
Managing firewall

Your UpCloud control panel offers an L3 firewall positioned just before the network interface that connects your cloud server to the internet, which puts it in a good position to filter every connection before it reaches the server. The firewall is configured on a per-server basis and billed according to our pricing.

Sign in to your UpCloud control panel, click on the server you wish to configure and open the firewall tab in your server settings.

Note that the UpCloud firewall is stateless: it does not keep track of connections, so replies to traffic your server initiates are not allowed automatically. Make sure to configure rules that allow both the incoming and the outgoing side of every connection you need.

Managing the firewall

When you first open your firewall settings, the rules list will be empty and the firewall itself is disabled. If you already have active services running on the server, such as a website or a database, keep the firewall disabled until you have created all the required rules so that you do not cut off live connections while configuring it.

Click the toggle switch at the top of the firewall panel to enable or disable the service.

[Screenshot: Server firewall options]

Before configuring new rules, check the Default rule settings for both incoming and outgoing traffic. These define the baseline action applied in each direction to any packet that no other rule matches.

The most common approach to firewall configuration is to use Drop as the default rule and define the rules list to accept only the connections you want to allow. Usually there is no need to block outgoing traffic, as anything on your cloud server should be installed and configured intentionally by you, but the option is there if you need to be more restrictive: limiting outbound traffic to what your services actually need reduces what a compromised process on the server is able to reach.

Defining firewall rules

Start by setting the Default rule for incoming traffic to Drop.

[Screenshot: Firewall default drop]

To allow connections on the incoming traffic rules, click the Add rule button, which will open a new firewall rule dialogue window. With the available rule options, you can precisely define which ports accept what kind of traffic and from where.

[Screenshot: Firewall create new rule]

However, if your cloud servers have more than just SSH and web services, creating all the rules manually could get tiresome. Instead, select Import premade profile from the drop-down menu just above your incoming rules.

[Screenshot: Firewall import premade]

You can then select a profile and read the short description of the rule set in the dialogue panel to get a better idea of what each premade profile is meant for. Do not worry if none of the profiles matches your use case perfectly; you can always edit or add more rules later. For the moment, pick the one that comes closest to what you are aiming for.

[Screenshot: Firewall select profile]

Once you’ve made your selection, click the Import rules button to confirm.

This creates a group of inbound rules allowing traffic as described by the premade profile. If you want to try a different profile, just repeat the steps and select another group of rules. Similarly, you can copy rules between cloud servers by selecting Import from another server in the drop-down menu above your incoming rules table.

Finally, click the Save changes button at the right above your incoming rules table to apply the new rules.

[Screenshot: Firewall premade rule set]

The above example configuration is for a standard web server: ports 80 and 443 for HTTP(S), 22 for SSH, and 53 for DNS. Each rule appears twice so that both IPv4 and IPv6 traffic is allowed, and ICMP, which ping uses, is included. The default incoming rule is Drop, so packets heading to any other port are discarded, while the outgoing Default rule is Accept so all outbound traffic is allowed.


Updating firewall rules

You can edit the rules created from the premade profiles just as any other manually added rules by clicking the pencil icon to the right of the rule row. It opens the dialogue panel to change an existing firewall rule with the current settings for that specific rule selected.

For example, you could disable IPv4 ping reply for your server by editing the ICMP/IPv4 rule and selecting Drop from the Action menu. This retains the rule so you can easily allow it again if you wish instead of simply deleting the rule by clicking the bin icon. Save any changes by clicking Ok, or return without changing the rule by clicking Cancel.

[Screenshot: Firewall edit rule]

Please note that the Default rule (Drop or Accept) applies to both IPv4 and IPv6. If your server has an IPv6 interface enabled, remember to add firewall rules for IPv6 traffic as well, otherwise a Drop default silently discards all of it.

As with most firewall setups, the order of the rules also matters. Every packet is compared to the rules from the top down, and the action is taken from the first rule that matches the packet. New rules you create are added to the bottom of the list, but you can change the order by dragging and dropping rules within the list.

As an example of using the rule order: if you wish to block all incoming IPv6 traffic, create a new rule with Family: IPv6, Action: Drop, leave Protocol, Source, and Destination set to "All", then move that new rule to the top of the list. It will supersede every other IPv6 rule below it regardless of their Action selection.
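
Because the firewall is stateless and evaluates rules top-down with first match winning, it helps to check a rule list offline before enabling it. The following is an added example, not UpCloud's own code: a small Python model of those semantics, with rule fields modelled after the dialogue's Family, Action, Protocol, Source and port options. The web-server profile it builds mirrors the example configuration above (80/443, 22, 53 and ICMP per address family); how the premade profile actually expresses the DNS entry is not stated on the page, so this model assumes it admits resolver replies from source port 53, which is exactly the return traffic a stateless firewall must be told about. Function names and the sample packets are constructed for the example.

```python
"""Model of a stateless, first-match firewall rule list (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    family: str                       # "IPv4" or "IPv6" (the Family option)
    action: str                       # "accept" or "drop" (the Action option)
    protocol: Optional[str] = None    # "tcp", "udp", "icmp"; None means all
    source: Optional[str] = None      # CIDR; None means any source address
    src_port: Optional[int] = None    # None means any source port
    dst_port: Optional[int] = None    # None means any destination port
    comment: str = ""


@dataclass
class Packet:
    family: str
    protocol: str
    src: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field it constrains agrees with the packet."""
    if rule.family != pkt.family:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.source is not None:
        net = ipaddress.ip_network(rule.source, strict=False)
        if ipaddress.ip_address(pkt.src) not in net:
            return False
    return True


def evaluate(rules: List[Rule], default_action: str, pkt: Packet) -> Tuple[str, str]:
    """Top-down, first matching rule decides; otherwise the default rule applies.
    No connection state is kept: each packet is judged entirely on its own."""
    for index, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, f"rule {index} ({rule.comment})"
    return default_action, "default rule"


def web_server_profile() -> List[Rule]:
    """Incoming rules in the spirit of the tutorial's web-server profile, once per
    address family. The DNS entry is modelled as resolver replies (source port 53):
    an assumption about the premade profile, but the kind of rule a stateless
    firewall needs so the server's own DNS lookups get their answers back."""
    rules: List[Rule] = []
    for family in ("IPv4", "IPv6"):
        rules += [
            Rule(family, "accept", "tcp", dst_port=80, comment="HTTP"),
            Rule(family, "accept", "tcp", dst_port=443, comment="HTTPS"),
            Rule(family, "accept", "tcp", dst_port=22, comment="SSH"),
            Rule(family, "accept", "udp", src_port=53, comment="DNS replies"),
            Rule(family, "accept", "icmp", comment="ping"),
        ]
    return rules


def block_all_ipv6(rules: List[Rule]) -> List[Rule]:
    """The tutorial's ordering example: an IPv6 drop-all placed at the top of the
    list supersedes every IPv6 accept rule below it."""
    return [Rule("IPv6", "drop", comment="block all IPv6")] + rules


if __name__ == "__main__":
    rules = web_server_profile()
    samples = [  # constructed packets arriving at the server
        Packet("IPv4", "tcp", "203.0.113.10", 40000, 22),      # SSH login
        Packet("IPv4", "tcp", "203.0.113.10", 40001, 3306),    # MySQL probe
        Packet("IPv4", "udp", "198.51.100.53", 53, 51234),     # DNS reply
        Packet("IPv4", "udp", "198.51.100.53", 5353, 51234),   # not a DNS reply
        Packet("IPv6", "tcp", "2001:db8::1", 40002, 22),       # SSH over IPv6
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(rules, "drop", pkt))
    print("with IPv6 blocked:", evaluate(block_all_ipv6(rules), "drop", samples[-1]))
```

Run it as a script to see each sample packet's verdict and which rule produced it; the MySQL probe and the stray UDP packet fall through to the Drop default, and prepending the IPv6 drop-all flips the IPv6 SSH verdict while leaving IPv4 untouched.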

When you are done adding new or editing the existing rules, click the Save changes button again to apply the current set of rules to your firewall, then turn it on by clicking the toggle to Enabled at the top right of the page.

Summary

With the UpCloud Firewall configured and enabled, your cloud server gets an extra layer of protection. Because the rules are managed from the control panel rather than over SSH, a mistaken rule that blocks SSH can be corrected from the web console instead of locking you out of the server. For more intricate connection policies, such as stateful filtering, consider also implementing a server-side software firewall such as iptables.
