Firewall Rules¶
Attention
This site covers the IP/network firewall. There is also a web application firewall within Website.
Default Settings¶
All incoming and outgoing traffic is blocked by default, except:
related or established connections
ICMP/ICMPv6
Traceroute
SSH
outgoing connections to some common services (see :ref:`` below)
Tip
Outgoing connections might not be allowed by default according on your company guidelines.
Change Default Allowed Outgoing Ports¶
Alter the list of allowed outgoing ports by adding only the desired ports to the
nftables::allow_outgoing_ports array within the Custom JSON Server Level Configuration:
Default Settings¶
{
"nftables::allow_outgoing_ports": [ 25, 80, 110, 143, 443, 465, 587, 993, 995 ]
}
Allow HTTP and HTTP Only¶
{
"nftables::allow_outgoing_ports": [ 80, 443 ]
}
Deny any Outgoing Ports¶
{
"nftables::allow_outgoing_ports": false
}
Automatic Rules¶
Where possible, we add required firewall rules when you configure a certain service, for example:
the Website module will allow incoming HTTP/HTTPS
the FTP Access module will allow incoming FTP
Custom Rule¶
To allow your desired incoming or outgoing connections, you can add custom firewll rules /etc/nftables.conf
by adding the rule to the nftables::rules hash within the Custom JSON Server Level Configuration:
{
"nftables::rules": {
"accept incoming port example for IPv4": {
"chain": "input",
"rule": "tcp dport 1234 ip saddr 192.168.1.1 accept"
},
"accept incoming port example for IPv6": {
"chain": "input",
"rule": "tcp dport 1234 ip6 saddr 2001:db8::1 accept"
},
"accept outgoing port example for IPv4": {
"chain": "output",
"rule": "tcp dport 1234 ip daddr 192.168.1.1 accept"
},
"accept outgoing port example for IPv6": {
"chain": "output",
"rule": "tcp dport 1234 ip6 daddr 2001:db8::1 accept"
},
"example with udp and without specific ip address": {
"chain": "output",
"rule": "udp dport 53 accept"
}
}
}
Attention
Make sure to always add rules for both IPv4 and IPv6.
Tip
Details about possible rule configurations are listed in the nftables Wiki.
Request Limits¶
nftables can also be used to limit requests matching certain conditions.
Tip
You can also limit connections within your Custom Rule. Details about possible configurations are listed in the nftables Wiki.
By default, we limit the following connections:
Incoming SSH¶
Incoming SSH connections are limited to 600 per minute. You can alter or remove
this limit by setting the nftables::input_ssh_limit within the Custom JSON
Server Level Configuration:
{
"nftables::input_ssh_limit": "600/minute"
}
By default, SSH is allowed from any IP address.
You can remove this firewall rule by setting nftables::preset_ssh within the Custom JSON Server Level Configuration to false.
Afterwards you have to create a firewall rule for each IP address from which you want to allow access.
{
"nftables::preset_ssh": false,
"nftables::rules": {
"accept ssh from office ipv4": {
"chain": "input",
"rule": "tcp dport ssh ip saddr <your ipv4> accept"
},
"accept ssh from office ipv6": {
"chain": "input",
"rule": "tcp dport ssh ip6 saddr <your ipv6> accept"
}
}
}
Incoming ICMP¶
Incoming ICMP connections are limited to 600 per minute. You can alter or remove
this limit by setting the nftables::input_icmp_limit within the Custom JSON
Server Level Configuration:
{
"nftables::input_icmp_limit": "600/minute"
}
Incoming ICMPv6¶
Incoming ICMPv6 connections are limited to 600 per minute. You can alter or remove
this limit by setting the nftables::input_icmpv6_limit within the Custom JSON
Server Level Configuration:
{
"nftables::input_icmpv6_limit": "600/minute"
}
Debugging¶
To debug your firewall configuration syntax or take a look at the log files, you can login in with the devop user (see Generic Admin User).
Commands¶
The following commands are available:
nft-listto list the current nftables configuration.nft-checkto validate the current nftables configuration. This command will also show you the problematic parts if you have any errors in your syntax.
Log Files¶
Blocked connections are logged to syslog and written to /var/log/messages.
This file is readable trough devop user (see Generic Admin User) as well.