Firewall

NS8 has a basic built-in firewall based on firewalld.

The firewall has 2 zones:

  • trusted: it includes the containers and the WireGuard interface
  • public: everything else

Default policies:

  • the SSH port is always open
  • all blocked packets are logged

Please note that rootful containers with port mapping (DNAT) or private networking are not supported.

Configuration

To permit direct connections from the public zone to a service provided by a module, the module itself must modify the node firewall configuration.

The node firewall is configured through a simple fwadm API. A module must be authorized to use it by adding node:fwadm to the org.nethserver.authorizations label of the module image. For instance, set

   org.nethserver.authorizations=node:fwadm

The create-module and destroy-module actions must then use the agent Python package to add and remove the node firewall configuration the module needs.

In create-module:

import os
import agent
# Raise an exception if add_public_service() returns False
agent.assert_exp(agent.add_public_service(os.environ['MODULE_ID'], ["9010/tcp", "9011/tcp"]), "Firewall service configuration has failed")

In destroy-module:

import os
import agent
# Ignore errors on service cleanup
agent.remove_public_service(os.environ['MODULE_ID'])

Function agent.add_public_service() can later be invoked again with additional ports, for example during an application update that introduces a new public service. The given port list is added to the existing one. For example:

import os
import agent

agent.add_public_service(os.environ['MODULE_ID'], ["9012/tcp"])

If you want to completely replace the port list, set replace_ports=True, for example:

import os
import agent

agent.add_public_service(os.environ['MODULE_ID'], ["9010/tcp","9012/tcp"], replace_ports=True)
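The following is an added, self-contained illustration of the append versus replace semantics described above; it is not part of the agent package or the NS8 code base. It models the per-module port lists in memory (class PublicServiceModel is hypothetical), validates the "port/proto" syntax used in the examples before accepting a call, and returns False on bad input in the same way the text expects agent.add_public_service() to report failure. Restricting the protocol to tcp/udp and keeping the merged list duplicate-free are assumptions of this model, not documented behaviour of fwadm.

```python
import re
from typing import Dict, List

# Matches the "port/proto" form used in the action examples, e.g. "9010/tcp".
# Limiting proto to tcp|udp is an assumption of this model.
_PORT_SPEC = re.compile(r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)$")


def validate_port_specs(ports: List[str]) -> List[str]:
    """Return a copy of the list if every entry is a well-formed 'port/proto'.

    Raises ValueError on the first malformed entry or out-of-range port, so a
    typo in an action script fails loudly instead of silently opening the
    wrong port (or none at all).
    """
    for spec in ports:
        m = _PORT_SPEC.match(spec)
        if not m:
            raise ValueError(f"malformed port spec {spec!r}, expected e.g. '9010/tcp'")
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {spec!r}")
    return list(ports)


class PublicServiceModel:
    """Hypothetical in-memory stand-in for the node's public-service port lists.

    add_public_service() appends to a module's existing list unless
    replace_ports=True; remove_public_service() drops the module's entry.
    """

    def __init__(self) -> None:
        self._services: Dict[str, List[str]] = {}

    def add_public_service(self, module_id: str, ports: List[str],
                           replace_ports: bool = False) -> bool:
        try:
            new_ports = validate_port_specs(ports)
        except ValueError:
            return False  # report failure the way the text expects (False)
        merged = [] if replace_ports else list(self._services.get(module_id, []))
        for p in new_ports:
            if p not in merged:  # assumption: the merged list stays duplicate-free
                merged.append(p)
        self._services[module_id] = merged
        return True

    def remove_public_service(self, module_id: str) -> bool:
        """Drop every public port of the module; False if it had none."""
        return self._services.pop(module_id, None) is not None

    def ports_of(self, module_id: str) -> List[str]:
        return list(self._services.get(module_id, []))


def walk_through() -> Dict[str, List[str]]:
    """Replay the calls shown in the text against the model and return the
    module's port list after each step, keyed by step name."""
    fw = PublicServiceModel()
    module_id = "mymodule1"  # constructed module id
    steps: Dict[str, List[str]] = {}
    fw.add_public_service(module_id, ["9010/tcp", "9011/tcp"])            # create-module
    steps["create"] = fw.ports_of(module_id)
    fw.add_public_service(module_id, ["9012/tcp"])                        # update: appended
    steps["update"] = fw.ports_of(module_id)
    fw.add_public_service(module_id, ["9010/tcp", "9012/tcp"], replace_ports=True)
    steps["replace"] = fw.ports_of(module_id)
    fw.remove_public_service(module_id)                                   # destroy-module
    steps["destroy"] = fw.ports_of(module_id)
    return steps


if __name__ == "__main__":
    for name, ports in walk_through().items():
        print(f"{name:8} -> {ports}")
```

Running the script prints the port list after create, update, replace and destroy, which makes the difference between the default append behaviour and replace_ports=True visible at a glance.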