From b695ae341b25abcee09670d96997b5bc01a5325b Mon Sep 17 00:00:00 2001 From: Dennis Reimann Date: Fri, 11 Oct 2019 11:54:07 +0200 Subject: [PATCH 1/2] Allow ssh connections from docker network on RPI Otherwise the [maintenance features](https://docs.btcpayserver.org/faq-and-common-issues/faq-serversettings#maintenance-1) do not work, as the firewall blocks SSH connections from the Docker container. --- RPi3.md | 4 ++++ RPi4.md | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/RPi3.md b/RPi3.md index 31aeb64e..bec3e3bf 100644 --- a/RPi3.md +++ b/RPi3.md @@ -102,7 +102,11 @@ sudo apt install ufw This command allows SSH connections from your LAN only.
**⚠️ Replace `192.168.1.0` with your own subnet:** ```bash +# local network sudo ufw allow from 192.168.1.0/24 to any port 22 + +# docker network, required for maintenance features +sudo ufw allow from 172.18.0.0/24 to any port 22 ``` These ports need to be accessible from anywhere (The default subnet is 'any' unless you specify one): diff --git a/RPi4.md b/RPi4.md index 5abf7e59..0d768e60 100644 --- a/RPi4.md +++ b/RPi4.md @@ -187,7 +187,11 @@ This command allows SSH connections from your LAN only.
**⚠️ Replace `192.168.1.0` with your own subnet:** ```bash -sudo ufw allow from 192.168.1.0/24 to any port 22 +# local network +ufw allow from 192.168.1.0/24 to any port 22 + +# docker network, required for maintenance features +ufw allow from 172.18.0.0/24 to any port 22 ``` These ports need to be accessible from anywhere (The default subnet is 'any' unless you specify one): From b70a60064d8dcb0f38e6247debce1dc7c8c0fd96 Mon Sep 17 00:00:00 2001 From: Dennis Reimann Date: Fri, 11 Oct 2019 18:23:56 +0200 Subject: [PATCH 2/2] RPI: Allow SSH connections from internal networks only All credits go to @wiz. See the discussion in #345. --- RPi3.md | 15 ++++++++------- RPi4.md | 15 ++++++++------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/RPi3.md b/RPi3.md index bec3e3bf..c76440aa 100644 --- a/RPi3.md +++ b/RPi3.md @@ -99,14 +99,15 @@ Install UFW: sudo apt install ufw ``` -This command allows SSH connections from your LAN only.
-**⚠️ Replace `192.168.1.0` with your own subnet:** +This command allows SSH connections from internal networks only: ```bash -# local network -sudo ufw allow from 192.168.1.0/24 to any port 22 - -# docker network, required for maintenance features -sudo ufw allow from 172.18.0.0/24 to any port 22 +sudo ufw allow from 10.0.0.0/8 to any port 22 proto tcp +sudo ufw allow from 172.16.0.0/12 to any port 22 proto tcp +sudo ufw allow from 192.168.0.0/16 to any port 22 proto tcp +sudo ufw allow from 169.254.0.0/16 to any port 22 proto tcp +sudo ufw allow from fc00::/7 to any port 22 proto tcp +sudo ufw allow from fe80::/10 to any port 22 proto tcp +sudo ufw allow from ff00::/8 to any port 22 proto tcp ``` These ports need to be accessible from anywhere (The default subnet is 'any' unless you specify one): diff --git a/RPi4.md b/RPi4.md index 0d768e60..714af166 100644 --- a/RPi4.md +++ b/RPi4.md @@ -183,15 +183,16 @@ ufw default deny incoming ufw default allow outgoing ``` -This command allows SSH connections from your LAN only.
-**⚠️ Replace `192.168.1.0` with your own subnet:** +This command allows SSH connections from internal networks only: ```bash -# local network -ufw allow from 192.168.1.0/24 to any port 22 - -# docker network, required for maintenance features -ufw allow from 172.18.0.0/24 to any port 22 +ufw allow from 10.0.0.0/8 to any port 22 proto tcp +ufw allow from 172.16.0.0/12 to any port 22 proto tcp +ufw allow from 192.168.0.0/16 to any port 22 proto tcp +ufw allow from 169.254.0.0/16 to any port 22 proto tcp +ufw allow from fc00::/7 to any port 22 proto tcp +ufw allow from fe80::/10 to any port 22 proto tcp +ufw allow from ff00::/8 to any port 22 proto tcp ``` These ports need to be accessible from anywhere (The default subnet is 'any' unless you specify one):
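Review bot: in the first patch's RPi3.md hunk, the added `sudo ufw allow from 172.18.0.0/24 to any port 22` hard-codes a Docker subnet that is not guaranteed to match the reader's host: the default bridge uses 172.17.0.0/16 and Compose-created networks are usually /16, not /24, so a container may fall outside the allowed range and the maintenance features would still be blocked. Suggest telling the reader to confirm the subnet with `docker network inspect` and to match it exactly, and extending the existing "Replace `192.168.1.0` with your own subnet" warning to cover the Docker line as well.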
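Review bot: in the first patch's RPi4.md hunk, the `-sudo ufw allow from 192.168.1.0/24 ...` line comes back as `+ufw allow from 192.168.1.0/24 ...`, so the change silently drops `sudo` in addition to adding the Docker rule, and the commit message does not mention it. It is consistent with the surrounding RPi4.md commands (`ufw default deny incoming` has no `sudo` either), but an unrelated fix like this belongs in its own commit or at least in the message, so a reader comparing the two guides understands why RPi3.md keeps `sudo` and RPi4.md does not.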
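Review bot: in the second patch's RPi3.md hunk, the line `+sudo ufw allow from ff00::/8 to any port 22 proto tcp` can never match: ff00::/8 is the IPv6 multicast range and multicast addresses are not valid source addresses, so the rule is dead and only invites the question of what it is for; suggest dropping it. Two smaller points on the same hunk: the IPv6 rules (`fc00::/7`, `fe80::/10`) only take effect when `IPV6=yes` is set in `/etc/default/ufw`, which is worth a sentence in the guide, and the replacement text `+This command allows SSH connections from internal networks only:` now introduces seven commands, so "These commands" reads better. Adding `proto tcp` to every rule is a good tightening over the previous version.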
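Review bot: in the second patch's RPi4.md hunk, the seven `ufw allow from ... to any port 22 proto tcp` lines are a verbatim copy of the RPi3.md block (minus `sudo`), including the unreachable `ff00::/8` source rule, so both files need the same correction and will keep drifting apart with every future edit; consider pointing one guide at the other for the firewall section. The hunk also removes `-**⚠️ Replace `192.168.1.0` with your own subnet:**` without replacing the advice: the new allowlist admits every RFC 1918 range rather than the reader's own LAN, which is what the commit message intends, but a short note that users who know their subnet can narrow these rules would preserve the earlier guidance.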