You will only be able to manage your server's firewall if your user role has permission to do so. Review our guide for more information on the different roles and permissions.
For users of our Advanced Integration, ServerAuth can provide web-based management of your server's firewall, with options to view existing rules, add/remove rules and enable or disable the firewall.
We support Debian and Ubuntu based servers and use the system's built-in UFW firewall. Unless changes have been made to your server to remove UFW you should not need to perform any setup work at all.
If however UFW has been removed, it can be installed again via APT by running: sudo apt-get install ufw
When you first visit the firewall section of your ServerAuth control panel we'll attempt to load the current firewall details. This will include its current active state, its run-on-boot state, and any existing rules that you or your hosting provider may have added.
To add a new rule, click on the 'Add Rule' tab and fill out the form with the rule details. We currently support creating ALLOW, DENY and LIMIT rules, which do the following:
An allow rule tells your server to permit an IP (or all traffic if no IP is provided) to access your server, or permits your server to access outside destinations if the 'outbound' option is selected. You can also optionally specify a port.
An example of where you may wish to use this is to allow all traffic inbound access to ports 80 and 443 for websites, or to allow your office or team member's IP address access to port 22 for SSH access.
A deny rule has the opposite effect of the allow rule, and blocks access to/from your server, again with the option to specify an IP and port.
Limit rules allow you to throttle traffic to your server. These would typically only be used for inbound traffic, and only in special circumstances. We recommend using tools such as Fail2Ban for handling things like limiting SSH access.
When this is used UFW will limit traffic to 6 connection attempts within a 30-second period before blocking an IP. Caution is advised, and we recommend reviewing the documentation for your operating system before making use of this.
Rules can be set to apply to either inbound traffic or outbound traffic. In most cases you won't need to use the outbound options, and many servers just allow all outbound traffic as it makes things easier if your server runs multiple processes (obviously depending on your setup and usage there may be security implications to doing this).
When adding a new firewall rule you can provide a single IP address or an IP range (aka CIDR). For example, if you wanted to block IPs 188.8.131.52 through to 184.108.40.206 you would enter 220.127.116.11/24. This also works for IPv6 addresses.
You can also leave the IP Address field blank to apply the rule to all IPs.
The port field allows you to enter either a single port, a list of ports, or a range of ports. For example to apply the rule to ports 100 through to 200 you would enter 100:200. To apply the rule to ports 80 and 443 only you would enter
The port rule can be left blank if you wish to apply the rule to all ports. This would typically be the case if you were wanting to block an IP from any kind of server access, or wanted to allow all outbound traffic.
Which protocol to select depends on the service the rule applies to. Services such as Apache, Nginx, SSH, and MySQL use the 'TCP' protocol. If your server runs something like OpenVPN you may find it uses the 'UDP' protocol.
If you're unsure of which to use and it's a common package such as a webserver then there's typically no harm leaving the protocol set to 'All', however for maximum security we do recommend limiting access only to the protocol that the service applies to.
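The rule fields described above (action, direction, IP or CIDR, ports, protocol) correspond to the arguments of one ufw command. The Python below is an added example, not ServerAuth's own code: it validates the fields and builds that command, normalising a CIDR entered with host bits set and refusing a port list or range when no protocol is chosen, which UFW itself rejects. The function names, the lowercase field values, and treating the IP as the remote peer for outbound rules are assumptions made for this example.

```python
import ipaddress

ACTIONS = {"allow", "deny", "limit"}
PROTOCOLS = {"all", "tcp", "udp"}

def parse_ports(spec):
    """Validate '22', '80,443' or '100:200'; an empty field means all ports."""
    spec = spec.replace(" ", "")
    if not spec:
        return None
    for item in spec.split(","):
        bounds = item.split(":")
        if len(bounds) > 2 or not all(b.isdigit() and 1 <= int(b) <= 65535 for b in bounds):
            raise ValueError(f"bad port entry: {item!r}")
        if len(bounds) == 2 and int(bounds[0]) >= int(bounds[1]):
            raise ValueError(f"range start must be below range end: {item!r}")
    return spec

def build_ufw_rule(action, direction="in", address="", ports="", protocol="all"):
    """Return the ufw argv for one rule, or raise ValueError on bad input."""
    if action not in ACTIONS or direction not in {"in", "out"} or protocol not in PROTOCOLS:
        raise ValueError("unknown action, direction or protocol")
    if action == "limit" and direction == "out":
        # Choice made for this example: limit rules are built for inbound only.
        raise ValueError("limit rules are only built for inbound traffic here")
    # strict=False accepts an address with host bits set (203.0.113.77/24) and
    # reduces it to the network, so the rule shows the range it really covers.
    address = address.strip()
    peer = str(ipaddress.ip_network(address, strict=False)) if address else "any"
    port_spec = parse_ports(ports)
    # UFW rejects a port list or range unless the rule names tcp or udp.
    if port_spec and ("," in port_spec or ":" in port_spec) and protocol == "all":
        raise ValueError("a port list or range needs protocol tcp or udp")
    argv = ["ufw", action, direction]
    # Assumption: the IP field is the remote peer (source inbound, destination outbound).
    argv += ["from", peer, "to", "any"] if direction == "in" else ["to", peer]
    if port_spec:
        argv += ["port", port_spec]
    if protocol != "all":
        argv += ["proto", protocol]
    return argv

if __name__ == "__main__":
    # Constructed sample inputs using documentation address ranges.
    print(" ".join(build_ufw_rule("allow", ports="80,443", protocol="tcp")))
    print(" ".join(build_ufw_rule("allow", address="203.0.113.77/24", ports="22", protocol="tcp")))
    print(" ".join(build_ufw_rule("deny", "out", "2001:db8::/32")))
```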
When we load your firewall we'll automatically whitelist our system IP addresses. These are the IPs ServerAuth uses to run commands on your behalf. If the rules are removed or altered we'll attempt to automatically correct them the next time an action is performed, providing we've still got access to do so. We'll also automatically update this list should our IP range change, or if we add any new ones to our pool.
Users with the correct permissions (as standard both Admins and Managers) will be able to start and stop the firewall from the 'Options' dropdown menu.
When you start or stop the firewall we'll also automatically change the boot state. So, for example, if you stop the firewall this will also stop it from running again should your server reboot, and if you start the firewall we'll set it to run on boot.