On the Discovery network, you can create firewall rules to protect your NVMe instance from malicious attacks. The network firewall provides a layer of protection between your instance and the outside world. Once enabled, all traffic is routed through your firewall, which lets you filter out the traffic you don’t want to reach your server. This is useful if you want to block specific ports like 22, or only allow traffic to certain ports from specific IPs. Here we are going to configure firewall rules that will protect SSH on an instance. Below we also cover pre-configured firewall rules, applied through security groups, that protect software like cPanel.
By default, the firewall on all instances is turned off. This helps prevent confusion for new customers. To enable your firewall, navigate to Services > My Services and select the instance you want to configure a firewall on. From the Instance control panel, click the Firewall icon.
Configure Firewall Rule
You are now ready to configure a firewall rule. Click the + Add button. Let’s go through these options:
- In / Out – Is this firewall rule targeted at traffic coming in or traffic going out?
- Action – What should the firewall do?
  - Accept – Allow traffic through the firewall
  - Reject – Deny traffic through the firewall
  - Drop – Drop the connection
- Interface – What interface should the firewall work on?
  - net0 – Default network for VMs
  - net1 – Internal traffic
- Source – Filter traffic by IP
- Destination – Filter traffic by IP
- Macro – Use a predefined rule
- Protocol – What transport should we monitor? Default is TCP.
- Source Port – Monitor traffic coming from x port
- Destination Port – The port the traffic is going to
In our example, we are going to block all traffic to port 22, so our firewall options will be:
- In > Drop > net0 > tcp (protocol 6) > 22
Before we activate this rule, we can see that SSH is active on our development instance:
[[email protected] ~]# ssh 51.xXx.1x9.114
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Root logins are disabled by default on the network, but we can still connect to port 22. With our firewall rule above this will no longer be allowed, so let’s enable our new rule.
Now, when we try to SSH to this instance, the connection should not complete. Let’s try it. We will use nmap to try to connect:
[[email protected] ~]# nmap 22 51.xXx.1x9.114
Starting Nmap 6.40 ( http://nmap.org ) at 2021-06-13 11:21 UTC
setup_target: failed to determine route to 22 (0.0.0.22)
sendto in send_ip_packet_sd: sendto(4, packet, 40, 0, 51.xXx.1x9.114, 16) => Operation not permitted
Offending packet: TCP 54.36.xXx.239:57701 > 22.214.171.124:80 A ttl=51 id=55236 iplen=40 seq=0 win=1024
sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 1.xXx.1x9.114, 16) => Operation not permitted
Offending packet: TCP 54.36.xXx.239:57957 > 51.xXx.1x9.114:1025 S ttl=43 id=59058 iplen=44 seq=3425942542 win=1024
The output shows that port 22 is being blocked and no connections to that port are allowed. A network firewall is a much better tool than a software firewall like CSF. You can add any firewall rules you require, but be careful when adding them: you could lock yourself out of your instance, and you would then need to disable the firewall or remove the rule to resolve that.
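To confirm which action a rule is actually applying, the following check (an added example, not code from the provider) makes one TCP connection attempt from a machine outside the instance and labels the result with the Accept / Reject / Drop terms used above. It assumes that Reject answers with an explicit refusal while Drop stays silent, and the address in it is a documentation-range placeholder.

```python
import errno
import socket

# Assumption: a Reject rule sends back a refusal, a Drop rule sends nothing.
ACCEPTED = "accepted"            # handshake completed: Accept rule or no filtering
REJECTED = "rejected"            # explicit refusal: Reject rule, or nothing listening
DROPPED = "dropped"              # silence until timeout: consistent with a Drop rule
LOCAL_ERROR = "blocked-locally"  # the probing machine itself refused to send
UNKNOWN = "unknown"


def classify(err):
    """Map a connect() result (0 = success, None = timed out) to an outcome."""
    if err == 0:
        return ACCEPTED
    if err is None or err == errno.ETIMEDOUT:
        return DROPPED
    if err == errno.ECONNREFUSED:
        return REJECTED
    # connect(2) documents EPERM/EACCES for a local firewall rule, so these
    # say nothing about the firewall in front of the instance.
    if err in (errno.EPERM, errno.EACCES):
        return LOCAL_ERROR
    return UNKNOWN


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection to host:port and return the outcome label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(0)
    except socket.timeout:
        return classify(None)
    except OSError as exc:
        return classify(exc.errno)


if __name__ == "__main__":
    # Placeholder from the documentation range; substitute your instance's IP.
    target = "203.0.113.10"
    print(f"{target}:22 -> {probe(target, 22)}")
```

With the In > Drop > net0 > tcp > 22 rule enabled, the expected label for port 22 is "dropped"; run it once before and once after enabling the rule to see the change.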
Firewall Security Groups
A security group is a preconfigured set of firewall rules, usually designed for specific software. From the Firewall section, you can choose to apply security groups to your instance. One example is our cPanel security group, which is preconfigured to allow all of the ports required for cPanel. To apply security groups:
- First, ensure that in “Firewall Options” your firewall input policy is set to “Drop” and your outgoing policy is set to “Accept”. You could also set the outgoing policy to “Reject”.
- Next, in the Firewall section, click the 3 dots and “Add Security Group”.
- Slide the slider to enable and choose a group, but always apply this to the net0 interface.
- Your network firewall is now active.