threefoldtech / zos

Autonomous operating system
https://threefold.io/host/
Apache License 2.0

farmer local network security #2455

Open xmonader opened 2 weeks ago

xmonader commented 2 weeks ago

TBD @delandtj

Mik-TF commented 1 week ago

Any progress on this one? @delandtj

delandtj commented 1 week ago

So in a nutshell (tested on my machine as to how it behaves): you'd want to add these nft rules in the namespace that does NAT for VMs. In case of the 'light' version I assume you'd do it in the host namespace, otherwise in the ndmz namespace.

HERE are the tools and calls necessary to find the default gateway MAC address, as well as the rules to be added to the forwarding chain for each networkd incantation (in errlang, of course).

Mik-TF commented 1 week ago

Great. Looks straightforward. @delandtj

@xmonader perhaps you can have a look and see how to implement this solution.

Do you guys propose host namespace or ndmz namespace?

delandtj commented 1 week ago

> Do you guys propose host namespace or ndmz namespace?

You'll have to put the rules in the one that is appropriate.

Mik-TF commented 1 week ago

Alright great. So all we need now is to implement + test it.

xmonader commented 5 days ago

@delandtj How does that work in case of a farmerbot managing the farm?

delandtj commented 3 days ago

We'll have to learn to live with it a bit during development and testing, adding nft rules as we go. But indeed, let's talk a bit about what we need. So:

LeeSmet commented 3 days ago

For mycelium/ygg, discovery is one thing, but we also need to allow connections to the default ports of those services so something can be done with the discovered peers. Other than that, I think that about sums it up.
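
The following is an added example illustrating the approach sketched in this thread (find the default gateway's MAC, then add nft rules in the namespace that NATs the VMs, plus the overlay-port exception LeeSmet mentions); it is not the zos project's code and not the rules delandtj linked. It parses constructed `ip route` / `ip neigh` output, renders an nftables ruleset, and only loads it when invoked with `apply`. The interface names `eth0` and `br-vm`, the table name `vmguard`, the extra `input` chain and the overlay port 9651 are assumptions to adapt to your deployment.

```shell
#!/bin/sh
# Added example for this issue, not zos project code: derive the default gateway,
# its MAC and the on-link prefix from `ip route` / `ip neigh` output and render an
# nftables ruleset for the namespace that NATs the VMs. Interface names, the
# table name and the overlay port are assumptions (placeholders).

# Print "<dev> <gateway>" parsed from `ip route show default` output.
gw_from_route() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) { if ($i == "via") gw = $(i + 1); if ($i == "dev") dev = $(i + 1) }
        print dev, gw; exit }'
}

# Print the lladdr (MAC) parsed from `ip neigh show to <gateway>` output.
mac_from_neigh() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "lladdr") { print $(i + 1); exit } }'
}

# Print the on-link prefix of <dev> from `ip route` output (the "scope link" entry).
subnet_from_route() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '$1 ~ /\// && $0 ~ ("dev " dev "( |$)") && $0 ~ /scope link/ { print $1; exit }'
}

# Render the ruleset. Arguments: uplink, VM bridge, gateway MAC, LAN prefix, overlay port.
build_ruleset() {
    cat <<EOF
table inet vmguard {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # frames entering from the uplink must carry the gateway's MAC:
        # LAN hosts talking to the VMs directly are dropped
        iifname "$1" ether saddr != $3 drop
        # VMs may not reach the farmer's LAN; only off-link (routed) traffic passes
        iifname "$2" oifname "$1" ip daddr $4 drop
    }
    chain input {
        type filter hook input priority filter; policy accept;
        # keep the mycelium/ygg listener reachable so discovered LAN peers can connect
        iifname "$1" meta l4proto { tcp, udp } th dport $5 accept
        # other LAN-originated traffic aimed at the namespace itself is dropped
        iifname "$1" ether saddr != $3 drop
    }
}
EOF
}

# Constructed sample output standing in for what `ip route` and `ip neigh` print.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE'

# Tie the parsers together: routes text, neigh text -> ruleset on stdout.
render() {
    routes="$1"; neigh="$2"
    set -- $(gw_from_route "$routes")        # $1 = uplink dev, $2 = gateway IP
    build_ruleset "$1" br-vm "$(mac_from_neigh "$neigh")" "$(subnet_from_route "$routes" "$1")" 9651
}

if [ "${1-}" = "apply" ]; then
    # live mode: run inside the NAT namespace (ip netns exec ...) and load via nft
    gw=$(gw_from_route "$(ip route show default)" | awk '{ print $2 }')
    render "$(ip route)" "$(ip neigh show to "$gw")" | nft -f -
else
    render "$SAMPLE_ROUTES" "$SAMPLE_NEIGH"
fi
```

The `ether saddr` checks work because the forward and input hooks still see the ingress frame's source MAC, whereas the outbound direction cannot be matched on destination MAC there (it is not resolved yet), which is why the outbound rule matches the uplink's on-link prefix instead. Two caveats when testing: a DHCP server or DNS resolver that is a LAN host rather than the gateway needs its own accept before the `input` drop, and the gateway MAC must be refreshed if the neighbour entry changes (for example after a router swap), so the script is meant to be re-run per networkd pass, as the thread suggests.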

Mik-TF commented 2 days ago

So as I understand, we are now ready to implement + test this.

@xmonader can you manage to test this with dev team? Maybe Lee and Jan can help.