Configure firewall

When not using Docker

The firewall.sh script closes most ports by default. Its behavior is controlled by variables in the firewall-settings.local file.

Most variables are set by state files:

SSH_IPV4 and SSH_IPV6

IPs from which to allow SSH connections. Set by the firewall state using Pillar data. See Connect to a server (SSH).

PUBLIC_HTTP

Opens port 80. Set by the apache state.

PUBLIC_HTTPS

Opens port 443. Set by the apache state.

PUBLIC_POSTGRESQL

Opens port 5432. Set by the postgres state, if postgres.public_access is True in Pillar.

PRIVATE_POSTGRESQL

Opens port 5432 to the replica servers. Set by the postgres state, if postgres.public_access isn’t True in Pillar.

REPLICA_IPV4 and REPLICA_IPV6

The IPs of replica servers. Set by the postgres state using Pillar data, if postgres.public_access isn’t True in Pillar.

PUBLIC_ELASTICSEARCH

Opens port 9200. Set by the elasticsearch state.

PUBLIC_TINYPROXY

Opens port 8888. Set by the tinyproxy state.

PRIVATE_PROMETHEUS_CLIENT

Opens port 7231 to the Prometheus server. Set by the prometheus.node_exporter state.

PROMETHEUS_IPV4 and PROMETHEUS_IPV6

The IPs of the Prometheus server. Set by the prometheus.node_exporter state using Pillar data.

Other variables are:

PUBLIC_SSH

Opens port 22. Supersedes port knocking.

Open a port

If no variable corresponds to the port you need to open, update the firewall.sh script and firewall-settings.local template.

You might need to set variables if you’re working in a development environment. To set a variable, use the set_firewall macro, for example:

{{ set_firewall("PUBLIC_SSH") }}

This sets PUBLIC_SSH="yes" in the firewall-settings.local file.
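As an added illustration (not the project's firewall.sh script), the following Python reads a firewall-settings.local file and prints, as a dry run, the IPv4 iptables ACCEPT rules that the variables described above imply; any port without a matching variable stays closed. The sample settings, the variable-to-port mapping, the IPv4-only scope and the reading that PUBLIC_SSH supersedes the SSH_IPV4 allow-list are assumptions made for the example.

```python
"""Dry-run translation of firewall-settings.local variables into iptables rules."""
import shlex

# Constructed sample of a firewall-settings.local file (not taken from the docs).
SAMPLE_SETTINGS = """
SSH_IPV4="203.0.113.10 203.0.113.11"
PUBLIC_HTTP="yes"
PUBLIC_HTTPS="yes"
PRIVATE_POSTGRESQL="yes"
REPLICA_IPV4="10.0.0.2"
PRIVATE_PROMETHEUS_CLIENT="yes"
PROMETHEUS_IPV4="192.0.2.5"
"""

# Variables that open a port to everyone (port numbers as listed in the docs).
PUBLIC_PORTS = {
    "PUBLIC_HTTP": 80, "PUBLIC_HTTPS": 443, "PUBLIC_POSTGRESQL": 5432,
    "PUBLIC_ELASTICSEARCH": 9200, "PUBLIC_TINYPROXY": 8888,
}
# Variables that open a port only to the IPs held in a companion variable.
PRIVATE_PORTS = {
    "PRIVATE_POSTGRESQL": (5432, "REPLICA_IPV4"),
    "PRIVATE_PROMETHEUS_CLIENT": (7231, "PROMETHEUS_IPV4"),
}

def parse_settings(text):
    """Parse shell-style KEY="value" lines into a dict; blanks and comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = " ".join(shlex.split(value))
    return settings

def iptables_rules(settings):
    """Return the IPv4 ACCEPT rules implied by the settings, in evaluation order."""
    rules = []
    def allow(port, source=None):
        src = f" -s {source}" if source else ""
        rules.append(f"iptables -A INPUT -p tcp{src} --dport {port} -j ACCEPT")
    # Assumption: PUBLIC_SSH opens port 22 to all and supersedes the SSH_IPV4 allow-list.
    if settings.get("PUBLIC_SSH") == "yes":
        allow(22)
    else:
        for ip in settings.get("SSH_IPV4", "").split():
            allow(22, ip)
    for var, port in PUBLIC_PORTS.items():
        if settings.get(var) == "yes":
            allow(port)
    for var, (port, ip_var) in PRIVATE_PORTS.items():
        if settings.get(var) == "yes":
            for ip in settings.get(ip_var, "").split():
                allow(port, ip)
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules(parse_settings(SAMPLE_SETTINGS))))
```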

Close a port

Use the unset_firewall macro if a set_firewall call is removed from a service’s state, whether directly (by deleting a set_firewall call) or indirectly (by un-including a state file with set_firewall calls).

Troubleshoot

When making changes to firewall settings or port assignments, you might want to:

  • Check if a port is open:

    telnet host port
    
  • List active connections:

    netstat -tupln
    

When using Docker

The firewall.sh script rewrites all iptables rules. However, Docker needs to add its own rules to route traffic to and from containers. To avoid this incompatibility, the firewall.sh script exits if the docker command exists. Firewall rules on Docker servers are therefore provided by an external firewall, as described below.

Hetzner (hardware servers)

Hetzner provide a free stateless firewall for each dedicated server. “Stateless” means that the firewall does not store information about connections over time, so it cannot support features that depend on connection state, such as HTTP sessions and port knocking.

You can configure a Hetzner firewall as follows:

  1. Log into Hetzner

  2. Select your server and go to the Firewall tab

  3. Set Status to active

  4. Enable Hetzner Services

  5. Create your firewall rules. The recommended minimum is:

    Name               | Source IP          | Destination IP | Source port | Destination port | Protocol | TCP flags | Action
    -------------------|--------------------|----------------|-------------|------------------|----------|-----------|-------
    Allow SSH          | 0.0.0.0/0          | 0.0.0.0/0      | 0-65535     | 22               |          |           | Accept
    Allow ICMP         | 0.0.0.0/0          | 0.0.0.0/0      | 0-65535     | 0-65535          | icmp     |           | Accept
    Allow Prometheus   | 213.138.113.219/32 | 0.0.0.0/0      | 0-65535     | 7231             |          |           | Accept
    Allow Outgoing TCP | 0.0.0.0/0          | 0.0.0.0/0      | 0-65535     | 32768-65535      | tcp      | ack       | Accept

Linode (VPS servers)

Linode provide a stateful Cloud Firewall. Stateful firewalls can store information about connections over time, which is required for HTTP sessions and port knocking, for example.

You can configure a Linode Cloud Firewall as follows:

  1. Log into Linode

  2. Open the Firewalls list

  3. Click Create Firewall

    1. Set Label to the server name

    2. Set Linodes to the server

    3. Click Create Firewall

  4. Click on the label for the new firewall

    1. Set Default inbound policy to Drop

    2. Add an inbound rule. The recommended minimum is:

      Label            | Protocol | Ports    | Sources                                       | Action
      -----------------|----------|----------|-----------------------------------------------|-------
      Allow-SSH        | TCP      | SSH (22) | All IPv4, All IPv6                            | Accept
      Allow-ICMP       | ICMP     |          | All IPv4, All IPv6                            | Accept
      Allow-Prometheus | TCP      | 7231     | 213.138.113.219/32, 2001:41c8:51:7db::219/128 | Accept

      Most servers will also have:

      Label      | Protocol | Ports                  | Sources            | Action
      -----------|----------|------------------------|--------------------|-------
      Allow-HTTP | TCP      | HTTP (80), HTTPS (443) | All IPv4, All IPv6 | Accept

    3. Click Save Changes