Configuring the Firewall on a Dedicated server

Last modified: Wednesday November 22nd, 2023

This article describes how to activate the firewall.

Introduction

Online’s stateless firewall is a free security solution for your dedicated root server. In the client’s area, you can use the firewall feature to define your own filtering settings for incoming and outgoing traffic.

With our stateless firewall, or static firewall, data packets are not unpacked; rather, the head of each individual packet is inspected, and depending on the pre-defined settings, the firewall will decide whether to allow or reject these packets. In this way, the firewall prevents unpermitted access to your server.

However, with firewalls, it is important to remember that they do not actually recognize attempted attacks themselves. They only enforce a set of pre-defined rules for network communications.

The firewall for Robot customers (who use dedicated root servers) is configured to the switch port. By default, the firewall filters only IPv4 traffic, an additional IPv6 filter can be enabled via the Filter IPv6 packets option.

How do I activate the firewall?

You can activate the firewall by going to Main functions -> Servers. Then choose the server you would like, go to Firewall, and activate it. If you activate the firewall before entering any firewall rules, you will block all incoming traffic.

The firewall will immediately become active and will be configured to the switch. The configuration takes approximately 20-30 seconds.

Firewall rules

You can use a maximum of 10 rules per direction.

Parameter

  • Name: You can choose any name you like. Only special characters are not permitted.
  • IP version: IPv4 or IPv6 or not specified (*)
  • Protocol: Selection of protocol (for example, TCP or UDP).
  • Destination IP and source IP: You can enter IP addresses either as single IPs or as a subnet in CIDR notation (for example, <192.168.0.1> or <192.168.0.0/30>). Since the firewall is configured on the switch port, the rule without specified destination IP will apply to all IP addresses for the server.
  • Destination port and source port: You can enter ports as single ports or port ranges (for example, 80 or 32768-65535).
  • TCP flags: You can enter TCP flags (syn, fin, rst, psh, urg) individually or as a logical combination (| for logical OR = At least one of the flags must be set; & for logical AND = All flags must be set).
  • Action: The action defines what should happen with the packets when a rule applies, meaning it defines if the packets should be rejected (discard) or if they should be forwarded (accept).

Prioritizing

Rules are applied in the same order as they are defined in the client’s area. They are executed from top to bottom. You can change the order of the rules after you enter them by using the green arrow icons at the end of each rule.

If rule #1 does not apply, then rule #2 will be checked. If rule #2 also does not apply, then rule #3 will be checked and so on until one rule applies and the packet is either discarded or accepted in accordance with the defined action. If the second rule applies, for example, then all rules after that will not be checked. If none of the rules apply, then the packet will be discarded.

IPv6 Filter

The IPv6 filter can be activated via the “IPv6 filter” checkbox.

Please note that when the IPv6 filter is activated, all IPv6 traffic is blocked if no rules for IPv6 packets have been created yet.

If you do not specify an IP version for a rule, then the rule applies to both IPv4 and IPv6.

Limitations IPv6

  • It is not possible to filter the ICMPv6 protocol. ICMPv6 traffic to and from the server is always allowed. It is necessary to allow ICMPv6 by default because ICMPv6 is an important auxiliary protocol and is mandatory for the operation of IPv6.
  • For rules with IP version IPv6 or no specification of IP version, it is not possible to filter on destination and source IP address.
  • Without specifying the IP version, it is not possible to filter on a specific protocol.

Notes about stateless firewall configuration

A stateless firewall only makes decisions about packets by inspecting individual packets. Therefore, the firewall doesn’t “keep track of” whether or not an incoming packet belongs to an established connection. For this reason, unless you enter an additional rule, all outgoing connections from the server, and if you filter outgoing pakets all incoming connections to the server, will not work, because the respective answer packets in the opposite direction can no longer pass the filter.

Incoming direction

Without an additional rule, all answer packets coming to the server cannot pass the firewall.

You can use the following rule to generally allow all responses to TCP connections:

 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination port: 32768-65535 (Ephemeral Port Range)
 Protocol: tcp
 TCP flags: ack
 Action: accept

By entering IP addresses and TCP ports, you can, of course, make this rule more restrictive.

Example

The following rules are defined in the firewall:

Incoming: Only HTTP pakets allowed

 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination port: 80
 Protocol: tcp
 TCP flags: No entry
 Action: accept

Outgoing: No restrictions

 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination port: No entry
 Protocol: *
 TCP flags: No entry
 Action: accept

The server <1.2.3.4> establishes a connection to the external webserver and sends the following TCP packet:

 Source IP: 1.2.3.4
 Destination IP: 4.3.2.1
 Source port: 44563 (random port from the ephemeral port range)
 Destination port: 80
 Protocol: tcp
 TCP flags: syn

In this example, the outgoing packet is not blocked by the firewall at all since only incoming connections are filtered.

The webserver <4.3.2.1> responds with the following packet:

 Source IP: 4.3.2.1
 Destination IP: 1.2.3.4
 Source port: 80
 Destination port: 44563
 Protocol: tcp
 TCP flags: syn & ack

This packet is blocked without the additional rule. So a connection cannot be established.

Outgoing direction

Similar to Incoming direction, answer packets are not automatically allowed for the opposite direction.

If only certain outgoing packets are allowed, then without further rules, answer packets from the server to connection requests to server services will also be unable to pass through the firewall.

You can add a general rule for the outgoing direction to allow all answer packets:

 Source IP: No entry
 Destination IP: No entry
 Quell-Port: No entry
 Ziel-Port: 32768-65535 (Ephemeral Port Range)
 Protocol: tcp
 TCP flags: ack
 Action: accept

Please note that the ephemeral port range of all clients must be respected here, this may differ from the port range of the server.

As a further essential rule, it is also recommended to allow packets to the DNS service.

 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination Port: 53
 Protocol: udp
 TCP flags: No entry
 Action: accept
Example

The following rules are defined in the firewall:

Incoming: No restrictions

 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination port: No entry
 Protocol: *
 TCP flags: No entry
 Action: accept

Outgoing:

Only HTTP and DNS traffic allowed.

 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination port: 80
 Protocol: tcp
 TCP flags: No entry
 Action: accept
 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination port: 53
 Protocol: udp
 TCP flags: No entry
 Action: accept

The client 4.3.2.1 establishes a connection to your HTTP server 1.2.3.4.

 Source IP: 4.3.2.1
 Destination IP: 1.2.3.4
 Source port: 44563 (random port from the Ephemeral Port Range)
 Destination port: 80
 Protocol: tcp
 TCP flags: syn

This packet can pass through the firewall, since incoming all traffic is allowed.

The server wants to respond to the connection request with a SYN & ACK packet:

 Source IP: 1.2.3.4
 Destination IP: 4.3.2.1
 Source port: 80
 Destination port: 44563
 Protocol: tcp
 TCP flags: syn & ack

This packet cannot pass the firewall in outgoing direction, because outgoing TCP traffic is only allowed to port 80.

The remedy is either a general rule as described above, or a special rule to allow only responses from the web server:

 Source IP: keine Angabe
 Destination IP: keine Angabe
 Source port: 80
 Destination port: 32768-65535 (Ephemeral Port Range)
 Protocol: tcp
 TCP flags: ack
 Action: accept

Firewall templates

If you click on the Firewall templates button in the server overview (Main functions -> Servers), you can create your own rulesets. Then you can paste these rules via the drop-down menu for the servers’ firewall configuration and configure them.

In addition, there are several pre-defined example templates for common server services by default.

Was this article helpful?
Views: 195

10 Years Beehosting!
Celebrate with 70% OFF + FREE Site Transfer.

Beehosting.pro website uses cookies

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Menu