firewall
The default state of the Nebula interface host firewall is deny all for all inbound and outbound traffic. Firewall rules can be added to allow traffic for specified ports and protocols, but it is not possible to explicitly define a deny rule.
Firewall rules consist of one or more ports, a protocol, and one or more Nebula certificate properties denoting which
hosts the rule should apply to. The Groups
section of a Nebula certificate is particularly useful in this context. For
example, by issuing certificates for use on employee laptops with the group user-endpoint
, that group could then be
referenced to allow inbound web traffic to a Nebula host:
inbound:
- port: 443
proto: tcp
group: user-endpoint
- port: 80
proto: tcp
group: user-endpoint
Continuing with that example, you could write another rule to allow an employee who also belongs to the ops
group to
access that same webserver using SSH. This would be added inside the inbound:
section.
- port: 22
proto: tcp
groups:
- user-endpoint
- ops
When the plural groups
property is specified, the rule only applies to hosts that have a certificate with each of the
groups listed.
The possible fields of a firewall rule are:
-
port
: Takes0
orany
as any, a single number (e.g.80
), a range (e.g.200-901
), orfragment
to match second and further fragments of fragmented packets (since there is no port available). -
proto
: One ofany
,tcp
,udp
, oricmp
-
ca_name
: An issuing CA name -
ca_sha
: An issuing CA shasum -
host
: Can beany
or a literal hostname, ietest-host
-
group
: Can beany
or a literal group name, iedefault-group
-
groups
: Same asgroup
but accepts a list of values. Multiple values are AND'd together and a certificate must contain all groups to pass. -
cidr
: a CIDR,0.0.0.0/0
is any. This restricts which Nebula IP addresses the rule allows. -
local_cidr
: a local CIDR,0.0.0.0/0
is any. This restricts which destination IP addresses, when using unsafe_routes, the rule allows. If unset, the rule will allow access to the specified ports on both the node itself as well as any IP addresses it routes to.
Logical evaluation of these rules changed in Nebula v1.9.0. Previously, a match on local_cidr
meant that a rule did
not need to also pass host
, group
, groups
, or cidr
checks. This is almost never what uers want - local_cidr
generally refers to a specific segment of an unsafe_routes configuration that is
being accessed, while the latter options relate to the connecting host's identity.
Since Nebula v1.9.0, rules are evaluated as:
port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr) AND local_cidr
.
Prior to Nebula v1.9.0, rules were evaluated as:
port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr OR local_cidr)
.
# Nebula security group configuration
firewall:
outbound_action: drop
inbound_action: drop
default_local_cidr_any: false # false will become the default in Nebula v1.10.0+
conntrack:
tcp_timeout: 12m
udp_timeout: 3m
default_timeout: 10m
outbound:
# Allow all outbound traffic from this node
- port: any
proto: any
host: any
inbound:
# Allow icmp between any nebula hosts
- port: any
proto: icmp
host: any
# Allow tcp/443 from any host with BOTH laptop and home group
- port: 443
proto: tcp
groups:
- laptop
- home
firewall.outbound
ReloadableIt is quite common to allow any outbound traffic to flow from a host. This simply means that the host can use any port or protocol to attempt to connect to any other host in the overlay network. (Whether or not those other hosts allow that inbound traffic is up to them.)
outbound:
- port: any
proto: any
host: any
firewall.inbound
ReloadableAt a minimum, it is recommended to enable ICMP so that ping
can be used to verify connectivity. Additionally, if
enabling the built-in Nebula SSH server, you may wish to grant access over the Nebula network via firewall rules.
firewall.default_local_cidr_any
Default: True ReloadableThis setting was introduced in Nebula v1.9.0 for backwards compatibility purposes. The default will be changed to
false
in Nebula v1.10.0 and the config option will be deprecated.
When set to true
, any firewall rules which do not explicitly set local_cidr
will be interpreted as if they were set
to any
. In other words, firewall rules which do not explicitly configure local_cidr
will apply both to ports on the
local machine as well as ports on any hosts accessible via unsafe_routes.
When set to false
, firewall rules which do not explicitly set local_cidr
will only apply to the local host. To
permit access to machines accessible via unsafe_routes, define a firewall rule which explicitly references those routes
in the local_cidr
field.
firewall.conntrack
ReloadableSettings for the Connection Tracker.
conntrack:
tcp_timeout: 12m
udp_timeout: 3m
default_timeout: 10m
outbound_action, inbound_action
Default: drop ReloadableAction to take when a packet is not allowed by the firewall rules.
Can be one of:
drop
: silently drop the packet.reject
: send a reject reply.- For TCP, this will be a RST "Connection Reset" packet.
- For other protocols, this will be an ICMP port unreachable packet.