✓ Solved

Connectivity lost when enabling the Cloud Firewall

Hi all, I need help setting up the Cloud Firewall.

I added the following set of rules through Linode Manager.

Inbound rules
Label                  Protocol  Port Range  Sources             Action
accept-inbound-SSH     TCP       22          All IPv4, All IPv6  Accept
accept-inbound-HTTP    TCP       80          All IPv4, All IPv6  Accept
accept-inbound-HTTPS   TCP       443         All IPv4, All IPv6  Accept
accept-inbound-DNS     TCP       53          All IPv4, All IPv6  Accept
Default inbound policy: Drop

Outbound Rules
Label                  Protocol  Port Range  Destinations        Action
accept-outbound-SSH    TCP       22          All IPv4, All IPv6  Accept
accept-outbound-HTTP   TCP       80          All IPv4, All IPv6  Accept
accept-outbound-HTTPS  TCP       443         All IPv4, All IPv6  Accept
accept-outbound-HTTPS  DNS       443         All IPv4, All IPv6  Accept
accept-outbound-DNS    TCP       53          All IPv4, All IPv6  Accept
Default inbound policy: Drop

When I enable them, I lose all connectivity from inside the VPS. Can't apt update, can't ping 8.8.8.8. Any clues?

Edit: fixed copy-paste

6 Replies

✓ Best Answer

No worries, just didn't want an open resolver out there haha.

Change the outbound for DNS to UDP.

Did you open port 53 out? DNS uses that port.

@Tntdruid Thanks for your answer. Yes, I did enable port 53 (inbound & outbound) for DNS. I messed up the copy-paste of my rules and have corrected my first post. Sorry about that.

Your firewall rules don't allow outbound pings so those will fail to even send.

Are you sure you want to allow inbound DNS?

I am not sure how you added DNS 443. I am not able to do this in the GUI so maybe something only in CLI.

@nixhex Thanks for your input. You're right, allowing inbound DNS makes no sense. I guess I was desperate and ready to allow anything! (Which kind of defeats the purpose.) Removed it.

Boy did I mess up the copy-paste of those rules. Here goes again, hoping to get it right this time.

Still no luck. :(

Inbound rules
Label                  Protocol  Port Range  Sources             Action
accept-inbound-SSH     TCP       22          All IPv4, All IPv6  Accept
accept-inbound-HTTP    TCP       80          All IPv4, All IPv6  Accept
accept-inbound-HTTPS   TCP       443         All IPv4, All IPv6  Accept
Default inbound policy: Drop

Outbound Rules
Label                  Protocol  Port Range  Destinations        Action
accept-outbound-SSH    TCP       22          All IPv4, All IPv6  Accept
accept-outbound-HTTP   TCP       80          All IPv4, All IPv6  Accept
accept-outbound-HTTPS  TCP       443         All IPv4, All IPv6  Accept
accept-outbound-DNS    TCP       53          All IPv4, All IPv6  Accept
Default inbound policy: Drop

@nixhex Perfect, that works!

(Kind of odd that the preset Linode firewall rule for DNS aims for TCP instead of UDP.)

Sorry for the delayed response and thank you ever so much for your help.
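As an added example (not code from the thread or from Linode), here is a small Python linter over a rule set written in the assumed shape of Linode API v4 firewall rule objects. It flags the three problems the replies point out: outbound DNS allowed over TCP only, no outbound ICMP rule so ping cannot even send, and inbound DNS accepted from every source (open-resolver exposure), and shows the rule set passing once UDP 53 and ICMP are allowed out.

```python
# Rule objects are assumed to follow the Linode API v4 firewall rule shape
# (label, protocol, ports, action, addresses); everything here is constructed.
ANY = {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}
def rule(label, protocol, ports=None, action="ACCEPT", addresses=ANY):
    return {"label": label, "protocol": protocol, "ports": ports,
            "action": action, "addresses": addresses}
# Constructed: the poster's corrected rule set (inbound DNS removed, DNS out still TCP-only).
RULESET = {
    "inbound_policy": "DROP", "outbound_policy": "DROP",
    "inbound": [rule("accept-inbound-SSH", "TCP", "22"), rule("accept-inbound-HTTP", "TCP", "80"),
                rule("accept-inbound-HTTPS", "TCP", "443")],
    "outbound": [rule("accept-outbound-SSH", "TCP", "22"), rule("accept-outbound-HTTP", "TCP", "80"),
                 rule("accept-outbound-HTTPS", "TCP", "443"), rule("accept-outbound-DNS", "TCP", "53")],
}

def port_covered(spec, port):
    """Port specs are comma-separated numbers or N-M ranges; None means all ports (e.g. ICMP)."""
    if not spec:
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def accepts(rules, protocol, port=None):
    """First ACCEPT rule matching protocol (and port, if given), else None."""
    for r in rules:
        if (r["action"] == "ACCEPT" and r["protocol"] == protocol
                and (port is None or port_covered(r["ports"], port))):
            return r
    return None
def lint(fw):
    """Report the three mistakes discussed in the thread; an empty list means none found."""
    findings = []
    if fw["outbound_policy"] == "DROP":
        if accepts(fw["outbound"], "TCP", 53) and not accepts(fw["outbound"], "UDP", 53):
            findings.append("outbound DNS is TCP-only: resolvers query over UDP 53, so lookups fail")
        if not accepts(fw["outbound"], "ICMP"):
            findings.append("no outbound ICMP rule: ping cannot even send")
    for proto in ("UDP", "TCP"):
        r = accepts(fw["inbound"], proto, 53)
        if r and r["addresses"] == ANY:
            findings.append(f"{r['label']} accepts DNS from every source: open-resolver exposure")
    return findings
def fix_outbound(fw):
    """Copy of fw with UDP 53 and ICMP allowed out, as the accepted answer advises."""
    extra = [rule("accept-outbound-DNS-udp", "UDP", "53"), rule("accept-outbound-ICMP", "ICMP")]
    return dict(fw, outbound=fw["outbound"] + extra)
```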
