
doc/networking/firewall: add more restrictive UFW rules #12266

Merged
merged 1 commit into from
Oct 25, 2023

Conversation

ru-fu
Contributor

@ru-fu ru-fu commented Sep 18, 2023

Add an example for more restrictive firewall rules.

Based on @jdstrand's suggestions in #11824 (comment)

@ru-fu ru-fu requested a review from tomponline as a code owner September 18, 2023 09:56
@github-actions github-actions bot added the Documentation label (Documentation needs updating) Sep 18, 2023
@ru-fu ru-fu force-pushed the more-restrictive-fw-rules branch from 88304ed to 948abb7 on September 18, 2023 09:57
@simondeziel simondeziel (Member) left a comment

Thanks for taking care of it, I was about to do it :)

doc/howto/network_bridge_firewalld.md (resolved)

# allow the guest to have access to outbound connections
# determine <IPv4> with: lxc network list | grep lxdbr0
sudo ufw route allow in on lxdbr0 from <IPv4>
Member review comment on doc/howto/network_bridge_firewalld.md:

I think we should make it easy to copy and paste (as well as explain what it does):

CIDR4="$(lxc network get lxdbr0 ipv4.address | sed 's|\.[0-9]\+/|.0/|')"
CIDR6="$(lxc network get lxdbr0 ipv6.address | sed 's|:[0-9]\+/|:/|')"
sudo ufw route allow in on lxdbr0 from "${CIDR4}"
sudo ufw route allow in on lxdbr0 from "${CIDR6}"
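
The derivation the review suggests, worked as a dry-run script that is added here and is not part of the PR or of the LXD docs: it applies the same two sed expressions to address values passed in (constructed sample values stand in for `lxc network get`), checks that the result really is a network address, skips a family whose address is "none", and prints the ufw route rules instead of applying them. The function names `cidr4_of`, `cidr6_of`, `is_network4`, `is_network6` and `ufw_route_rules` are this example's own.

```shell
#!/bin/sh
# Added example (not the PR's own code): derive the lxdbr0 network CIDRs the
# way the review suggestion does, but from values passed in (constructed here)
# instead of `lxc network get`, and print the resulting ufw commands as a
# dry run so the rules can be checked before they are applied.

# 10.116.23.1/24 -> 10.116.23.0/24. Same sed as the review; it only clears the
# last octet, so it assumes LXD's default /24 prefix for ipv4.address.
cidr4_of() {
    printf '%s\n' "$1" | sed 's|\.[0-9]\+/|.0/|'
}

# fd42:1a2b:3c4d:5e6f::1/64 -> fd42:1a2b:3c4d:5e6f::/64. Only a purely
# numeric final hextet is stripped; "...::a/64" would be left unchanged.
cidr6_of() {
    printf '%s\n' "$1" | sed 's|:[0-9]\+/|:/|'
}

# The derived value must look like a network, otherwise the sed did not match
# (e.g. a non-numeric last group) and the rule would allow a single host only.
is_network4() { case "$1" in *.0/*) return 0 ;; *) return 1 ;; esac; }
is_network6() { case "$1" in *::/*) return 0 ;; *) return 1 ;; esac; }

# Print, do not run, the route rules for BRIDGE given its ipv4.address and
# ipv6.address values. "none" (address family disabled on the bridge) skips
# that family; a value that does not derive to a network is an error.
# Real usage:
#   ufw_route_rules lxdbr0 "$(lxc network get lxdbr0 ipv4.address)" \
#                          "$(lxc network get lxdbr0 ipv6.address)"
ufw_route_rules() {
    bridge=$1; v4=$2; v6=$3
    if [ -n "$v4" ] && [ "$v4" != none ]; then
        cidr4=$(cidr4_of "$v4")
        is_network4 "$cidr4" || { echo "not a network: $cidr4" >&2; return 1; }
        printf 'sudo ufw route allow in on %s from %s\n' "$bridge" "$cidr4"
    fi
    if [ -n "$v6" ] && [ "$v6" != none ]; then
        cidr6=$(cidr6_of "$v6")
        is_network6 "$cidr6" || { echo "not a network: $cidr6" >&2; return 1; }
        printf 'sudo ufw route allow in on %s from %s\n' "$bridge" "$cidr6"
    fi
}

# Constructed sample values (LXD defaults look like these); prints two rules.
ufw_route_rules lxdbr0 10.116.23.1/24 fd42:1a2b:3c4d:5e6f::1/64
```

Pipe the printed lines into `sh` only after reading them; the point of the dry run is to see the derived CIDRs before any rule lands in ufw.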

@ru-fu ru-fu force-pushed the more-restrictive-fw-rules branch from 948abb7 to 2255e6d on September 19, 2023 08:34
@ru-fu ru-fu (Contributor, Author) commented Sep 19, 2023

Thanks! Updated now - but please check, not sure I understood it 100%. ;)
Do we need an IPv6 version for the "allow to resolve host names" rule?

@jdstrand

Do we need an IPv6 version for the "allow to resolve host names" rule?

No. Those rules don't specify an IP address, so they will apply to both the IPv4 and IPv6 rulesets. The suggestion in #12266 (comment) was good because my initial suggestion for the route rule was IPv4-specific, so adding an IPv6-specific rule made a lot of sense.

@simondeziel simondeziel (Member) left a comment

LGTM, thanks Ruth!

Add an example for more restrictive firewall rules.

Closes canonical#11824

Signed-off-by: Ruth Fuchss <[email protected]>
@ru-fu ru-fu force-pushed the more-restrictive-fw-rules branch from 2255e6d to fe67eed on October 2, 2023 08:40
@tomponline tomponline merged commit af8553b into canonical:main Oct 25, 2023
24 of 26 checks passed
@ru-fu ru-fu deleted the more-restrictive-fw-rules branch October 25, 2023 15:16