Firewall configuration


#1

Hi!

Is there a way to configure the Host firewall to drop all in/out connections except whitelisted ones such as connections to *.resion.io and *.pubnub.com?

Thanks!


#2

I don’t think there’s a firewall running on the host, by default the application has full access to the networking. If you need to run a firewall, you might need to install one within the application container, I’m guessing… Don’t think we have an example project for this yet, but would be interesting to add!

Can you tell a bit more about what use case you have in mind? What sort of deployment would need to restrict the application running on the device? It would help us get a better context. :slight_smile:


#3

We want to set up a firewall to:

  • avoid malicious remote access to the device by dropping all incoming connections (except resin ssh access)
  • restrict device access to only a whitelisted list of domains through whitelisted ports:
    • 443 TCP *.resion.io/*.pubnub.com/*.company.com: https & resin vpn
    • 123 UDP: NTP time synchronisation
    • 53 UDP: DNS name resolution

Our application will be deployed on a companion robot.


#4

Hi @MatthieuLemoine, you can use iptables from the container, and since it works at the kernel level it will affect the whole device. Keep in mind that we already add some rules to block unwanted traffic to the Resin Supervisor’s API.
Not sure how you’d implement the whitelisted firewall for outbound traffic, as I’ve never tried it, but I suspect it’d be the same as if you did it without Resin - if you have an approach in mind and running it in a container is a problem let’s discuss it, maybe we can find a workaround!
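As an added example (not from any post in this thread), here is the policy described in #3 written as iptables commands to be run at container start, the approach suggested in #4. iptables matches addresses rather than names, so the hostnames are resolved once at startup and wildcards such as *.pubnub.com cannot be expressed; the hostnames and the ssh port are placeholders that must be replaced.

```sh
#!/bin/sh
# Added example (not from the thread): build the whitelist firewall described
# in post #3 as iptables commands, to be run at container start as post #4
# suggests. iptables matches addresses, not names, so hostnames are resolved
# once at startup; wildcards such as *.pubnub.com cannot be expressed.
set -eu

# Hostnames the application actually contacts (constructed placeholders).
ALLOWED_HOSTS="${ALLOWED_HOSTS:-api.example.invalid vpn.example.invalid}"

# resolve_hosts NAME...: print one IPv4 address per line for each hostname.
resolve_hosts() {
    for h in "$@"; do
        getent ahostsv4 "$h" | awk '{print $1}' | sort -u
    done
}

# build_rules SSH_PORT IP...: print the iptables commands instead of running
# them, so the policy can be reviewed (and tested) before it is applied.
# Existing rules (e.g. the Supervisor API block) are left in place: append only.
build_rules() {
    ssh_port=$1; shift
    # Loopback and replies to flows that were already permitted.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The only inbound service: resin ssh.
    echo "iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    # DNS (53/UDP) and NTP (123/UDP) to any server, per the requirement list.
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --dport 123 -j ACCEPT"
    # HTTPS (443/TCP) only to the whitelisted addresses.
    for ip in "$@"; do
        echo "iptables -A OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT"
    done
    # Log what falls through to the DROP policy so mistakes are visible in dmesg.
    echo "iptables -A INPUT -j LOG --log-prefix 'fw-drop-in: '"
    echo "iptables -A OUTPUT -j LOG --log-prefix 'fw-drop-out: '"
    # Flip the default policies last so nothing is cut off while rules are added.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
}

# apply_rules SSH_PORT: resolve the whitelist and execute the generated policy.
# Needs CAP_NET_ADMIN in the container. Run once per container start.
apply_rules() {
    build_rules "$1" $(resolve_hosts $ALLOWED_HOSTS) | sh -e
}
```

Call `apply_rules "$SSH_PORT"` from the container's start script once the resin ssh port is known; `build_rules` alone prints the policy for review without touching the kernel.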


#5

I was thinking this might be also doable with the Uncomplicated Firewall (ufw)? Here’s a Debian wiki entry on using ufw.

I’m guessing either create a sensible minimal .rules file, or apply the firewall rules on container startup (and possibly catch container shutdown to remove the rules? not sure if that’s really needed). This would be a good candidate for a template project, I guess? :tools:

Direct iptables is good and lightweight, though for mortals (like me) it is more error prone :angel:


#6

Thanks for the replies.

I will try ufw for port filtering.
For domain filtering, I think I have to use a proxy such as Squid, as iptables only supports IP filtering.