Closed siddarthkay closed 1 month ago
I initially attempted to get the sample services JSON via curl like this:
curl -v https://docs.infra.status.im/team/recruitment/firewall/services.json
but was greeted with GitHub authentication, so I decided to keep the data inside testdata/services.json for the time being.
I also set up a basic nix-shell so that the code could be executed as is, without compiling to a binary, for the time being. In the basic nix-shell I pull in golang and nftables.
Assuming this curl request works where this tool will be used:
curl -sSf --get 'localhost:8500/v1/catalog/service/wireguard' \
--data-urlencode filter="NodeMeta.env==metrics and NodeMeta.stage==prod" \
| jq '.[] | { Node, NodeMeta, ServiceMeta }'
and based on what I can see here: https://developer.hashicorp.com/consul/api-docs/catalog#list-services, I wrote a simple client implementation in Go which tries to get services from Consul and construct our services list, similar to the services.json we placed in the testdata folder.
I also added a cute retry mechanism which fails after 3 attempts and waits 2 seconds between every failed attempt.
I also assume that NodeMeta.env will be one of the following:
and that NodeMeta.stage will be either "prod" or "test".
Decided to take a little break from nftables and strengthen my firewall fundamentals first.
Played around with a few rules using ufw on Ubuntu and then iptables.
I realised that ufw is a wrapper around iptables and that iptables gives you more granular control over the firewall rules.
There could be two ways to automatically apply these rules:
the iptables command line approach, executing these commands via any scripting or programming language (my choice would be Go),
OR an iptables.rules file and then restarting the firewall for the rules to come into effect.
I shall evaluate both approaches to figure out which one is more reliable.
I finally went ahead with the nftables implementation because this would help us in the future when we migrate from iptables to nftables.
The detailed usage of the tool is captured in Readme.MD.
In a nutshell, this tool pings Consul to retrieve the list of services and first generates an nftables.rule file, which is then applied on the system with nft -f path/to/rules/file.
I also flush existing rulesets before I do this to ensure rules are not applied twice.
The current makefile and nix implementation are pretty raw and may not work as expected. The original intent was to ensure this tool could be compiled on any Linux box that does not have golang installed.
For the time being I am assuming that the executable would be called via crontab.
This issue is created to log my progress while building -> https://docs.infra.status.im/team/recruitment/firewall/index.html
nftables rule documentation -> https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management
I know that the point of the task is not to get a perfect production-ready solution, but I will try my best to do what I can.