Trying to understand how balenaOS works, I’ve come across these threads:
What I took away from reading the above and my own experimentation is that:
balena-supervisor has the undocumented ability to control balenaOS’ firewall.
User-set firewall policies will be persistent if BALENA_HOST_FIREWALL is set. How do you set the policies in this case?
UFW in a container will make low level changes to the host. (Is this true?)
Basically, we have some services that need to run as network=host; as a result, we need the ability to restrict those services to just the host. While we can do it container-side, I think it’s more valid to simply block everything off on the host other than what is needed.
You’re right - the existing documentation for BALENA_HOST_FIREWALL_MODE is not very thorough. Supervisor devs have recently created a configurations doc located at balena-supervisor/configurations.md at master · balena-os/balena-supervisor · GitHub which explains in slightly more detail the valid modes for FIREWALL_MODE, which are one of on, off, or auto. We are planning on making configurations documentation more publicly available and more detailed though, and will keep you updated.
I’ll add that, currently, with Supervisor v12.8.0 being the latest Supervisor available via self-service upgrades, here are some more details about BALENA_HOST_FIREWALL_MODE:
balena Supervisor manipulates the “filter” table in the iptables module to control network traffic.
When [FIREWALL_MODE is on] or [FIREWALL_MODE is auto and there are host network containers], only traffic for core services provided by Balena is allowed. This includes any containers running on the host network.
When [FIREWALL_MODE is off] or [FIREWALL_MODE is auto and there are no host network containers], all traffic is allowed.
With regards to your question about how to set policies, per Modifications to firewall (iptables) always removed by Supervisor · Issue #1482 · balena-os/balena-supervisor · GitHub as you linked above, there is currently a bug where user modifications to the “filter” table in iptables are removed by the Supervisor. We are working on fixing this and will keep you posted. In the meantime, you may apply the workaround mentioned in that GitHub issue, which is to add rules to the “raw” table.
Finally, BALENA_HOST_FIREWALL_MODE was added in 2020 with Supervisor v11.9.1, so it’s still fairly new. Thanks for your patience as we work on increasing understanding for this config var. Let us know if this info helped to answer some of your questions!
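One way to use the “raw” table workaround mentioned in the reply above, as an added example that is not part of the thread or the GitHub issue: the script prints idempotent iptables commands that drop traffic to a host-network service’s port unless it arrives on loopback. The ports, the function names and the specific rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not balena's code): keep host-network service ports reachable
# only from the device itself by placing DROP rules in the "raw" table, which
# is separate from the "filter" table the Supervisor manages.
# Ports used below are constructed sample values.

# Print the match/target part of one rule. "! -i lo" matches packets arriving
# on any interface except loopback, so clients on the device keep working.
rule_spec() {
    proto=$1; port=$2
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "bad port: $port" >&2; return 1; }
    printf '%s\n' "! -i lo -p $proto --dport $port -j DROP"
}

# Emit one command line per "proto/port" argument. -C tests whether the rule
# is already present; -A appends it only when it is missing, so re-running
# the output never stacks duplicate rules.
render_rules() {
    for entry in "$@"; do
        spec=$(rule_spec "${entry%%/*}" "${entry##*/}") || return 1
        printf 'iptables -t raw -C PREROUTING %s 2>/dev/null || iptables -t raw -A PREROUTING %s\n' \
            "$spec" "$spec"
    done
}

# Caveats:
#  - raw/PREROUTING is evaluated before NAT and routing, so a port published
#    from a bridge-network container with the same number is dropped as well.
#  - iptables covers IPv4 only; IPv6 needs the same rules via ip6tables.
#  - Rules live in kernel memory and must be re-applied after every boot.

# Dry run: prints commands only. Example: sh raw-rules.sh tcp/8080 udp/5353
if [ "$#" -gt 0 ]; then
    render_rules "$@"
fi
```

Review the printed commands, then pipe them to `sh` as root on the device to apply them; `iptables -t raw -S PREROUTING` lists what is currently installed.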
We’ve merged a fix for the Supervisor firewall bug you may have encountered in this ticket, where the Supervisor was flushing the INPUT chain of the iptables filter table on startup, thereby removing any non-Supervisor-created rules from the INPUT chain. To get the benefits of this fix, please self-serve upgrade the Supervisor on your devices to v14.9.2. See issue and pull request for details. Let us know if there are any questions!