Making IIAB's firewall (iptables) understandable to newbie implementers #1677
Tested on Raspbian, Ubuntu 16.04, Ubuntu 18.04
@jvonau is it OK to eliminate the "$network_mode" as "Appliance" clause from the conditions on Lines 80 & 123? (It would appear that testing for "$wan" == "none" is sufficient.)
There is no Admin Console port. It uses the web server, so this should be http and/or https.
If I edit /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables I will not be able to do another pull without stashing and will easily lose my changes. In my view a better strategy would be to create /etc/iiab/iiab-gen-iptables.d where hand-coded rules can be placed and then merged by iiab-gen-iptables, possibly enabled with an allow_custom_firewall_rules flag.
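A sketch of the drop-in directory proposed in the comment above, added here as an example; it is not code from the iiab project. It assumes /etc/iiab/iiab-gen-iptables.d/ holds *.rules files with one iptables argument list per line (without the leading "iptables"), merged only when allow_custom_firewall_rules is True, and it skips any drop-in that is world-writable, since the merged rules run as root.

```shell
# Added example, not iiab code. Assumed layout: DIR/*.rules, one iptables
# argument list per line; FLAG is the assumed allow_custom_firewall_rules value.
IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default; set to /sbin/iptables to apply

# custom_rule_lines DIR FLAG
# Prints the rule lines that would be merged, in lexical file order, skipping
# blank lines, comments, and any world-writable file (a tampering risk for
# config that ends up in root's iptables run).
custom_rule_lines() {
    dir="$1" flag="$2"
    case "$flag" in True|true|yes|1) ;; *) return 0 ;; esac   # knob off: merge nothing
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue                     # glob matched no files
        if [ -n "$(find "$f" -perm -002)" ]; then
            echo "iiab-gen-iptables: skipping world-writable $f" >&2
            continue
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            printf '%s\n' "$line"
        done < "$f"
    done
}

# apply_custom_rules DIR FLAG
# Runs each merged line through $IPTABLES and stops at the first failure, so a
# typo in one drop-in does not leave the chain half-applied.
apply_custom_rules() {
    custom_rule_lines "$1" "$2" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        $IPTABLES $rule || exit 1
    done
}

# Constructed sample drop-ins for running this file stand-alone ("sh file.sh demo").
demo() {
    d="$(mktemp -d)"
    printf '# allow SSH from the LAN\n-A INPUT -i br0 -p tcp --dport 22 -j ACCEPT\n' > "$d/10-ssh.rules"
    printf '\n-A INPUT -i eth0 -p tcp --dport 80 -j DROP\n' > "$d/20-web.rules"
    echo "knob off:"; apply_custom_rules "$d" False
    echo "knob on:";  apply_custom_rules "$d" True
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```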
FWIW https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95 For now I'm trying not to change (Jerry's?) original framework much. This PR is really just about providing an easily understandable "firewall security knob/dial" for people who do not have the ability to navigate iptables details. PS A separate PR establishing guidelines for advanced iptables users might make sense, as you say.
The variable gui_port does not appear in iiab-admin-console; it was introduced by Jerry. It is set to 80 or 443 in iiab. The user should be aware that if they expose 'gui_port' they are exposing the whole web server, which would include awstats for instance and anything that has an alias, like kiwix, etc., so calling it Admin Console is quite misleading.
@jvonau @georgejhunt @tim-moody @m-anish is mDNS needed on the WAN side too?
@jvonau @georgejhunt @jvonau @m-anish firewall (iptables) is experimentally revised adding our usual WAN-side rules to better protect Appliances: roles/network/templates/gateway/iiab-gen-iptables#L122-L190 PR #1677 seems ready to merge now (but LMK if issues remain?)
(above pasted in from this PR's iiab/roles/network/templates/gateway/iiab-gen-iptables)
(above pasted in from this PR's local_vars files & default_vars.yml)
To be documented in https://github.com/iiab/iiab/wiki/IIAB-Networking and http://FAQ.IIAB.IO
FYI Ansible variables services_externally_visible and gui_wan are intentionally deprecated, in order to make possible this big improvement in usability for new IIAB implementers. Builds on #1664, PR #1665