Configure firewall rules

You must provision firewall rules for a Google Distributed Cloud (GDC) air-gapped appliance instance manually, because the management network uses statically allocated addresses and carries only a small, well-defined set of traffic flows.

You must apply host-based firewall policies for the traffic flows in the management network of GDC air-gapped appliance by hand. To apply port and IP filtering rules on the network interfaces of the bare metal machines, use the Uncomplicated Firewall (ufw) command-line tool, a front end to the Linux netfilter firewall.

Apply firewall rules

The management network interface on each GDC air-gapped appliance machine is eno1. The machines have the following static IP addresses on that network:

Machine name   IP address       Role
xx-aa-bm01     198.18.255.228   root admin / org admin
xx-aa-bm02     198.18.255.229   org node
xx-aa-bm03     198.18.255.230   org node

To apply the firewall rules to the management network, follow these steps:

  1. Establish a Secure Shell (SSH) connection from the bootstrapper machine or laptop to the bm01 machine using the default SSH key provided by Google.

    ssh 198.18.255.228
    
  2. Set the default ufw policies on bm01. These are global policies, not routes: all outgoing traffic is permitted, and incoming traffic is permitted unless a more specific rule denies it. Only the interface-specific rules added in the next step restrict eno1; traffic arriving on other interfaces of the machine is not filtered by this procedure.

    sudo ufw default allow outgoing
    sudo ufw default allow incoming
    
  3. Configure the policies on the bm01 root admin node. These rules allowlist inbound traffic on the management interface from the other appliance machines to bm01 on TCP ports 6385, 6180 and 5050, and for DHCP (67/udp), TFTP (69/udp) and NTP (123/udp); TFTP is additionally allowed from 198.18.255.225. They also allowlist SSH (22/tcp) from the other bare metal machines and from the bootstrapper machine or laptop (198.18.255.254). The final rule denies all other inbound traffic on eno1; ufw evaluates rules in the order they were added, so it must be added after the allow rules:

    sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 6385 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 6385 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 6180 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 6180 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 5050 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 5050 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 67 proto udp
    sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 67 proto udp
    sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 69 proto udp
    sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 69 proto udp
    sudo ufw allow in on eno1 from 198.18.255.225 to 198.18.255.228 port 69 proto udp
    sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 22 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 22 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.254 to 198.18.255.228 port 22 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 123 proto udp
    sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 123 proto udp
    sudo ufw deny in on eno1
    
  4. Enable ufw on bm01. Because the allow rules are already in place, your SSH session from the bootstrapper machine or laptop stays connected; ufw warns that the command may disrupt existing SSH connections and asks for confirmation. If you are connected from an address other than 198.18.255.254, add an allow rule for that address on port 22 before enabling, or you will lose SSH access to bm01 over eno1:

    sudo ufw enable
    
  5. Disconnect your SSH session from bm01.

  6. Establish a Secure Shell (SSH) connection from the bootstrapper machine or laptop to the bm02 machine using the default SSH key provided by Google.

    ssh 198.18.255.229
    
  7. Set the default ufw policies on bm02. As on bm01, these are global policies, not routes; the interface-specific rules in the next step are what restrict eno1:

    sudo ufw default allow outgoing
    sudo ufw default allow incoming
    
  8. Configure the policies on the bm02 org node. These rules allowlist inbound traffic from bm01 for HTTPS (443/tcp), DHCP (67/udp and 68/udp) and SSH (22/tcp), and SSH from the bootstrapper machine or laptop (198.18.255.254); the final rule denies all other inbound traffic on eno1:

    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 443 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 67 proto udp
    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 68 proto udp
    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 22 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.254 to 198.18.255.229 port 22 proto tcp
    sudo ufw deny in on eno1
    
  9. Enable ufw on bm02. Confirm the prompt about disrupting SSH connections; your session from the bootstrapper address is covered by the allow rule above:

    sudo ufw enable
    
  10. Disconnect your SSH session from bm02.

  11. Establish a Secure Shell (SSH) connection from the bootstrapper machine or laptop to the bm03 machine using the default SSH key provided by Google.

    ssh 198.18.255.230
    
  12. Set the default ufw policies on bm03. As on the other nodes, these are global policies, not routes; the interface-specific rules in the next step are what restrict eno1:

    sudo ufw default allow outgoing
    sudo ufw default allow incoming
    
  13. Configure the policies on the bm03 org node. These rules mirror the bm02 rules: inbound HTTPS (443/tcp), DHCP (67/udp and 68/udp) and SSH (22/tcp) from bm01, SSH from the bootstrapper machine or laptop (198.18.255.254), and a final deny for all other inbound traffic on eno1:

    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 443 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 67 proto udp
    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 68 proto udp
    sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 22 proto tcp
    sudo ufw allow in on eno1 from 198.18.255.254 to 198.18.255.230 port 22 proto tcp
    sudo ufw deny in on eno1
    
  14. Enable ufw on bm03, confirming the prompt about disrupting SSH connections:

    sudo ufw enable