Firewall
Note
This page covers the IP/network (packet) firewall. There is also a separate web application firewall within the Website service.
Default settings
By default, all incoming and outgoing traffic is blocked, except:
related or established connections
ICMP/ICMPv6
Traceroute
SSH
outgoing connections to the following common services:
HTTP(S): TCP ports 80, 443
SMTP(S): TCP ports 25, 587, 465
POP3(S): TCP ports 110, 995
IMAP(S): TCP ports 143, 993
Note
Depending on your company's guidelines, outgoing connections might not be allowed by default.
Disable common outgoing services
To raise the security level of your server, disable the default outgoing allowance for the common services listed above by adding the following custom JSON configuration. This only removes the default outgoing ports; add custom OUTPUT rules for the outgoing connections your server actually needs (see the "Allow outgoing" example below):
{
"base::firewall::allow_outgoing_ports": false
}
Custom rules through services
Where applicable, a service adds the firewall rules it requires automatically, for example:
website module will allow incoming HTTP(S)
ftp module will allow incoming FTP
Custom rules
Where applicable, both IPv4 and IPv6 rules are added by default (for example, INPUT rules for a particular port are created for both iptables and ip6tables). As with the underlying Puppet firewall module, rules are applied in the order of their names, so prefix each rule name with a number (for example 020, 021) to control the ordering.
Configuration
Hint
This service is based on the official Puppet firewall module. For further configuration details, see the firewall module documentation on GitHub.
chain
INPUT for incoming rules
OUTPUT for outgoing rules
action
accept: The packet is accepted.
reject: The packet is rejected with a suitable ICMP response.
drop: The packet is dropped.
source (optional)
IPv4 source address or network. Examples:
192.168.0.1
192.168.0.0/24
source6 (optional)
IPv6 source address or network. Examples:
2001:db8::1
2001:db8::/32
destination (optional)
IPv4 destination address or network. Examples:
192.168.0.1
192.168.0.0/24
destination6 (optional)
IPv6 destination address or network. Examples:
2001:db8::1
2001:db8::/32
sport
Source port number.
dport
Destination port number.
proto
Protocol. Examples:
tcp
udp
Examples
Allow outgoing
{
"base::firewall::rules": {
"021 accept outgoing smtp to mailrelay": {
"action": "accept",
"chain": "OUTPUT",
"destination": "192.168.0.1",
"destination6": "2001:db8::1",
"dport": "25"
}
}
}
Deny incoming
You can also add custom rules to deny services:
{
"base::firewall::rules": {
"020 deny HTTP from evil network": {
"action": "reject",
"chain": "INPUT",
"source": "192.168.0.0/24",
"source6": "2001:db8::/32",
"dport": "80"
}
}
}
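Because a mistake in a rule hash only shows up once Puppet has applied it, it helps to preview what a base::firewall::rules configuration will turn into before deploying it. The script below is an added example and not part of the platform's tooling: it validates the fields documented above (chain, action, source/source6, destination/destination6, sport, dport, proto), orders the rules by their numeric name prefix, and renders the equivalent iptables/ip6tables commands. The sample configuration is constructed for this example (it reuses the two rules above plus an added "010 drop incoming dns" rule); the assumption that a rule with a port but no proto means tcp follows the Puppet firewall module default and is marked as such in the code.

```python
"""Preview the iptables/ip6tables rules a base::firewall::rules hash would
produce. Added example, not the platform's own tooling."""
import ipaddress
import json

CHAINS = {"INPUT", "OUTPUT"}
ACTIONS = {"accept": "ACCEPT", "reject": "REJECT", "drop": "DROP"}

# Constructed sample: the two rules from the examples above plus one
# rule without addresses, which must yield both an IPv4 and an IPv6 rule.
SAMPLE_CONFIG = json.loads("""
{
  "base::firewall::rules": {
    "021 accept outgoing smtp to mailrelay": {
      "action": "accept", "chain": "OUTPUT",
      "destination": "192.168.0.1", "destination6": "2001:db8::1", "dport": "25"
    },
    "020 deny HTTP from evil network": {
      "action": "reject", "chain": "INPUT",
      "source": "192.168.0.0/24", "source6": "2001:db8::/32", "dport": "80"
    },
    "010 drop incoming dns": {
      "action": "drop", "chain": "INPUT", "proto": "udp", "dport": "53"
    }
  }
}
""")


def _ordered(rules):
    """Sort rules by the numeric prefix of their name (Puppet firewall convention)."""
    def key(item):
        prefix = item[0].split(" ", 1)[0]
        if not prefix.isdigit():
            raise ValueError(f"rule name {item[0]!r} must start with a numeric order prefix")
        return int(prefix)
    return sorted(rules.items(), key=key)


def _check_net(value, version):
    """Parse an address or network and make sure it belongs to the expected IP family."""
    net = ipaddress.ip_network(value, strict=False)
    if net.version != version:
        raise ValueError(f"{value} is not an IPv{version} address or network")
    return str(net)


def _render(binary, chain, action, rule, family):
    """Render one iptables (family 4) or ip6tables (family 6) command line."""
    parts = [binary, "-A", chain]
    src = rule.get("source" if family == 4 else "source6")
    dst = rule.get("destination" if family == 4 else "destination6")
    if src:
        parts += ["-s", _check_net(src, family)]
    if dst:
        parts += ["-d", _check_net(dst, family)]
    proto = rule.get("proto")
    if proto is None and ("sport" in rule or "dport" in rule):
        proto = "tcp"  # assumption: Puppet firewall module default when a port is given
    if proto:
        parts += ["-p", proto]
    if "sport" in rule:
        parts += ["--sport", str(rule["sport"])]
    if "dport" in rule:
        parts += ["--dport", str(rule["dport"])]
    parts += ["-j", ACTIONS[action]]
    return " ".join(parts)


def rules_to_commands(config):
    """Translate a {"base::firewall::rules": {...}} dict into the list of
    iptables/ip6tables commands in the order they would be applied.
    IPv4-only fields yield only an iptables command, IPv6-only fields only an
    ip6tables command; a rule with neither (or both) yields one of each."""
    commands = []
    for name, rule in _ordered(config["base::firewall::rules"]):
        chain, action = rule.get("chain"), rule.get("action")
        if chain not in CHAINS:
            raise ValueError(f"{name}: chain must be INPUT or OUTPUT, got {chain!r}")
        if action not in ACTIONS:
            raise ValueError(f"{name}: action must be accept, reject or drop, got {action!r}")
        has4 = "source" in rule or "destination" in rule
        has6 = "source6" in rule or "destination6" in rule
        if has4 or not has6:
            commands.append(_render("iptables", chain, action, rule, 4))
        if has6 or not has4:
            commands.append(_render("ip6tables", chain, action, rule, 6))
    return commands


if __name__ == "__main__":
    for command in rules_to_commands(SAMPLE_CONFIG):
        print(command)
```

Run it with the JSON you intend to deploy in place of SAMPLE_CONFIG and compare the output with what iptables-list shows after the Puppet run; a rule whose name lacks a numeric prefix, uses a chain other than INPUT/OUTPUT, or mixes an IPv6 address into source is rejected before it ever reaches the server.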
Debugging
Logged in as user devop, you can inspect the created rules and the firewall logs through the following means:
Firewall logs in /var/log/messages
Show the created rules with iptables-list or iptables-rules