Efficient service isolation on Alpine with VRFs
Firewalls themselves are boring in my opinion, so let's talk about something Alpine can do that, as far as I know, no other distribution can easily do out of the box yet: service isolation using the base networking stack itself instead of netfilter.

Network namespaces allow for the use of an alternate routing table, one that can be restricted to, say, the management LAN. Introducing VRFs. Any network engineer with experience will surely be aware of VRFs; the name is an acronym for virtual routing and forwarding. Thanks to the work of Cumulus Networks, Linux gained support for VRF interfaces in Linux 4.3. Since Alpine 3.13, we have supported managing VRFs and binding services to them, primarily for the purpose of low-cost service isolation.

We will use a single VRF, in conjunction with the system's default route table. Once a VRF is configured, you can use the ip vrf exec command to run a program in the specified VRF context.

Success! Now we know that using ip vrf exec, we can launch services with an alternate routing table.
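The steps above, written out as an added example with plain iproute2 commands (not the post's own commands or Alpine's interfaces(5) configuration); the VRF name vrf-mgmt, table id 10, member interface eth1, gateway 192.0.2.1 and the sshd service are assumptions for illustration:

```shell
#!/bin/sh
# Added example (not from the post): create one VRF backed by an alternate
# routing table, put the management interface in it, and run a service
# inside that VRF with `ip vrf exec`. Names, table id and addresses are
# assumptions. Set DRY_RUN=1 to print the commands instead of running them
# (the real ones need root and an existing interface).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vrf_setup VRF TABLE DEV GATEWAY
# Creates the VRF device bound to routing table TABLE, enslaves DEV to it,
# and gives that table its own default route via GATEWAY. Anything started
# inside the VRF is routed by TABLE, not by the main table, so a service
# there can only reach what TABLE knows about (e.g. the management LAN).
vrf_setup() {
    vrf=$1 table=$2 dev=$3 gw=$4
    run ip link add "$vrf" type vrf table "$table"
    run ip link set "$vrf" up
    run ip link set "$dev" master "$vrf"
    run ip route add default via "$gw" dev "$dev" table "$table"
}

# vrf_exec VRF CMD...: run CMD with its sockets bound to VRF.
vrf_exec() {
    vrf=$1; shift
    run ip vrf exec "$vrf" "$@"
}

# vrf_table_of VRF: read the table id back from the kernel (`ip -d link`
# prints "vrf table N" for a VRF device). Prints nothing when the device
# does not exist or is not a VRF, which makes it a cheap post-setup check.
vrf_table_of() {
    ip -d link show "$1" 2>/dev/null | sed -n 's/.*vrf table \([0-9]*\).*/\1/p'
}

# Usage: management VRF on table 10, eth1 on the management LAN, sshd in it.
if [ "${DRY_RUN:-0}" = 1 ]; then
    vrf_setup vrf-mgmt 10 eth1 192.0.2.1
    vrf_exec vrf-mgmt sshd -D
fi
```

After a real run, `vrf_table_of vrf-mgmt` should print 10; an empty result means the VRF device was never created.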