Configuring Firewall Rules And Filters For Web Hosting
You will learn how to set up the firewall rules needed to run a web server. This guide assumes you run the commands with sudo or as the root user, and that you are on a Debian-based distro.
- Web servers serve HTTP on port 80 TCP and HTTPS on port 443 TCP, so those two ports must be reachable.
Configuring The Firewall Manager on Debian Based Distros
First, make sure the ufw package is installed:
apt install ufw
We will then allow the following ports:
- 22 TCP (to allow you to SSH in)
- 80 TCP (http)
- 443 TCP (https)
To do this run the following commands:
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
Enable ufw:
ufw enable
Run the following command to verify these ports are open:
ufw status
To lock the firewall down further, set the default policy to deny incoming traffic. Make sure SSH (port 22) is already allowed, as above, or you will not be able to SSH back into this machine.
ufw default deny incoming
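The steps above as one script, added here as an example and not part of the original guide. It applies the default policy and the allow rules before enabling ufw, so the SSH rule exists the moment the firewall comes up, and it includes a check that parses `ufw status verbose` to confirm the result. The optional `SSH_FROM` variable (an assumption of this example) restricts SSH to one source address, mirroring the static-IP option in the edge rules below. The two status samples are constructed for the check; they are not output captured from a real host.

```shell
#!/bin/sh
# Added example: apply the guide's ufw rules in a safe order and verify them.
# Assumes ufw is installed and the script runs as root (or via sudo).
# SSH_FROM is optional: if set, SSH is allowed only from that address.

REQUIRED_PORTS="22/tcp 80/tcp 443/tcp"

# apply_rules: defaults and allow-list first, enable last, so enabling the
# firewall can never cut off the SSH session you are running this from.
apply_rules() {
    ufw default deny incoming
    ufw default allow outgoing
    if [ -n "$SSH_FROM" ]; then
        ufw allow from "$SSH_FROM" to any port 22 proto tcp
    else
        ufw allow 22/tcp
    fi
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw --force enable   # --force skips the interactive "may disrupt SSH" prompt
}

# check_status: read "ufw status verbose" text on stdin; return 0 only if the
# firewall is active, default-denies incoming, and allows every required port.
check_status() {
    status="$(cat)"
    printf '%s\n' "$status" | grep -q '^Status: active' || return 1
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' || return 1
    for p in $REQUIRED_PORTS; do
        # Matches "22/tcp   ALLOW IN   Anywhere" or "...ALLOW IN   203.0.113.5"
        printf '%s\n' "$status" | grep -Eq "^${p}[[:space:]]+ALLOW IN" || return 1
    done
    return 0
}

# Constructed sample of "ufw status verbose" after the rules above are applied.
SAMPLE_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Constructed sample where the SSH rule was forgotten: the check must fail.
SAMPLE_NO_SSH='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere'

# Only touch the live firewall when explicitly asked: ./firewall.sh apply
if [ "$1" = "apply" ]; then
    apply_rules
    if ufw status verbose | check_status; then
        echo "firewall OK"
    else
        echo "firewall check FAILED: review 'ufw status verbose'"
    fi
fi
```

Run it with `apply` on the server (as root) to apply and verify in one go; without arguments it only defines the functions and samples, which is useful for dry-running the check against saved status output.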
Edge Rules & Filters
Now onto the edge rules and filters. Because of our link with Path.net, we can define firewall rules and filters at the network edge, before traffic reaches your server. Our Filter Manager is currently offline, but you can open a ticket and we will assign the rules for you.
There are two things to work with: firewall rules and filters. Starting with firewall rules, these are the rules we will set up.
Port - Protocol - Action - Source (if any)
- Any - Any - DENY ALL (Port Punch) - 0.0.0.0/0; this blocks all traffic except what the rules below explicitly allow
- 22 - TCP - ALLOW - all, or only your IP if you have a static address; this is the SSH port
- 80 - TCP - ALLOW - all (HTTP)
- 443 - TCP - ALLOW - all (HTTPS, SSL/TLS)
Edge Filters
- TCP Service - port 80/443 - enables stricter packet validation for TCP packets incoming to a listen port.
- TCP Service (symmetric) - port 80/443 - enables full packet validation for incoming TCP connections; requires that the return traffic is routed through Path.
(This guide will be updated once the new filter page is released.)