Firewall Rules
Attention
This site covers the IP/network firewall. There is also a web application firewall within Website.
Default Settings
All incoming and outgoing traffic is blocked by default, except:
related or established connections
ICMP/ICMPv6
Traceroute
SSH
outgoing connections to some common services (see below)
Tip
Outgoing connections might not be allowed by default according to your company guidelines.
Change Default Allowed Outgoing Ports
Alter the list of allowed outgoing ports by adding only the desired ports to the
nftables::allow_outgoing_ports
array within the Custom JSON Server Level Configuration:
Default Settings
{
"nftables::allow_outgoing_ports": [ 25, 80, 110, 143, 443, 465, 587, 993, 995 ]
}
Allow HTTP and HTTPS Only
{
"nftables::allow_outgoing_ports": [ 80, 443 ]
}
Deny any Outgoing Ports
{
"nftables::allow_outgoing_ports": false
}
Warning
Whenever possible, create explicit rules to allow traffic to a certain destination, and do not just open ports to the whole internet here.
Incoming SSH
Incoming SSH is allowed by default.
If you want to allow SSH for certain IP addresses only,
you can remove our preset and create specific rules
by adding your rule to the nftables::rules
hash within the Custom JSON Server Level Configuration:
{
"nftables::preset_ssh": false,
"nftables::rules": {
"allow SSH example IPv4": {
"chain": "input",
"rule": "tcp dport 22 ip saddr 192.168.1.1 accept"
},
"allow SSH example IPv6": {
"chain": "input",
"rule": "tcp dport 22 ip6 saddr 2001:db8::1 accept"
}
}
}
Automatic Rules
Where possible, we add required firewall rules when you configure a certain service, for example:
Custom Rule
To allow your desired incoming or outgoing connections, you can add custom firewall rules to /etc/nftables.conf
by adding the rule to the nftables::rules
hash within the Custom JSON Server Level Configuration:
{
"nftables::rules": {
"accept incoming port example for IPv4": {
"chain": "input",
"rule": "tcp dport 1234 ip saddr 192.168.1.1 accept"
},
"accept incoming port example for IPv6": {
"chain": "input",
"rule": "tcp dport 1234 ip6 saddr 2001:db8::1 accept"
},
"accept outgoing port example for IPv4": {
"chain": "output",
"rule": "tcp dport 1234 ip daddr 192.168.1.1 accept"
},
"accept outgoing port example for IPv6": {
"chain": "output",
"rule": "tcp dport 1234 ip6 daddr 2001:db8::1 accept"
},
"example with udp and without specific ip address": {
"chain": "output",
"rule": "udp dport 53 accept"
},
"example ordered rule": {
"chain": "output",
"rule": "udp dport 53 accept",
"order": 55
}
}
}
Attention
Make sure to always add rules for both IPv4 and IPv6.
Tip
Details about possible rule configurations are listed in the nftables Wiki.
Rule order
Sometimes it is desirable to be able to configure the order of the firewall rules, for this there is the optional order parameter. This can be a number between 1 and 99. If this parameter is omitted the default value is 50, also our automatically configured firewall rules for the services (web server, database server, etc.) have an order value of 50. So it is possible to override automatically generated rules by using a value below 50.
Debugging
To debug your firewall configuration syntax or take a look at the log files, you can login in with the devop user (see Generic Admin User).
Commands
The following commands are available:
nft-list
to list the current nftables configuration.nft-check
to validate the current nftables configuration. This command will also show you the problematic parts if you have any errors in your syntax.
Log Files
Blocked connections are logged to syslog and written to /var/log/syslog
.
This file is readable trough devop user (see Generic Admin User) as well.