ExternalVendorCode/balena-supervisor
1
0
Fork 0
mirror of https://github.com/balena-os/balena-supervisor.git synced 2024-12-19 13:47:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8d0954db75
balena-supervisor/docs/firewall.md
Vipul Gupta (@vipulgupta2048) 277ab39dab Replace application --> fleet 
Signed-off-by: Vipul Gupta (@vipulgupta2048) <vipul@balena.io>
2022-01-20 18:17:30 +05:30

1.5 KiB
Raw Blame History

Firewall

Disclaimer: Firewall control in the Supervisor is still an experimental feature, so expect changes to come.

Starting with Supervisor v11.9.1, the balena Supervisor comes with the ability to control the device's firewall through the iptables package. The Supervisor manipulates the filter table to control network traffic.

Firewall Modes

To switch between firewall modes, the HOST_FIREWALL_MODE (with BALENA_ or legacy RESIN_ prefix) configuration variable may be defined on a fleet or device level through the dashboard, and has three valid settings: on, off, and auto, with off being the default mode.

Note: Configuration variables defined in the dashboard will not apply to devices in local mode.

Mode Description
on Only traffic for core services provided by balena and containers on the host network are allowed.
off All network traffic is allowed.
auto If there are host network services, behaves as if FIREWALL_MODE = on. If there aren't host network services, behaves as if FIREWALL_MODE = off.

Issues

The Supervisor's implementation of BALENA_HOST_FIREWALL_MODE is not yet ideal. As such, please feel free to raise an issue. There is one notable issue where manually-set firewall rules to the filter table will be overwritten by the Supervisor (read more here). The current workaround is to set these rules in the raw table.