Limiting exposure of SSH on port 22222

We’re looking to deploy devices with multiple network interfaces to client sites, some of those interfaces will be exposed to the client’s network and we would not ever expect to need to SSH to the device over them. Is there a way in which we can configure balenaOS to only expose SSH on specific network interfaces?

Devices will be connecting to our own VPN endpoint for data transfer, so ideally we would expose SSH only to that, and in an ideal world be able to push configuration to the device to expose it on one of the ethernet ports in case of situations where we have no other way of communicating with the device.

Hi, sorry for the delay and welcome to the forums. To achieve what you describe your application would need to setup interface specific firewall rules. The 22222 SSH port would still be accessible after boot until your application has finished applying the new rules.

Hi @jonwood just wanted to follow up and see if you had managed to check out my colleagues recommendation?

I’ve not had a chance to yet, but its bubbling up to the top of my todo list, especially as we’re now looking at running another service with exposed ports which absolutely can’t be accessible from the client’s network.

From what I’ve seen it definitely looks doable via a container, but it would be fantastic if there were support for applying firewall rules at the host OS level as currently there’s a bit of a race condition on reboot where SSH will be up but the container which firewalls off the ports hasn’t yet started.