Open rcooke-warwick opened 4 months ago
Checks must be made for these in the BALENA_FIREWALL chain from the host OS:
```
~# iptables -L -vn -t filter
...
Chain BALENA-FIREWALL (1 references)
pkts bytes target prot opt in out source destination
3444 506K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
228 14017 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
0 0 ACCEPT tcp -- resin-vpn * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484
0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484
0 0 ACCEPT tcp -- docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484
0 0 ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484
0 0 ACCEPT tcp -- supervisor0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22222
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2375
439 38843 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
7 588 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- balena0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
22 5010 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
```
To ensure issues like this don't happen again:
https://github.com/balena-os/balena-supervisor/pull/2252
As this was a problem that occurred due to incompatibility between supervisor and OS, this test belongs here.
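
One way such a check could be written, as an added example that is not part of the original issue or of the balena test suite: it parses `iptables -L -vn` output for the BALENA-FIREWALL chain and reports expected rules that are missing or that sit after the catch-all REJECT for the same port. The `EXPECTED` list, the function names and the sample text are assumptions constructed from the listing in this issue.

```javascript
// Constructed input: shaped like the `iptables -L -vn -t filter` listing in this issue.
const SAMPLE = `Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 4140 565K BALENA-FIREWALL all -- * * 0.0.0.0/0 0.0.0.0/0

Chain BALENA-FIREWALL (1 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- resin-vpn * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484
    0 0 ACCEPT tcp -- supervisor0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48484 reject-with icmp-port-unreachable
    0 0 ACCEPT udp -- balena0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
`;

// Assumption: expected rules are read off the listing; adjust to the rules under test.
const EXPECTED = [
  { target: 'ACCEPT', prot: 'tcp', inIf: 'resin-vpn', dpt: 48484 },
  { target: 'ACCEPT', prot: 'tcp', inIf: 'supervisor0', dpt: 48484 },
  { target: 'REJECT', prot: 'tcp', inIf: '*', dpt: 48484 },
  { target: 'ACCEPT', prot: 'udp', inIf: 'balena0', dpt: 53 },
];

// Parse the rules of one chain; other chains and column-header rows are skipped.
function parseChain(output, chain) {
  const rules = [];
  let inChain = false;
  for (const line of output.split('\n')) {
    const header = line.match(/^Chain (\S+)/);
    if (header) { inChain = header[1] === chain; continue; }
    const f = line.trim().split(/\s+/);
    if (!inChain || f.length < 9 || !/^\d/.test(f[0])) continue;
    const dpt = f.slice(9).join(' ').match(/dpt:(\d+)/);
    rules.push({ target: f[2], prot: f[3], inIf: f[5], dpt: dpt ? Number(dpt[1]) : null });
  }
  return rules;
}

// Report expected rules that are absent, and ACCEPTs placed after the catch-all
// REJECT for the same protocol and port (iptables evaluates rules in order).
function checkChain(rules, expected) {
  const find = (e) => rules.findIndex((r) => Object.keys(e).every((k) => r[k] === e[k]));
  const missing = expected.filter((e) => find(e) === -1);
  const shadowed = expected.filter((e) => {
    const reject = rules.findIndex((r) =>
      r.target === 'REJECT' && r.inIf === '*' && r.prot === e.prot && r.dpt === e.dpt);
    return e.target === 'ACCEPT' && find(e) !== -1 && reject !== -1 && find(e) > reject;
  });
  return { missing, shadowed };
}
```

In a device test, the string passed to `parseChain` would be the output of the `iptables` command run on the host OS, and the test would fail if either returned list is non-empty.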