# Network & Firewall Configuration

## System Information

- **Date**: 2025-07-16
- **Host**: nsntr.ai
- **OS**: Ubuntu 24.04
- **Incus Version**: 6.14
- **Firewall**: UFW + nftables (Incus ACL)

## Network Architecture Overview

### Network Segmentation Strategy

```
┌──────────────────┬────────────────┬──────────────────────────────────────────┐
│ NETWORK          │ SUBNET         │ PURPOSE                                  │
├──────────────────┼────────────────┼──────────────────────────────────────────┤
│ services-net     │ 10.10.10.0/24  │ Core services (Traefik, Gitea, Drone)    │
│ development-net  │ 10.20.20.0/24  │ Dev containers, staging                  │
│ production-net   │ 10.30.30.0/24  │ Production containers, client apps       │
│ management-net   │ 10.40.40.0/24  │ Admin, monitoring, backup                │
│ incusbr0         │ 10.94.230.0/24 │ Legacy network (ubuntu01 container)      │
└──────────────────┴────────────────┴──────────────────────────────────────────┘
```

All four new bridges are NAT'd behind the host, and the host routes between them. Separate subnets therefore do not isolate anything on their own; isolation comes from the network ACLs described below.

## Network Configuration

### Network List

```
NAME             TYPE    MANAGED  IPV4            IPV6  STATE
development-net  bridge  YES      10.20.20.1/24   none  CREATED
incusbr0         bridge  YES      10.94.230.1/24  auto  CREATED
management-net   bridge  YES      10.40.40.1/24   none  CREATED
production-net   bridge  YES      10.30.30.1/24   none  CREATED
services-net     bridge  YES      10.10.10.1/24   none  CREATED
```

### Services Network (10.10.10.0/24)

```yaml
name: services-net
type: bridge
config:
  ipv4.address: 10.10.10.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.10.10.50-10.10.10.199
  ipv6.address: none
  ipv6.nat: true
  security.acls: services-acl
description: Core services network
used_by:
- /1.0/profiles/default?project=services
```

`ipv6.nat: true` has no effect while `ipv6.address` is `none`; it is left at its default on all four networks.

### Development Network (10.20.20.0/24)

```yaml
name: development-net
type: bridge
config:
  ipv4.address: 10.20.20.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.20.20.50-10.20.20.199
  ipv6.address: none
  ipv6.nat: true
  security.acls: development-acl
description: Development environment network
used_by:
- /1.0/profiles/default?project=development
```

### Production Network (10.30.30.0/24)

```yaml
name: production-net
type: bridge
config:
  ipv4.address: 10.30.30.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.30.30.50-10.30.30.199
  ipv6.address: none
  ipv6.nat: true
  security.acls: production-acl
description: Production environment network
used_by:
- /1.0/profiles/default?project=production
```

### Management Network (10.40.40.0/24)

```yaml
name: management-net
type: bridge
config:
  ipv4.address: 10.40.40.1/24
  ipv4.nat: true
  ipv4.dhcp: true
  ipv4.dhcp.ranges: 10.40.40.50-10.40.40.199
  ipv6.address: none
  ipv6.nat: true
  security.acls: management-acl
description: Management and monitoring network
used_by: []
```

`management-acl` is the intended value only: it does not appear in the ACL list below and is not created by any command in this document. Incus validates that an ACL exists when `security.acls` is set, so the ACL has to be created before this key can be applied. Until then management-net carries no ACL at all.

## IP Address Allocation

### Static IP Ranges (Reserved)

```
Network          Range           Purpose
services-net     10.10.10.10-49  Static services
development-net  10.20.20.10-49  Static dev services
production-net   10.30.30.10-49  Static prod services
management-net   10.40.40.10-49  Static management
```

### DHCP Ranges

```
Network          Range            Purpose
services-net     10.10.10.50-199  Dynamic allocation
development-net  10.20.20.50-199  Dynamic allocation
production-net   10.30.30.50-199  Dynamic allocation
management-net   10.40.40.50-199  Dynamic allocation
```

### Planned Static Assignments

```
Service          IP Address   Network         Purpose
Traefik          10.10.10.10  services-net    Reverse proxy
Gitea            10.10.10.20  services-net    Git hosting
Drone CI         10.10.10.30  services-net    CI/CD pipeline
Monitoring       10.40.40.10  management-net  System monitoring
Backup Services  10.40.40.20  management-net  Backup services
```

## Network Creation Commands

### 1. Services Network

```bash
incus network create services-net
incus network set services-net ipv4.address=10.10.10.1/24
incus network set services-net ipv4.nat=true
incus network set services-net ipv4.dhcp=true
incus network set services-net ipv4.dhcp.ranges=10.10.10.50-10.10.10.199
incus network set services-net ipv6.address=none
```

### 2. Development Network

```bash
incus network create development-net
incus network set development-net ipv4.address=10.20.20.1/24
incus network set development-net ipv4.nat=true
incus network set development-net ipv4.dhcp=true
incus network set development-net ipv4.dhcp.ranges=10.20.20.50-10.20.20.199
incus network set development-net ipv6.address=none
```

### 3. Production Network

```bash
incus network create production-net
incus network set production-net ipv4.address=10.30.30.1/24
incus network set production-net ipv4.nat=true
incus network set production-net ipv4.dhcp=true
incus network set production-net ipv4.dhcp.ranges=10.30.30.50-10.30.30.199
incus network set production-net ipv6.address=none
```

### 4. Management Network

```bash
incus network create management-net
incus network set management-net ipv4.address=10.40.40.1/24
incus network set management-net ipv4.nat=true
incus network set management-net ipv4.dhcp=true
incus network set management-net ipv4.dhcp.ranges=10.40.40.50-10.40.40.199
incus network set management-net ipv6.address=none
```

## Project Network Assignments

### Network Restrictions

The `restricted.*` project keys are only enforced once the project itself has `restricted=true`; on its own, `restricted.networks.access` changes nothing. Setting `restricted=true` also switches on the other `restricted.*` defaults (no privileged containers, no `raw.*` keys, managed networks only), so review those before applying it to an existing project.

```bash
incus project set services restricted=true restricted.networks.access=services-net
incus project set development restricted=true restricted.networks.access=development-net
incus project set production restricted=true restricted.networks.access=production-net
```

### Default Profile Updates

```bash
incus profile device add default eth0 nic network=services-net name=eth0 --project services
incus profile device add default eth0 nic network=development-net name=eth0 --project development
incus profile device add default eth0 nic network=production-net name=eth0 --project production
```

## Firewall Configuration

### Multi-Layer Security Architecture

```
┌────────────────────────────────────────────────────────┐
│ LAYER 1: Host Firewall (UFW)                           │
│   ├── SSH (22)          ✅                              │
│   ├── HTTP (80)         ✅                              │
│   ├── HTTPS (443)       ✅                              │
│   └── Incus API (8443)  ✅                              │
│                                                        │
│ LAYER 2: Network ACLs (nftables, via Incus)            │
│   ├── services-acl      ✅                              │
│   ├── development-acl   ✅                              │
│   └── production-acl    ✅                              │
│                                                        │
│ LAYER 3: Network Isolation                             │
│   ├── services-net: full access to dev/prod   ✅        │
│   ├── development-net: limited access         ✅        │
│   └── production-net: strict access           ✅        │
└────────────────────────────────────────────────────────┘
```

### Host Firewall (UFW)

```bash
# Add the allow rules before enabling: UFW denies incoming traffic by default,
# so enabling first from a remote SSH session can cut the session off
ufw allow ssh
ufw allow 80/tcp comment "HTTP"
ufw allow 443/tcp comment "HTTPS"
ufw allow 8443/tcp comment "Incus API"

# Enable UFW
ufw --force enable
```

Two points to check against this rule set:

- Port 8443 is the Incus REST API and is open from Anywhere. Unless remote Incus clients genuinely need it, restrict it to the administrative source range with `ufw allow from <admin-cidr> to any port 8443 proto tcp comment "Incus API"` (where `<admin-cidr>` is your admin network) and delete the unrestricted rule.
- UFW's default forward policy is DROP, which can block traffic forwarded between the host and the Incus bridges. The workaround given in the Incus firewall documentation is, per bridge, `ufw allow in on <bridge>`, `ufw route allow in on <bridge>` and `ufw route allow out on <bridge>`. None of these are present in the status below, so verify DHCP and outbound connectivity from a container on each bridge.

### Current UFW Status

```
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere                   # Incus API
80/tcp                     ALLOW       Anywhere                   # HTTP
443/tcp                    ALLOW       Anywhere                   # HTTPS
22/tcp (v6)                ALLOW       Anywhere (v6)
8443/tcp (v6)              ALLOW       Anywhere (v6)              # Incus API
80/tcp (v6)                ALLOW       Anywhere (v6)              # HTTP
443/tcp (v6)               ALLOW       Anywhere (v6)              # HTTPS
```

## Network ACL Configuration

### ACL List

```
NAME             DESCRIPTION  USED BY
development-acl               1
production-acl                1
services-acl                  1
```

### Services ACL (services-acl)

```yaml
name: services-acl
description: ""
egress:
- action: allow
  destination: 10.20.20.0/24
  description: Access to development
  state: enabled
- action: allow
  destination: 10.30.30.0/24
  description: Access to production
  state: enabled
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80"
  description: HTTP
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "443"
  description: HTTPS
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "3000"
  description: Gitea
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "8000"
  description: Drone
  state: enabled
```

### Development ACL (development-acl)

```yaml
name: development-acl
description: ""
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "3000-9000"
  description: Dev ports
  state: enabled
- action: allow
  source: 10.10.10.0/24
  description: Services access
  state: enabled
```

### Production ACL (production-acl)

```yaml
name: production-acl
description: ""
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  description: SSH
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80,443"
  description: HTTP/HTTPS
  state: enabled
- action: allow
  source: 10.10.10.0/24
  description: Services access only
  state: enabled
- action: drop
  source: 10.20.20.0/24
  description: Block development
  state: enabled
```

## ACL Creation Commands

### 1. Create ACLs

```bash
incus network acl create services-acl
incus network acl create development-acl
incus network acl create production-acl
```

### 2. Services ACL Rules

```bash
# Ingress rules
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=80 description="HTTP"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=443 description="HTTPS"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=3000 description="Gitea"
incus network acl rule add services-acl ingress action=allow protocol=tcp destination_port=8000 description="Drone"

# Egress rules
incus network acl rule add services-acl egress action=allow destination=10.20.20.0/24 description="Access to development"
incus network acl rule add services-acl egress action=allow destination=10.30.30.0/24 description="Access to production"
```

### 3. Development ACL Rules

```bash
incus network acl rule add development-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add development-acl ingress action=allow protocol=tcp destination_port=3000-9000 description="Dev ports"
incus network acl rule add development-acl ingress action=allow source=10.10.10.0/24 description="Services access"
```

### 4. Production ACL Rules

```bash
incus network acl rule add production-acl ingress action=allow protocol=tcp destination_port=22 description="SSH"
incus network acl rule add production-acl ingress action=allow protocol=tcp destination_port=80,443 description="HTTP/HTTPS"
incus network acl rule add production-acl ingress action=allow source=10.10.10.0/24 description="Services access only"
incus network acl rule add production-acl ingress action=drop source=10.20.20.0/24 description="Block development"
```

### 5. Apply ACLs to Networks

```bash
incus network set services-net security.acls=services-acl
incus network set development-net security.acls=development-acl
incus network set production-net security.acls=production-acl
```

How Incus evaluates these ACLs once applied to a bridge network:

- The ACL is applied to every NIC attached to the network. `ingress` rules match traffic arriving at the instance, `egress` rules traffic leaving it, so a flow between two instances must pass the sender's egress rules and the receiver's ingress rules.
- Traffic that matches no rule falls to the network's default action, `security.acls.default.ingress.action` and `security.acls.default.egress.action`, both of which default to `reject`. With the rules above, development-acl and production-acl have no egress rules and services-acl only allows egress to the two internal subnets, so no instance on these three networks can reach the Internet until an egress rule or `security.acls.default.egress.action=allow` is added.
- Rules inside an ACL are not ordered; when several match, `drop` takes precedence over `reject`, which takes precedence over `allow`.
- ACLs on bridge networks need the nftables firewall driver. Confirm with `incus info | grep firewall`, which should print `firewall: nftables`.

## Security Matrix

### Network Access Control

```
┌─────────────┬─────────────┬────────────────┬────────────┬────────────────────────┐
│ SOURCE      │ DESTINATION │ PORTS          │ STATUS     │ PURPOSE                │
├─────────────┼─────────────┼────────────────┼────────────┼────────────────────────┤
│ Internet    │ Host        │ 22,80,443,8443 │ ✅ ALLOW    │ Admin, web, Incus API  │
│ Services    │ Development │ All*           │ ✅ ALLOW    │ CI/CD deployment       │
│ Services    │ Production  │ All*           │ ✅ ALLOW    │ Production deploy      │
│ Development │ Production  │ All            │ ❌ BLOCK    │ Environment isolation  │
│ Development │ Internet    │ All            │ ❌ NOT YET  │ Updates & packages     │
│ Production  │ Internet    │ All            │ ❌ NOT YET  │ Updates & packages     │
│ Services    │ Internet    │ All            │ ❌ NOT YET  │ Updates & packages     │
└─────────────┴─────────────┴────────────────┴────────────┴────────────────────────┘
```

Notes on the matrix:

1. The host row includes 8443 because UFW opens the Incus API from Anywhere; the intended exposure is 22, 80 and 443 only (see the UFW section).
2. `All*` relies on the ingress rules that match `source: 10.10.10.0/24`. Because every bridge has `ipv4.nat=true`, the host masquerades traffic it routes from one bridge onto another, so the destination NIC may see the source as the destination bridge's own gateway (10.20.20.1 or 10.30.30.1) instead of a 10.10.10.x address. Confirm with `nft list ruleset` and a packet capture inside a destination container before relying on these rules; if the source is rewritten, only the port-based rules pass (22 and 3000-9000 on development, 22, 80 and 443 on production). The production-acl `drop source=10.20.20.0/24` rule is subject to the same caveat.
3. The Internet rows are blocked by the default egress action, not by an explicit rule. Outbound package updates need either an egress `allow` rule or `incus network set <network> security.acls.default.egress.action=allow`. Once egress is opened, development-to-production isolation rests entirely on production-acl's ingress rules, which is why note 2 matters.

### Port Access Summary

```
┌──────────────────┬──────────────────────┬────────────────────────────────────┐
│ NETWORK          │ ALLOWED PORTS        │ RESTRICTIONS                       │
├──────────────────┼──────────────────────┼────────────────────────────────────┤
│ services-net     │ 22,80,443,3000,8000  │ Full access to dev/prod (egress)   │
│ development-net  │ 22,3000-9000         │ Services access only*              │
│ production-net   │ 22,80,443            │ Services only*, block dev*         │
│ management-net   │ Not configured yet   │ To be configured                   │
└──────────────────┴──────────────────────┴────────────────────────────────────┘
```
## Network Routing

### Current Routes

```
10.10.10.0/24 dev services-net proto kernel scope link src 10.10.10.1
10.20.20.0/24 dev development-net proto kernel scope link src 10.20.20.1
10.30.30.0/24 dev production-net proto kernel scope link src 10.30.30.1
10.40.40.0/24 dev management-net proto kernel scope link src 10.40.40.1
```

### Gateway Configuration

```
Network          Gateway     NAT Status
services-net     10.10.10.1  Enabled
development-net  10.20.20.1  Enabled
production-net   10.30.30.1  Enabled
management-net   10.40.40.1  Enabled
```

## Monitoring & Troubleshooting

### Network Diagnostics

```bash
# Check network status
incus network list
incus network show <network>

# Confirm Incus is using the nftables driver (required for ACLs on bridge networks)
incus info | grep firewall

# Check ACL configuration
incus network acl list
incus network acl show <acl>

# Check routing
ip route show
ip addr show

# Check firewall state: UFW for the host rules, nft for the Incus-generated
# tables (named incus); iptables -L does not show the latter
ufw status verbose
nft list ruleset
```

### Log Monitoring

```bash
# UFW logs
tail -f /var/log/ufw.log

# Incus logs
journalctl -u incus -f

# Kernel messages
dmesg | grep -i network
```

### Performance Monitoring

```bash
# Network statistics
incus network info <network>
cat /proc/net/dev
ss -tuln

# Bridge statistics (brctl needs the deprecated bridge-utils package; iproute2 covers it)
ip -d link show type bridge
bridge link show
```

## Security Best Practices

### Implemented Security Measures

1. **Network Segmentation**: Isolated environments
2. **Defense in Depth**: Multiple firewall layers
3. **Principle of Least Privilege**: Minimal required access
4. **Traffic Control**: Controlled inter-network communication
5. **Attack Surface Reduction**: Limited exposed ports
6. **Audit Trail**: All firewall rules documented

### Security Enhancements (Planned)

1. **Container-level firewalls** (iptables in containers)
2. **Service mesh security** (mTLS between services)
3. **Rate limiting** (fail2ban, nginx limits)
4. **Monitoring & alerting** (firewall logs, intrusion detection)
5. **SSL/TLS certificates** (Let's Encrypt automation)
6. **VPN access** for remote administration
7. **Network monitoring** (traffic analysis, anomaly detection)

## Backup & Recovery

### Network Configuration Backup

```bash
# Export network configurations (one file per network)
incus network show <network> > <network>.yaml

# Export ACL configurations (one file per ACL)
incus network acl show <acl> > <acl>.yaml

# Backup UFW rules (the authoritative rule files are
# /etc/ufw/user.rules and /etc/ufw/user6.rules)
ufw status numbered > ufw-rules-backup.txt
```

### Recovery Procedures

```bash
# Re-create a network from its export: create it, then load the saved config
incus network create <network>
incus network edit <network> < <network>.yaml

# Re-create an ACL from its export (rules are read from the YAML on stdin)
incus network acl create <acl> < <acl>.yaml

# Restore UFW rules
ufw --force reset
# Then reapply the allow rules from the backup and enable UFW again
```

## Maintenance Commands

### Regular Maintenance

```bash
# Check network health
incus network list
incus network acl list

# Update firewall rules if needed
ufw status
ufw reload

# Monitor network performance
incus network info <network>
```

### Troubleshooting Commands

```bash
# Test connectivity
ping <host>
telnet <host> <port>

# Check DNS resolution
nslookup <host>
dig <host>

# Check routing
traceroute <host>
mtr <host>
```

---

**Generated**: 2025-07-16 02:35:52 UTC
**Status**: Network and firewall configuration complete
**Security Level**: Multi-layer protection active
**Next**: Service container deployment with network assignments