  1. Mar 11, 2020
      Refactor Web front-end. · 887d1eed
      McConahy, Renee Margaret authored
      This moves most of the code into a standalone (at least in principle)
      "http_frontend" role and invokes it from the main LOCKSS role.
      Upgrade to LOCKSS v2.0-alpha2. · f7b53a6e
      McConahy, Renee Margaret authored
      Among other things, this version uses Docker's host-based networking
      rather than the ingress network. This simplifies the networking setup,
      but I'm leaving ferm in place because it is easier to configure than ufw
      or firewalld, and we may need to switch back again.
  2. Feb 28, 2020
  3. Feb 12, 2020
      Add working firewall configuration. · 266da402
      McConahy, Renee Margaret authored
      As I noted in an earlier commit, restricting Docker's ingress traffic is
      more complicated than adding a few rules to the filter table's INPUT
      chain. I had thought that relying on LOCKSS's "LOCKSS_ACCESS_SUBNET"
      variable would be sufficient; unfortunately, that is not the case:
      LOCKSS sees all of its traffic as coming from the Docker overlay network
      (by default, 10.0.0.0/8), regardless of its true origin.
      
      Fortunately for us, Docker provides us with a chain, DOCKER-USER, called
      by Docker's rules from the FORWARD chain in the filter table, that is
      suitable for filtering Docker's ingress traffic.
      
      Accordingly, this commit:
      
      - Removes the misleadingly ineffective 'lockss_trusted_ips' variable and
        provides new variables 'lockss_network_ips' and 'lockss_admin_ips'.
      
      - Replaces ufw or firewalld with ferm. Neither ufw nor firewalld is
        capable of satisfying this use case without employing significant
        violence; ferm is elegant and has beautiful configuration files.
        Beauty over bloodshed.
      
      - Adds tasks to configure a local firewall that denies inbound and
        forwarded traffic by default, permits ssh from anywhere, and permits
        access to LOCKSS's data and configuration ports from
        'lockss_network_ips' and 'lockss_admin_ips' respectively.
      
        Said firewall cooperates with Docker: Docker and the firewall can be
        started in any order, and restarting either preserves rules created by
        the other.
      
                                      *  *  *
      
      I got the suggestion of using ferm for this, as well as the bulk of the
      Docker-related rules, from a blog post: Ben Chavet, Convincing Docker
      and Iptables to Play Nicely, Aug. 8, 2019,
      <https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely>.
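The firewall design described in commit 266da402 (default-deny INPUT and FORWARD, ssh from anywhere, LOCKSS data and configuration ports restricted to two address lists, and Docker's own chains left intact across reloads) can be expressed as a single ferm file. The block below is an added illustration written for this page; it is not the role's actual `ferm.conf`, and it is not taken from the Lullabot article. The external interface name, the two IP lists, and the port numbers are placeholders standing in for the role's `lockss_network_ips` and `lockss_admin_ips` variables and whatever ports the LOCKSS services actually expose; the `docker0` bridge rules in FORWARD mirror what Docker installs for the default bridge and would need to name `docker_gwbridge` on a swarm node. The example targets the overlay/ingress setup that 266da402 describes; after the later move to host networking (f7b53a6e) published ports are no longer DNATed, and the per-port restrictions would belong in INPUT instead of DOCKER-USER.

```ferm
# Added example, not the LOCKSS role's own configuration.
# Names, address lists and port numbers below are assumptions.

@def $EXT_IF = eth0;                        # assumed external interface
@def $LOCKSS_NETWORK_IPS = (192.0.2.0/24);  # stands in for lockss_network_ips
@def $LOCKSS_ADMIN_IPS   = (198.51.100.7);  # stands in for lockss_admin_ips
@def $LOCKSS_DATA_PORTS  = (9729);          # placeholder "data" port(s)
@def $LOCKSS_ADMIN_PORTS = (24600 24621);   # placeholder "configuration" port(s)

domain ip {
  table filter {
    chain INPUT {
      policy DROP;
      mod state state INVALID DROP;
      mod state state (ESTABLISHED RELATED) ACCEPT;
      interface lo ACCEPT;
      proto icmp ACCEPT;
      proto tcp dport ssh ACCEPT;           # ssh from anywhere, as in the commit
    }

    chain OUTPUT policy ACCEPT;

    # Docker owns these chains. @preserve (ferm >= 2.4) keeps whatever Docker
    # has put in them across a ferm reload instead of flushing them, which is
    # what lets ferm and Docker be (re)started in either order.
    chain DOCKER @preserve;
    chain DOCKER-ISOLATION-STAGE-1 @preserve;
    chain DOCKER-ISOLATION-STAGE-2 @preserve;

    chain FORWARD {
      policy DROP;
      # Same order as Docker's own FORWARD rules, so Docker's jumps survive
      # a ferm reload. Bridge name is an assumption (docker_gwbridge on swarm).
      jump DOCKER-USER;
      jump DOCKER-ISOLATION-STAGE-1;
      outerface docker0 mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
      outerface docker0 jump DOCKER;
      interface docker0 outerface ! docker0 ACCEPT;
      interface docker0 outerface docker0 ACCEPT;
    }

    # Docker jumps here before any of its own FORWARD rules, so this is the
    # place to filter ingress to published ports. Note the caveat: by the
    # time a packet reaches FORWARD it has already been DNATed in nat
    # PREROUTING, so dport is the container's port and saddr is still the
    # real client. Match the port the client originally connected to with
    # conntrack's ctorigdstport rather than dport. RETURN hands accepted
    # traffic back to Docker's rules, which ACCEPT the published port.
    chain DOCKER-USER {
      interface ! $EXT_IF RETURN;                      # only police the outside
      mod state state (ESTABLISHED RELATED) RETURN;
      proto tcp mod conntrack ctorigdstport $LOCKSS_DATA_PORTS
        saddr $LOCKSS_NETWORK_IPS RETURN;
      proto tcp mod conntrack ctorigdstport $LOCKSS_ADMIN_PORTS
        saddr $LOCKSS_ADMIN_IPS RETURN;
      DROP;                                            # everything else
    }
  }

  table nat {
    # Docker's DNAT rules for published ports live here; keep them too.
    chain DOCKER @preserve;
    chain PREROUTING { mod addrtype dst-type LOCAL jump DOCKER; }
    chain OUTPUT { daddr ! 127.0.0.0/8 mod addrtype dst-type LOCAL jump DOCKER; }
    chain POSTROUTING policy ACCEPT;
  }
}
```

Two checks are worth running after `ferm /etc/ferm/ferm.conf`: `iptables -L DOCKER-USER -nv` should show the RETURN rules ahead of the final DROP with counters climbing on the RETURN lines for legitimate peers, and `iptables -t nat -L DOCKER -n` should still list Docker's DNAT entries (if it is empty, `@preserve` is not in effect and a ferm reload has flushed Docker's port publishing). Because ferm expands list-valued variables into one rule per element, each address in `$LOCKSS_NETWORK_IPS` and each port in `$LOCKSS_DATA_PORTS` produces its own iptables rule; that is the "cartesian" expansion that makes ferm comfortable for this use case where ufw and firewalld are not.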