I’m deploying a specific app that lets users create network connections to arbitrary hosts (a kind of gateway), and would like to prevent this app from accessing other apps in the same organization.
Reading through the docs, it seems like blocking access to any IP address that starts with fdaa:0:18 should do the trick. Or is there anything I’m missing?
Is there any advice how to configure the container to block connections to this range of IP addresses? perhaps setting up iptables or similar?
Blocking access to fdaa:0:18:: should do what you need, yeah. We don’t have any examples of IP tables in the VMs, but it probably isn’t difficult to setup.
Are you actually running user code in these, or just using them as a proxy? We do have a guide for setting up Smokescreen: GitHub - fly-apps/smokescreen: An example of deploying Smokescreen on Fly.io
Thanks Kurt!
I’m using them as a proxy at the moment, but intend to run user code in the future. Thanks for the Smokescreen suggestion - I wasn’t aware of this solution. It doesn’t do the trick for my use case, as I’m running a data link layer proxy (using gvisor-tap-vsock). I looked into their code to see if I could hack something there, and I noticed they don’t support IPv6 at the moment (even though is an open pull request for IPv6), so it’s less of a concern for now.