Configuring firewall for FCOS

By default it seems like Fedora CoreOS leaves all ports open. I’m trying to modify this behavior by adding some firewall rules. I can’t find any documentation on this topic but my assumption is that FCOS is using iptables.

Whenever I edit /etc/sysconfig/iptables using Ignition, CoreOS is unable to complete booting. It doesn’t matter what the contents of the file are. Instead it goes into emergency mode. For example, if I add this to Ignition:

storage:
  files:
    - path: /etc/sysconfig/iptables
      mode: 0600
      contents:
        inline: |
          *filter
          :INPUT ACCEPT [0:0]
          :FORWARD ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          COMMIT

Editing manually after booting doesn’t seem to be an issue, only if it’s set via Ignition.

What’s the correct way to update firewall rules for Fedora CoreOS?
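An added example, not part of the original post or of the Fedora CoreOS project: a small Python lint that parses an iptables-restore ruleset of the kind embedded in the Ignition file above, rejects structural errors that would make iptables-restore fail (a table without COMMIT, a malformed chain line), and flags INPUT and FORWARD chains whose default policy is still ACCEPT. The ruleset in the question sets every policy to ACCEPT and carries no rules, so even once it loads at boot it leaves every port open; the hardened ruleset in the block is a constructed counterpart, and its conntrack match and SSH port are illustrative assumptions rather than anything taken from the thread.

```python
import re

# Ruleset as posted in the question (constructed copy): every policy ACCEPT, no rules.
OPEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed hardened counterpart: default-deny inbound, allow loopback,
# established flows and SSH. The port and conntrack match are assumptions.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" as written by iptables-save; user chains use "-".
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)(?:\s+\[\d+:\d+\])?$")


def parse_ruleset(text):
    """Parse iptables-restore text into {table: {"policies": {...}, "rules": [...]}}.

    Raises ValueError on structural problems that would make iptables-restore,
    and hence a boot-time firewall service, fail to load the file.
    """
    tables = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"line {lineno}: table '{current}' has no COMMIT")
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            if current is None:
                raise ValueError(f"line {lineno}: COMMIT outside a table")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: '{line}' appears before any *table header")
        elif line.startswith(":"):
            m = POLICY_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed chain line '{line}'")
            tables[current]["policies"][m.group(1)] = m.group(2)
        elif line.startswith(("-A ", "-I ")):
            tables[current]["rules"].append(line.split())
        else:
            raise ValueError(f"line {lineno}: unsupported line '{line}'")
    if current is not None:
        raise ValueError(f"table '{current}' has no COMMIT")
    return tables


def findings(text):
    """Return human-readable findings; an empty list means unsolicited inbound traffic is dropped."""
    tables = parse_ruleset(text)
    filt = tables.get("filter")
    if filt is None:
        return ["no *filter table: nothing here restricts incoming connections"]
    out = []
    for chain in ("INPUT", "FORWARD"):
        # A builtin chain with no policy line keeps whatever the kernel had, ACCEPT on a fresh boot.
        policy = filt["policies"].get(chain, "ACCEPT")
        nrules = sum(1 for r in filt["rules"] if r[1] == chain)
        if policy == "ACCEPT":
            out.append(f"{chain}: default policy ACCEPT with {nrules} rule(s); unmatched traffic is allowed")
    return out


if __name__ == "__main__":
    for name, rs in (("open", OPEN_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, findings(rs) or ["ok"])
```

Run the lint over the inline contents before baking them into an Ignition config: a file that fails `parse_ruleset` is one a boot-time restore would reject, and a file with findings loads fine but does not close anything.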

Looks like you filed this over here too: https://github.com/coreos/fedora-coreos-tracker/issues/467

I’ll reply there; let’s keep discussion in that ticket.