Firewall example with nftables

[p5]

Hey FCOS team!

Currently the only example you have for configuring a firewall is with Ansible, which brings in a bunch of unwanted dependencies.

It would be great if you could provide some examples of layering firewall rules (ideally in a .d directory) to demonstrate some of the common configurations someone may want to do on a FCOS system.

For example, the OpenVPN setup scripts include the following, but it's not obvious how we can create an image with this configuration in a declarative manor at build time.

# Configure NAT
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -j MASQUERADE
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -j MASQUERADE
sudo firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j ACCEPT
sudo systemctl restart firewalld

The title mentions nftables, but any file-based declarative approach would be appreciated.

Thank you
Robert

[miabbott]

One option using the ansible-firewalld example is to adapt it to a multi-stage build, where the firewall rules are configured and then copied to the destination image.

FROM registry.fedoraproject.org/fedora:40 AS builder
ADD configure-firewall-playbook.yml .
RUN dnf -y install firewalld ansible && \
    ansible-playbook configure-firewall-playbook.yml

FROM quay.io/fedora/fedora-coreos:stable
RUN rpm-ostree install firewalld
COPY --from=builder /etc/firewalld /etc/firewalld
RUN ostree container commit

It's not as elegant as a truly declarative approach, but could work.

If you are interested in using nftables, they have scripting support which would probably be a better way forward - https://wiki.nftables.org/wiki-nftables/index.php/Scripting