By: Jimo

Configuring Firewalls

June 20, 2017
Firewall Ubuntu

I'm running two servers, a Perforce Version Control server and a standard HTTP web server for a CMS, each on separate droplets.

I'm quite unsure what I should be setting for firewall rules on each of these. For the web server I've kept pretty much the defaults, inbound SSH on port 22 and all outbound TCP/UDP ports, but I'm really unsure what to do for the Perforce server which connects on 1666. I read this thread which just has me even more confused: https://forums.perforce.com/index.php?/topic/827-ports-to-open-on-firewall/

Any help would be appreciated!

4 comments
  • Can you narrow the question? What about the linked thread confused you?

  • I guess I just have no idea what to set my firewall rules to with Digital Ocean for a Perforce configuration. The thread says it needs 1666, but then if I enable it I'll end up giving access to some bad data.

  • It's saying that it's unencrypted, yes, so you would need to secure things in some way. Are you needing to access it remotely (e.g. over public internet)?

    The recommendation in the thread seems to be to set up a VPN connection and use that to get through the firewall and access Perforce. This is a perfectly valid option.

    I've not worked with Perforce myself, I use Bitbucket. Does Perforce not support SSH, HTTPS, or some other secure method?

  • Ah, that part makes sense. Did some further digging based on your comment and I think I'm getting somewhere. Thanks!

1 Answer
jtittle MOD June 20, 2017
Accepted Answer

@Jimo

If you're running a web server, I'd open ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

If those ports are blocked, you won't be able to get into your Droplet or receive standard web traffic. Console will still be available if you lock yourself out, though if you're using SSH keys, Console won't be an option as SSH keys won't work there.

The thread you linked to isn't stating that you'll end up giving access to data, it's stating that the port is not encrypted (but neither is port 80, which is why HTTPS goes over 443 if enabled).

So what can you do? You can limit what IPs access the port -- that'd probably be best in any case if it isn't something you don't want the public to be able to access. To do this, you'd need a static IP, or a VPN.

You'd whitelist the IP of the VPN, connect to the VPN and then connect on that port. If you aren't on the VPN, then you wouldn't be able to access that port (the same would apply to everyone).

You can whitelist multiple IPs or IP ranges, so if you have multiple users that need to access that port, you can add multiple IPs -- though keep in mind, they need to be static IPs, otherwise you're going to end up removing and adding IPs often. It's not an issue, just more of a burden since you have to keep up with everyone's IP.
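A ufw rule set for the two droplets described in this answer (web server: 22/80/443 open; Perforce server: 1666/tcp only from whitelisted sources), as an added example that is not part of the thread. The addresses in ALLOWED_SOURCES are constructed placeholders standing in for the VPN server's public IP or your static IP ranges, and the function names are chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): print the ufw rule set for each droplet.
# Run without arguments to review the commands; run with --apply as root to execute them.
set -euo pipefail

# Constructed placeholders: replace with your VPN server's public IP and/or your
# static IP/ranges. Only these sources will reach p4d on 1666/tcp.
ALLOWED_SOURCES="203.0.113.10 198.51.100.0/24"

# Accept a dotted IPv4 address with an optional /prefix; reject anything else so a
# typo never becomes a rule with an unintended source.
valid_source() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Web server droplet: SSH, HTTP and HTTPS from anywhere, everything else denied.
web_rules() {
  printf '%s\n' \
    'ufw default deny incoming' \
    'ufw default allow outgoing' \
    'ufw allow 22/tcp' \
    'ufw allow 80/tcp' \
    'ufw allow 443/tcp'
}

# Perforce droplet: SSH from anywhere, 1666/tcp only from ALLOWED_SOURCES.
# There is deliberately no blanket 'ufw allow 1666'; default deny covers the rest.
perforce_rules() {
  local src
  printf '%s\n' \
    'ufw default deny incoming' \
    'ufw default allow outgoing' \
    'ufw allow 22/tcp'
  for src in $ALLOWED_SOURCES; do
    valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    printf 'ufw allow from %s to any port 1666 proto tcp\n' "$src"
  done
}

# Apply a rule set (web|perforce) line by line; ufw must be installed and you must be root.
apply_rules() {
  "${1}_rules" | while IFS= read -r cmd; do $cmd; done
  ufw --force enable
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules "${2:-perforce}"
else
  echo "# perforce droplet:"; perforce_rules
fi
```

Review the printed commands first; `sudo ufw status numbered` after applying shows the resulting rule order.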

  • Just as a clarifying point, limiting what IPs are allowed to access it would help secure access to the Perforce server, and so would be mostly sufficient in terms of helping thwart malicious access attempts. That said, it would not protect the data being passed; any node between the client and the server would be able to view the contents, as it's still unencrypted. If you want to keep the data confidential you would need to use something that supports encryption instead, such as the VPN option.

    Another benefit of using the VPN option is that you don't necessarily need to whitelist what IPs are allowed to connect, as you can restrict access via credentials (this will usually be done with asymmetric keys, rather than a simple passphrase, making unauthorized access incredibly unlikely, and brute force infeasible as an attack.)

    This guide is a good one for setting up OpenVPN. It assumes you're using Ubuntu, but will be largely unchanged on any Debian or derivative distribution. The firewall settings will be the only big difference, if you're not using Ubuntu Firewall (ufw); most people use iptables.

    https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
