Skip to main content

firewall

The default state of the Nebula interface host firewall is deny all for all inbound and outbound traffic. Firewall rules can be added to allow traffic for specified ports and protocols, but it is not possible to explicitly define a deny rule.

Firewall rules consist of one or more ports, a protocol, and one or more Nebula certificate properties denoting which hosts the rule should apply to. The Groups section of a Nebula certificate is particularly useful in this context. For example, by issuing certificates for use on employee laptops with the group user-endpoint, that group could then be referenced to allow inbound web traffic to a Nebula host:

inbound:
  - port: 443
    proto: tcp
    group: user-endpoint

  - port: 80
    proto: tcp
    group: user-endpoint

Continuing with that example, you could write another rule to allow an employee who also belongs to the ops group to access that same webserver using SSH. This would be added inside the inbound: section.

- port: 22
  proto: tcp
  groups:
    - user-endpoint
    - ops

When the plural groups property is specified, the rule only applies to hosts that have a certificate with each of the groups listed.

The possible fields of a firewall rule are:

  • port: Takes 0 or any as any, a single number (e.g. 80), a range (e.g. 200-901), or fragment to match second and further fragments of fragmented packets (since there is no port available).

  • proto: One of any, tcp, udp, or icmp

  • ca_name: An issuing CA name

  • ca_sha: An issuing CA shasum

  • host: Can be any or a literal hostname, ie test-host

  • group: Can be any or a literal group name, ie default-group

  • groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate must contain all groups to pass.

  • cidr: a CIDR, 0.0.0.0/0 is any. This restricts which Nebula IP addresses the rule allows.

  • local_cidr: a local CIDR, 0.0.0.0/0 is any. This restricts which destination IP addresses, when using unsafe_routes, the rule allows. If unset, the rule will only allow access to the port on the local node, not the unsafe_routes it serves, unless default_local_cidr_any is true.

note

Logical evaluation of these rules changed in Nebula v1.9.0. Previously, a match on local_cidr meant that a rule did not need to also pass host, group, groups, or cidr checks. This is almost never what uers want - local_cidr generally refers to a specific segment of an unsafe_routes configuration that is being accessed, while the latter options relate to the connecting host's identity.

Since Nebula v1.9.0, rules are evaluated as: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr) AND local_cidr.

Prior to Nebula v1.9.0, rules were evaluated as: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr OR local_cidr).

# Nebula security group configuration

firewall:
  outbound_action: drop
  inbound_action: drop

  default_local_cidr_any: false # false since v1.10.0, see notes below

  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  outbound:
    # Allow all outbound traffic from this node
    - port: any
      proto: any
      host: any

  inbound:
    # Allow icmp between any nebula hosts
    - port: any
      proto: icmp
      host: any

    # Allow tcp/443 from any host with BOTH laptop and home group
    - port: 443
      proto: tcp
      groups:
        - laptop
        - home

firewall.outbound

Reloadable

It is quite common to allow any outbound traffic to flow from a host. This simply means that the host can use any port or protocol to attempt to connect to any other host in the overlay network. (Whether or not those other hosts allow that inbound traffic is up to them.)

outbound:
  - port: any
    proto: any
    host: any

firewall.inbound

Reloadable

At a minimum, it is recommended to enable ICMP so that ping can be used to verify connectivity. Additionally, if enabling the built-in Nebula SSH server, you may wish to grant access over the Nebula network via firewall rules.

firewall.default_local_cidr_any

Default: False Reloadable

This setting was introduced in Nebula v1.9.0 set to true for backwards compatibility purposes. The default was changed to false in Nebula v1.10.0 and the config option is now deprecated.

When set to true, any firewall rules which do not explicitly set local_cidr are interpreted as if they were set to 0.0.0.0/0. In other words, firewall rules which do not explicitly configure local_cidr will apply both to ports on the local machine as well as ports on any hosts accessible via unsafe_routes.

When set to false, firewall rules which do not explicitly set local_cidr will only apply to the local host. To permit access to machines accessible via unsafe_routes, define a firewall rule which explicitly references those routes in the local_cidr field.

firewall.conntrack

Reloadable

Settings for the Connection Tracker.

conntrack:
  tcp_timeout: 12m
  udp_timeout: 3m
  default_timeout: 10m

outbound_action, inbound_action

Default: drop Reloadable

Action to take when a packet is not allowed by the firewall rules.

Can be one of:

  • drop: silently drop the packet.
  • reject: send a reject reply.
    • For TCP, this will be a RST "Connection Reset" packet.
    • For other protocols, this will be an ICMP port unreachable packet.