
Pin niroco to port 55184 and open it to incoming VPN traffic #52

Merged: 1 commit merged into ni:master from dev/rtollert/firewall-roco on Dec 16, 2024

Conversation

rtollert (Contributor)

By default, niroco allocates an ephemeral server port, which cannot be effectively firewalled. We can force it to use a specific port with an INI fragment installed to /usr/share/niroco.d, so that _firewall_config.py can allow incoming traffic to that port.

We choose port 55184 more or less entirely arbitrarily, but placing it firmly in the ephemeral range more or less demands that this cannot be the long-term static port decision.

Testing

nilrt-snac configure succeeds and makes the required changes to the firewalld config. New config file added under /usr/share/niroco.d.

Procedure

  • This PR: changes user-visible behavior, fixes a bug, or impacts the project's security profile; and so it includes a CHANGELOG note.
  • I certify that the contents of this pull request comply with the Developer Certificate of Origin.
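The two checks the description implies, that a pinned port is actually firewallable and that the chosen value sits inside the kernel's ephemeral range, can be scripted. The following is an added example, not code from this PR or from the nilrt-snac project: it parses drop-in INI fragments, reads the live ephemeral range from `/proc/sys/net/ipv4/ip_local_port_range` (falling back to the usual Linux default when that file is absent), and builds the `firewall-cmd` invocation that opens the port. The `[server]` section, the `port` key, the `*.ini` glob and the `work` zone are assumptions; niroco's real INI schema and the zone `_firewall_config.py` uses are not shown on this page.

```python
"""Check that a service pinned to a fixed port by an INI drop-in can be
firewalled, and flag a pin that lands inside the kernel's ephemeral range
(where it may collide with ports handed out to outgoing connections)."""
import configparser
import tempfile
from pathlib import Path

# Constructed sample fragment. Section and key names are assumptions,
# not niroco's actual configuration schema.
SAMPLE_FRAGMENT = """\
[server]
port = 55184
"""

# Common Linux default for net.ipv4.ip_local_port_range; used only when
# the live sysctl value cannot be read (e.g. off-box or non-Linux).
DEFAULT_EPHEMERAL_RANGE = (32768, 60999)


def read_ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) of the kernel's ephemeral port range."""
    try:
        lo, hi = Path(path).read_text().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL_RANGE


def pinned_port(dropin_dir, section="server", key="port"):
    """Parse every *.ini fragment in dropin_dir in sorted order (later files
    override earlier ones, as drop-in directories conventionally do) and
    return the pinned port, or None if no fragment pins one."""
    parser = configparser.ConfigParser()
    parser.read(sorted(Path(dropin_dir).glob("*.ini")))
    if not parser.has_option(section, key):
        return None
    port = parser.getint(section, key)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is not a valid TCP port")
    return port


def in_ephemeral_range(port, rng):
    """True if the pinned port could also be chosen for an outgoing socket."""
    lo, hi = rng
    return lo <= port <= hi


def firewall_cmd_args(port, zone="work", proto="tcp"):
    """firewall-cmd arguments that open the pinned port (zone name assumed)."""
    return ["firewall-cmd", "--permanent", f"--zone={zone}", f"--add-port={port}/{proto}"]


def assess(dropin_dir, rng=None):
    """Summarise whether the service is firewallable and whether the pin is
    inside the ephemeral range; an unpinned (ephemeral) port is not firewallable."""
    rng = rng or read_ephemeral_range()
    port = pinned_port(dropin_dir)
    if port is None:
        return {"port": None, "firewallable": False, "ephemeral": None, "cmd": None}
    return {
        "port": port,
        "firewallable": True,
        "ephemeral": in_ephemeral_range(port, rng),
        "cmd": firewall_cmd_args(port),
    }


def demo():
    """Run the check against the constructed fragment in a temporary drop-in dir."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "50-pin-port.ini").write_text(SAMPLE_FRAGMENT)
        return assess(d, rng=DEFAULT_EPHEMERAL_RANGE)


if __name__ == "__main__":
    print(demo())
```

With the sample fragment the check reports the port as firewallable but flags it as ephemeral, which is exactly the caveat the description raises about 55184 not being a long-term choice.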

@AlexHearnNI AlexHearnNI requested a review from a team December 16, 2024 22:42
@amstewart amstewart (Collaborator) left a review comment on the Makefile (outdated; resolved).

@rtollert rtollert force-pushed the dev/rtollert/firewall-roco branch from c5cbdb3 to de5ba1b Compare December 16, 2024 22:51
By default, niroco allocates an ephemeral server port, which cannot be
effectively firewalled. We can force it to use a specific port with an
INI fragment installed to /usr/share/niroco.d, so that _firewall_config.py can
allow incoming traffic to that port.

We choose port 55184 more or less entirely arbitrarily, but placing it firmly in
the ephemeral range more or less demands that this cannot be the long-term
static port decision.

Signed-off-by: Richard Tollerton <[email protected]>
@rtollert rtollert force-pushed the dev/rtollert/firewall-roco branch from de5ba1b to cd405a6 Compare December 16, 2024 22:57
@rtollert rtollert requested a review from amstewart December 16, 2024 22:58
@rtollert rtollert marked this pull request as ready for review December 16, 2024 23:05
@amstewart amstewart merged commit 71afe21 into ni:master Dec 16, 2024
2 checks passed