Configuring Firewalls for Instances

• Firewall
• UFW
• port-25

A firewall controls incoming and outgoing network traffic based on predefined security rules. Typically, it establishes a barrier between a trusted (internal) network and an untrusted external network, like the internet.

UFW, or Uncomplicated FireWall, is a frontend for IPTables to simplify the configuration of your firewall.

Before you startLink to this anchor

To complete the actions presented below, you must have:

• A Scaleway account logged into the console
• Owner status or IAM permissions allowing you to perform actions in the intended Organization
• An Instance running on Ubuntu Focal Fossa or later
• An SSH key
• sudo privileges or access to the root user

Installing UFWLink to this anchor

UFW is available as a pre-built package in the apt repositories of Ubuntu. It can be easily installed via apt.

1. Connect to your Instance with SSH. In a terminal run:

   ssh root@<your_instance_ip>
   

2. Update the system and upgrade the software already installed on the Instance.

   apt update && apt upgrade -y
   

3. run the command below to install UFW:

sudo apt-get install ufw

Configuring security policiesLink to this anchor

Security policies applied by the firewall on your server depend on your needs and the applications you use.

The most secure configuration is to block all traffic, inbound and outbound by default and to allow ports on a case-by-case policy.

In this tutorial, we will configure a policy that blocks inbound packets and authorizes outbound traffic by default.

1. Start by defining the policy, that refuses everything by default:

   sudo ufw default deny
   

2. Enable outgoing traffic.

   sudo ufw default allow outgoing
   

Establishing rulesLink to this anchor

To define rules, you have to know which services are running on the server and which are their associated ports.

In this example, an SSH server, HTTP(S), and a DNS server are running on the machine.

Every known protocol uses an associated port from the well-known ports list.

The services running on the machine used in this example need the following ports:

• Port 22 / TCP for SSH
• Port 80 / TCP for HTTP
• Port 443 / TCP for HTTPS
• Port 53 / TCP & UDP for DNS

1. Authorize SSH.

   sudo ufw allow 22/tcp
   

2. Authorize HTTP.

   sudo ufw allow 80/tcp
   

3. Authorize HTTPS.

   sudo ufw allow 443/tcp
   

4. Authorize DNS.

   sudo ufw allow 53
   

   Note

   In this case TCP has not to be specified, as both TCP and UDP are needed.

5. Activate the new rules.

   sudo ufw enable
   

6. Verify the configuration.

   sudo ufw status numbered
   

   A list of all configured rules displays:

   Status: active
       To                         Action      From
       --                         ------      ----
   [ 1] 22/tcp                     ALLOW IN    Anywhere
   [ 2] 80/tcp                     ALLOW IN    Anywhere
   [ 3] 443/tcp                    ALLOW IN    Anywhere
   [ 4] 53                         ALLOW IN    Anywhere
   [ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
   [ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
   [ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
   [ 8] 53 (v6)                    ALLOW IN    Anywhere (v6)
   

Adding more rulesLink to this anchor

As the firewall is running now, it is possible to add more rules to it:

Allow the connection to port 25 (SMTP) via TCP to the server:

sudo ufw allow 25/tcp

Deleting rulesLink to this anchor

Over time, you may recognize that some of the rules you defined previously do not match your requirements anymore.

1. Display the list of all defined rules:

   sudo ufw status numbered
   

The numbers at the beginning of each row are the number of the rule in UFW.

2. To delete a rule, find its number and type:

   sudo ufw delete <RULE_NUMBER>