Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secure farmer lan #2520

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

secure farmer lan #2520

wants to merge 3 commits into from

Conversation

Omarabdul3ziz
Copy link
Contributor

@Omarabdul3ziz Omarabdul3ziz commented Jan 8, 2025
edited
Loading

Description

apply implemented nft rules for farmer lan security in zos4, PRs:

Related issues

@Omarabdul3ziz Omarabdul3ziz marked this pull request as draft January 8, 2025 13:47
@Omarabdul3ziz
enhance the lan security logic
ede0811 
- apply the nft rules if only the default gw is private
- explicitly allow traffic to all ips except the default gw network
- except the router from the lan block
- create a buffer with rules instead of executing commands
- use the nft.Apply function for executing the buffer
@Omarabdul3ziz Omarabdul3ziz marked this pull request as ready for review January 15, 2025 12:14
@Omarabdul3ziz Omarabdul3ziz changed the title drop traffic to peers in same lan secure farmer lan Jan 15, 2025
delandtj
delandtj reviewed Jan 21, 2025
View reviewed changes
Copy link
Contributor

@delandtj delandtj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added a few comments

pkg/network/nft/nft.go

var buf bytes.Buffer
buf.WriteString("table inet filter {\n")
buf.WriteString(" chain forward {\n")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're missing the type here
type filter hook forward priority filter; policy accept;

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is already handled in the initial nft setup

pkg/network/nft/nft.go
buf.WriteString(" }\n")
buf.WriteString("}\n")

return Apply(&buf, namesapce)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

namesapce ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also, where do you apply the new table ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in ndmz namespace

@Omarabdul3ziz
Copy link
Contributor Author

Omarabdul3ziz commented Jan 27, 2025
edited
Loading

update:
in zos4, we noticed a problem with ssh communication in a time where myc was working. i guess we need to allow the ssh port as well. but can't verify because myc doesn't work now. threefoldtech/mycelium#515

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@delandtj delandtj delandtj left review comments

@muhamadazmy muhamadazmy Awaiting requested review from muhamadazmy muhamadazmy is a code owner

@ashraffouda ashraffouda Awaiting requested review from ashraffouda ashraffouda is a code owner

@rawdaGastan rawdaGastan Awaiting requested review from rawdaGastan rawdaGastan is a code owner

@xmonader xmonader Awaiting requested review from xmonader xmonader is a code owner

@Eslam-Nawara Eslam-Nawara Awaiting requested review from Eslam-Nawara Eslam-Nawara is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Omarabdul3ziz @delandtj