New proposal types for firewall configuration

The Internet Computer node machines use a firewall to protect themselves from network attacks. Currently, all node machines use exactly the same firewall configuration, which is set in the registry via a proposal (propose-to-set-firewall-config). This firewall configuration is provided as a single string that defines the ruleset in nftables format (which is the format used by the firewall running on the guest-OS), and a list of IPv6 prefixes that is then injected into the former string. The list is updated with every new datacenter that is joining the IC.

This process is problematic for multiple reasons. First, it assumes that all IC nodes will always use nftables as their firewall. This might not be true in the future, and we would like to decouple the IC protocol from specific implementation details. Second, there is no way of setting specific firewall rules for certain nodes, or certain subnets, etc. Third, the list of IP prefixes needs to be constantly updated with the onboarding of new data centers.

For these reasons, we have modified the process and are introducing three new proposal types. The new proposals allow specifying the logic of the firewall rules independently of the target platform that enforces them. These are the three new proposals:

  • propose-to-add-firewall-rules(scope, rules, positions, hash)

    • scope: scope where these rules should be applied. This can be one of:
      global - apply to all nodes (in the future also to boundary nodes)
      replica_nodes - apply to all (core) node machines
      subnet(subnet_id) - apply to all nodes that are assigned to the given subnet_id
      node(node_id) - apply to a specific node with the given node_id
    • rules: a list of rules to be added
    • positions: the positions where these rules should be added (lower position = higher priority)
    • hash: a SHA-256 hash of the expected ruleset for the given scope, after addition of the new rules. This is used to verify that the resulting ruleset is as expected by the caller.
  • propose-to-remove-firewall-rules(scope, positions, hash)
    The parameters for this proposal are similar to the ones above, where positions here are the positions to remove the rules from.

  • propose-to-update-firewall-rules(scope, rules, positions, hash)
    Again, the parameters are similar, and the positions indicate where to replace existing rules with the new given ones.

In addition to the above proposals, we are modifying the code that generates the firewall configuration on node machines to translate the rules from the logical representation in which they are stored in the registry to the target firewall platform (e.g., nftables). In addition, it will automatically whitelist all nodes that are listed in the registry to talk to all other nodes on the ports used by the IC protocol. This code will be part of the upcoming releases in the next few weeks.

Meanwhile, we plan to use the new proposal types soon, in order to prepare the firewall rules in the new format and put them into the registry.

I will be happy to provide more information for anyone interested, and to answer any questions.

Yotam

9 Likes
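The sketch below is an added example, not code from the post or from the IC code base. It models why position-based changes carry a hash of the expected result: a proposal prepared against an outdated ruleset is rejected instead of landing at the wrong priority. The JSON encoding used for hashing, the rule fields, the position semantics and all function names are assumptions.

```python
import hashlib
import json

def ruleset_hash(rules):
    # Assumed encoding: compact JSON with sorted keys, so equal rulesets hash equally.
    blob = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def add_rules(current, rules, positions):
    # Assumed semantics: rules[i] is inserted at positions[i], one after another.
    if len(rules) != len(positions):
        raise ValueError("rules and positions differ in length")
    out = list(current)
    for rule, pos in zip(rules, positions):
        if not 0 <= pos <= len(out):
            raise ValueError(f"position {pos} out of range")
        out.insert(pos, rule)
    return out

def remove_rules(current, positions):
    # Assumed semantics: positions index the ruleset as it was before any removal.
    drop = set(positions)
    if len(drop) != len(positions) or any(not 0 <= p < len(current) for p in drop):
        raise ValueError("duplicate or out-of-range position")
    return [r for i, r in enumerate(current) if i not in drop]

def apply_checked(new_ruleset, expected_hash):
    # Refuse the change if the outcome is not the ruleset the proposer hashed.
    if ruleset_hash(new_ruleset) != expected_hash:
        raise ValueError("resulting ruleset does not match the proposal hash")
    return new_ruleset

# Constructed sample rules; field names are hypothetical, prefixes are documentation space.
ALLOW_DC1 = {"prefix": "2001:db8:1::/48", "port": 22, "action": "allow"}
DENY_ALL = {"prefix": "::/0", "port": 22, "action": "deny"}
NEW_RULE = {"prefix": "2001:db8:2::/48", "port": 22, "action": "allow"}
SNAPSHOT = [ALLOW_DC1, DENY_ALL]

def demo():
    # The proposer hashes the outcome expected from the snapshot they reviewed.
    expected = ruleset_hash(add_rules(SNAPSHOT, [NEW_RULE], [1]))
    applied = apply_checked(add_rules(SNAPSHOT, [NEW_RULE], [1]), expected)
    # If position 0 is removed first, position 1 now lies after the deny rule.
    changed = remove_rules(SNAPSHOT, [0])
    try:
        apply_checked(add_rules(changed, [NEW_RULE], [1]), expected)
    except ValueError:
        return applied, True   # stale proposal rejected
    return applied, False
```

Calling `demo()` returns the ruleset from the successful add together with a flag showing that the same proposal, replayed after an intervening removal, fails the hash check.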