Feature request: Allow editing of inbound firewall rules #61

Open
johnmaguire opened this issue Jul 25, 2022 · 13 comments
Labels
enhancement New feature or request

Comments

@johnmaguire
Member

Copied from slackhq/nebula#628:

@ajuitar on Jan 8:

Is there a way to edit the nebula internal firewall settings in the Android app? The default settings are:

firewall:
  conntrack:
    tcp_timeout: 120h
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000
  outbound:
  - port: any
    proto: any
    host: any
  inbound: []

and nothing much comes in.

@m1w31l on Jul 7:

I would also be very interested in knowing that.

@brad-defined on Jul 11:

Hi @ajuitar and @m1w31l - do you mind sharing more about your use case?

What inbound access would you like to have on your Nebula mobile devices?

@m1w31l on Jul 11:

Hello @brad-defined,

I have an FTP server running on one of my Android devices that I would like to be able to reach. And a friend of mine has a remote control software that could be reached for TCP. So it would be great for me if I could configure it directly. Of course it would be great if you could upload the whole configuration at once with a QR code and not only the certificates.

@ajuitar on Jul 11:

Hello @brad-defined,

I regularly run a WebDAV server on my Android phone in order to sync some files between the phone and a laptop. If I could do so using Nebula, I wouldn't need to have the phone and the laptop on the same network, and both my devices would have Nebula's static IPs.

Totally support this:

Of course it would be great if you could upload the whole configuration at once with a QR code and not only the certificates.

@brunoherbelin

Hi! Thanks for the great job with Nebula and Nebula app!

I would also like to add a rule for a group in the inbound section, e.g.:

  inbound:
    - port: any
      proto: udp
      groups:
        - mygroupname

Is it planned to add this feature to the Android app?
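
Added example, not part of the thread and not Nebula's own code: a simplified Python model of allow-list matching that shows why the default `inbound: []` drops every new inbound flow, and what the group rule above would admit. Only `port`, `proto`, `host: any` and `groups` are modelled; the packets, the port numbers and the `SCOPED_SSH` rule are constructed for illustration.

```python
# Simplified model of allow-list matching for Nebula-style inbound rules.
# Assumption: only port, proto, host: any and groups are modelled here.

def port_matches(rule_port, port):
    """Rule port is 'any', a single port, or a 'low-high' range."""
    if rule_port == "any":
        return True
    text = str(rule_port)
    if "-" in text:
        low, high = (int(p) for p in text.split("-", 1))
        return low <= port <= high
    return int(text) == port

def rule_matches(rule, packet, peer_groups):
    """True when the packet and the peer's certificate groups fit the rule."""
    if not port_matches(rule.get("port", "any"), packet["port"]):
        return False
    if rule.get("proto", "any") not in ("any", packet["proto"]):
        return False
    if rule.get("host") == "any":
        return True
    wanted = rule.get("groups")
    # Every listed group must be present in the peer certificate's groups.
    return bool(wanted) and set(wanted) <= set(peer_groups)

def inbound_allowed(rules, packet, peer_groups):
    """Default deny: a new inbound flow needs at least one matching rule."""
    return any(rule_matches(r, packet, peer_groups) for r in rules)

# Rule sets: the first two come from the thread, the third is hypothetical.
DEFAULT_INBOUND = []  # the mobile app's default
GROUP_UDP = [{"port": "any", "proto": "udp", "groups": ["mygroupname"]}]
SCOPED_SSH = [{"port": 8022, "proto": "tcp", "groups": ["mygroupname"]}]

# Constructed sample packets (port numbers are illustrative).
SSH = {"port": 8022, "proto": "tcp"}
SRT = {"port": 9000, "proto": "udp"}

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_INBOUND),
                        ("group udp", GROUP_UDP),
                        ("scoped ssh", SCOPED_SSH)]:
        for label, pkt in [("ssh", SSH), ("srt", SRT)]:
            verdict = inbound_allowed(rules, pkt, ["mygroupname"])
            print(f"{name:10} {label}: {'allow' if verdict else 'drop'}")
```

A rule scoped to one port, one protocol and one group exposes only the service that needs to be reachable, which is narrower than `port: any`.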

@johnmaguire
Member Author

@brunoherbelin Hi Bruno, it's not currently prioritized but we're keeping it in mind for the future. Would you mind sharing your use case?

@brunoherbelin

Thanks! I'll stay tuned!
Use case: video art performance, where multiple devices are connected and stream video with SRT; mostly, Nebula makes it possible to keep fixed IPs while the setup can be anywhere with internet.

johnmaguire changed the title from "Moved: Android app - internal firewall settings" to "Feature request: Allow editing of inbound firewall rules" on Nov 18, 2022

@bohdantrotsenko

I use termux on Android and there I can run "mosh-server". So, it would be great to use it via nebula.

johnmaguire added the "enhancement" (New feature or request) label on Apr 14, 2023

@s-cerevisiae

I need this to run servers on Termux. Also it would be cool if I'm able to send files between my mobile devices with Localsend and the like.

@johnmaguire
Member Author

Hi all - I don't have an update to share on configuring inbound firewall rules for Nebula OSS, but I did want to mention that if you're using a DN-managed site (defined.net), you are able to specify firewall rules for mobile devices there, which appears to be working for me with Android & nginx running in Termux.

I know this is not really a satisfactory issue to the problem at hand, but I figured I'd share this info in case it's a tenable solution for someone.

@Arkanosis

Hello. I have another use-case for this feature, though it is very similar to the termux + mosh-server mentioned above: I frequently connect to Android phones through SSH for file transfers, backups, text editing… but for simplicity and security reasons I only do that when the phones are on the same local network as the device I'm connecting from. Being able to connect through Nebula instead would make it possible for me to connect over the Internet without having to worry about the phones' current IP addresses or having a reachable SSH port. Thanks!

@NiceGuyIT

Another use case is Syncthing. Two phones running Syncthing cannot connect to each other because Nebula does not allow incoming connections. They can connect to a third device, and the third device can connect to both phones but they cannot talk to each other. Please note it may be possible to configure Syncthing to communicate outside of the Nebula network thus allowing two phones to directly talk to each other.

@cheesington

Use case: I run sshd on my android phone to quickly upload ebooks, audiobooks, and other files from my computer. I'd like to be able to connect via the nebula IP I've assigned to my phone, but the current firewall rules deny all incoming connections.

@nerflad

nerflad commented Nov 13, 2024

Hi, seems like this is a necessary feature in order to actually run mobile applications behind the vpn. Is this possible with the cloud management service? Being able to read the config file in the app and not edit it is a bit confusing. Thank you.

@johnmaguire
Member Author

Hi @nerflad - that's correct. The mobile app was designed with outbound connectivity (or remote access) as its primary goal. As such, inbound firewall rules have not yet been implemented. Are you able to share your use case for inbound access? Thanks in advance!

@rahul-jangra

Hi, I have another use case for this feature. Sometimes I need to connect to my device using the adb bridge, which uses the TCP protocol. If there is no incoming traffic, we will not be able to connect to the device.

@dongdongbh

Another use case is Syncthing. Two phones running Syncthing cannot connect to each other because Nebula does not allow incoming connections. They can connect to a third device, and the third device can connect to both phones but they cannot talk to each other. Please note it may be possible to configure Syncthing to communicate outside of the Nebula network thus allowing two phones to directly talk to each other.

On Syncthing, you can set the Device address to their IP in Nebula, e.g. tcp://192.168.100.x:22000, then they can connect to each other.


10 participants