Jump toUpdate content
Configuring Firewalls for Instances
A firewall controls incoming and outgoing network traffic based on predefined security rules. Typically it establishes a barrier between a trusted (internal) network and untrusted external network, like the Internet.
UFW, or Uncomplicated FireWall, is a frontend for IPTables to simplify the configuration of your firewall.
You may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
- You have an account and are logged into the Scaleway console
- You have configured your SSH Key
- You have sudo privileges or access to the root user
UFW is available as a pre-built package in the apt repositories of Ubuntu. It can be easily installed via apt:
sudo apt-get install ufw
Configuring security policies
Security policies applied by the firewall on your server depend on your needs and the applications you use.
The most secure configuration is to block all traffic, inbound and outbound by default and to allow ports on a a case by case policy.
In this tutorial, we will configure a policy that blocks inbound packets and authorizes outbound traffic by default.
- Start by defining the policy, that refuses everything by default:
sudo ufw default deny
- Enable outgoing traffic.
sudo ufw default allow outgoing
To define rules, you have to know which services are running on the server and which are their associtated ports.
In this example, a SSH server, HTTP(S) and a DNS server are running on the machine.
Every known protocol uses an associated port from the Well Known Ports list.
The services running on the machine used in this example need the following ports:
- Port 22 / TCP for SSH
- Port 80 / TCP for HTTP
- Port 443 / TCP for HTTPS
- Port 53 / TCP & UDP for DNS
Authorize SSH.sudo ufw allow 22/tcp
Authorize HTTP.sudo ufw allow 80/tcp
Authorize HTTPS.sudo ufw allow 443/tcp
Authorize DNS.sudo ufw allow 53Note:
In this case
TCPhas not to be specified, as both,
Activate the new rules.sudo ufw enable
Verify the configuration.sudo ufw status numbered
A list of all configured rules displays:Status: activeTo Action From-- ------ ----[ 1] 22/tcp ALLOW IN Anywhere[ 2] 80/tcp ALLOW IN Anywhere[ 3] 443/tcp ALLOW IN Anywhere[ 4] 53 ALLOW IN Anywhere[ 5] 22/tcp (v6) ALLOW IN Anywhere (v6)[ 6] 80/tcp (v6) ALLOW IN Anywhere (v6)[ 7] 443/tcp (v6) ALLOW IN Anywhere (v6)[ 8] 53 (v6) ALLOW IN Anywhere (v6)
Adding more rules
As the firewall is running now, it is possible to add more rules to it:
Allow the connection to port 25 (SMTP) via TCP to the server:
sudo ufw allow 25/TCP
Over the time you may recognize, that some of the rules you defined previously don’t match your requirements anymore.
- Display the list of all defined rules:
sudo ufw status numbered
The numbers at the beginning of each row are the number of the rule in UFW. 2. To delete a rule, find its number and type:
sudo ufw delete NUMBER