Firewall (UFW) #107
No reviewers
valberg
Labels
No labels
Blocked
Existing Service
Infrastructure Issue
Refactor
Security Hardening
Security Issue
Service Idea
Service Removal
Upgrade service
No milestone
No project
No assignees
3 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: data.coop/ansible#107
Loading…
Reference in a new issue
No description provided.
Delete branch ":main"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Add firewall setup using UFW
86589ad065to731b3f8877731b3f8877tofcfb13dcef(rebased onto latest main)
fcfb13dceftod597a956ffI have bad experience with using nftables and docker on the same host. Maybe ufw works better?
@ -0,0 +6,4 @@- name: Allow necessary portscommunity.general.ufw:rule: allowport: "{{ item }}"Udp? Tcp? Both?
Do any of the services need UDP? Otherwise I can set them all to allow TCP only.
I think we may need UDP to receive responses to DNS requests. Otherwise I don't think we use UDP. My question was also what protocol(s) this covers.
Default is both.
No, firewall is only for blocking incoming requests. Responses to outgoing requests are not affected.
Yes, but you need to listen for the response :-)
Still, DNS requests work even if UFW blocks UDP, since it only blocks incoming requests. A DNS response is not a request ;)
Well, UDP is connectionless and doesn't know about requests and responses. The reply is sent to the sender on the sending port. It may be that the rule generated by ufw tracks the state and allows replies, but it is not immediately obvious from these invocations.
For other UDP uses it may not be desirable: for example, if the datagrams are metrics reports we don't expect a reply and it would be undesirable to allow incoming packets in that case.
You're right, perhaps I wasn't clear enough. Yes, Iptables/Nftables (which is UFW's backend(s)) tracks the state, and thus allows replies. It will only block clients trying to connect to the denied port on the host, even if a service is listening on the port (but not in the case of Docker described below). Unless you deny outgoing traffic, DNS lookups will work fine.
Also, I've never had problems with UFW blocking DNS lookups with this configuration.
I've changed it such that it only allows TCP on the specified ports.
@ -0,0 +11,4 @@- 22 # Gitea SSH- 80 # HTTP- 443 # HTTPS- 389 # OpenLDAPI'm not sure we actually want to expose ldap
Why is that? Do we only need it to be reachable internally on the host? If so, we should then also prefix the ports with
127.0.0.1:in the container config. Or if the only thing that needs to communicate with it isphpldapadmin, it shouldn't expose ports at all since they're on the same Docker network. If that's the case, I can fix it in another PR.Yes, I think it's only used internally. Whether we have configured things correctly to use internal networks is another question. I don't know all that much about LDAP, and especially regarding security considerations, but I think we probably don't want to expose it. Maybe @valberg has an opinion.
From my own experience, UFW works perfectly fine with Docker. Just be aware, that exposing container ports like
80:80omits the firewall, so if you don't want it to do that you need to prefix it with localhost like so:127.0.0.1:80:80.What does "omits the firewall" mean?
If we can undo the change and won't lock ourselves out I think we should try it.
It means that if UFW denies port 80, but a Docker container exposes
80:80, it won't be blocked. This is due to Docker interacting with iptables/nftables directly (which is UFW's backend).That should be possible. We can also keep an SSH session open in another terminal while we test.
Ah, that's a little disappointing. Then we can't rely on the firewall rules alone to work :(
Yes, unfortunately. But it still works in all other cases, so it's better than nothing.