balena-supervisor/docs/firewall.md

# Firewall

Starting with `Supervisor v11.9.1`, the balena Supervisor comes with the ability to control the device's firewall through the [`iptables` package](https://linux.die.net/man/8/iptables). The Supervisor manipulates the `filter` table to control network traffic.

## Firewall Modes

To switch between firewall modes, the `HOST_FIREWALL_MODE` (with `BALENA_` or legacy `RESIN_` prefix) configuration variable may be defined on a fleet or device level through the dashboard, and has three valid settings: `on`, `off`, and `auto`, with `off` being the default mode.

> [!NOTE] Configuration variables defined in the dashboard will not apply to devices in local mode.

| Mode | Description                                                                                                                                                 |
| ---- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| on   | Only traffic for core services provided by balena and containers on the host network are allowed.                                                           |
| off  | All network traffic is allowed.                                                                                                                             |
| auto | If there _are_ host network services, behaves as if `FIREWALL_MODE` = `on`. If there _aren't_ host network services, behaves as if `FIREWALL_MODE` = `off`. |

## Issues

Before [v14.9.2](https://github.com/balena-os/balena-supervisor/blob/master/CHANGELOG.md#v1492) manually-set firewall rules to the `filter` table will be overwritten by the Supervisor ([related issue](https://github.com/balena-os/balena-supervisor/issues/1482)). Please update your supervisor if you observe this behavior.
Document the current state of HOST_FIREWALL_MODE This set of docs can provide info for support agents until issue 1482 is resolved. Expect this document to change as firewall implementation is improved. Connects-to: #1482 Connects-to: #1525 Change-type: patch Signed-off-by: Christina Wang <christina@balena.io> 2021-06-09 07:51:50 +00:00			`# Firewall`

			Starting with `Supervisor v11.9.1`, the balena Supervisor comes with the ability to control the device's firewall through the [`iptables` package](https://linux.die.net/man/8/iptables). The Supervisor manipulates the `filter` table to control network traffic.

			`## Firewall Modes`

Replace application --> fleet Signed-off-by: Vipul Gupta (@vipulgupta2048) <vipul@balena.io> 2021-11-12 10:13:20 +00:00			To switch between firewall modes, the `HOST_FIREWALL_MODE` (with `BALENA_` or legacy `RESIN_` prefix) configuration variable may be defined on a fleet or device level through the dashboard, and has three valid settings: `on`, `off`, and `auto`, with `off` being the default mode.
Document the current state of HOST_FIREWALL_MODE This set of docs can provide info for support agents until issue 1482 is resolved. Expect this document to change as firewall implementation is improved. Connects-to: #1482 Connects-to: #1525 Change-type: patch Signed-off-by: Christina Wang <christina@balena.io> 2021-06-09 07:51:50 +00:00
Update firewall documentation Removes experimental warning and updates issues Change-type: patch 2024-11-07 14:04:32 +00:00			`> [!NOTE] Configuration variables defined in the dashboard will not apply to devices in local mode.`
Document the current state of HOST_FIREWALL_MODE This set of docs can provide info for support agents until issue 1482 is resolved. Expect this document to change as firewall implementation is improved. Connects-to: #1482 Connects-to: #1525 Change-type: patch Signed-off-by: Christina Wang <christina@balena.io> 2021-06-09 07:51:50 +00:00
Update firewall documentation Removes experimental warning and updates issues Change-type: patch 2024-11-07 14:04:32 +00:00			`\| Mode \| Description \|`
			`\| ---- \| ----------------------------------------------------------------------------------------------------------------------------------------------------------- \|`
			`\| on \| Only traffic for core services provided by balena and containers on the host network are allowed. \|`
			`\| off \| All network traffic is allowed. \|`
Document the current state of HOST_FIREWALL_MODE This set of docs can provide info for support agents until issue 1482 is resolved. Expect this document to change as firewall implementation is improved. Connects-to: #1482 Connects-to: #1525 Change-type: patch Signed-off-by: Christina Wang <christina@balena.io> 2021-06-09 07:51:50 +00:00			\| auto \| If there _are_ host network services, behaves as if `FIREWALL_MODE` = `on`. If there _aren't_ host network services, behaves as if `FIREWALL_MODE` = `off`. \|

			`## Issues`

Update firewall documentation Removes experimental warning and updates issues Change-type: patch 2024-11-07 14:04:32 +00:00			Before [v14.9.2](https://github.com/balena-os/balena-supervisor/blob/master/CHANGELOG.md#v1492) manually-set firewall rules to the `filter` table will be overwritten by the Supervisor ([related issue](https://github.com/balena-os/balena-supervisor/issues/1482)). Please update your supervisor if you observe this behavior.