Example Rules for Linode Cloud Firewall

I'd like to set up Linode's Cloud Firewall, but I didn't see specific case examples on the documentation page. What would be a good set of rules for the following two situations:

1) WordPress on LAMP as a test server. I'd only want the site to be accessible to me (i.e., my IP address) while I'm working on it.

2) the same site live

In both cases I would develop/administer/maintain the server via the Lish console, so external access via SSH not needed unless that would interfere with updates or other things I'm unaware of. :)

Any help on this much appreciated!

2 Replies

Once you've got your head around it, the Cloud Firewall is easy to set up, although I remember scratching my head a couple of times the first time I tried it.

This should cover your first scenario…

1) Create a new firewall and select the relevant Linode.

2) Set the default Inbound (Drop) and Outbound (Accept) rules. This means nothing can connect to your server (Lish still works) but your server can make outbound connections for updates, etc.

3) Click "Add an Inbound Rule", enter a label, select TCP as the protocol, select HTTP (80) and then HTTPS (443) for the ports, select "IP/Netmask" in sources and enter your IP address, make sure the action is "Accept" and click "Add Rule".

4) Your inbound policy should now effectively be "block everything except 80 & 443 from my IP" but it won't take effect until you…

5) Click "Save Changes" at the bottom of the page to activate the new firewall.

In my experience, it takes a few moments for the change to become active. At this point, you could use something like https://validator.w3.org/ to confirm that your website isn't accessible to anyone else.

When you want to make the site live to everyone, you just need to edit the Inbound Rule and change the "Sources" entry to one of the "All…" options (depending on whether you want IPv6), then save your changes.

If you then wanted to block an IP address (e.g. someone running a vulnerability scan on your site), create a new Inbound Rule similar to step 3 but set the action to "Drop". You can then drag the new rule so that it comes before the "Accept" rule in the list of Inbound Rules.

Personally, I'd also set up UFW on the server and replicate the firewall rules. If anything happened to the Cloud Firewall then the local firewall on the server would still give you protection:
https://www.linode.com/docs/guides/configure-firewall-with-ufw/
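The following is an added example (not from the original post, the reply, or Linode) that turns the two scenarios and the "drag the Drop rule above the Accept rule" point into something you can check offline: it builds both inbound rule sets, evaluates sample connections against them with first-match-wins semantics, and emits the equivalent UFW commands for the local firewall the reply recommends. The rule dictionaries follow the shape of Linode API v4 firewall rule objects as I understand them (`action`, `protocol`, `ports`, `addresses`, `inbound_policy`); treat those field names as an assumption to verify against the API docs before sending them with the API or linode-cli. All IP addresses are constructed RFC 5737 / RFC 3849 documentation values.

```python
"""Cloud Firewall rule sets for the two scenarios in the question, plus a
small first-match evaluator and a UFW translation.  Added example, not the
original reply's or Linode's code.  Field names mirror Linode API v4 firewall
rule objects as far as I know them; treat that as an assumption to verify."""
import ipaddress
import json

# Constructed sample values (documentation ranges), not real addresses.
MY_IP = "203.0.113.10"
WEB_PORTS = "80,443"


def web_rule(label, action, ipv4_sources, ipv6_sources=None):
    """One inbound rule: TCP to ports 80 and 443 from the given sources."""
    return {
        "label": label,
        "action": action,  # "ACCEPT" or "DROP"
        "protocol": "TCP",
        "ports": WEB_PORTS,
        "addresses": {"ipv4": list(ipv4_sources), "ipv6": list(ipv6_sources or [])},
    }


def firewall(inbound_rules):
    """Policy from the reply: drop all inbound by default (Lish is unaffected),
    accept all outbound so updates still work, with explicit inbound exceptions."""
    return {
        "inbound_policy": "DROP",
        "outbound_policy": "ACCEPT",
        "inbound": list(inbound_rules),
        "outbound": [],
    }


def test_server_firewall(my_ip=MY_IP):
    """Scenario 1: only my IP may reach the site on 80/443; nothing else inbound."""
    return firewall([web_rule("web-from-me", "ACCEPT", [f"{my_ip}/32"])])


def live_firewall(blocked_ips=()):
    """Scenario 2: site open to everyone on 80/443.  Any IPs to block (e.g. a
    scanner) go in a DROP rule placed *before* the ACCEPT rule, because rules
    are evaluated top to bottom and the first match wins."""
    rules = []
    if blocked_ips:
        rules.append(web_rule("block-scanner", "DROP", [f"{ip}/32" for ip in blocked_ips]))
    rules.append(web_rule("web-from-all", "ACCEPT", ["0.0.0.0/0"], ["::/0"]))
    return firewall(rules)


def _ports(spec):
    """Expand a port spec such as '80,443' or '8000-8010' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def evaluate(fw, src_ip, dst_port, protocol="TCP"):
    """Return 'ACCEPT' or 'DROP' for one inbound connection attempt: first
    matching rule wins, otherwise fall back to inbound_policy."""
    ip = ipaddress.ip_address(src_ip)
    family = "ipv4" if ip.version == 4 else "ipv6"
    for rule in fw["inbound"]:
        if rule["protocol"] != protocol or dst_port not in _ports(rule["ports"]):
            continue
        if any(ip in ipaddress.ip_network(net) for net in rule["addresses"][family]):
            return rule["action"]
    return fw["inbound_policy"]


def ufw_commands(fw):
    """Equivalent UFW commands for the local firewall the reply recommends.
    UFW is also first-match, so emitting the rules in list order keeps a DROP
    rule ahead of the ACCEPT rule it must override."""
    verb = {"ACCEPT": "allow", "DROP": "deny"}
    cmds = [f"ufw default {verb[fw['inbound_policy']]} incoming",
            f"ufw default {verb[fw['outbound_policy']]} outgoing"]
    for rule in fw["inbound"]:
        for net in rule["addresses"]["ipv4"] + rule["addresses"]["ipv6"]:
            for port in rule["ports"].split(","):
                cmds.append(f"ufw {verb[rule['action']]} from {net} to any "
                            f"port {port.strip()} proto {rule['protocol'].lower()}")
    cmds.append("ufw enable")
    return cmds


if __name__ == "__main__":
    print(json.dumps(test_server_firewall(), indent=2))
    for cmd in ufw_commands(live_firewall(blocked_ips=["198.51.100.7"])):
        print(cmd)
```

Running the script prints the scenario 1 rule set as JSON and the UFW command list for a live site with one blocked scanner; note that the `ufw deny` line lands before the `ufw allow from 0.0.0.0/0` line, which is the same ordering the reply achieves by dragging the Drop rule above the Accept rule. The evaluator is the offline equivalent of the reply's validator.w3.org check: a request from any address other than `MY_IP` to port 80 or 443 comes back `DROP` under the test-server rules, as does any port other than 80/443 from `MY_IP` itself.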
