Securing Access

This tutorial demonstrates how to use UFW, also known as Uncomplicated Firewall, to restrict SSH access to a system so that only Enclave peers can connect. UFW is a simple firewall configuration tool, available by default in Ubuntu and Debian.

Prerequisites

We've assumed that you already have Enclave installed on the machine you want to secure SSH access to. If this isn't the case, please refer to this document to install Enclave.

Configuring UFW

  1. Open the terminal and enter sudo ufw allow from 100.64.0.0/10. This will add a rule to the firewall to allow any traffic from the Enclave subnet through to your system. By default, all incoming traffic is blocked. You can go a step further and restrict the traffic to a single tap adapter using the command sudo ufw allow in on [tap] from 100.64.0.0/10, where [tap] is the name of the Enclave tap adapter. To find the name of this adapter, run enclave status.

    Warning

    If you're running other services which create tap adapters, the name of the Enclave tap adapter may change on reboot, and a rule bound to the old name will no longer match.

  2. If it isn't already enabled, enable the firewall by running sudo ufw enable. You can check the status of the firewall using the command sudo ufw status.

  3. If you're connected via SSH to the system you're securing access to, close the SSH session now. Reconnect to the machine using the Enclave virtual network address, as opposed to the public IP address. You can find the virtual network address of a system in the Enclave portal or by running enclave status.

  4. Disallow SSH by running sudo ufw delete allow ssh.

  5. If you have any other firewall rules, you can now safely delete them. To get an indexed list of all of your UFW rules, run sudo ufw status numbered. Enter sudo ufw delete [INDEX] to delete the rule at that index.

    Warning

    The indices may change after each deletion. Re-run sudo ufw status numbered to refresh the list of indices before deleting the next rule.
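
As an added example, not part of Enclave's documentation or tooling, the following POSIX shell script plans the rule changes from steps 1 to 5 against a constructed sample of sudo ufw status numbered output: it builds the step 1 allow rule, refuses to emit any deletions until a rule admitting 100.64.0.0/10 exists, and orders the deletions highest index first so the renumbering described in the warning above cannot make a later delete hit the wrong rule. The adapter name tap0 and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example (not Enclave tooling): plan steps 1-5 without running ufw.
ENCLAVE_SUBNET="100.64.0.0/10"

# Step 1: the allow rule, bound to a tap adapter when a name is given.
allow_rule() {
    if [ -n "$1" ]; then
        printf 'sudo ufw allow in on %s from %s\n' "$1" "$ENCLAVE_SUBNET"
    else
        printf 'sudo ufw allow from %s\n' "$ENCLAVE_SUBNET"
    fi
}

# Given the text of `sudo ufw status numbered`, print the index of every rule
# whose From column is not the Enclave subnet, highest index first. Deleting
# high to low sidesteps the renumbering in the step 5 warning: removing rule 4
# never shifts rules 1-3.
rules_to_delete() {
    printf '%s\n' "$1" | awk -v subnet="$ENCLAVE_SUBNET" '
        /^\[ *[0-9]+\]/ {
            idx = substr($0, 2, index($0, "]") - 2)
            gsub(/ /, "", idx)
            if ($NF != subnet) print idx    # From is the last field
        }' | sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# Steps 4 and 5 as `sudo ufw delete N` commands. Refuses (exit 1) when no rule
# admits the Enclave subnet yet, since deleting then would cut off every
# remote session, the Enclave one included.
delete_commands() {
    if ! printf '%s\n' "$1" | awk -v subnet="$ENCLAVE_SUBNET" \
            '$NF == subnet { found = 1 } END { exit !found }'; then
        echo "refusing: no rule allows $ENCLAVE_SUBNET" >&2
        return 1
    fi
    for i in $(rules_to_delete "$1"); do
        printf 'sudo ufw delete %s\n' "$i"
    done
}

# Constructed sample in the layout of `ufw status numbered`, not a real host.
SAMPLE_STATUS='Status: active
     To                         Action      From
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Anywhere on tap0           ALLOW IN    100.64.0.0/10
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

allow_rule tap0
delete_commands "$SAMPLE_STATUS"
```

Review the printed plan, then paste the commands into the SSH session you opened over the Enclave address in step 3.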


Having problems? Contact us at support@enclave.io or get help and advice in our community support channels.

Last updated February 7, 2023