A Hardware Firewall is a network device that is connected upstream from a server. The Firewall blocks unwanted traffic from a server before the traffic ever reaches the server. The main advantage to having a Hardware Firewall is that a server only has to handle 'good' traffic and no resources are wasted dealing with the 'bad' traffic.
Configuring a Firewall is as simple as creating a set of rules to allow access to certain ip addresses and ports from specific internet addresses.
Adding a Firewall to a Server
To add a Firewall to a server, click on the link under the Security->hardware firewall tab in the customer portal. This page will display a list of servers on the account and show which servers are eligible to be protected by a Firewall, which ones are already protected by a Firewall, and which ones cannot be protected by a Firewall due to network configuration.
To add a Firewall to your server, assuming the server is eligible for a Firewall, click the 'add' link and instructions will be displayed on how to have Firewall protection added to the server. Once a Firewall has been added to a server, an 'edit' link will be available to configure the Firewall.
When a Firewall is first added to a server, a set of rules is initially put in place that allows all traffic to reach the server. The rules can then be edited to control the traffic reaching the server. Rules are displayed in order with lower numbered rules having precedence over higher number rules.
From the Firewall management link, click on the 'edit' link for the Firewall to be configured. The page will display a block showing a tab with the current rules in effect plus several tabs containing templates customized for the server's operating system.
At this point links are available to edit the current rules or start fresh using a template. Once the user has selected to either edit the current rules, or edit a new configuration starting with a template, a list of rules is shown with an 'edit' button on each line. This list of rules is known as the 'working config'. A 'working config' is a set of rules that is in the process of being created but has not yet been applied to the Firewall. A user may edit, add, and delete rules until the rule set is completed and then apply the rules to the Firewall which will put the rule set into effect.
Clicking on the 'edit' button takes the user to a rule edit form. The fields are:
- Order - this select list controls the order in which rues are evaluated
- Action - this select list is used to 'permit' or 'deny' traffic matching this rule
- Source IP - this ip address field can be either 'any' or a specific ip address (must be an ip, not a name)
- Source IP Mask - this select list is used when a range of ips is required for a rule, usually set to 'entire internet'
- Destination Ports - these two fields allow selection of the port or port range for the rule (for one port, put the same port number in both fields)
- Protocol - this select list allows the rule to only be appliced for a specific protocol (usually tcp)
FTP - 21
SSH - 22
Telnet - 23
SMTP - 25
DNS - 53
HTTP - 80
POP3 - 110
IMAP - 143
HTTPS - 443
MSSQL - 1433
MySQL - 3306
Remote Desktop - 3389
PostgreSQL - 5432
VNC Web - 5800
VNC Client - 5900
Urchin - 9999 or 10000
Once the 'working config' is complete, press the 'Apply Config' button to have the 'working config' applied to the Firewall. The rules should take effect immediately.
Bypassing the Firewall
If a user wishes to have all traffic temporarily pass through the Firewall, a 'Bypass' button is available on many of the Firewall management pages. When a Firewall is in this mode, a rule is put in place to allow all traffic to pass through. The last set of applied rules is still stored and may be put back into effect at any time by re-applying the configuration. While in bypass mode, the status line on the Firewall management pages will display 'bypassed'.