
_firewall_config.py: add NI services to default firewall configuration #50

Merged: 4 commits into ni:master from dev/rtollert/firewall-niservices, Dec 16, 2024

Conversation

rtollert (Contributor)

@rtollert rtollert commented Dec 16, 2024

Summary of Changes

Install ni-firewall-servicedefs to expose NI services to firewalld; enable services for core NI software functionality.

Allow NTP over the public network.

Testing

nilrt-snac configure succeeds; firewall configuration verified manually.

Procedure

  • This PR: changes user-visible behavior, fixes a bug, or impacts the project's security profile; and so it includes a CHANGELOG note.
  • I certify that the contents of this pull request comply with the Developer Certificate of Origin.

NTP is a basal network service on par with DHCP: if it can't be trusted, large
chunks of the remaining security infrastructure become infeasible. At the
moment, it probably needs to be permitted unencrypted.

Signed-off-by: Richard Tollerton <[email protected]>

In addition to http/https (already added), SystemLink clients also generally
require outbound access to AMQP (ports 4505, 4506) and Salt master (port 5672)
servers. These services already exist in firewalld and should be permitted by
default to allow SystemLink traffic over VPN.

Note that the Salt master protocol possesses its own encryption and so could
conceivably be exposed over the public network; however, AMQPS is on a separate
port (5671) and I don't believe SystemLink supports that.

Discovered by code inspection.

Signed-off-by: Richard Tollerton <[email protected]>

Install the ni-firewalld-servicedefs package to gain access to NI service
definitions, then use those to open up necessary ports for inbound access to
LabVIEW RT, shared variables/network streams, and device configuration.

Signed-off-by: Richard Tollerton <[email protected]>
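As an added example (not code from nilrt-snac or from this PR), the zone split the commits describe, rendered as firewalld zone files: NTP alone on the public zone, and HTTP/HTTPS, AMQP and Salt master on a second zone that is assumed here to be named `work` and to carry the VPN interface. The definition check mirrors why the PR installs ni-firewalld-servicedefs before enabling services: firewalld will not load a zone that names a service with no definition file. The zone names, the scratch root and the stub service files are assumptions for the example; the NI-specific service names are omitted because the page does not list them, and the service names used are firewalld's own bundled ones (ntp, http, https, amqp, salt-master).

```python
"""Render firewalld zone files for the NTP-public / SystemLink-VPN split
and check that every referenced service has a definition file."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed plan for the example. "work" is an assumed name for the
# VPN-facing zone; the real project's zone layout is not shown on the page.
ZONE_PLAN = {
    "public": ["ntp"],
    "work": ["http", "https", "amqp", "salt-master"],
}


def render_zone_xml(zone_name, services):
    """Return the text of a firewalld zone file enabling `services`.

    firewalld zone files are <zone> elements with one <service name=.../>
    child per enabled service (the same shape as
    `firewall-cmd --permanent --zone=Z --add-service=S` writes).
    """
    zone = ET.Element("zone")
    ET.SubElement(zone, "short").text = zone_name
    ET.SubElement(zone, "description").text = (
        "Services enabled on zone %s" % zone_name)
    for svc in services:
        ET.SubElement(zone, "service", name=svc)
    return ET.tostring(zone, encoding="unicode", xml_declaration=True)


def write_zone_files(root_dir, plan):
    """Write <root_dir>/etc/firewalld/zones/<zone>.xml for each zone in `plan`.

    Returns a mapping of zone name to the path written.
    """
    zones_dir = os.path.join(root_dir, "etc", "firewalld", "zones")
    os.makedirs(zones_dir, exist_ok=True)
    written = {}
    for zone_name, services in plan.items():
        path = os.path.join(zones_dir, zone_name + ".xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_zone_xml(zone_name, services))
            fh.write("\n")
        written[zone_name] = path
    return written


def services_in_zone(path):
    """Parse a zone file back and return its enabled service names, sorted."""
    root = ET.parse(path).getroot()
    return sorted(el.get("name") for el in root.findall("service"))


def missing_service_definitions(plan, services_dirs):
    """Return {zone: [service, ...]} for services that have no <name>.xml
    under any of `services_dirs` (normally /usr/lib/firewalld/services and
    /etc/firewalld/services). A zone that names an undefined service fails
    to load, which is why NI definitions must be installed first.
    """
    defined = set()
    for directory in services_dirs:
        if os.path.isdir(directory):
            defined.update(name[:-4] for name in os.listdir(directory)
                           if name.endswith(".xml"))
    missing = {}
    for zone_name, services in plan.items():
        lacking = [svc for svc in services if svc not in defined]
        if lacking:
            missing[zone_name] = lacking
    return missing


def build_demo():
    """Write the plan into a scratch root and check it; returns a summary."""
    root = tempfile.mkdtemp(prefix="firewalld-demo-")
    paths = write_zone_files(root, ZONE_PLAN)
    # Constructed stand-in for /usr/lib/firewalld/services: salt-master is
    # deliberately left out so the definition check has something to flag.
    services_dir = os.path.join(root, "usr", "lib", "firewalld", "services")
    os.makedirs(services_dir)
    for name in ("ntp", "http", "https", "amqp"):
        with open(os.path.join(services_dir, name + ".xml"), "w") as fh:
            fh.write("<service><short>%s</short></service>\n" % name)
    return {
        "public": services_in_zone(paths["public"]),
        "work": services_in_zone(paths["work"]),
        "missing": missing_service_definitions(ZONE_PLAN, [services_dir]),
        "root": root,
    }


if __name__ == "__main__":
    summary = build_demo()
    print("public zone services:", summary["public"])
    print("work zone services:  ", summary["work"])
    print("undefined services:  ", summary["missing"])
    print("zone files written under", summary["root"])
```

On a real NI Linux RT target the same check would point `missing_service_definitions` at `/usr/lib/firewalld/services` and `/etc/firewalld/services`; an empty result means every service the plan names is defined, and a non-empty one is the signal that the definitions package has not been installed yet.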
@rtollert rtollert marked this pull request as ready for review December 16, 2024 18:22
@amstewart amstewart merged commit f5a7254 into ni:master Dec 16, 2024
2 checks passed
@rtollert rtollert deleted the dev/rtollert/firewall-niservices branch December 16, 2024 21:05