By default it seems like Fedora CoreOS leaves all ports open. I’m trying to modify this behavior by adding some firewall rules. I can’t find any documentation on this topic but my assumption is that FCOS is using iptables.
In Container Linux you could add firewall rules via the `/var/lib/iptables/rules-save` file. That doesn't seem to be the case for FCOS, and I can't find out where else to do it.
Whenever I edit `/etc/sysconfig/iptables` using Ignition, FCOS is unable to complete booting. Doesn’t matter what the contents of the file are. Instead it goes into emergency mode. For example, if I add this to Ignition, it'll fail to boot:
```yaml
storage:
  files:
    - path: /etc/sysconfig/iptables
      mode: 0600
      contents:
        inline: |
          *filter
          :INPUT ACCEPT [0:0]
          :FORWARD ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          COMMIT
```
Editing iptables manually after booting doesn’t seem to be an issue; it's only an issue if I write to that file via Ignition.
What’s the correct way to update firewall rules for Fedora CoreOS?