
      violence; ferm is elegant and has beautiful configuration files.
      Beauty over bloodshed.
    
    - Adds tasks to configure a local firewall that denies inbound and
      forwarded traffic by default, permits ssh from anywhere, and permits
      access to LOCKSS's data and configuration ports from
      'lockss_network_ips' and 'lockss_admin_ips' respectively.
    
      Said firewall cooperates with Docker: Docker and the firewall can be
      started in any order, and restarting either preserves rules created by
      the other.
    
                                    *  *  *
    
    I got the suggestion of using ferm for this, as well as the bulk of the
    Docker-related rules, from a blog post: Ben Chavet, Convincing Docker
    and Iptables to Play Nicely, Aug. 8, 2019,
    <https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely>.
    266da402
    History
    Add working firewall configuration.
    McConahy, Renee Margaret authored
    As I noted in an earlier commit, restricting Docker's ingress traffic is
    more complicated than adding a few rules to the filter table's INPUT
    chain. I had thought that relying on LOCKSS's "LOCKSS_ACCESS_SUBNET"
    variable would be sufficient; unfortunately, that is not the case:
    LOCKSS sees all of its traffic as coming from the Docker overlay network
    (by default, 10.0.0.0/8), regardless of its true origin.
    
    Fortunately for us, Docker provides us with a chain, DOCKER-USER, called
    by Docker's rules from the FORWARD chain in the filter table, that is
    suitable for filtering Docker's ingress traffic.
    
    Accordingly, this commit:
    
    - Removes the misleadingly ineffective 'lockss_trusted_ips' variable and
      provides new variables 'lockss_network_ips' and 'lockss_admin_ips'.
    
    - Replaces ufw or firewalld with ferm. Neither ufw nor firewalld is
      capable of satisfying this use case without employing significant
      violence; ferm is elegant and has beautiful configuration files.
      Beauty over bloodshed.
    
    - Adds tasks to configure a local firewall that denies inbound and
      forwarded traffic by default, permits ssh from anywhere, and permits
      access to LOCKSS's data and configuration ports from
      'lockss_network_ips' and 'lockss_admin_ips' respectively.
    
      Said firewall cooperates with Docker: Docker and the firewall can be
      started in any order, and restarting either preserves rules created by
      the other.
    
                                    *  *  *
    
    I got the suggestion of using ferm for this, as well as the bulk of the
    Docker-related rules, from a blog post: Ben Chavet, Convincing Docker
    and Iptables to Play Nicely, Aug. 8, 2019,
    <https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely>.
Code owners
Assign users and groups as approvers for specific file changes. Learn more.