We only allow DNS requests through the `balena0` interface, but this is the default Docker bridge, which is used for containers that don't have a custom bridge. However, the Supervisor creates a custom bridge for all containers unless another network mode is specified. This custom bridge corresponds to a `br-xxxxx` interface on the host, and is entirely separate from `balena0`. Therefore, when FIREWALL_MODE is enabled, DNS requests aren't actually allowed through, due to them not going through `balena0`.

This patch allows DNS requests through `br-xxxxx` custom bridge interfaces, as defined by the rule:

`br+` indicates that any interface beginning with `br` works, although I'm unsure as to the operational security of this. EDIT: After discussion, no operational security risks were brought up.

Change-type: patch
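To see why a `-i balena0` match never admits traffic arriving on a Supervisor bridge while `-i br+` does, here is an added example (not the Supervisor's code, and the rule sets are constructed, since the real rule is not reproduced above) that emulates iptables' interface matching, where a trailing `+` turns the name into a prefix wildcard, and walks a small `iptables -S INPUT`-style chain to report the verdict for a DNS packet on a given interface.

```shell
#!/bin/sh
# Constructed sample chains in iptables -S format (assumptions, not the real rules).
# The first admits DNS only on balena0; the second uses the br+ wildcard.
RULES_BALENA0='-A INPUT -i balena0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i balena0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -j REJECT'
RULES_BRPLUS='-A INPUT -i br+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br+ -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -j REJECT'

# iface_matches PATTERN IFACE: emulate the -i match. A trailing '+' makes the
# pattern a prefix wildcard; any other pattern must equal the interface name.
iface_matches() {
  pat=$1; ifc=$2
  case $pat in
    *+) prefix=${pat%+}
        case $ifc in "$prefix"*) return 0 ;; *) return 1 ;; esac ;;
    *)  [ "$pat" = "$ifc" ] ;;
  esac
}

# dns_allowed RULES IFACE PROTO: walk the chain top to bottom and print the
# target (ACCEPT/REJECT) of the first rule matching a port-53 packet on IFACE.
dns_allowed() {
  rules=$1; ifc=$2; proto=$3
  printf '%s\n' "$rules" | while read -r line; do
    set -- $line
    in_if=''; p=''; dport=''; target=''
    while [ $# -gt 0 ]; do
      case $1 in
        -i) in_if=$2; shift ;;
        -p) p=$2; shift ;;
        --dport) dport=$2; shift ;;
        -j) target=$2; shift ;;
      esac
      shift
    done
    if [ -n "$in_if" ] && ! iface_matches "$in_if" "$ifc"; then continue; fi
    if [ -n "$p" ] && [ "$p" != "$proto" ]; then continue; fi
    if [ -n "$dport" ] && [ "$dport" != 53 ]; then continue; fi
    echo "$target"; break
  done
}

# A container on a Supervisor bridge is rejected under the first chain and
# accepted under the second; a non-bridge interface is still rejected by both.
dns_allowed "$RULES_BALENA0" br-1a2b3c4d udp
dns_allowed "$RULES_BRPLUS" br-1a2b3c4d udp
```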