From 5388616b9bbba8d7ca520933acc3d56760d2462f Mon Sep 17 00:00:00 2001
From: Ralph Soika
Date: Mon, 3 Jun 2024 20:36:05 +0200
Subject: [PATCH] docu

---
 doc/FIREWALL.md | 22 +++++++++++++++++++---
 scripts/setup_debian_bookworm.sh | 2 +-
 scripts/setup_ufw.sh | 7 ++++++-
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/doc/FIREWALL.md b/doc/FIREWALL.md
index a2eee3c..6ccecb8 100644
--- a/doc/FIREWALL.md
+++ b/doc/FIREWALL.md
@@ -22,8 +22,11 @@ As we want to allow communication only internally we need to restrict public acc
 worker-2 ii.jj.kk.ll worker-3 mm.nn.oo.pp -you can do run the following script on each node to protect access from outside: +you can do run the following `setup_ufw.sh` bash script on each node to protect access from outside: + $ ./setup_ufw.sh + +This is an example script with a rule set with a example rule set. ufw allow ssh comment 'allow ssh access form anywhere' ufw allow 443 comment 'allow https only'
@@ -39,9 +42,9 @@ you can do run the following script on each node to protect access from outside:
 ufw default deny incoming ufw enable -See also the `setup_ufw.sh` bash script in the /scripts directory. +See the `setup_ufw.sh` bash script in the /scripts directory. -After actiating your firewall, you can verify the status with: +After activating your firewall, you can verify the status with: $ sudo ufw status verbose
@@ -51,3 +54,16 @@ To disable the firewall run:
 $ sudo ufw disable +## Changing Rule Set + +To change the rules (e.g. adding a new cluster node) you simply need to edit your `setup_ufw.sh` bash script and run the setup once again. + +**Note:** Adding a new role can be done easily with the `ufw allow` command. But to remove all old rules you need to run `ufw reset` first and than add all rules once again. The `setup_ufw.sh` bash script does this automatically. + + # Remove all existing rules + $ sudo ufw reset + # Rebuild all rules + $ ./setup_ufw.sh + # Verify rules + $ sudo ufw status verbose + 
diff --git a/scripts/setup_debian_bookworm.sh b/scripts/setup_debian_bookworm.sh
index e1c8a39..3a29fc0 100755
--- a/scripts/setup_debian_bookworm.sh
+++ b/scripts/setup_debian_bookworm.sh
@@ -25,7 +25,7 @@ echo "#############################################"
 echo " adding k8s repositories ..." apt-get update # apt-transport-https may be a dummy package; if so, you can skip that package -apt-get install -y apt-transport-https ca-certificates gnupg curl +apt-get install -y apt-transport-https ca-certificates gnupg curl ufw # Add kubernetes repository KUBERNETES_VERSION=v1.29
diff --git a/scripts/setup_ufw.sh b/scripts/setup_ufw.sh
index 3b240b2..ae3e721 100755
--- a/scripts/setup_ufw.sh
+++ b/scripts/setup_ufw.sh
@@ -17,6 +17,10 @@ if [ "$EUID" -ne 0 ]
 exit 1 fi +echo "=====> reset existing rules..." +ufw reset + +echo "=====> rebuild new rule set..." ufw allow ssh comment 'allow ssh access form anywhere' # the https rule is only needed on master node ufw allow 443 comment 'allow https only'
@@ -32,8 +36,9 @@ ufw allow from 10.0.0.0/8
 ufw default allow outgoing ufw default deny incoming ufw enable - ufw reload +echo "=====> New rule set:" +ufw status verbose # setup finished #############################################################
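Review bot: The added `ufw reset` asks for confirmation (`Resetting all rules to installed defaults. Proceed with operation (y|n)?`) unless it is given `--force`, so the unattended rebuild the commit describes (cloud-init, Ansible, `ssh node ./setup_ufw.sh < /dev/null`) stalls or aborts before a single rule is rebuilt; it should read `ufw --force reset`. The reset also disables the firewall and deletes every rule, including any added outside this script, and the node stays fully exposed until `ufw enable` runs much later in the file — if one of the intervening `ufw allow` commands fails or the session drops, the host is left with no firewall, and nothing visible in this hunk (no `set -e`, no `trap`) closes that window; a `trap 'ufw --force enable' EXIT` placed right after the reset, or at minimum a comment spelling out the exposure, is worth adding. The `if [ "$EUID" -ne 0 ]` block that the hunk's `exit 1`/`fi` belong to starts before the hunk.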
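Review bot: With the reset introduced by this commit, the `ufw enable` kept just above the new `echo`/`ufw status verbose` lines is the only step that re-arms the firewall, and without `--force` it stops to ask `Command may disrupt existing ssh connections. Proceed with operation (y|n)?` when the script is run over SSH — a non-interactive run then ends with the firewall still disabled and the new status print showing `Status: inactive` as its only hint. Change it to `ufw --force enable`; the `ufw reload` that follows is redundant once enable has loaded the rule set and can be dropped. If the script is meant to be the automated path, consider making an inactive result fatal rather than merely printed, e.g. `ufw status | grep -q '^Status: active' || exit 1` after the status output.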