Feature request: Allow editing of inbound firewall rules

[johnmaguire]

Copied from https://github.com/slackhq/nebula/issues/628:

@ajuitar on Jan 8:

Is there a way to edit the nebula internal firewall settings in the Android app? The default setting are:

firewall:
  conntrack:
    tcp_timeout: 120h
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000
  outbound:
  - port: any
    proto: any
    host: any
  inbound: []

and nothing much comes in.

@m1w31l on Jul 7:

I would also be very interested in knowing that.

@brad-defined on Jul 11:

Hi @ajuitar and @m1w31l - do you mind sharing more about your use case?

What inbound access would you like to have on your Nebula mobile devices?

@m1w31l on Jul 11:

Hello @brad-defined,

I have a FTP server running on one of my Android devices that I would like to be able to reach. And a friend of mine has a remote control software that could be reached for TCP. So it would be great for me if I could configure it directly. Of course it would be great if you could upload the whole configuration at once with a QR code and not only the certificates.

@ajuitar on Jul 11:

Hello @brad-defined,

I regularly run a WebDAV server on my Android phone in order to sync some files between the phone and a laptop. If I could do so using Nebula, I woundn't need to have the phone and the laptop to be on the same network, and both my devices would have Nebula's static IPs.

Totally support this:

Of course it would be great if you could upload the whole configuration at once with a QR code and not only the certificates.

[brunoherbelin]

Hi ! Thanks for the great job with Nebula and Nebula app !

I would also like to add a rule for a group in the inbound section, e.g. :

  inbound:
    - port: any
      proto: udp
      groups:
        - mygroupname

Is it planned to add this feature to the Android app ?

[johnmaguire]

@brunoherbelin Hi Bruno, it's not currently prioritized but we're keeping it in mind for the future. Would you mind sharing your use case?

[brunoherbelin]

Thanks! I'll stay tuned! Use case: video art performance, where multiple devices are connected and stream video with SRT; mostly nebula enables to keep fixed IPs while the setup can be anywhere with internet.

[bohdantrotsenko]

I use termux on Android and there I can run "mosh-server". So, it would be great to use it via nebula.

[s-cerevisiae]

I need this to run servers on Termux. Also it would be cool if I'm able to send file between my mobile devices with Localsend and alike.

[johnmaguire]

Hi all - I don't have an update to share on configuring inbound firewall rules for Nebula OSS, but I did want to mention that if you're using a DN-managed site (defined.net), you are able to specify firewall rules for mobile devices there, which appears to be working for me with Android & nginx running in Termux.

I know this is not really a satisfactory issue to the problem at hand, but I figured I'd share this info in case it's a tenable solution for someone.

[Arkanosis]

Hello. I have another use-case for this feature, though it is very similar to the termux + mosh-server mentioned above: I frequently connect to Android phones through SSH for file transfers, backups, text editing… but for simplicity and security reasons I only do that when the phones are on the same local network as the device I'm connecting from. Being able to connect through Nebula instead would make it possible for me to connect over the Internet without having to worry about the phones' current IP addresses or having a reachable SSH port. Thanks!

[NiceGuyIT]

Another use case is Syncthing. Two phones running Syncthing cannot connect to each other because Nebula does not allow incoming connections. They can connect to a third device, and the third device can connect to both phones but they cannot talk to each other. Please note it may be possible to configure Syncthing to communicate outside of the Nebula network thus allowing two phones to directly talk to each other.