siddarthkay / go-nftables-manager

This repository contains a Go CLI tool that configures nftables firewall rules based on Consul catalog data.
MIT License

firewall manager cli tool MVP #1

Closed siddarthkay closed 1 month ago

siddarthkay commented 6 months ago

This issue is created to log my progress while building -> https://docs.infra.status.im/team/recruitment/firewall/index.html

nftables rule documentation -> https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management

I know that the point of the task is to not get a perfect production-ready solution but I will try my best to do what I can.

siddarthkay commented 6 months ago

I initially attempted to get the sample services JSON via curl like this:

curl -v https://docs.infra.status.im/team/recruitment/firewall/services.json

but was greeted with GitHub authentication, so I decided, for the time being, to keep the data inside testdata/services.json

siddarthkay commented 6 months ago

I also set up a basic nix-shell so that the code can be executed as is, without compiling to a binary, for the time being. In the basic nix-shell I pull in Go and nftables.

siddarthkay commented 6 months ago

Assuming this curl request works

curl -sSf --get 'localhost:8500/v1/catalog/service/wireguard' \
   --data-urlencode filter="NodeMeta.env==metrics and NodeMeta.stage==prod" \
   | jq '.[] | { Node, NodeMeta, ServiceMeta }'

where this tool will be used, and based on what I can see here: https://developer.hashicorp.com/consul/api-docs/catalog#list-services, I wrote a simple client implementation in Go which tries to get services from Consul and construct our services list, similar to the services.json we placed in the testdata folder.

I also added a cute retry mechanism which fails after 3 attempts and waits 2 seconds between every failed attempt.

I also assume that NodeMeta.env will be one of the following:

and that NodeMeta.stage will be either "prod" or "test"
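As an added example, not the repository's own client code, the following Go program does what the curl command above does: it builds the same NodeMeta.env/NodeMeta.stage filter, calls /v1/catalog/service/&lt;name&gt;, retries 3 times with a 2-second pause as described in this comment, and flattens the answer into a services list. The subset of catalog fields kept, the sample JSON, and the fake agent built with net/http/httptest (standing in for a real Consul on localhost:8500 so the program runs offline) are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// CatalogEntry: the fields of one /v1/catalog/service/<name> element we need (Consul API names).
type CatalogEntry struct {
	Node           string            `json:"Node"`
	Address        string            `json:"Address"`
	NodeMeta       map[string]string `json:"NodeMeta"`
	ServiceName    string            `json:"ServiceName"`
	ServiceAddress string            `json:"ServiceAddress"`
	ServicePort    int               `json:"ServicePort"`
}

// Service is the flattened record a rule generator would consume.
type Service struct {
	Name, Node, Addr, Env, Stage string
	Port                         int
}

// sampleCatalog is constructed test data shaped like a Consul catalog answer.
var sampleCatalog = []byte(`[
 {"Node":"node-01","Address":"10.0.0.11","NodeMeta":{"env":"metrics","stage":"prod"},
  "ServiceName":"wireguard","ServiceAddress":"","ServicePort":51820},
 {"Node":"node-02","Address":"10.0.0.12","NodeMeta":{"env":"metrics","stage":"prod"},
  "ServiceName":"wireguard","ServiceAddress":"10.0.1.12","ServicePort":51820}
]`)

// catalogFilter builds the filter from the curl example; quoting the values keeps a
// meta value containing spaces or operators from changing the expression.
func catalogFilter(env, stage string) string {
	return fmt.Sprintf("NodeMeta.env==%q and NodeMeta.stage==%q", env, stage)
}

// serviceURL URL-encodes the filter into the query, like curl --data-urlencode.
func serviceURL(base, name, filter string) string {
	q := url.Values{"filter": {filter}}
	return base + "/v1/catalog/service/" + url.PathEscape(name) + "?" + q.Encode()
}

// parseCatalog decodes the JSON array; an empty ServiceAddress means the
// service is reachable on the node's own Address.
func parseCatalog(body []byte) ([]Service, error) {
	var entries []CatalogEntry
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, fmt.Errorf("decode catalog: %w", err)
	}
	out := make([]Service, 0, len(entries))
	for _, e := range entries {
		addr := e.ServiceAddress
		if addr == "" {
			addr = e.Address
		}
		out = append(out, Service{e.ServiceName, e.Node, addr, e.NodeMeta["env"], e.NodeMeta["stage"], e.ServicePort})
	}
	return out, nil
}

// fetchWithRetry issues the GET up to attempts times, sleeping wait between
// failures; a non-200 answer counts as a failure, not as catalog data.
func fetchWithRetry(c *http.Client, u string, attempts int, wait time.Duration) ([]byte, error) {
	var lastErr error
	for i := 1; i <= attempts; i++ {
		resp, err := c.Get(u)
		if err == nil {
			body, rerr := io.ReadAll(resp.Body)
			resp.Body.Close()
			if rerr == nil && resp.StatusCode == http.StatusOK {
				return body, nil
			}
			err = fmt.Errorf("status %q, read error: %v", resp.Status, rerr)
		}
		lastErr = err
		if i < attempts {
			time.Sleep(wait)
		}
	}
	return nil, fmt.Errorf("giving up after %d attempts: %w", attempts, lastErr)
}

func main() {
	calls := 0 // constructed fake agent: the first two requests fail, the third answers
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		if calls++; calls < 3 {
			http.Error(w, "agent not ready", http.StatusServiceUnavailable)
			return
		}
		w.Write(sampleCatalog)
	}))
	defer srv.Close()
	u := serviceURL(srv.URL, "wireguard", catalogFilter("metrics", "prod"))
	body, err := fetchWithRetry(srv.Client(), u, 3, 2*time.Second)
	svcs, _ := parseCatalog(body) // body is nil when the fetch failed, so this yields no services
	fmt.Printf("%d services after %d requests, err=%v\n", len(svcs), calls, err)
}
```

Two details worth keeping when wiring this to a real agent: a 5xx or a truncated body is treated as a failed attempt rather than as an empty catalog, so a flapping agent cannot silently produce a ruleset with no allowed sources, and the env/stage values are inserted into the filter quoted rather than spliced in raw.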

siddarthkay commented 6 months ago

Decided to take a little break from nftables and strengthen my firewall fundamentals first. Played around with a few rules using ufw on Ubuntu and then iptables. I realised that ufw is a wrapper around iptables and that iptables gives you more granular control over the firewall rules.

There could be two ways to automatically apply these rules:

I shall evaluate both approaches to figure out which one is more reliable.

siddarthkay commented 6 months ago

I finally went ahead with the nftables implementation because this would help us in the future when we migrate from iptables to nftables. The detailed usage of the tool is captured in Readme.MD

In a nutshell, this tool pings Consul to retrieve the list of services and first generates an nftables.rule file, which is then applied on the system with nft -f path/to/rules/file. I also flush existing rulesets before I do this to ensure rules are not applied twice.

The current makefile and nix implementation are pretty raw and may not work as expected. The original intent was to ensure this tool could be compiled on any linux box that does not have golang installed.

For the time being I am assuming that the executable would be called via crontab.
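As an added example of the generate-then-apply step described in this comment (this is not the tool's own generator), the Go program below turns a list of services into one complete nftables file. The rule layout (an inet table with an input chain, default policy drop, per-service anonymous sets of allowed source addresses) and the sample service list are assumptions of this example; the real task may call for different rules. Two points the example shows beyond the description above: the `flush ruleset` line is placed inside the generated file, so `nft -f` flushes and loads in one atomic transaction instead of leaving a gap between a separate flush and the load, and every catalog value is validated before it is rendered, because the file is executed by nft and a name or address string containing a newline or a brace would otherwise become a rule of its own.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// Service is one allowed (source address, protocol, port) triple taken from the catalog;
// Name only becomes a comment in the generated file.
type Service struct {
	Name, Addr, Proto string
	Port              int
}

// sampleServices is constructed input with a duplicate catalog entry and an IPv6 node.
var sampleServices = []Service{
	{"wireguard", "10.0.0.11", "udp", 51820},
	{"wireguard", "10.0.0.12", "udp", 51820},
	{"wireguard", "10.0.0.11", "udp", 51820},
	{"node-exporter", "10.0.0.12", "tcp", 9100},
	{"node-exporter", "fd00::12", "tcp", 9100},
}

const nameChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"

// validate rejects catalog data that could not be rendered safely: the address must
// parse, the port must be in range, the protocol must be known, and the name may only
// contain characters that cannot terminate the comment line it is written into.
func validate(svcs []Service) error {
	for i, s := range svcs {
		_, err := netip.ParseAddr(s.Addr)
		if err != nil || s.Port < 1 || s.Port > 65535 || (s.Proto != "tcp" && s.Proto != "udp") ||
			strings.Trim(s.Name, nameChars) != "" {
			return fmt.Errorf("entry %d (%q): invalid %s %s/%d", i, s.Name, s.Addr, s.Proto, s.Port)
		}
	}
	return nil
}

type ruleKey struct {
	Name, Proto string
	Port        int
}

func sortedAddrs(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for a := range set {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

// renderRuleset groups the allowed sources per (name, proto, port) into anonymous sets and
// emits one complete file. "flush ruleset" is its first statement so that nft -f drops the
// old rules and loads the new ones in a single transaction, never leaving the host unfiltered.
func renderRuleset(svcs []Service) (string, error) {
	if err := validate(svcs); err != nil {
		return "", err
	}
	v4, v6, keys := map[ruleKey]map[string]bool{}, map[ruleKey]map[string]bool{}, []ruleKey{}
	for _, s := range svcs {
		k := ruleKey{s.Name, s.Proto, s.Port}
		if v4[k] == nil {
			v4[k], v6[k] = map[string]bool{}, map[string]bool{}
			keys = append(keys, k)
		}
		if netip.MustParseAddr(s.Addr).Is4() {
			v4[k][s.Addr] = true
		} else {
			v6[k][s.Addr] = true
		}
	}
	sort.Slice(keys, func(i, j int) bool { // deterministic output makes diffs between runs meaningful
		return keys[i].Name < keys[j].Name || (keys[i].Name == keys[j].Name && keys[i].Port < keys[j].Port)
	})
	var b strings.Builder
	b.WriteString("#!/usr/sbin/nft -f\n# generated from the Consul catalog, do not edit by hand\nflush ruleset\n\n")
	b.WriteString("table inet filter {\n\tchain input {\n\t\ttype filter hook input priority 0; policy drop;\n")
	b.WriteString("\t\tct state established,related accept\n\t\tiif lo accept\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "\t\t# %s\n", k.Name)
		if ips := sortedAddrs(v4[k]); len(ips) > 0 {
			fmt.Fprintf(&b, "\t\tip saddr { %s } %s dport %d accept\n", strings.Join(ips, ", "), k.Proto, k.Port)
		}
		if ips := sortedAddrs(v6[k]); len(ips) > 0 {
			fmt.Fprintf(&b, "\t\tip6 saddr { %s } %s dport %d accept\n", strings.Join(ips, ", "), k.Proto, k.Port)
		}
	}
	b.WriteString("\t}\n}\n")
	return b.String(), nil
}

func main() {
	rs, err := renderRuleset(sampleServices)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(rs) // on a host: write to a file, then `nft -c -f FILE` to parse-check, then `nft -f FILE`
}
```

Before loading, `nft -c -f FILE` parses the file without touching the kernel, which catches a generator bug before a cron run replaces the live ruleset. Because the chain policy is drop and only the listed services are admitted, the catalog (or the tool's own defaults) must also cover whatever path is used to manage the host, or the first cron run locks it out.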