Problem/Justification
I would like to request the ability to isolate apps (i.e. Docker containers) in a separate network segment to enhance the security posture of a TrueNAS installation. Specifically, my objective is ensuring that if an attacker gains access to an application container, they will not have direct connectivity to the network segment where the TrueNAS shares, web UI, and SSH daemon are listening (typically the LAN), thus making it harder for them to move laterally into my network.
Given a TrueNAS server with IP addresses on multiple interfaces (either physical or VLANs), it is already possible to bind an app's published ports to only some of those addresses (or only one). While this effectively ensures ingress connectivity to the app containers is limited to a given segment, it does not limit egress connectivity. For example, assume TrueNAS has one IP in a LAN subnet and another in an APPS subnet, and the default route points to the LAN gateway. Assume also that an app container is configured with port bind mode = publish and host IP = the TrueNAS IP in the APPS subnet. Connections initiated by the container are source-NATed by the host and follow the host routing table, so its egress traffic will be routed onto the LAN subnet via the default route, not onto the APPS subnet it appears to live on.
Note that other discussions have requested specific implementations that could satisfy this feature request. I thought it would still be valuable though to restart from scratch and reframe the request in terms of product features and user objectives rather than getting stuck on implementation details. It’s ultimately unimportant how the behavior I’m requesting is implemented.
Impact
- improve security of TrueNAS, especially when apps are exposed to the internet
- (potential side effect) make app networking behave like Incus containers, where the above is already possible via macvlan interfaces
- a challenge that may need addressing is asymmetric routing, if the solution involves TrueNAS having IPs on multiple network segments. Today, a multi-homed TrueNAS server suffers from the well-known asymmetric routing behaviour of any multi-homed Linux host: replies can leave via the interface holding the default route rather than the interface the request arrived on. I've filed NAS-137453 to address this.
User Story
A user creating an app should be able to select which (potentially pre-created) network segments their container should be bound to. This could be accomplished by selecting a network interface from a drop-down menu, and possibly indicating a VLAN ID.
An ideal implementation would allow the user to select a different network segment for each app, although simply keeping all apps separate from the TrueNAS LAN would already be beneficial.
If going the per-app networks route, it is however important to retain the possibility for some apps to talk to each other, as that is their intended use case (e.g. nginx proxy manager fronting other apps).
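As an added illustration (not part of the original request, and not TrueNAS's own app configuration), here is what the two situations described above look like in plain Docker Compose. The interface name, VLAN ID, subnets, addresses and images are assumed for the example. `app-host-published` is today's behaviour: ingress bound to the APPS-subnet host IP, egress still leaving through the host's default route. `app-macvlan` gets its own address on the APPS VLAN through a macvlan network, so both its ingress and egress stay on that segment, and `proxy` shares a separate internal network with it, which keeps the nginx-proxy-manager-style use case working.

```yaml
# Added example, not TrueNAS configuration. Assumed topology:
#   host LAN IP  192.168.1.10/24   (default route via 192.168.1.1)
#   host APPS IP 192.168.30.10/24  on VLAN sub-interface eth0.30
# Replace interface names, subnets and images to match your own setup.
services:

  # Today's situation: port bind mode = publish, host ip = APPS IP.
  # Ingress is reachable only on 192.168.30.10, but the container sits on
  # Docker's default bridge, is source-NATed by the host, and its egress
  # follows the host routing table: out via the LAN gateway 192.168.1.1.
  app-host-published:
    image: nginx:alpine            # assumed placeholder workload
    ports:
      - "192.168.30.10:8080:80"

  # Isolated alternative: the container gets its own MAC and IP on the
  # APPS VLAN. Ingress and egress both stay on 192.168.30.0/24 and use
  # the APPS gateway; the container never touches the LAN segment.
  app-macvlan:
    image: nginx:alpine            # assumed placeholder workload
    networks:
      apps_vlan:
        ipv4_address: 192.168.30.50
      proxy_backend: {}

  # Second app that must still talk to the first one (the nginx proxy
  # manager use case): both are attached to an internal network that is
  # not bridged to any host interface and carries no default route.
  proxy:
    image: jc21/nginx-proxy-manager:latest   # assumed; any proxy works
    networks:
      apps_vlan:
        ipv4_address: 192.168.30.51
      proxy_backend: {}

networks:
  # macvlan network on the VLAN 30 sub-interface of the host NIC
  apps_vlan:
    driver: macvlan
    driver_opts:
      parent: eth0.30
    ipam:
      config:
        - subnet: 192.168.30.0/24
          gateway: 192.168.30.1
          # keep container addresses out of the range the host/DHCP uses
          ip_range: 192.168.30.48/28

  # container-to-container only; no host interface, no route out
  proxy_backend:
    internal: true
```

Two caveats a practitioner should expect with the macvlan variant. First, the Linux macvlan driver does not let the parent interface talk to its child interfaces, so the TrueNAS host itself cannot reach `app-macvlan` through eth0.30; that traffic has to go via the router or via an extra macvlan shim interface on the host. Second, the parent interface only needs to be up, not addressed: if the host does not need its own IP on the APPS VLAN, leaving it unaddressed avoids the multi-homed asymmetric routing problem noted in the Impact section altogether.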