Firewall Rules
Attention
This site covers the IP/network firewall. There is also a web application firewall within Website.
Default Settings
All incoming and outgoing traffic is blocked by default, except:
related or established connections
ICMP/ICMPv6
Traceroute
SSH
outgoing connections to some common services (see :ref:`` below)
Tip
Outgoing connections might not be allowed by default according on your company guidelines.
Change Default Allowed Outgoing Ports
Alter the list of allowed outgoing ports by adding only the desired ports to the
nftables::allow_outgoing_ports
array within the Custom JSON Server Level Configuration:
Default Settings
{
"nftables::allow_outgoing_ports": [ 25, 80, 110, 143, 443, 465, 587, 993, 995 ]
}
Allow HTTP and HTTP Only
{
"nftables::allow_outgoing_ports": [ 80, 443 ]
}
Deny any Outgoing Ports
{
"nftables::allow_outgoing_ports": false
}
Automatic Rules
Where possible, we add required firewall rules when you configure a certain service, for example:
the Website module will allow incoming HTTP/HTTPS
the FTP Access module will allow incoming FTP
Custom Rule
To allow your desired incoming or outgoing connections, you can add custom firewll rules /etc/nftables.conf
by adding the rule to the nftables::rules
hash within the Custom JSON Server Level Configuration:
{
"nftables::rules": {
"accept incoming port example for IPv4": {
"chain": "input",
"rule": "tcp dport 1234 ip saddr 192.168.1.1 accept"
},
"accept incoming port example for IPv6": {
"chain": "input",
"rule": "tcp dport 1234 ip6 saddr 2001:db8::1 accept"
},
"accept outgoing port example for IPv4": {
"chain": "output",
"rule": "tcp dport 1234 ip daddr 192.168.1.1 accept"
},
"accept outgoing port example for IPv6": {
"chain": "output",
"rule": "tcp dport 1234 ip6 daddr 2001:db8::1 accept"
},
"example with udp and without specific ip address": {
"chain": "output",
"rule": "udp dport 53 accept"
},
"example ordered rule": {
"chain": "output",
"rule": "udp dport 53 accept",
"order": 55
}
}
}
Attention
Make sure to always add rules for both IPv4 and IPv6.
Tip
Details about possible rule configurations are listed in the nftables Wiki.
Rule order
Sometimes it is desirable to be able to configure the order of the firewall rules, for this there is the optional order parameter. This can be a number between 1 and 99. If this parameter is omitted the default value is 50, also our automatically configured firewall rules for the services (web server, database server, etc.) have an order value of 50. So it is possible to override automatically generated rules by using a value below 50.
Request Limits
nftables can also be used to limit requests matching certain conditions.
Tip
You can also limit connections within your Custom Rule. Details about possible configurations are listed in the nftables Wiki.
By default, we limit the following connections:
Incoming SSH
Incoming SSH connections are limited to 600 per minute. You can alter or remove
this limit by setting the nftables::input_ssh_limit
within the Custom JSON
Server Level Configuration:
{
"nftables::input_ssh_limit": "600/minute"
}
By default, SSH is allowed from any IP address.
You can remove this firewall rule by setting nftables::preset_ssh
within the Custom JSON Server Level Configuration to false.
Afterwards you have to create a firewall rule for each IP address from which you want to allow access.
{
"nftables::preset_ssh": false,
"nftables::rules": {
"accept ssh from office ipv4": {
"chain": "input",
"rule": "tcp dport ssh ip saddr <your ipv4> accept"
},
"accept ssh from office ipv6": {
"chain": "input",
"rule": "tcp dport ssh ip6 saddr <your ipv6> accept"
}
}
}
Incoming ICMP
Incoming ICMP connections are limited to 600 per minute. You can alter or remove
this limit by setting the nftables::input_icmp_limit
within the Custom JSON
Server Level Configuration:
{
"nftables::input_icmp_limit": "600/minute"
}
Incoming ICMPv6
Incoming ICMPv6 connections are limited to 600 per minute. You can alter or remove
this limit by setting the nftables::input_icmpv6_limit
within the Custom JSON
Server Level Configuration:
{
"nftables::input_icmpv6_limit": "600/minute"
}
Debugging
To debug your firewall configuration syntax or take a look at the log files, you can login in with the devop user (see Generic Admin User).
Commands
The following commands are available:
nft-list
to list the current nftables configuration.nft-check
to validate the current nftables configuration. This command will also show you the problematic parts if you have any errors in your syntax.
Log Files
Blocked connections are logged to syslog and written to /var/log/messages
.
This file is readable trough devop user (see Generic Admin User) as well.