Skip to main content

Firewall

The Configuration reference provides the full configuration reference and the sections following after describe the most relevant firewall configuration sections with more elaborated examples.

Configuration reference

v0.40v0.39v0.38next

Anapaya appliance configuration (firewall only)

firewall object

The necessary configuration data for firewalling the Anapaya appliance.

modestring

The firewall mode declares how the appliance handles firewall rules. Depending on the mode, the appliance either generates a default set of rules, prepends some custom rules, or uses only the specified custom rules.

Possible values: [AUTO, PREPEND, CUSTOM, UNMANAGED]

tables object[]

The list of nftables tables on the Anapaya appliance. The usage of the list depends on the firewall mode.

  • Array [
    • chains object[]

    Chains defined within the nftables table.

  • Array [
    • chaintypestring

    The type and usage of the chain. This must be set for base chains and unset for regular chains.

    Possible values: [FILTER, ROUTE, NAT]

    hookstring

    The packet processing step during which the chain should be executed. This must be set for base chains and unset for regular chains. For more information on the chain hooks, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks.

    Possible values: [PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING]

    namestringrequired

    The name of the chain.

    policystring

    The default policy that will be applied to packets that reach the end of the chain. For more information on chain policies, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_policy.

    Possible values: [ACCEPT, DROP]

    priorityinteger<int32>

    The priority of the chain. This must be set for base chains and unset for regular chains.

    rules object[]

    Rules defined as part of a chain within a firewall table.

  • Array [
    • commentstring

    Description, or comment, for the firewall rule.

    rulestringrequired

    The rule definition consists of expressions and statements in string format. The expressions are evaluated from left to right and if the packet matches the expressions the statement is executed. For information on the supported syntax for expressions and statements, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Main_Page#Expressions:_Matching_packets and https://wiki.nftables.org/wiki-nftables/index.php/Main_Page#Statements:_Acting_on_packet_matches.

    sequence_idinteger<uint32>required

    The sequence ID determines the order in which sequence the firewall rules are applied. The sequence ID must be unique for each entry. Target devices apply the rules in order of ascending sequence ID (low to high).

    Example: 1
  • ]
  • ]
    • counters object[]

    Optional named counters defined within the nftables table.

  • Array [
    • namestringrequired

    The name of the counter.

  • ]
    • familystring

    The family type of the nftables. For more information on table families, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families.

    Possible values: [IP, IP6, INET]

    namestringrequired

    Name of the nftables table.

  • ]

    • Automatic firewall rule generation

    In AUTO and PREPEND mode, the appliance generates a set of firewall rules based on the other sections of the appliance configuration. The following traffic is allowed by default:

    • All established and related connections, i.e., connections that are initiated from the appliance itself.
    • Traffic on the default loopback interface lo.
    • Traffic on wireguard interfaces.
    • Traffic for port 22 (SSH) and the port of the management API (443 by default) on the management addresses.
    • Traffic for the configured telemetry endpoints.
    • SCION control plane and appliance cluster synchronization traffic.
    • BGP traffic for the configured BGP peers.
    • ICMP echo and neighbor discovery traffic.
    • Traffic to the management API over the shuttle interface, if a shuttle interface is specified in the interfaces section.
    • Traffic is forwarded to/from the shuttle interface for allowed_destinations when a shuttle server is configured.

    Any other traffic that is not explicitly allowed by the rules above is dropped.

    Limitations

    As the appliance firewall is tightly coupled to nftables, the following limitations apply:

    • Similar to the counters, nftables supports sets. However, the appliance firewall does not support named sets but only anonymous sets. So if you want to use sets (e.g. tcp dport { 22, 23 }), you have to define them within the rule.

    Examples of firewall configuration in different modes

    PREPEND

    The example below shows how to configure the Anapaya appliance firewall in PREPEND mode by defining a custom rule that gets executed before the generated rules for the default_input and default_forward chains. Furthermore, it defines a base chain for the POSTROUTING hook and a regular chain that can be reached via a jump statement.

    Loading...

    CUSTOM

    The example below shows how to configure the appliance firewall in CUSTOM mode.

    Loading...

    Named counters

    Each rule can include a non-verdict counter statement. Nftables distinguishes between anonymous and named counters. Named counters are defined on the table level and can be referenced in rules by their name (e.g. counter name "my_counter"). Anonymous counters are defined within the rule and can only be used in this rule.