Firewall settings: Cut your attack surface

ElasticHosts Inbound Firewall / Packet Filter


Introduction

Our Firewall / Packet filter is an excellent tool to employ in reducing your server’s inbound attack surface. The Firewall can be used to filter (reject/accept) network packets based on three dimensions:

  • Protocol
  • Port
  • Origin

Let's get started

From the Control Panel, click on your server’s cog symbol to gain access to the Firewall settings:

ElasticHosts Control Panel - Configurations

Default settings look like the below:

ElasticHosts Control Panel - Firewall settings

By default, the server is set to receive all* traffic on all ports. Ping traffic (ICMP) is always permitted. Your server’s Firewall can be adjusted on the fly, no need to power off your Virtual Machine or Container.

*A select number of outbound ports are restricted by default. Please raise a support ticket to have them lifted.

Firewall overview

ElasticHosts Control Panel - Firewall settings in details

  1. Closed ports: Inbound traffic arriving on Ports detailed under 'Closed ports' field will be dropped. These packets will not reach your server.

  2. Open ports: Inbound traffic arriving on Ports detailed under 'Open ports' field will be accepted. These packets will reach your server.

  3. Policy: The Policy radio button can be set either to Accept or Reject.

    • Choosing “Accept” will allow everything except traffic defined in the field (1).
    • Choosing “Reject” will drop everything except traffic defined in the field (2).

  4. Technical summary: Hover over the circled question mark (4) for a technical summary.

Good to know

  1. Other non-TCP, non-UDP traffic is filtered if "Policy" is set to "Reject", and allowed through otherwise.
  2. If both "Closed ports" and "Open ports" are empty and "Policy" is set to "Accept", you will not be billed for firewall usage on this server.

Example

Add this rule to the 'Open ports' field: tcp/80

Firewall rule to accept inbound traffic only on TCP/IP port 80

The above rule will allow the server to accept inbound traffic only on TCP/IP port 80 (HTTP). All other inbound traffic is dropped.

To save the above rule, scroll to the top of the page and click Save:

Save Firewall settings

Back on the control panel, the server will now have a Firewall symbol.

Firewall rule enabled

To preview the server's Firewall settings, just hover over the Firewall symbol.

Firewall tooltip on hover

Now that you know how to change the Firewall settings, we will show you a few more examples for Firewall rules.

Firewall syntax

Accept inbound traffic on multiple ports

Let's extend the previous example to include both TCP/IP port 80 & 443 (HTTP/HTTPS). To achieve that, use this rule: tcp/80 tcp/443

Firewall rule to accept inbound traffic on both TCP/IP port 80 & 443

Restrict SSH connections

We can further restrict SSH connections to a single external IP address via the below rule:

tcp/80 tcp/443 tcp/1.2.3.4/22

Firewall rule to accept inbound traffic only from one IP

Tip: To find your external IP address, Google "what is my ip".

Check your IP with Google

Accept inbound traffic from an IP address block

It’s possible to use a CIDR mask to specify a block of IP addresses. If you do that, it's still mandatory to specify a port range as the last part of the rule. To catch all ports, use the range 1:65534.

The below rule would allow HTTP traffic from the entire 10.0.0.0/16 IP block on port 8080:

tcp/10.0.0.0/16/8080

Firewall rule to accept inbound traffic from an IP block on a specified port

To select a range of ports, e.g. from 8080 to 8090, change the rule: tcp/10.0.0.0/16/8080:8090

Block UDP traffic

Entered in the 'Closed ports' field with Policy set to Accept, the below rule will block UDP traffic on all ports but accept all other traffic:

udp/1:65534

Firewall rule to block UDP traffic on all ports
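As an added example (not ElasticHosts' own code or an official parser), the following Python models the rule syntax shown in this section and the Accept/Reject semantics from the overview, so you can check what a given inbound packet would do before saving a rule. The grammar (proto/port, proto/lo:hi, proto/ip/port, proto/cidr/port) and the "any source when no IP is given" default are assumptions reconstructed from the examples above.

```python
import ipaddress

# Assumed grammar, reconstructed from the tutorial's examples (not the vendor's parser):
#   tcp/80 | udp/1:65534 | tcp/1.2.3.4/22 | tcp/10.0.0.0/16/8080:8090
def parse_rule(rule):
    """Return (proto, source network, (lo, hi)) for one rule token."""
    parts = rule.strip().split("/")
    proto = parts[0].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol in {rule!r}")
    if len(parts) == 2:      # tcp/80 -> any source address
        net, ports = ipaddress.ip_network("0.0.0.0/0"), parts[1]
    elif len(parts) == 3:    # tcp/1.2.3.4/22 -> single host
        net, ports = ipaddress.ip_network(parts[1] + "/32"), parts[2]
    elif len(parts) == 4:    # tcp/10.0.0.0/16/8080 -> CIDR block
        net, ports = ipaddress.ip_network(parts[1] + "/" + parts[2], strict=False), parts[3]
    else:
        raise ValueError(f"malformed rule {rule!r}")
    lo, _, hi = ports.partition(":")            # "8080" or "8080:8090"
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {rule!r}")
    return proto, net, (lo, hi)

def parse_field(field):
    """A field holds whitespace-separated rule tokens, e.g. 'tcp/80 tcp/443'."""
    return [parse_rule(tok) for tok in field.split()]

def matches(rules, proto, src_ip, dport):
    ip = ipaddress.ip_address(src_ip)
    return any(p == proto and ip in net and lo <= dport <= hi
               for p, net, (lo, hi) in rules)

def decide(policy, open_ports, closed_ports, proto, src_ip, dport=None):
    """Emulate the panel: Accept = allow all except 'Closed ports';
    Reject = drop all except 'Open ports'. ICMP is always permitted and
    other non-TCP/UDP traffic follows the 'Good to know' note."""
    proto, policy = proto.lower(), policy.lower()
    if proto == "icmp":
        return "accept"
    if policy == "accept":
        if proto not in ("tcp", "udp"):
            return "accept"
        blocked = matches(parse_field(closed_ports), proto, src_ip, dport)
        return "drop" if blocked else "accept"
    if proto not in ("tcp", "udp"):
        return "drop"
    allowed = matches(parse_field(open_ports), proto, src_ip, dport)
    return "accept" if allowed else "drop"
```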

Thanks for reading the tutorial!

If you have any questions, let us know in the comments below.
