Added firewall config in docs

Updated firewall rules in live-exam iso image generator

Added firewall config in docs
8106ab66 · Florent Gluck · 9b5d9d0f · 8106ab66 · 8106ab66
Commit 8106ab66 authored 6 months ago by Florent Gluck
--- a/docs/install.md
+++ b/docs/install.md
@@ -6,6 +6,7 @@
 * [Installing nexus-server for development](#installing-nexus-server-for-development)
 * [Building and running nexus clients](#building-and-running-nexus-clients)
 * [Building and deploying nexus live exam OS](#building-and-deploying-nexus-live-exam-OS)
+* [Server firewall configuration](#server-firewall-configuration)
 * [Creating initial templates](#creating-initial-templates)
 * [Copy a template from another server](#copy-a-template-from-another-server)
 * [Additional tools](#additional-tools)
@@ -307,6 +308,34 @@ To run the tests, make sure nexus-server for development is running, then execut
 make tests LOGIN=tests@nexus.org
 ```

+<!-- ============================================================================================================== -->
+# Server firewall configuration
+
+On the nexus server, it's a good idea to limit incoming connections to nexus-server only (and also ssh).
+The `ufw` tool provides an easy way to configure the Linux kernel firewall. Install it with:
+
+```
+sudo apt-get install -y ufw
+```
+
+Then, make sure to configure the fiewall to match open ports specified in `nexus-server/config/nexus.conf`. There is the API port and the range of ports for Spice. 
+
+Let's assume the API port is 1077 and the range of Spice ports is [42000-43000]. Use `ufw` to add the following firewall rules with:
+```
+ufw allow 1077/tcp
+ufw allow 42000:43000/tcp
+```
+
+To remove some firewall rules, list their numbers with:
+```
+ufw status numbered
+```
+
+Then delete a rule by specifying its number (here 42):
+```
+ufw delete 42
+```
+
 <!-- ============================================================================================================== -->
 # Creating initial templates


--- a/live_exam_os/config/03-boot_hooks/9999-firewall
+++ b/live_exam_os/config/03-boot_hooks/9999-firewall
@@ -8,13 +8,12 @@ firewall ()
    ufw default deny incoming
    ufw default deny outgoing
    # Allow outgoing traffic to nexus-server API
-    ufw allow out from any to $1 port $2
+    ufw allow out from any to $1 port $2 proto tcp
    # Allow outgoing ntp and dns traffic
    ufw allow out from any to any port 123 proto udp
    ufw allow out from any to any port 53 proto udp
    # Allow outgoing traffic to nexus VMs (Spice)
    ufw allow out from any to $1 port 1025:65535 proto tcp
-    ufw allow out from any to $1 port 1025:65535 proto udp

    ufw enable
 }