Linode Cloud Firewall Settings Issues
Having a problem allowing ssh access for developer unless firewall is completely disabled. Also, my app can't send files or messages in chat with these Linode Cloud Firewall settings.
(Image: Current Linode Cloud Firewall Settings)
When the firewall is disabled, my developer can access the server via ssh. I currently have Accept Inbound SSH set for his IP and Accept Outbound SSH set the same way. He can't connect unless the firewall is completely disabled.
I have Accept Inbound HTTP/HTTPS/DNS but if the firewall is on, messages from my app are blocked. When I turn the firewall off, the messages come through with no issues.
What am I missing here? I want to make sure everything is fully secure but also have everything working properly.
2 Replies
Without more information about your intended setup, and the details of exactly which ports/services should be accessible beyond your firewall, it’s difficult to say for certain exactly how your firewall rules should be written. When troubleshooting the initial setup of a firewall, don’t be afraid to start from scratch: pick your preferred firewall option (ufw or Cloud Firewall) and remove all the rules. When that’s done, re-enable one thing at a time, checking at every step that everything works as intended.
If your current configuration isn’t working, it might be because you have competing rules. I think there are two things that you are trying to do here; let’s look at them separately.
# My app can’t send files or messages in chat
The picture that you attached to your post shows the configurations of your Cloud Firewall. One thing that could prevent your app from working is the “Outbound Rules”.
I suggest that you delete the specific Outbound rule and change the default outbound policy to “accept” by default.
The configuration that you have now is blocking all outbound traffic except for ports 22 and 784. But your app might need to use other ports to function normally. In the same way, when interacting with your machine via SSH, restricting outbound traffic can block certain functionalities.
# My developer can't connect unless the firewall is completely disabled
Here’s what I suggest you do:
- Check your internal firewall configurations
If you’re using an internal firewall like ufw, it’s possible that it’s configured in a way that’s conflicting with your Cloud Firewall. The strictest rule wins, so if you blocked port 22 with ufw, you will not be able to access it even if it’s enabled with your Cloud firewall.
If you’re using ufw, review the status of your configurations with `ufw status` and enable port 22 if necessary.
→ More on how to set your ufw rules: Use UFW to manage Firewall Rules
- Confirm which port SSH is using
By convention, SSH listens on port 22 but that can be changed. I can see that you tried to enable ports 22 and 784 for SSH in your Cloud Firewall, so it’s possible that SSH is listening on port 784 and not port 22 as you expect. You can check that by running `nmap -sV -p 22,784 <your-linode-ip>`
If you need to change this, open your sshd config file located in /etc/ssh/sshd_config and adjust the settings. Don’t forget to restart the daemon with `sudo systemctl restart sshd` if you make any changes.
→ More on how to troubleshoot SSH: Troubleshooting SSH on Compute Instances
Note: If you want to control access to SSH, another way could be to restrict it to specific users. In the same sshd_config file, add the users you want to grant access to in the AllowUsers parameter. Note that the users you add must be separated by spaces. This would allow a specific user to access the Linode, regardless of which IP address they are connecting from, while also restricting others from accessing the Linode at all. Combining this approach with key-based authentication, and disallowing root access over SSH, will go a long way in securing remote access to your server.
More generally, I would say that to accomplish what you want to do, it may be better to configure just one firewall (ufw or the Cloud firewall).
The Cloud firewall will block connections before they get to your Linode and you’ll configure it through your Cloud Manager which makes it easier to manage. This option also lets you apply the same rules to different Linodes.
Ufw will block connections when they reach your Linode. Rules are configured from within your machine via the terminal. If you’re looking into setting up more complex rules, this is a better option for you.
→ More on choosing a firewall: Comparing Cloud Firewalls to Linux Firewall Software
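To make the SSH-side checks in the reply above concrete, here is an added example (not Linode's code and not from the reply's author) that reads the global section of an sshd_config, reports which ports sshd will actually listen on and which users are in AllowUsers, and flags the root-login and password-authentication settings the reply recommends turning off. The sample config and the usernames in it are constructed for the demo; the accumulating/first-wins keyword handling follows how sshd resolves duplicate directives, and Match blocks are skipped as a simplification.

```python
"""Audit the global section of an sshd_config (added example, not Linode's code)."""
import re

# Constructed sample: commented-out default port, a non-default port,
# two AllowUsers lines and two settings the reply recommends changing.
SAMPLE_SSHD_CONFIG = """
# Port 22
Port 784
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers deploy-user
AllowUsers developer-placeholder
Match User backup
    PasswordAuthentication no
"""

# Keywords whose values accumulate across lines; for every other keyword
# sshd keeps the first occurrence and ignores later ones.
ACCUMULATING = {"port", "allowusers", "allowgroups", "denyusers", "denygroups"}


def parse_sshd_config(text):
    """Return {keyword: [values]} for the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # Match blocks are conditional; the global section ends here.
        if key in ACCUMULATING:
            settings.setdefault(key, []).extend(value.split())
        else:
            settings.setdefault(key, [value])  # first occurrence wins
    return settings


def effective_ports(settings):
    """sshd listens on 22 unless one or more Port lines override it."""
    return [int(p) for p in settings.get("port", ["22"])]


def audit(settings):
    """Findings a defender would act on, using OpenSSH's defaults when unset."""
    findings = []
    root = settings.get("permitrootlogin", ["prohibit-password"])[0].lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in directly; set it to no")
    password = settings.get("passwordauthentication", ["yes"])[0].lower()
    if password == "yes":
        findings.append("PasswordAuthentication yes: use keys and set it to no")
    if "allowusers" not in settings:
        findings.append("No AllowUsers: every local account may attempt SSH")
    ports = effective_ports(settings)
    if ports != [22]:
        findings.append(f"sshd listens on {ports}, not 22: firewall rules must match")
    return findings


if __name__ == "__main__":
    parsed = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("listen ports:", effective_ports(parsed))
    print("AllowUsers:", parsed.get("allowusers", []))
    for finding in audit(parsed):
        print("-", finding)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `parse_sshd_config`; the listen-port finding is the one that tells you whether the Cloud Firewall rule for port 22 can ever match.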
Based on your imgur pic you're only allowing 22 and 784 out. So 80/443 and 53 incoming won't be able to send out (along with any apps that use DNS port 53) due to your default policy drop rule for outgoing. That alone doesn't explain why SSH doesn't work, but it might, and probably does, explain some of the issues.
Port 53 blocked outgoing means your Linode, and any of its apps, probably can't do DNS lookups/requests.
As for SSH, I'd test that first by making a separate firewall with only your rules for port 22 allowed for incoming (default policy drop for everything else like you already have), and for outgoing just default accept all without any rules (at first). That should lock down port 22 with your developer's IPs to the server. Then maybe experiment with outgoing port 22 rules if you still feel the need to, but unless your dev's IPs need to be forwarded somewhere else, or a separate app on your Linode also uses SSH on some other port, or something else weird like that, you probably don't need to.
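Both replies make the same point about the outbound side: with a default DROP policy and only 22 and 784 allowed out, the Linode cannot open the connections a chat app and a DNS resolver need. The following added example (not Linode's code, not from either reply) models that as an ordered rule list plus a default policy per direction and evaluates a few constructed flows against the rule set reconstructed from the posts and against the suggested fix. First-match-wins evaluation, the developer IP and the peer addresses are assumptions made for the demo (documentation address ranges).

```python
"""Evaluate flows against Cloud-Firewall-style rule sets (added example, not Linode's code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    label: str
    action: str                 # "ACCEPT" or "DROP"
    protocol: str               # "TCP", "UDP" or "ANY"
    ports: tuple                # (low, high) ranges; empty tuple = any port
    network: str = "0.0.0.0/0"  # source for inbound rules, destination for outbound


@dataclass(frozen=True)
class Flow:
    direction: str   # "inbound" or "outbound"
    protocol: str
    port: int        # destination port of the connection being opened
    peer: str        # remote address


def matches(rule, flow):
    """True when the rule's protocol, port range and network all cover the flow."""
    if rule.protocol != "ANY" and rule.protocol != flow.protocol:
        return False
    if rule.ports and not any(lo <= flow.port <= hi for lo, hi in rule.ports):
        return False
    return ipaddress.ip_address(flow.peer) in ipaddress.ip_network(rule.network)


def evaluate(policy, flow):
    """First matching rule decides; otherwise the direction's default policy applies."""
    rules, default = policy[flow.direction]
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


DEV_IP = "203.0.113.10"  # placeholder for the developer's address (assumption)

# Reconstructed from the thread: inbound allows SSH from the developer plus
# HTTP/HTTPS/DNS; outbound allows only 22 to the developer and 784.
CURRENT = {
    "inbound": ([
        Rule("ssh-from-dev", "ACCEPT", "TCP", ((22, 22),), f"{DEV_IP}/32"),
        Rule("http-https", "ACCEPT", "TCP", ((80, 80), (443, 443))),
        Rule("dns", "ACCEPT", "UDP", ((53, 53),)),
    ], "DROP"),
    "outbound": ([
        Rule("ssh-to-dev", "ACCEPT", "TCP", ((22, 22),), f"{DEV_IP}/32"),
        Rule("port-784", "ACCEPT", "TCP", ((784, 784),)),
    ], "DROP"),
}

# The change both replies suggest: keep inbound as is, default-accept outbound.
SUGGESTED = {"inbound": CURRENT["inbound"], "outbound": ([], "ACCEPT")}

# Constructed flows: what the host and the chat app generate in normal use.
FLOWS = {
    "dev ssh in": Flow("inbound", "TCP", 22, DEV_IP),
    "stranger ssh in": Flow("inbound", "TCP", 22, "198.51.100.7"),
    "dns lookup out": Flow("outbound", "UDP", 53, "192.0.2.53"),
    "chat api https out": Flow("outbound", "TCP", 443, "192.0.2.80"),
}


def report(policy):
    """Map each named flow to the verdict the policy gives it."""
    return {name: evaluate(policy, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for title, policy in (("current", CURRENT), ("suggested", SUGGESTED)):
        print(title)
        for name, verdict in report(policy).items():
            print(f"  {name:20s} {verdict}")
```

The two reports show the trade-off the replies describe: the developer's SSH access is unchanged by the outbound policy, while DNS and the app's HTTPS connections only pass once outbound defaults to ACCEPT. If you later want to restrict outbound again, add explicit ACCEPT rules for UDP/TCP 53 and TCP 443 before setting the default back to DROP, and re-run the flows to confirm.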