Firewall

This reference guide describes the firewall system in openUC2 OS.

openUC2 OS uses firewalld as its firewall. The firewall is run as the systemd service firewalld.service.

firewalld is configured using openUC2 OS's pattern for drop-in configuration files. The drop-in configuration file system for firewalld is provided by Forklift package deployment networking/firewalld.

firewalld.conf

Configuration variables in /etc/firewalld/firewalld.conf are set with drop-in files in /etc/firewalld/firewalld.conf.d, which are controlled by Forklift package deployments and associated feature flags:

| Setting                  | in drop-in file              | from                                      | is set by default? |
|--------------------------|------------------------------|-------------------------------------------|--------------------|
| DefaultZone: nm-shared   | 20-default-zone.conf         | networking/firewalld: default-zone-direct |                    |
| DefaultZone: public      | 20-default-zone.conf         | networking/firewalld: default-zone-public | yes                |
| DefaultZone: block       | 20-default-zone.conf         | networking/firewalld: default-zone-block  |                    |
| StrictForwardPorts: yes  | 20-strict-forward-ports.conf | networking/firewalld: govern-docker-ports |                    |

/etc/firewalld/firewalld.conf is generated as follows:

  • The systemd service assemble-firewalld-config.service concatenates the contents of /etc/firewalld/firewalld.conf.d/ and writes the output to /run/overlays/generated/etc/firewalld/firewalld.conf.
  • /etc/firewalld/firewalld.conf is a symlink to /run/overlays/generated/etc/firewalld/firewalld.conf.
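As an added example (not code from openUC2 OS or the networking/firewalld package), the following Python script reproduces the assembly step on a constructed set of drop-in fragments and reports which file set each effective value. It assumes that assemble-firewalld-config.service concatenates the .conf fragments in lexical file-name order and that, as with a simple key=value reader, a later assignment of the same key replaces an earlier one; the 50-local.conf fragment is a hypothetical site-local override that does not exist in openUC2 OS and is included only to show how such an override is detected.

```python
import tempfile
from pathlib import Path

# Constructed fragments modelled on the firewalld.conf drop-in table above, plus a
# hypothetical local override (50-local.conf) that is NOT part of openUC2 OS.
SAMPLE_DROPINS = {
    "20-default-zone.conf": "DefaultZone=public\n",
    "20-strict-forward-ports.conf": "StrictForwardPorts=yes\n",
    "50-local.conf": "# hypothetical site-local override\nDefaultZone=nm-shared\n",
}


def write_dropins(dropin_dir: Path, files: dict) -> None:
    """Materialise the constructed fragments as files in a firewalld.conf.d-style directory."""
    dropin_dir.mkdir(parents=True, exist_ok=True)
    for name, body in files.items():
        (dropin_dir / name).write_text(body)


def assemble(dropin_dir: Path) -> str:
    """Concatenate *.conf fragments in lexical order, mirroring what
    assemble-firewalld-config.service does (assumption: lexical order, .conf suffix)."""
    return "".join(f.read_text() for f in sorted(dropin_dir.glob("*.conf")))


def audit(dropin_dir: Path):
    """Walk the fragments in the same order and track, per key, the effective value
    and the file that set it. Assumption: a later assignment wins, so any earlier
    assignment of the same key with a different value is recorded as an override."""
    effective = {}   # key -> (value, file that set it)
    overrides = []   # (key, earlier_file, earlier_value, later_file, later_value)
    for f in sorted(dropin_dir.glob("*.conf")):
        for raw in f.read_text().splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep:
                continue                      # not a key=value line; ignore
            key, value = key.strip(), value.strip()
            if key in effective and effective[key][0] != value:
                overrides.append((key, effective[key][1], effective[key][0], f.name, value))
            effective[key] = (value, f.name)
    return effective, overrides


def demo():
    """Build the constructed drop-in directory in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "firewalld.conf.d"
        write_dropins(d, SAMPLE_DROPINS)
        assembled = assemble(d)
        effective, overrides = audit(d)
    return assembled, effective, overrides


if __name__ == "__main__":
    assembled, effective, overrides = demo()
    print("--- assembled firewalld.conf ---")
    print(assembled, end="")
    print("--- effective settings ---")
    for key, (value, src) in effective.items():
        print(f"{key}={value}  (from {src})")
    for key, f1, v1, f2, v2 in overrides:
        print(f"WARNING: {key} was {v1!r} in {f1} but is overridden to {v2!r} by {f2}")
```

Pointing `audit()` at a real /etc/firewalld/firewalld.conf.d/ (instead of the temp directory) shows which deployment's fragment decides the effective DefaultZone, which is the first thing to check when a connection ends up in a more permissive zone than expected.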

Services

firewalld is configured with the following services, some of which are controlled by Forklift package deployments and associated feature flags:

| Service            | from                                                                        | exists by default? |
|--------------------|-----------------------------------------------------------------------------|--------------------|
| dhcp               | firewalld                                                                   | yes                |
| dhcpv6             | firewalld                                                                   | yes                |
| dhcpv6-client      | firewalld                                                                   | yes                |
| dns                | firewalld                                                                   | yes                |
| mdns               | firewalld                                                                   | yes                |
| cockpit            | firewalld                                                                   | yes                |
| ssh                | firewalld                                                                   | yes                |
| http               | firewalld                                                                   | yes                |
| https              | firewalld                                                                   | yes                |
| http3              | firewalld                                                                   | yes                |
| http-untrusted     | infra/caddy-ingress-untrusted: firewall-allow-direct, firewall-allow-public | yes                |
| esp32-ota-firmware | imswitch: firewall-allow-direct, firewall-allow-public                      | yes                |
| imswitch-dev       | imswitch: firewall-allow-direct, firewall-allow-public                      | yes                |

File locations:

  • Services from firewalld are defined in /usr/lib/firewalld/services/.
  • Services from Forklift package deployments are defined in /etc/firewalld/services/.

These services expose the following ports:

| Service            | TCP Ports  | UDP Ports |
|--------------------|------------|-----------|
| dhcp               |            | 67        |
| dhcpv6             |            | 547       |
| dhcpv6-client      |            | 546       |
| dns                | 53         | 53        |
| mdns               |            | 5353      |
| cockpit            | 9090       |           |
| ssh                | 22         |           |
| http               | 80         |           |
| https              | 443        |           |
| http3              |            | 443       |
| http-untrusted     | 8000       |           |
| esp32-ota-firmware | 3333       | 3232      |
| imswitch-dev       | 8001, 8888 |           |

Zones

firewalld is configured with the following zones, which are controlled by Forklift package deployments and associated feature flags:

| Zone      | from                                             | exists by default? |
|-----------|--------------------------------------------------|--------------------|
| nm-shared | networking/firewalld's feature zone-nm-shared    | yes                |
| public    | networking/firewalld's feature zone-public       | yes                |
| block     | firewalld                                        | yes                |

For an explanation of the design of firewall configurations for these zones, please refer to our explanation for exposure of software in openUC2 OS.

nm-shared

The nm-shared zone is intended to be used as the default firewall zone for NetworkManager connections with internet access sharing, such as direct connections to other devices. It is configured as a fully-privileged zone where unauthenticated administrative apps and services may be exposed.

The nm-shared zone /etc/firewalld/zones/nm-shared.xml is defined by drop-in files in /etc/firewalld/zones.d/nm-shared/, which are controlled by Forklift package deployments and associated feature flags:

| Setting                      | in drop-in file                   | from                                                 | is set by default? |
|------------------------------|-----------------------------------|------------------------------------------------------|--------------------|
| interface tailscale0         | 20-interface-tailscale0.xml       | networking/tailscale: firewall-as-direct             | yes                |
| protocol icmp                | 30-protocol-icmp.xml              | networking/networkmanager/base: firewall-allow-direct | yes               |
| protocol ipv6-icmp           | 30-protocol-icmp.xml              | networking/networkmanager/base: firewall-allow-direct | yes               |
| service dhcp                 | 40-service-dhcp.xml               | networking/networkmanager/base: firewall-allow-direct | yes               |
| service dhcpv6               | 40-service-dhcp.xml               | networking/networkmanager/base: firewall-allow-direct | yes               |
| service dhcpv6-client        | 40-service-dhcp.xml               | networking/networkmanager/base: firewall-allow-direct | yes               |
| service dns                  | 40-service-dns.xml                | networking/networkmanager/base: firewall-allow-direct | yes               |
| service mdns                 | 40-service-mdns.xml               | networking/avahi/daemon: firewall-allow-direct       | yes                |
| service cockpit              | 50-service-cockpit.xml            | admin/cockpit: firewall-allow-direct                 | yes                |
| service ssh                  | 50-service-ssh.xml                | admin/sshd: firewall-allow-direct                    | yes                |
| service http                 | 60-service-http.xml               | infra/caddy-ingress: firewall-allow-direct           | yes                |
| service https                | 60-service-https.xml              | infra/caddy-ingress: firewall-allow-direct           | yes                |
| service http3                | 60-service-http3.xml              | infra/caddy-ingress: firewall-allow-direct           | yes                |
| service http-untrusted       | 60-service-http-untrusted.xml     | infra/caddy-ingress-untrusted: firewall-allow-direct | yes                |
| service esp32-ota-firmware   | 70-service-esp32-ota-firmware.xml | imswitch: firewall-allow-direct                      | yes                |
| service imswitch-dev         | 70-service-imswitch-dev.xml       | imswitch: firewall-allow-direct                      | yes                |
| rule (priority 32767) reject | 90-rule-default.xml               | networking/firewalld                                 | yes                |

Naming conventions:

  • The numeric prefixes of any additional rules should be at least 20 and less than 90.
    • The prefix 20- is used for binding interfaces to the zone.
    • The prefix 30- is used for low-level networking protocols.
    • The prefix 40- is used for networking protocols which facilitate device connectivity & access.
    • The prefix 50- is used for administrative services.
    • The prefix 60- is used for general/infrastructural application services.
    • The prefix 70- is used for specific applications.
  • Feature flags configuring firewalld to allow access to ports should be named firewall-allow-direct.

/etc/firewalld/zones/nm-shared.xml is generated as follows:

  • The systemd service assemble-firewalld-config.service concatenates the contents of /etc/firewalld/zones.d/nm-shared/ and writes the output to /run/overlays/generated/etc/firewalld/zones/nm-shared.xml.
  • /etc/firewalld/zones/nm-shared.xml is a symlink to /run/overlays/generated/etc/firewalld/zones/nm-shared.xml.

public

The public zone is intended to be used as the default firewall zone for connections by untrusted strangers. It is configured as an unprivileged zone.

The public zone /etc/firewalld/zones/public.xml is defined by drop-in files in /etc/firewalld/zones.d/public/, which are controlled by Forklift package deployments and associated feature flags:

| Setting                        | in drop-in file                        | from                                                  | is set by default? |
|--------------------------------|----------------------------------------|-------------------------------------------------------|--------------------|
| interface tailscale0           | 20-interface-tailscale0.xml            | networking/tailscale: firewall-as-public              |                    |
| protocol icmp                  | 30-protocol-icmp.xml                   | networking/networkmanager/base: firewall-allow-public | yes                |
| protocol ipv6-icmp             | 30-protocol-icmp.xml                   | networking/networkmanager/base: firewall-allow-public | yes                |
| service dhcp                   | 40-service-dhcp.xml                    | networking/networkmanager/base: firewall-allow-public | yes                |
| service dhcpv6                 | 40-service-dhcp.xml                    | networking/networkmanager/base: firewall-allow-public | yes                |
| service dhcpv6-client          | 40-service-dhcp.xml                    | networking/networkmanager/base: firewall-allow-public | yes                |
| service dns                    | 40-service-dns.xml                     | networking/networkmanager/base: firewall-allow-public | yes                |
| service mdns                   | 40-service-mdns.xml                    | networking/avahi/daemon: firewall-allow-public        | yes                |
| service cockpit                | 50-service-cockpit.xml                 | admin/cockpit: firewall-allow-public                  | yes                |
| service ssh                    | 50-service-ssh.xml                     | admin/sshd: firewall-allow-public                     | yes                |
| service http                   | 60-service-http.xml                    | infra/caddy-ingress: firewall-allow-public            |                    |
| service https                  | 60-service-https.xml                   | infra/caddy-ingress: firewall-allow-public            |                    |
| service http3                  | 60-service-http3.xml                   | infra/caddy-ingress: firewall-allow-public            |                    |
| service http-untrusted         | 60-service-http-untrusted.xml          | infra/caddy-ingress-untrusted: firewall-allow-public  | yes                |
| forward :80 to 127.0.0.1:8000  | 70-forward-http-to-http-untrusted.xml  | infra/caddy-ingress-untrusted: firewall-forward-http-public | yes           |
| service esp32-ota-firmware     | 70-service-esp32-ota-firmware.xml      | imswitch: firewall-allow-public                       | yes                |
| service imswitch-dev           | 70-service-imswitch-dev.xml            | imswitch: firewall-allow-public                       | yes                |

Naming conventions:

  • The numeric prefixes of any additional rules should be at least 20 and less than 90.
    • The prefix 20- is used for binding interfaces to the zone.
    • The prefix 30- is used for low-level networking protocols.
    • The prefix 40- is used for networking protocols which facilitate device connectivity & access.
    • The prefix 50- is used for administrative services.
    • The prefix 60- is used for general/infrastructural application services.
    • The prefix 70- is used for specific applications.
  • Feature flags configuring firewalld to allow access to ports should be named firewall-allow-public.

/etc/firewalld/zones/public.xml is generated as follows:

  • The systemd service assemble-firewalld-config.service concatenates the contents of /etc/firewalld/zones.d/public/ and writes the output to /run/overlays/generated/etc/firewalld/zones/public.xml.
  • /etc/firewalld/zones/public.xml is a symlink to /run/overlays/generated/etc/firewalld/zones/public.xml.

block

The block zone can be used instead of the public zone for selected NetworkManager connection profiles. It inherits the default behavior set by firewalld to only allow network connections initiated within the openUC2 OS machine, rejecting all incoming network connections with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. This implies that other computers will not be able to obtain IP addresses for connections to network interfaces in this zone.

Zone bindings

NetworkManager connection profiles are bound to firewall zones as follows:

| NetworkManager connection profile | binding to zone | from                                                       | is active by default? |
|-----------------------------------|-----------------|------------------------------------------------------------|-----------------------|
| eth0-default                      | nm-shared       | networking/networkmanager/base: eth0-default-firewall-direct |                     |
| eth0-default                      | public          | networking/firewalld: default-zone-public                  | yes                   |
| eth0-default                      | block           | networking/networkmanager/base: eth0-default-firewall-block |                      |
| eth0-static                       | nm-shared       | NetworkManager default behavior                            | yes                   |
| eth0-static                       | public          | networking/networkmanager/base: eth0-static-firewall-public |                      |
| eth0-static                       | block           | networking/networkmanager/base: eth0-static-firewall-block |                       |
| eth1-default                      | nm-shared       | networking/networkmanager/base: eth1-default-firewall-direct |                     |
| eth1-default                      | public          | networking/firewalld: default-zone-public                  | yes                   |
| eth1-default                      | block           | networking/networkmanager/base: eth1-default-firewall-block |                      |
| eth1-static                       | nm-shared       | NetworkManager default behavior                            | yes                   |
| eth1-static                       | public          | networking/networkmanager/base: eth1-static-firewall-public |                      |
| eth1-static                       | block           | networking/networkmanager/base: eth1-static-firewall-block |                       |
| usb0-default                      | nm-shared       | networking/networkmanager/base: usb0-default-firewall-direct |                     |
| usb0-default                      | public          | networking/firewalld: default-zone-public                  | yes                   |
| usb0-default                      | block           | networking/networkmanager/base: usb0-default-firewall-block |                      |
| usb0-static                       | nm-shared       | NetworkManager default behavior                            | yes                   |
| usb0-static                       | public          | networking/networkmanager/base: usb0-static-firewall-public |                      |
| usb0-static                       | block           | networking/networkmanager/base: usb0-static-firewall-block |                       |
| usb1-default                      | nm-shared       | networking/networkmanager/base: usb1-default-firewall-direct |                     |
| usb1-default                      | public          | networking/firewalld: default-zone-public                  | yes                   |
| usb1-default                      | block           | networking/networkmanager/base: usb1-default-firewall-block |                      |
| usb1-static                       | nm-shared       | NetworkManager default behavior                            | yes                   |
| usb1-static                       | public          | networking/networkmanager/base: usb1-static-firewall-public |                      |
| usb1-static                       | block           | networking/networkmanager/base: usb1-static-firewall-block |                       |
| wlan0-hotspot                     | nm-shared       | NetworkManager default behavior                            | yes                   |
| wlan0-hotspot                     | public          | networking/networkmanager/wifi-hotspot: wlan0-firewall-public |                    |
| wlan0-hotspot                     | block           | networking/networkmanager/wifi-hotspot: wlan0-firewall-block |                     |
| wlan0-internet                    | public          | networking/firewalld: default-zone-public                  | yes                   |
| wlan1-hotspot                     | nm-shared       | NetworkManager default behavior                            | yes                   |
| wlan1-hotspot                     | public          | networking/networkmanager/wifi-hotspot: wlan1-firewall-public |                    |
| wlan1-hotspot                     | block           | networking/networkmanager/wifi-hotspot: wlan1-firewall-block |                     |
| wlan1-internet                    | public          | networking/firewalld: default-zone-public                  | yes                   |
| tailscale0                        | nm-shared       | networking/tailscale: firewall-as-direct                   | yes                   |
| tailscale0                        | public          | networking/firewalld: default-zone-public                  |                       |
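To see what a given connection profile actually lets in, it helps to resolve its zone binding through the zone file and the service port definitions above. The following Python script is an added example, not code from openUC2 OS: it parses zone files written in firewalld's zone XML syntax, resolves each allowed service to its ports using a map transcribed from the services table, adds forward-port entry points, checks for the priority-32767 reject rule, and prints an exposure report per profile. The two zone documents, the service-port map and the profile-to-zone map are constructed subsets of the nm-shared, public and zone-binding tables (default rows only), not the generated files under /etc/firewalld/zones/.

```python
import xml.etree.ElementTree as ET

# Service -> {(protocol, port)}, transcribed from the services/ports table above
# (a constructed subset for this example).
SERVICE_PORTS = {
    "dhcp": {("udp", "67")},
    "dns": {("tcp", "53"), ("udp", "53")},
    "mdns": {("udp", "5353")},
    "cockpit": {("tcp", "9090")},
    "ssh": {("tcp", "22")},
    "http": {("tcp", "80")},
    "https": {("tcp", "443")},
    "http3": {("udp", "443")},
    "http-untrusted": {("tcp", "8000")},
}

# Constructed zone documents in firewalld's zone XML syntax, mirroring the
# default rows of the nm-shared and public tables (not the generated files).
NM_SHARED_ZONE_XML = """<zone>
  <short>nm-shared</short>
  <interface name="tailscale0"/>
  <protocol value="icmp"/>
  <protocol value="ipv6-icmp"/>
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="mdns"/>
  <service name="cockpit"/>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="http3"/>
  <service name="http-untrusted"/>
  <rule priority="32767"><reject/></rule>
</zone>
"""

PUBLIC_ZONE_XML = """<zone>
  <short>public</short>
  <protocol value="icmp"/>
  <protocol value="ipv6-icmp"/>
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="mdns"/>
  <service name="cockpit"/>
  <service name="ssh"/>
  <service name="http-untrusted"/>
  <forward-port port="80" protocol="tcp" to-port="8000" to-addr="127.0.0.1"/>
</zone>
"""

ZONES = {"nm-shared": NM_SHARED_ZONE_XML, "public": PUBLIC_ZONE_XML}

# Profile -> zone for the default bindings in the zone-bindings table (subset).
DEFAULT_BINDINGS = {
    "eth0-default": "public",
    "eth0-static": "nm-shared",
    "wlan0-hotspot": "nm-shared",
    "wlan0-internet": "public",
    "tailscale0": "nm-shared",
}


def zone_exposure(zone_xml):
    """Return ({(proto, port): reason}, unknown_service_names, has_explicit_reject_rule)."""
    root = ET.fromstring(zone_xml)
    open_ports, unknown = {}, set()
    for svc in root.findall("service"):
        name = svc.get("name")
        ports = SERVICE_PORTS.get(name)
        if ports is None:
            unknown.add(name)           # not in the map: ports cannot be resolved
            continue
        for proto, port in ports:
            open_ports[(proto, port)] = f"service {name}"
    for fp in root.findall("forward-port"):   # forwarded ports are entry points too
        key = (fp.get("protocol"), fp.get("port"))
        open_ports[key] = f"forwarded to {fp.get('to-addr')}:{fp.get('to-port')}"
    explicit_reject = any(
        rule.get("priority") == "32767" and rule.find("reject") is not None
        for rule in root.findall("rule")
    )
    return open_ports, unknown, explicit_reject


def exposure_report(zones=ZONES, bindings=DEFAULT_BINDINGS):
    """Per connection profile, report what its bound zone admits."""
    report = {}
    for profile, zone in bindings.items():
        open_ports, unknown, explicit_reject = zone_exposure(zones[zone])
        report[profile] = {
            "zone": zone,
            "open": open_ports,
            "unknown_services": sorted(unknown),
            "explicit_reject_rule": explicit_reject,
        }
    return report


if __name__ == "__main__":
    for profile, info in exposure_report().items():
        print(f"{profile} -> zone {info['zone']} "
              f"(explicit reject rule: {info['explicit_reject_rule']})")
        for (proto, port), why in sorted(info["open"].items()):
            print(f"    {proto}/{port:<5} {why}")
        for name in info["unknown_services"]:
            print(f"    ?? service {name} not in port map")
```

Run against the real files, `zone_exposure(Path('/etc/firewalld/zones/public.xml').read_text())` gives the same report for the assembled zone, and any service name it lists as unknown is one whose definition in /etc/firewalld/services/ should be read before assuming its ports are harmless.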

How-to guides are available for changing firewall zone bindings to limit access and increase access for particular NetworkManager connection profiles.