This repository has been archived by the owner on Jan 19, 2022. It is now read-only.

packetnet-fw-agent

Inspired by droplan.

This package configures the firewalls on your Packet hosts so that network traffic is limited to those hosts only.

Two modes are available: project-wide, or a tag-based subset of the hosts running the agent. The agent periodically refreshes the host list from the Packet API.

Ideal uses might be highly network-dependent frameworks like:

Cron jobs can be used to update the rules dynamically.

This repository is Experimental, meaning that it's based on untested ideas or techniques and not yet established or finalized, or involves a radically new and innovative style! This means that support is best effort (at best!) and we strongly encourage you to NOT use this in production.

Setup

This package is supported on arm64 and amd64 servers.

packetnet-fw-agent requires 3 configuration variables:

PACKET_AUTH_TOKEN: a read-only Packet API key.

PACKET_PROJECT_ID: the project in which the hosts reside.

PACKET_SEEK_TAG (Optional): if set, only hosts tagged with this value will be targeted.

PUBLIC (Optional): if set, public IP addresses are included in the ruleset. These hosts then become inaccessible except from other hosts in the network.
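The selection logic the variables above describe (project-wide versus tag-based targeting, and the effect of PUBLIC) is small enough to show end to end. The following is an added example written for this README, not the packetnet-fw-agent code itself: it takes a constructed device list shaped like a Packet API devices response (the field names ip_addresses, address, public, address_family and tags are assumptions to verify against the real API), selects the peer addresses, renders an iptables allowlist chain that ends in DROP, and includes a lockout guard that refuses a ruleset which would not admit the host's own address. The chain name PACKET-FW is invented for the example.

```python
"""Added example (not the packetnet-fw-agent code): build an allowlist from a
Packet-style device list, honouring PACKET_SEEK_TAG and PUBLIC, and render the
iptables commands that admit those peers and drop everything else."""
import ipaddress
import json

# Constructed sample resembling a Packet API /projects/{id}/devices response.
# The field names used here are assumptions, not taken from the real API docs.
SAMPLE_DEVICES = json.loads("""
[
  {"hostname": "capsule-1", "tags": ["capsule"],
   "ip_addresses": [
     {"address": "10.80.1.2", "public": false, "address_family": 4},
     {"address": "203.0.113.10", "public": true, "address_family": 4},
     {"address": "2001:db8::10", "public": true, "address_family": 6}]},
  {"hostname": "capsule-2", "tags": ["capsule"],
   "ip_addresses": [
     {"address": "10.80.1.3", "public": false, "address_family": 4},
     {"address": "203.0.113.11", "public": true, "address_family": 4}]},
  {"hostname": "bastion", "tags": ["mgmt"],
   "ip_addresses": [
     {"address": "10.80.1.4", "public": false, "address_family": 4},
     {"address": "203.0.113.12", "public": true, "address_family": 4}]}
]
""")


def select_peers(devices, seek_tag=None, include_public=False):
    """Return the sorted IPv4 addresses the firewall should admit.

    seek_tag=None mirrors the project-wide mode; a tag narrows the set to
    hosts carrying that tag (PACKET_SEEK_TAG). include_public mirrors PUBLIC:
    public addresses are admitted too, and because the rendered chain ends in
    DROP, the host is then unreachable from anything not in the list.
    """
    peers = set()
    for dev in devices:
        if seek_tag is not None and seek_tag not in dev.get("tags", []):
            continue
        for ip in dev.get("ip_addresses", []):
            if ip.get("address_family") != 4:
                continue  # the example stays with IPv4 / iptables
            if ip.get("public") and not include_public:
                continue
            # ip_address() raises on malformed input rather than emitting a bad rule
            peers.add(str(ipaddress.ip_address(ip["address"])))
    return sorted(peers, key=ipaddress.ip_address)


def render_rules(peers, chain="PACKET-FW"):
    """Render iptables commands (as strings, not executed) for an allowlist chain.

    The chain is flushed and rebuilt so periodic runs (cron or CHECK_INTERVAL)
    converge on the current host list instead of accumulating stale entries.
    Loopback and established traffic are accepted first so a rebuild neither
    breaks local services nor cuts the session that is applying the rules.
    """
    rules = [
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -F {chain}",
        f"iptables -A {chain} -i lo -j ACCEPT",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [f"iptables -A {chain} -s {p} -j ACCEPT" for p in peers]
    rules.append(f"iptables -A {chain} -j DROP")
    # Attach the chain to INPUT only once: check for the jump before inserting it.
    rules.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}")
    return rules


def check_self_admitted(peers, own_addresses):
    """Lockout guard: a ruleset that admits none of this host's own addresses
    would cut the host off from its peers, so refuse to apply it."""
    return any(addr in peers for addr in own_addresses)


if __name__ == "__main__":
    peers = select_peers(SAMPLE_DEVICES, seek_tag="capsule", include_public=True)
    if not check_self_admitted(peers, ["10.80.1.2"]):
        raise SystemExit("refusing ruleset: own address not admitted")
    print("\n".join(render_rules(peers)))
```

Piping the printed commands into a shell on a test host is enough to see the effect; note that with include_public set (the PUBLIC mode) the bastion's addresses are not admitted when seeking the capsule tag, so a host applying this ruleset is unreachable from that bastion, which is exactly the lockout the PUBLIC variable's description warns about.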

Usage

The package can be built for arm64 and amd64 hosts using the Makefile:

make build
make build-arm

and then run:

PACKET_AUTH_TOKEN=<ro token> \
PACKET_SEEK_TAG="capsule" \
PACKET_PROJECT_ID=<id> ./packetnet-fw-agent

or use the Docker images published on Docker Hub:

jmarhee/packetnet-fw-agent.amd64

jmarhee/packetnet-fw-agent.arm64

as in:

docker run -d --restart=always --net=host --cap-add=NET_ADMIN \
--name packetnet-fw-agent \
-e PACKET_AUTH_TOKEN=$PACKET_AUTH_TOKEN \
-e PACKET_PROJECT_ID=$PACKET_PROJECT_ID \
-e PACKET_SEEK_TAG=$PACKET_SEEK_TAG \
-e PUBLIC=$PUBLIC \
-e CHECK_INTERVAL=300 jmarhee/packetnet-fw-agent.amd64:latest

You can build the Docker images using the Makefile:

make TAG=$(date +%F%H%M%S) docker-arm64
make TAG=$(date +%F%H%M%S) docker-amd64

which will build new binaries as well for the desired architecture.

Example

In example/, you can use Terraform to spin up a test environment.

export TF_VAR_auth_token=<your RW API key>
export TF_VAR_packet_ro_token=<your RO API key>
export TF_VAR_packet_public_network="true"

terraform apply

This example creates two hosts running packetnet-fw-agent. The tagged node will be inaccessible from outside the network.