Firewall management on edge devices
The firewall is used to configure input and output ports of the remote embedded devices. The current functionality is developed to satisfy most user demands. If you need more detailed firewall configurations it is possible to create those through our Ansible integration or through using specific scripts to set the firewall.
Just define the firewall rules your application needs. With qbee the standard setting usually is "drop all". By default qbee opens its own port from the inside. This is a pull based approach and allows communication through most company firewalls and NATs. So usually the firewall can be configured with default policy "drop" and qbee will work anyhow. The same is true for all remote access to the devices. Both the remote shell access and the remote access to any port do not demand any open ports in the firewall. All this is handled by the qbee agent through its own VPN. This communciation is running over port 443 which is triggered from the inside and then waiting for the qbee server to communicate back. This is all based on secure https communication.
Even if drop all is selected qbee and the qbee VPN will still work
It is possible to configure the firewall with default policy "drop". qbee and remote access will work independent of this.
Rules can be created for TCP or UDP. It is possible to limit the IP access range or use "ANY" in order to allow any IP to connect. The following example shows a firewall configuration that drops all connections by default but allows HTTPS access through port 443. This could be used for allowing external web server access. As mentioned closing this will not impact qbee functionality.
So it is possible to drop all and define custom rules which allow access or accept all and drop or reject certain ports.
This example opens external HTTPS access to the device. This is potentially dangerous as it weakens the security concept. With qbee-connect you would be able to provide the same access without exposing any external ports since it is routed through the qbee VPN.