From 2a4980cc6f8c9652a278e16a904779a4ebb82fc8 Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Sun, 14 Jul 2024 17:33:37 -0600 Subject: [PATCH] Update Docker & Kubernetes/Docker/Docker Compose/Firefox.md --- .../Docker/Docker Compose/Firefox.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Docker & Kubernetes/Docker/Docker Compose/Firefox.md b/Docker & Kubernetes/Docker/Docker Compose/Firefox.md index 4b46876..832e4c0 100644 --- a/Docker & Kubernetes/Docker/Docker Compose/Firefox.md +++ b/Docker & Kubernetes/Docker/Docker Compose/Firefox.md @@ -29,6 +29,29 @@ networks: N/A ``` +## Local Firewall Hardening +It is important, due to how this browser just allows anyone to access it, to lock it down to only allow access to the SSH port and port 5800 to specifically-allowed devices, in this case, the Traefik Reverse Proxy. This ensures that it only allows the proxy to communicate with Firefox's container, keeping it securely protected behind Keycloak's middware in Traefik. + +These rules will drop all traffic by default, allow port 22, and restrict access to port 5800. + +``` sh +# Set the default zone to drop +sudo firewall-cmd --set-default-zone=drop + +# Create a new zone named custom-trusted +sudo firewall-cmd --permanent --new-zone=traefik-proxy + +# Allow traffic to port 5800 only from 192.168.5.29 in the traefik-proxy zone +sudo firewall-cmd --permanent --zone=traefik-proxy --add-source=192.168.5.29 +sudo firewall-cmd --permanent --zone=traefik-proxy --add-port=5800/tcp + +# Allow SSH traffic on port 22 from any IP in the drop zone +sudo firewall-cmd --permanent --zone=drop --add-service=ssh + +# Reload FirewallD to apply the changes +sudo firewall-cmd --reload +``` + ## Traefik Reverse Proxy Configuration If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below. ``` yaml
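Review bot: In the firewall block, running `sudo firewall-cmd --set-default-zone=drop` (which takes effect immediately and also persists) before the `--permanent`-only `sudo firewall-cmd --permanent --zone=drop --add-service=ssh` leaves a window until `sudo firewall-cmd --reload` in which new SSH connections are refused, so a dropped session or a failed reload locks the operator out; move the default-zone change to just before the reload, or add the ssh service to the drop zone at runtime as well as permanently before switching zones. The comment `# Create a new zone named custom-trusted` does not match the zone the next line actually creates, `traefik-proxy`. Port 5800 is a Docker-published container port, so traffic to it is handled in the forward path rather than as host input and these zone rules may not restrict it as the prose claims; after the reload, verify from a host other than 192.168.5.29 that the port is refused, and consider binding the published port to the specific host address Traefik reaches in the compose file. Also, "middware" in the first paragraph should read "middleware".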