Introduction to the KUBBUR datacentre-level firewall
Firewalls are one of the most important factors in the security of a server, offline or online. They can prevent bad actors from accessing ports only meant to be used internally, filter traffic depending on its source IP and in some cases be configured to work with DDoS protection to help mitigate DDoS attacks.
That being said, there are multiple types of firewalls. The one you're likely most familiar with is the built-in operating system firewall bundled with most modern operating systems. On Ubuntu, for example, this is iptables, while on Windows it's Windows Defender Firewall. These firewalls aren't bad per se - quite the contrary, they're powerful and can do lots of great things - but they have one shortcoming: capacity. Your operating system's firewall can only handle as much traffic as your server can take in, which is determined by the size of your network port and how much CPU processing power you have to yourself. This is where our datacentre-level firewall comes in. Provided by Path, it's a hardware firewall appliance situated between the internet and our machines. This allows it to filter traffic before it even reaches our host machine, which, combined with its capacity, makes it excellent for filtering high-volume traffic and restricting access to your server in various ways.
First: the basics
Practically speaking, the KUBBUR datacentre-level firewall, which we'll for now just call the "firewall", is made available through the firewall web interface, which you can access from the Firewall button in our VPS panel.
By default, all traffic except SSH (port 22) is dropped. This is due to the port punching approach Path uses for DDoS protection - if only intended traffic is permitted through, there's no need to write drop rules for unintended traffic, or worse, forget to - which means you'll have to make an allow rule for every port you intend to open. While this is inconvenient, it's also incredibly effective, and we're betting you'll start to like this approach after some time ;). However, this does not apply to SSH (port 22), which you will have to drop manually if you want to do something like whitelisting your IP and blocking all other IPs.
That being said, the order of rules is determined by both the specificity of the destination and source IP addresses as well as the action - dropping traffic takes precedence over allowing it - this means that if we block all traffic from 10.0.0.0/8 but allow all traffic from 10.10.10.10/32, a user connecting from 10.11.11.11 will be blocked from connecting while a user connecting from 10.10.10.10 will be allowed to connect. Likewise, blocking everyone (0.0.0.0/0) from connecting to port 22 (SSH) but allowing 10.10.10.10/32 to connect to the same port will only allow incoming connections from 10.10.10.10.
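To make the precedence described above concrete, here is a small added model of it (not Path's or KUBBUR's own implementation, and only the source-prefix and action parts are modelled): among the rules that match a packet, the most specific source prefix wins, a tie goes to "drop", and with no match the default policy applies. The rule set, home IP and OpenVPN port are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "drop"
    source: str              # source CIDR; "0.0.0.0/0" means everyone
    dst_port: Optional[int]  # None means any destination port


def matches(rule: Rule, src_ip: str, dst_port: int) -> bool:
    return (ip_address(src_ip) in ip_network(rule.source)
            and rule.dst_port in (None, dst_port))


def precedence(rule: Rule) -> tuple:
    # Higher wins: more specific source prefix first, then drop over allow.
    return (ip_network(rule.source).prefixlen, rule.action == "drop")


def decide(rules, src_ip: str, dst_port: int) -> str:
    hits = [r for r in rules if matches(r, src_ip, dst_port)]
    if not hits:
        # Default policy described in the text: everything dropped except SSH.
        return "allow" if dst_port == 22 else "drop"
    return max(hits, key=precedence).action


# Constructed rule set: the SSH whitelist from this page plus an OpenVPN port
# opened to the world (1194/udp is OpenVPN's usual default; assumed here).
HOME_IP = "203.0.113.5"  # documentation address standing in for "your home IP"
EXAMPLE_RULES = [
    Rule("drop", "0.0.0.0/0", 22),
    Rule("allow", f"{HOME_IP}/32", 22),
    Rule("allow", "0.0.0.0/0", 1194),
]

if __name__ == "__main__":
    checks = [(HOME_IP, 22), ("198.51.100.9", 22),
              ("198.51.100.9", 1194), ("198.51.100.9", 80)]
    for ip, port in checks:
        print(f"{ip}:{port} -> {decide(EXAMPLE_RULES, ip, port)}")
```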
Some practical examples
Whitelisting only your home IP address for port 22 (SSH)
One good solution for securing your server is to simply deny everyone but yourself access to it, using a form of identification that a potential attacker cannot easily fake. IP addresses happen to be a convenient and fairly secure way to achieve this, which is why we'll demonstrate how to do it with KUBBUR's firewall.
Unlike all other ports on your KUBBUR VM, port 22 (SSH) is open by default, so that customers don't have to wait 15-20 minutes for an allow rule for SSH to propagate every time they order a server. Because of this, you'll want to first block all incoming traffic on port 22 before continuing. To do this, navigate to the firewall interface by clicking the Firewall button in the VM management interface. Once there, click the New rule button and fill out the fields in the modal as follows:
Make sure to leave the source IP field and the source port field empty.
Next we'll want to do the actual whitelisting. To do this, click the New rule button again and fill out the fields in the modal as follows:
Again, make sure to leave the source port empty.
Opening OpenVPN to the world
OpenVPN is one of the most widely used VPN applications out there, and we've actually written a tutorial on installing it. One of the main problems our customers run into while installing it is opening the OpenVPN UDP port to the world, so here we'll demonstrate how.
In this example there's only one step: click the New rule button in the firewall management interface and fill out the fields in the modal that appears as follows:

Make sure to leave Source Port empty, otherwise you will most likely not be able to connect to the server.
If you're running OpenVPN Access Server, you may want to open the HTTPS port, port 443, as well, so that the management interface is accessible, like so: