Firewall Rules

Attention

This site covers the IP/network firewall. There is also a web application firewall within Website.

Default Settings

All incoming and outgoing traffic is blocked by default, except:

  • related or established connections

  • ICMP/ICMPv6

  • Traceroute

  • SSH

  • outgoing connections to some common services (see :ref:`` below)

Tip

Outgoing connections might not be allowed by default according on your company guidelines.

Change Default Allowed Outgoing Ports

Alter the list of allowed outgoing ports by adding only the desired ports to the nftables::allow_outgoing_ports array within the Custom JSON Server Level Configuration:

Default Settings

{
  "nftables::allow_outgoing_ports": [ 25, 80, 110, 143, 443, 465, 587, 993, 995 ]
}

Allow HTTP and HTTP Only

{
  "nftables::allow_outgoing_ports": [ 80, 443 ]
}

Deny any Outgoing Ports

{
  "nftables::allow_outgoing_ports": false
}

Automatic Rules

Where possible, we add required firewall rules when you configure a certain service, for example:

  • the Website module will allow incoming HTTP/HTTPS

  • the FTP Access module will allow incoming FTP

Custom Rule

To allow your desired incoming or outgoing connections, you can add custom firewll rules /etc/nftables.conf by adding the rule to the nftables::rules hash within the Custom JSON Server Level Configuration:

{
  "nftables::rules": {
    "accept incoming port example for IPv4": {
      "chain": "input",
      "rule": "tcp dport 1234 ip saddr 192.168.1.1 accept"
    },
    "accept incoming port example for IPv6": {
      "chain": "input",
      "rule": "tcp dport 1234 ip6 saddr 2001:db8::1 accept"
    },
    "accept outgoing port example for IPv4": {
      "chain": "output",
      "rule": "tcp dport 1234 ip daddr 192.168.1.1 accept"
    },
    "accept outgoing port example for IPv6": {
      "chain": "output",
      "rule": "tcp dport 1234 ip6 daddr 2001:db8::1 accept"
    },
    "example with udp and without specific ip address": {
      "chain": "output",
      "rule": "udp dport 53 accept"
    }
  }
}

Attention

Make sure to always add rules for both IPv4 and IPv6.

Tip

Details about possible rule configurations are listed in the nftables Wiki.

Request Limits

nftables can also be used to limit requests matching certain conditions.

Tip

You can also limit connections within your Custom Rule. Details about possible configurations are listed in the nftables Wiki.

By default, we limit the following connections:

Incoming SSH

Incoming SSH connections are limited to 600 per minute. You can alter or remove this limit by setting the nftables::input_ssh_limit within the Custom JSON Server Level Configuration:

{
  "nftables::input_ssh_limit": "600/minute"
}

By default, SSH is allowed from any IP address. You can remove this firewall rule by setting nftables::preset_ssh within the Custom JSON Server Level Configuration to false. Afterwards you have to create a firewall rule for each IP address from which you want to allow access.

{
  "nftables::preset_ssh": false,
  "nftables::rules": {
    "accept ssh from office ipv4": {
      "chain": "input",
      "rule": "tcp dport ssh ip saddr <your ipv4> accept"
    },
    "accept ssh from office ipv6": {
      "chain": "input",
      "rule": "tcp dport ssh ip6 saddr <your ipv6> accept"
    }
  }
}

Incoming ICMP

Incoming ICMP connections are limited to 600 per minute. You can alter or remove this limit by setting the nftables::input_icmp_limit within the Custom JSON Server Level Configuration:

{
  "nftables::input_icmp_limit": "600/minute"
}

Incoming ICMPv6

Incoming ICMPv6 connections are limited to 600 per minute. You can alter or remove this limit by setting the nftables::input_icmpv6_limit within the Custom JSON Server Level Configuration:

{
  "nftables::input_icmpv6_limit": "600/minute"
}

Debugging

To debug your firewall configuration syntax or take a look at the log files, you can login in with the devop user (see Generic Admin User).

Commands

The following commands are available:

  • nft-list to list the current nftables configuration.

  • nft-check to validate the current nftables configuration. This command will also show you the problematic parts if you have any errors in your syntax.

Log Files

Blocked connections are logged to syslog and written to /var/log/messages. This file is readable trough devop user (see Generic Admin User) as well.