Managing the firewall

Symbiosis keeps you secure from day one with a pre-configured firewall. It has some sensible defaults, but is simple to configure to your needs by connecting to your server via SFTP and following the instructions below.

Introduction

The firewall configuration files are inside the “/etc/symbiosis/firewall” directory. Inside, you’ll find some sub-directories. These are the important ones:

  • incoming.d – rules for connections made to services on your server
  • outgoing.d – rules for connections made from your server to other services
  • blacklist.d – IP addresses that are always blocked
  • whitelist.d – IP addresses that are always allowed

You can easily manage the firewall by creating or deleting the appropriate files. Read on to find out how to do that.

Allow/deny access to services on your server

These are the default files you’ll see inside /etc/symbiosis/firewall/incoming.d:

00-established
00-related
00-syn-ack-flood-protection
05-essential-icmpv6
05-ping
07-ssh
10-http
10-https
20-ftp
...
99-reject

These files should be named according to the format “number-name”. The “number” determines the position in the firewall. The “name” can be one of three things:

  • a service (eg, http), which is translated to a port number (according to the file /etc/services)
  • a port number (eg, 80)
  • a special name (eg, established), though normally you don’t need to touch these.

For example, the file “/etc/symbiosis/firewall/incoming.d/10-http” allows people to connect to port 80 on your server and visit your website. If the file was called “10-80”, it would have the same effect.

Limit connections to specific IP addresses

You may want to limit connections to your server to only specific IP addresses (eg, from your office). For example, to only allow SSH connections from “203.0.113.1”, “203.0.113.2” and “2001:db8::1/64”, add these lines to the file “/etc/symbiosis/firewall/incoming.d/07-ssh”:

203.0.113.1
203.0.113.2
2001:db8::1/64

Add as many IP addresses as you need to the file, each on a new line. You can add IPv4 addresses (eg, 203.0.113.1), IPv6 addresses (eg, 2001:db8::1), or address blocks using CIDR notation (eg, 203.0.113.1/29).
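The two sections above describe the “number-name” filename format and the per-file address lists. The following is an added example, not part of the Symbiosis documentation or code: a small audit script that parses an incoming.d-style directory, resolves each rule to a port (numeric name, or a lookup in /etc/services), validates every address line, and flags rules that are open to everyone. The set of “special” names is assumed from the defaults listed on this page, and build_demo() constructs a temporary directory mirroring the page’s examples rather than reading a live server.

```python
import ipaddress
import re
import socket
import tempfile
from pathlib import Path

# Special names taken from the defaults this page lists (assumption: the real set may be larger)
SPECIAL = {"established", "related", "syn-ack-flood-protection", "essential-icmpv6",
           "ping", "reject", "reject-www-data"}
RULE_RE = re.compile(r"^(\d+)-(.+)$")   # the "number-name" filename format

def resolve_port(name, services=None):
    """Numeric names are ports; other names are looked up in `services` or /etc/services."""
    if name.isdigit():
        return int(name)
    try:
        return services[name] if services is not None else socket.getservbyname(name)
    except (KeyError, OSError):
        return None

def audit_incoming(dirpath, services=None):
    """Parse each number-name file in an incoming.d-style directory, sorted by filename."""
    rules = []
    for path in sorted(Path(dirpath).iterdir()):
        m = RULE_RE.match(path.name)
        if not m:                            # a misnamed file never becomes a rule
            continue
        number, name = int(m.group(1)), m.group(2)
        allowed, bad = [], []
        for line in filter(None, (raw.strip() for raw in path.read_text().splitlines())):
            try:   # strict=False normalises host bits: 2001:db8::1/64 -> 2001:db8::/64
                allowed.append(str(ipaddress.ip_network(line, strict=False)))
            except ValueError:
                bad.append(line)             # flag it rather than guess what the firewall does
        special = name in SPECIAL
        rules.append({"file": path.name, "number": number, "name": name, "special": special,
                      "port": None if special else resolve_port(name, services),
                      "allowed_from": allowed, "bad_lines": bad,
                      "open_to_all": not special and not allowed})
    return rules

def build_demo():
    """Constructed incoming.d mirroring this page's examples; returns its audit."""
    d = Path(tempfile.mkdtemp())
    files = {"00-established": "", "07-ssh": "203.0.113.1\n203.0.113.2\n2001:db8::1/64\n",
             "10-http": "", "10-443": "", "20-ftp": "203.0.113.300\n", "99-reject": ""}
    for fname, body in files.items():
        (d / fname).write_text(body)
    return audit_incoming(d, services={"ssh": 22, "http": 80, "ftp": 21})
```

Pointing audit_incoming() at a real /etc/symbiosis/firewall/incoming.d (with services=None so /etc/services is consulted) gives a quick list of which ports are reachable from anywhere and which restriction files contain a mistyped address.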

Allow/deny access from your server to other services

These are the default files you’ll see inside /etc/symbiosis/firewall/outgoing.d:

00-established
00-related
05-essential-icmpv6
50-reject-www-data

By default, Symbiosis allows all outgoing connections except those made by your web applications: the file “50-reject-www-data” rejects connections initiated by the www-data user, which the web server runs as. This is common security practice. People can still connect to your web application, but if an attacker manages to compromise the site, this precaution helps to stop them doing more damage.

However, you may want your web application to communicate with an external service (eg, PayPal or Twitter). You can allow this by adding a domain (eg, search.twitter.com) or IP address to the file “outgoing.d/50-reject-www-data”.

If you want to allow all outgoing connections from your web application, delete the file “outgoing.d/50-reject-www-data”.

Block access from abusive IP addresses

If you create a file called “203.0.113.234” inside the “/etc/symbiosis/firewall/blacklist.d” directory, Symbiosis will block all access from the IP address 203.0.113.234. This is useful if you’ve discovered that malicious activity is coming from a particular IP address. Create as many files as you need.

Symbiosis also does some automatic detection of abuse and may decide to block some IP addresses for you. When this happens, you’ll see files that look like “blacklist.d/203.0.113.111.auto” appear.

If there are any IP addresses that have been blacklisted but shouldn’t be, you can delete the appropriate file and Symbiosis will stop blocking it.

Allow access from “known-good” IP addresses

If you create a file called “203.0.113.111” inside the “/etc/symbiosis/firewall/whitelist.d” directory, Symbiosis will always allow access from the IP address 203.0.113.111. This is useful if you always connect from your office and want to make sure you never get locked out from your server. Create as many files as you need (and this will also override the blacklist).

Find out more

There are other things you can do with the firewall, such as creating custom rules or disabling it completely. You can read more in our firewall reference.

You are currently viewing Symbiosis user documentation. Symbiosis also has a comprehensive technical reference manual.
