Installing UFW in Home Assistant OS?

I have Home Assistant OS running in a vm using KVM on an Ubuntu 22.04 server. I would like to install a firewall on it. Has anyone installed UFW? Any hints on how to do it?

It is generally not possible to install packages onto Home Assistant OS in the way that you would normally install packages on a desktop or server Linux distribution.

If you want that kind of flexibility, you are better off running Home Assistant Core or Home Assistant Supervised. (I run Core myself.)

Couldn’t I just use the terminal add-on and then sudo apt install ufw?

No, because that would be deleted next time you performed an OS update.

2 Likes

And HAOS is not based on debian, so apt is not a thing.

1 Like

Why not install the FW on the host, assuming you bridged the networks?

1 Like

That would work except not with bridging. For a firewall to work, the host must be routing the guest traffic — not bridging.

True, thanks – I had it reversed.

@parautenbach and @Rudd-O – Thank you for your interest in my problem.

I installed HAOS successfully in a KVM on my mini pc that runs Ubuntu 23.04 server. The host’s ethernet interface enp1s0 is bridged to br0 and the vm gets a virtual interface at vnet0. Everything works fine until I enable ufw on the host. This cuts the vm off from the rest of my home network and I can no longer access HA.

What rules do I need to add to ufw to allow traffic to reach the vm? The existing rules deny all inbound traffic except on ports 22 for ssh and 123 for ntp. Any help would be greatly appreciated.

After doing some research, it seems that ufw on the host will block traffic to the vm. As a result, I set up forwarding rules in /etc/ufw/before.rules. For more details, see here:

This allows me to continue to protect the host with ufw. I guess I just need to fine-tune my forwarding rules to the vm so that they are tailored to the things that HA is doing.

Any advice on what traffic to forward to the vm?

Just forward everything. Otherwise you will be in hell trying to figure out why certain things don’t work randomly.

Also, I don’t know if mDNS discovery will work under this networking hookup. I know in a similar setup (not bridged, only routed with proxy ARP) I ended up having to install an avahi reflector on the host box to reflect mDNS data from/to the LAN/HA box.

I am finding that my mDNS does in fact fail. If I disable ufw on the host then the vm gets an ip address. Afterwards I can enable ufw and traffic is able to reach the vm.

Is there a better way to do this?

What if I disable netfilter on the bridge? Is that recommended? Or does it create security issues? Would the host still be protected by ufw?

No, you can’t disable netfilter on the bridge because ufw requires control over netfilter.

Or I mean you could but hey who knows what will get in your network setup there, best of luck and see you when your phone is posting spam on this forum haha.

Turning off netfilter on the bridge seems to be the more common approach according to the github link I posted earlier.

Sure. Try it.

(Unless the host and guest are in a real layer 2 bridge configuration, mDNS will still fail, netfilter or no.)

But it would create security issues for both host and guest, right?

Yes, it quite likely will.

:man_shrugging:

I am no expert on networking, but I share the same thoughts about disabling netfilter on the bridge.

I decided to go with the first alternative. Instead of relying on the router’s dhcp server to assign the virtual machine an ip address, I did it manually in HAOS which is running in the KVM guest. Then I edited /etc/ufw/before.rules to forward traffic to and from that ip address. Now, I can access the KVM guest after the host boots up with ufw enabled.

It feels very inelegant though. But I guess it works.
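The before.rules approach from the thread, written out as an added example (not a poster's own config): it generates the FORWARD rules for a bridged KVM guest and also covers the two cases the thread hit, DHCP and mDNS, which an address-specific rule alone cannot match. The bridge name br0 and guest address 192.168.1.50 are assumed placeholders.

```shell
#!/bin/sh
# Generates the FORWARD rules to paste into the *filter section of
# /etc/ufw/before.rules (above its final COMMIT) for a KVM guest on a
# Linux bridge. Assumed names: bridge br0, guest address 192.168.1.50
# (placeholders, not values from the thread). Apply with: ufw reload

ufw_forward_rules() {
    br="$1"; guest="$2"
    cat <<EOF
# --- KVM guest on $br: bridged frames reach FORWARD while bridge-nf-call-iptables=1 ---
# DHCP: the lease request is sent from 0.0.0.0 to 255.255.255.255, so a rule
# keyed on the guest address never matches it; allow bootp in both directions.
-A ufw-before-forward -i $br -o $br -p udp --sport 68 --dport 67 -j ACCEPT
-A ufw-before-forward -i $br -o $br -p udp --sport 67 --dport 68 -j ACCEPT
# mDNS: discovery goes to the 224.0.0.251 multicast group, not to the guest address.
-A ufw-before-forward -i $br -o $br -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# Everything to and from the guest itself ("just forward everything").
-A ufw-before-forward -i $br -o $br -d $guest -j ACCEPT
-A ufw-before-forward -i $br -o $br -s $guest -j ACCEPT
EOF
}

# Reports whether the kernel is passing bridged traffic through iptables at all:
# "1" is the state behind the symptoms in the thread, "0" is what "disabling
# netfilter on the bridge" sets (after which neither these rules nor ufw see
# guest traffic). Prints "unknown" when br_netfilter is not loaded.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

ufw_forward_rules "${1:-br0}" "${2:-192.168.1.50}"
```

IPv6 traffic is filtered by /etc/ufw/before6.rules and needs equivalent rules there. The RELATED,ESTABLISHED accept that stock before.rules already places in ufw-before-forward is kept as is.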