Add working firewall configuration.
As I noted in an earlier commit, restricting Docker's ingress traffic is more complicated than adding a few rules to the filter table's INPUT chain. I had thought that relying on LOCKSS's "LOCKSS_ACCESS_SUBNET" variable would be sufficient; unfortunately, that is not the case: LOCKSS sees all of its traffic as coming from the Docker overlay network (by default, 10.0.0.0/8), regardless of its true origin. Fortunately for us, Docker provides us with a chain, DOCKER-USER, called by Docker's rules from the FORWARD chain in the filter table, that is suitable for filtering Docker's ingress traffic.

Accordingly, this commit:

- Removes the misleadingly ineffective 'lockss_trusted_ips' variable and provides new variables 'lockss_network_ips' and 'lockss_admin_ips'.
- Replaces ufw or firewalld with ferm. Neither ufw nor firewalld is capable of satisfying this use case without employing significant violence; ferm is elegant and has beautiful configuration files. Beauty over bloodshed.
- Adds tasks to configure a local firewall that denies inbound and forwarded traffic by default, permits ssh from anywhere, and permits access to LOCKSS's data and configuration ports from 'lockss_network_ips' and 'lockss_admin_ips' respectively. Said firewall cooperates with Docker: Docker and the firewall can be started in any order, and restarting either preserves rules created by the other.

* * *

I got the suggestion of using ferm for this, as well as the bulk of the Docker-related rules, from a blog post: Ben Chavet, Convincing Docker and Iptables to Play Nicely, Aug. 8, 2019, <https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely>.
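The approach the message describes, as an added example that is not the repository's own template: a ferm filter-table configuration that denies host-bound and forwarded traffic by default, keeps ssh open, decides Docker ingress in DOCKER-USER by true source address, and preserves Docker's own chains so either service can restart without wiping the other's rules. The two address lists, the port numbers and the $DOCKER_NET value are constructed placeholders standing in for lockss_network_ips, lockss_admin_ips and the deployment's published LOCKSS ports.

```ferm
# Added example, not the playbook's template. Addresses and ports are placeholders.
@def $LOCKSS_NETWORK_IPS = (192.0.2.0/24 198.51.100.7);  # stands in for lockss_network_ips
@def $LOCKSS_ADMIN_IPS   = (203.0.113.5);                # stands in for lockss_admin_ips
@def $LOCKSS_DATA_PORTS  = (9729);                       # placeholder: published data port(s)
@def $LOCKSS_ADMIN_PORTS = (8081);                       # placeholder: published admin UI port(s)
@def $DOCKER_NET         = 10.0.0.0/8;                   # Docker's default overlay range

# Only the filter table is declared; tables ferm does not manage (Docker's
# nat rules) are left alone.
domain ip table filter {
    # Traffic to the host itself: deny by default, ssh from anywhere.
    chain INPUT {
        policy DROP;
        mod conntrack ctstate INVALID DROP;
        mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
        interface lo ACCEPT;
        proto tcp dport ssh ACCEPT;
    }

    # Docker owns these chains. @preserve keeps their existing rules when
    # ferm reloads, and Docker sets FORWARD's policy to DROP itself, so the
    # two can be started or restarted in either order.
    chain FORWARD @preserve;
    chain DOCKER @preserve;
    chain DOCKER-ISOLATION-STAGE-1 @preserve;
    chain DOCKER-ISOLATION-STAGE-2 @preserve;

    # Docker jumps here from FORWARD before its own ACCEPT rules, so this is
    # where published-port ingress is decided by the packet's real source,
    # not by the overlay address the container sees. DNAT has already run,
    # so dport is the container-side port (assumed equal to the host port).
    chain DOCKER-USER {
        mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
        # Container-originated traffic: outbound and container-to-container.
        saddr $DOCKER_NET ACCEPT;
        # LOCKSS peers reach the data ports; operators reach the admin UI.
        saddr $LOCKSS_NETWORK_IPS proto tcp dport $LOCKSS_DATA_PORTS ACCEPT;
        saddr $LOCKSS_ADMIN_IPS   proto tcp dport $LOCKSS_ADMIN_PORTS ACCEPT;
        # Anything else is dropped before Docker's own ACCEPT rules see it.
        DROP;
    }
}
```

Verify the result on a running host with `iptables -L DOCKER-USER -n -v` and confirm that the counters on the DROP rule rise for a connection attempt from an address outside both lists.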
Showing
- README.md (7 additions, 2 deletions)
- dev.playbook.yml (4 additions, 2 deletions)
- roles/ferm/handlers/main.yml (6 additions, 0 deletions)
- roles/ferm/tasks/main.yml (109 additions, 0 deletions)
- roles/ferm/vars/main.yml (7 additions, 0 deletions)
- roles/lockss/defaults/main.yml (3 additions, 0 deletions)
- roles/lockss/tasks/firewall.yml (37 additions, 0 deletions)
- roles/lockss/tasks/main.yml (5 additions, 1 deletion)
- roles/lockss/templates/ferm/00-defaults.ferm (16 additions, 0 deletions)
- roles/lockss/templates/ferm/01-docker-head.ferm (20 additions, 0 deletions)
- roles/lockss/templates/ferm/10-in-lockss.ferm.j2 (27 additions, 0 deletions)
- roles/lockss/templates/ferm/10-in-ssh.ferm (1 addition, 0 deletions)
- roles/lockss/templates/ferm/99-docker-tail.ferm (4 additions, 0 deletions)
- roles/lockss/vars/main.yml (3 additions, 0 deletions)