Question on connection security

Hi,
Am I correct that once the firewall allows the outbound connections (TCP and UDP), the applications running inside those connections are not visible to the firewall? I mean, can the firewall, for example, be aware that there is a tunnelled SSH session?

Best,
Antonio

Hi there @banto_78, what firewall are you talking about? A firewall running deep packet inspection is able to see what sort of traffic is moving through it. Assuming you mean 'can the firewall on my network see my tunnelled balenaCloud traffic', then it cannot. The traffic to/from the device in this case is carried via a VPN connection, so the firewall would be able to see that there is VPN traffic, but not the encrypted packets contained within it. This, of course, changes if you start receiving/transmitting data outside of the VPN tunnel. I hope that answers your question!

For further reading there’s an interesting SO thread here: https://security.stackexchange.com/questions/155057/my-isp-uses-deep-packet-inspection-what-can-they-observe

@chrisys thanks. I mean a firewall or DMZ in front of a device's internal network (LAN) or segment (VLAN).
So if I correctly understand you, on top of the outbound TCP 443 connection there is a VPN connection which tunnels SSH in it?

thanks

@banto_78 that's right, SSH connections to the device travel over a VPN tunnel that runs on port 443, so they will be hidden. Be aware though that the device also makes HTTPS requests to API endpoints on the same port.

Edit: you can read more about this in the docs here: SSH access - Balena Documentation

Specifically:

balena ssh makes use of the balena VPN connection to access a device. This allows you to access and test devices wherever they are. If you want to SSH only on the internal network, you can install an SSH server in your container, as we show in the balena-openssh project.

And also networking requirements here: Network Setup on balenaOS - Balena Documentation
