I’m curious as to the different interfaces BalenaOS has and uses, and what would be the exception, if any, to this proxy change? Containers will circumvent this rule and connect directly I presume? Other than that, will all traffic from the device to the internet be forced through this proxy?
So as you’ll have seen, the networking requirements show all the main ports that balena requires, as well as some of the external host details. The OS will route all TCP traffic via redsocks should it be configured, including all container traffic. UDP is slightly different, redudp only deals with DNS traffic, and any other UDP traffic will still attempt to use the default interfaces.
Please let us know if this helps, or if you need any more detail!
That’s a really useful and detailed scenario, thank you for the explanation!
Whilst I think you’re right that you could use tinyproxy, due to the way the routing works out of the box you’d obviously need to use this in host network mode and rewrite some the netfilter rules to change the default route. There’s potentially a problem here. In the case that something happens to the balenaEngine or your application and the proxy isn’t present, it would potentially become impossible to access the device to recover it. Currently traffic is automatically routed via whichever NIC is currently Internet connected. This means we can usually guarantee access when a network is present. I’d be worried in this situation that in an instance where, for some reason, the application service dies (or as I say balenaEngine), you’d end in a situation where we could not remotely recover and reprovision the device (without a reboot, which would obviously reset the rules).
I don’t believe that we send any UDP traffic apart from DNS and NTP and as you’ve seen, we do allow the configuration of hosts to use for these (and if they were local to the network then of course no location information would leak).
On clarifying my comment, yes, that’s exactly right. DNS traffic will be routed through redup but no other UDP traffic (so you’d still have an issue with NTP for example). I believe there is an ability to allow UDP traffic to also get routed via a proxy, but it involves a kernel option that we don’t configure in the kernel for OS releases.
What I’m going to do is make the product manager and another couple of colleagues aware of this thread so we can throw around a few ideas. We’ll obviously let you know, but I think for now the best option to ensure recoverability of a device is to use redsocks and configure the DNS/NTP hosts to use locally.