devops/infra/clusters/bridge/bootstrap/files/userdata.template

#cloud-config

package_update: true
package_upgrade: true
packages:
  - firehol

write_files:
  - path: /etc/sysctl.d/99-enable-ip-forward.conf
    content: net.ipv4.ip_forward = 1
  - path: /etc/default/firehol
    content: |
      START_FIREHOL=YES
      WAIT_FOR_IFACE=""
      FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT=0
  - path: /etc/firehol/firehol.conf
    content: |
      public_ip4="$(ip -4 addr show dev eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')"
      public_ip6="$(ip -6 addr show dev eth0 | grep -oP '(?<=inet6\s)[\da-f:]+')"

      lan_ips4="10.0.0.0/8"

      server_sieve_ports="tcp/4190"
      client_sieve_ports="4190"

      server_ssh_alt_ports="tcp/2223"
      client_ssh_alt_ports="2223"

      server_k3s_ports="tcp/6443"
      client_k3s_ports="6443"

      LAN="enp7s0"
      WAN="eth0"
      CONTAINERS="vxlan+ flannel+ cni+ cali+ docker+ podman+"

      version 6

      # use snat to outgoing ip4 address
      ipv4 snat to "${public_ip4}" outface ${WAN}

      # enable ipv6 basic stuff on all interfaces
      ipv6 interface any v6interop proto icmpv6
          client      ipv6neigh   accept
          server      ipv6neigh   accept
          client      ipv6router  accept
          server      ipv6router  accept
          client      ipv6mld     accept
          server      ipv6mld     accept

          policy                  return

      # enable dhcpv6 on all interfaces
      ipv6 interface any dhcpv6
          server      dhcpv6      accept
          client      dhcpv6      accept

          policy                  return

      # allow everything on lan, containers
      interface "${LAN} ${CONTAINERS}" lan
          policy                  accept

      # protect from the internet
      interface46 "${WAN}" internet src4 not "${UNROUTABLE_IPS}" dst4 "${public_ip4}" src6 not "${UNROUTABLE_IPS}" dst6 "${public_ip6}"
          protection       strong
          client           all         accept

          server           ident       reject with tcp-reset

          server          "ssh http https"          accept
          server          "pop3 pop3s smtp smtps imap imaps sieve ssh_alt k3s"          accept

      # Accept all traffic from the container interfaces towards the internet or towards other containers. Note that
      # This doesn't mean all traffic is allowed, since Kubernetes will have its own rules that will beat these.
      router containers inface "${LAN} ${CONTAINERS}" outface "${LAN} ${CONTAINERS} ${WAN}"
          policy                           accept

      # Connection between internet and lan
      router internet2lan inface ${WAN} outface ${LAN}
          client           all             accept            # allow all outgoing traffic, but I do think this is redundant with the containers policy

runcmd:
  - systemctl enable --now firehol