Where to specify firewall rules in code?

jrr · December 19, 2023, 9:05pm

I’m looking into enabling the firewall and customizing the rules.

balena-os/balena-supervisor/blob/master/docs/firewall.md

# Firewall

> Disclaimer: Firewall control in the Supervisor is still an experimental feature, so expect changes to come.

Starting with `Supervisor v11.9.1`, the balena Supervisor comes with the ability to control the device's firewall through the [`iptables` package](https://linux.die.net/man/8/iptables). The Supervisor manipulates the `filter` table to control network traffic.


## Firewall Modes

To switch between firewall modes, the `HOST_FIREWALL_MODE` (with `BALENA_` or legacy `RESIN_` prefix) configuration variable may be defined on a fleet or device level through the dashboard, and has three valid settings: `on`, `off`, and `auto`, with `off` being the default mode.

**Note:** Configuration variables defined in the dashboard will not apply to devices in local mode.

| Mode | Description | 
|------|-------------|
| on   | Only traffic for core services provided by balena and containers on the host network are allowed. |
| off  | All network traffic is allowed. |
| auto | If there _are_ host network services, behaves as if `FIREWALL_MODE` = `on`. If there _aren't_ host network services, behaves as if `FIREWALL_MODE` = `off`. |

This file has been truncated. show original

I expect that I’ll be able to manually experiment by running iptables commands on the host. Once the experimentation phase is over, I’ll have a set of rules I want to apply to every device in my fleet. Is there a place I can put that in code, in the dashboard, or maybe in the supervisor API?

(or today is it only possible to run iptables manually, one device at a time?)

jrr · December 22, 2023, 5:29pm

After experimenting further, it’s looking like the answer to “where do I put my iptables commands?” is “in a container with network_mode: host and privileged: true”.

Note also that you may need to use iptables-legacy, which can be aliased to iptables with update-alternatives --set iptables /usr/sbin/iptables-legacy (which is important if you access iptables via another tool like ufw).

Topic		Replies	Views
Configuring balenaOS firewall. balenaOS	2	1469	March 2, 2023
configuring the firewall Product support raspberrypi4	7	235	August 29, 2024
Help needed: Persist iptables Rule on the Host OS [Network Requirements] balenaOS network , pendinguserresponse	11	2344	May 8, 2019
Default Balena firewall accept everything balenaOS	6	724	March 2, 2023
UDEV rules and forwarding rules balenaOS	7	2153	December 3, 2019

Where to specify firewall rules in code?

Related topics