Firewall Rules

Attention

This page covers the server’s network firewall. There is also a separate Web Application Firewall (WAF), which is documented on its own page.

Default Settings

By default, some general-purpose firewall rules are present before any customization:

Default Firewall Rules

All incoming and outgoing traffic is blocked by default, except:

  • related or established connections

  • ICMP/ICMPv6

  • Traceroute

  • SSH

  • outgoing connections to some common services (see below)

Tip

Outgoing connections might not be allowed according to your company guidelines. Make sure to configure a more restrictive ruleset than our defaults if needed.

Outgoing connections

By default, outgoing connections to the following ports are allowed: 25, 80, 110, 143, 443, 465, 587, 993, 995

Alter the list of allowed outgoing ports by adding only the desired ports to the nftables::allow_outgoing_ports array within the Custom JSON Server Level Configuration:

Allow HTTP and HTTPS Only

{
  "nftables::allow_outgoing_ports": [ 80, 443 ]
}

Deny any Outgoing Ports

{
  "nftables::allow_outgoing_ports": false
}

Warning

Whenever possible, create explicit rules to allow traffic to a specific destination only, and do not just open ports to the whole internet here. See Custom Rules below.

Incoming SSH

Incoming SSH is allowed from anywhere by default.

If you want to allow SSH from certain IP addresses only, disable our preset (nftables::preset_ssh) and create specific rules by adding them to the nftables::rules hash within the Custom JSON Server Level Configuration:

{
  "nftables::preset_ssh": false,
  "nftables::rules": {
    "allow SSH example IPv4": {
      "chain": "input",
      "rule": "tcp dport 22 ip saddr 192.168.1.1 accept"
    },
    "allow SSH example IPv6": {
      "chain": "input",
      "rule": "tcp dport 22 ip6 saddr 2001:db8::1 accept"
    }
  }
}

Automatic Rules

Where needed, we add the required firewall rules automatically when you add or configure a service on the server, for example:

  • if you configure Websites, we will allow incoming HTTP/HTTPS connections

  • if you configure FTP, incoming FTP connections will be allowed

Custom Rules

To allow further incoming or outgoing connections, add custom firewall rules (they are written to /etc/nftables.conf) via the nftables::rules hash within the Custom JSON Server Level Configuration:

{
  "nftables::rules": {
    "accept incoming port example for IPv4": {
      "chain": "input",
      "rule": "tcp dport 1234 ip saddr 192.168.1.1 accept"
    },
    "accept incoming port example for IPv6": {
      "chain": "input",
      "rule": "tcp dport 1234 ip6 saddr 2001:db8::1 accept"
    },
    "accept outgoing port example for IPv4": {
      "chain": "output",
      "rule": "tcp dport 1234 ip daddr 192.168.1.1 accept"
    },
    "accept outgoing port example for IPv6": {
      "chain": "output",
      "rule": "tcp dport 1234 ip6 daddr 2001:db8::1 accept"
    },
    "example with udp and without specific ip address": {
      "chain": "output",
      "rule": "udp dport 53 accept"
    },
    "example ordered rule": {
      "chain": "output",
      "rule": "udp dport 53 accept",
      "order": 55
    }
  }
}

Attention

Make sure to always add rules for both IPv4 and IPv6.

Tip

Details about possible rule configurations are listed in the nftables Wiki.

Rule order

Sometimes you need to control the order in which the firewall rules are evaluated; for this there is the optional order parameter. It can be a number between 1 and 99, where a lower number means higher priority (the rule is evaluated earlier).

If the order parameter is omitted, the default value is 50. Our automatically configured firewall rules for the services (web server, database server, etc.) also have an order value of 50, so a custom rule with a value below 50 is evaluated before them and can override them.
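As an added illustration (not the provider's tooling), the following Python script shows how the pieces described above fit together: it renders the nftables::allow_outgoing_ports setting (including the false case), sorts the nftables::rules hash by the order parameter (omitted order = 50, lower first), and flags rules that match an IPv4 or IPv6 address without an equivalent rule for the other family, as the Attention note in Custom Rules requires. The sample configuration is constructed, and the way the provider actually turns the JSON into /etc/nftables.conf (for example the single tcp dport { ... } accept rule used here for the outgoing ports) is an assumption.

```python
"""Illustrative renderer for the nftables::* keys of the Custom JSON Server Level
Configuration. Added example, not the provider's tooling: it mirrors the behaviour
described on the page (rule ordering, default order 50, the outgoing port
allow-list, and the requirement to pair IPv4 and IPv6 rules)."""
import json
import re
from collections import defaultdict

DEFAULT_ORDER = 50  # page: an omitted "order" means 50, like the automatic rules
# Page: ports allowed for outgoing connections when nothing is configured
DEFAULT_OUTGOING_PORTS = [25, 80, 110, 143, 443, 465, 587, 993, 995]

# Constructed sample configuration (not taken from a real server)
SAMPLE_CONFIG = json.loads("""
{
  "nftables::preset_ssh": false,
  "nftables::allow_outgoing_ports": [ 80, 443 ],
  "nftables::rules": {
    "allow SSH example IPv4": {"chain": "input", "rule": "tcp dport 22 ip saddr 192.168.1.1 accept"},
    "allow SSH example IPv6": {"chain": "input", "rule": "tcp dport 22 ip6 saddr 2001:db8::1 accept"},
    "allow outgoing DNS": {"chain": "output", "rule": "udp dport 53 accept"},
    "drop one host before automatic rules": {"chain": "input", "rule": "ip saddr 203.0.113.9 drop", "order": 10}
  }
}
""")


def outgoing_ports_rule(config):
    """Return the output-chain rule for the allowed outgoing ports, or None when
    nftables::allow_outgoing_ports is false. Assumption: the provider renders the
    list as one 'tcp dport { ... } accept' rule; the page only lists the ports."""
    ports = config.get("nftables::allow_outgoing_ports", DEFAULT_OUTGOING_PORTS)
    if ports is False:
        return None
    if not ports or not all(isinstance(p, int) and not isinstance(p, bool)
                            and 0 < p < 65536 for p in ports):
        raise ValueError(f"invalid port list: {ports!r}")
    return "tcp dport { " + ", ".join(str(p) for p in sorted(set(ports))) + " } accept"


def rule_order(name, spec):
    """Validate one entry of nftables::rules and return its effective order."""
    if spec.get("chain") not in ("input", "output"):
        raise ValueError(f"{name}: chain must be 'input' or 'output'")
    if not isinstance(spec.get("rule"), str) or not spec["rule"].strip():
        raise ValueError(f"{name}: rule must be a non-empty string")
    order = spec.get("order", DEFAULT_ORDER)
    if isinstance(order, bool) or not isinstance(order, int) or not 1 <= order <= 99:
        raise ValueError(f"{name}: order must be an integer between 1 and 99")
    return order


def render_chains(config):
    """Return {chain: [rule, ...]} with rules sorted by order (lower first, i.e.
    higher priority) and by name within the same order."""
    entries = [(rule_order(n, s), n, s["chain"], s["rule"])
               for n, s in config.get("nftables::rules", {}).items()]
    chains = defaultdict(list)
    for _order, _name, chain, rule in sorted(entries):
        chains[chain].append(rule)
    return dict(chains)


_ADDR = re.compile(r"\b(ip6?) (saddr|daddr) (\S+)")


def unpaired_family_rules(config):
    """Names of rules that match a specific IPv4 or IPv6 address without an
    equivalent rule for the other family (same chain, same rule apart from the
    address clause). Family-neutral rules such as 'udp dport 53 accept' are fine."""
    groups = defaultdict(dict)  # (chain, rule skeleton) -> {family: [names]}
    for name, spec in config.get("nftables::rules", {}).items():
        match = _ADDR.search(spec["rule"])
        if match is None:
            continue
        skeleton = _ADDR.sub("<addr>", spec["rule"])
        groups[(spec["chain"], skeleton)].setdefault(match.group(1), []).append(name)
    return sorted(n for fams in groups.values() if len(fams) == 1
                  for names in fams.values() for n in names)


if __name__ == "__main__":
    print("outgoing:", outgoing_ports_rule(SAMPLE_CONFIG))
    for chain, rules in render_chains(SAMPLE_CONFIG).items():
        print(f"chain {chain}:", *rules, sep="\n  ")
    print("rules lacking an IPv4/IPv6 twin:", unpaired_family_rules(SAMPLE_CONFIG))
```

Run it against your own exported configuration before applying it: the unpaired-rule report catches the common mistake of only writing the IPv4 variant, and the ordered listing shows exactly which custom rule will be evaluated ahead of the automatically generated ones.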

Debugging

To debug your firewall configuration syntax or take a look at the log files, you can log in with the devop user (see Generic Admin User).

Commands

The following commands are available:

  • nft-list to list the current nftables configuration.

  • nft-check to validate the current nftables configuration. This command will also show you the problematic parts if you have any errors in your syntax.

Log Files

Blocked connections are logged to syslog and written to /var/log/syslog. This file is readable with the devop user (see Generic Admin User) as well.
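As an added example (not the provider's tooling), the following Python script summarises the blocked connections recorded in /var/log/syslog so that noisy sources and unexpected destination ports stand out. The field layout it parses (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) is the standard netfilter kernel log format; the sample lines are constructed, and the "nftables-drop:" prefix in them is an assumption, since the page does not show the exact log line the server writes.

```python
"""Summarise blocked connections from netfilter log lines in /var/log/syslog.
Added example, not the provider's tooling. The field layout is the standard
netfilter kernel log format; the prefix in the sample lines is an assumption."""
import re
from collections import Counter

# Constructed sample syslog excerpt (addresses taken from documentation ranges)
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 srv kernel: [12345.678901] nftables-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 srv kernel: [12346.000001] nftables-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=5432 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:05 srv kernel: [12349.000001] nftables-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:db8::5 DST=2001:db8::10 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=UDP SPT=40000 DPT=161 LEN=60
Mar  3 10:15:06 srv sshd[1234]: Accepted publickey for devop from 192.0.2.8 port 51000 ssh2
Mar  3 10:15:07 srv kernel: [12351.000001] nftables-drop: IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44444 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

_KV = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens of a netfilter log line


def parse_blocked(lines):
    """Parse kernel netfilter log lines into dicts; every other line is skipped."""
    events = []
    for line in lines:
        if " kernel: " not in line:
            continue
        fields = dict(_KV.findall(line))
        if "IN" not in fields or "OUT" not in fields or "SRC" not in fields:
            continue  # a kernel message, but not a netfilter packet log
        events.append({
            # an empty IN= means the packet was leaving the host (output chain)
            "direction": "in" if fields["IN"] else "out",
            "iface": fields["IN"] or fields["OUT"],
            "src": fields["SRC"],
            "dst": fields.get("DST", ""),
            "proto": fields.get("PROTO", "?"),
            "dport": fields.get("DPT", ""),
        })
    return events


def summarise(events, top=5):
    """Count blocked packets per (direction, proto, dport) and list the most
    frequent remote sources of blocked inbound traffic."""
    by_port = Counter((e["direction"], e["proto"], e["dport"]) for e in events)
    by_src = Counter(e["src"] for e in events if e["direction"] == "in")
    return {"by_port": by_port, "top_sources": by_src.most_common(top)}


if __name__ == "__main__":
    # For a real run: summarise(parse_blocked(open("/var/log/syslog")))
    summary = summarise(parse_blocked(SAMPLE_SYSLOG.splitlines()))
    for (direction, proto, dport), n in summary["by_port"].most_common():
        print(f"{n:4d}  {direction:3s} {proto:4s} dport {dport}")
    print("top sources:", summary["top_sources"])
```

Blocked outbound entries (direction "out") are the ones worth a second look after a configuration change: they usually mean a service on the server needs a port that is neither in nftables::allow_outgoing_ports nor covered by a custom output rule.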