docu

imixs · Jun 3, 2024 · 5388616 · 5388616
1 parent fa9289c
commit 5388616
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/doc/FIREWALL.md b/doc/FIREWALL.md
@@ -22,8 +22,11 @@ As we want to allow communication only internally we need to restrict public acc
 	worker-2	ii.jj.kk.ll
 	worker-3	mm.nn.oo.pp
 
-you can do run the following script on each node to protect access from outside:
+you can do run the following `setup_ufw.sh` bash script on each node to protect access from outside:
 
+	$ ./setup_ufw.sh
+
+This is an example script with a rule set with a example rule set.  
 
 	ufw allow ssh comment 'allow ssh access form anywhere'
 	ufw allow 443 comment 'allow https only'
@@ -39,9 +42,9 @@ you can do run the following script on each node to protect access from outside:
 	ufw default deny incoming
 	ufw enable
 
-See also the `setup_ufw.sh` bash script in the /scripts directory.
+See the `setup_ufw.sh` bash script in the /scripts directory.
 
-After actiating your firewall, you can verify the status with:
+After activating your firewall, you can verify the status with:
 
 	$ sudo ufw status verbose
 
@@ -51,3 +54,16 @@ To disable the firewall run:
 
 	$ sudo ufw disable
 
+## Changing Rule Set
+
+To change the rules (e.g. adding a new cluster node) you simply need to edit your `setup_ufw.sh` bash script and run the setup once again.
+
+**Note:** Adding a new role can be done easily with the `ufw allow` command. But to remove all old rules you need to run `ufw reset` first and than add all rules once again. The `setup_ufw.sh` bash script does this automatically.
+
+	# Remove all existing rules
+	$ sudo ufw reset
+	# Rebuild all rules
+	$ ./setup_ufw.sh
+	# Verify rules
+	$ sudo ufw status verbose
+
diff --git a/scripts/setup_debian_bookworm.sh b/scripts/setup_debian_bookworm.sh
@@ -25,7 +25,7 @@ echo "#############################################"
 echo " adding k8s repositories ..."
 apt-get update
 # apt-transport-https may be a dummy package; if so, you can skip that package
-apt-get install -y apt-transport-https ca-certificates gnupg curl
+apt-get install -y apt-transport-https ca-certificates gnupg curl ufw
 
 # Add kubernetes repository 
 KUBERNETES_VERSION=v1.29

diff --git a/scripts/setup_ufw.sh b/scripts/setup_ufw.sh
@@ -17,6 +17,10 @@ if [ "$EUID" -ne 0 ]
     exit 1
 fi
 
+echo "=====> reset existing rules..."
+ufw reset
+
+echo "=====> rebuild new rule set..."
 ufw allow ssh comment 'allow ssh access form anywhere'
 # the https rule is only needed on master node
 ufw allow 443 comment 'allow https only'
@@ -32,8 +36,9 @@ ufw allow from 10.0.0.0/8
 ufw default allow outgoing
 ufw default deny incoming
 ufw enable
-
 ufw reload
 
+echo "=====> New rule set:"
+ufw status verbose
 # setup finished
 #############################################################