
Introduction to the KUBBUR datacentre-level firewall

Firewalls are one of the most important factors in the security of a server, offline or online. They can prevent bad actors from accessing ports only meant to be used internally, filter traffic depending on its source IP and in some cases be configured to work with DDoS protection to help mitigate DDoS attacks.

That being said, there are multiple types of firewalls. The one you're likely most familiar with is the built-in operating system firewall bundled with most modern operating systems. In Ubuntu, for example, this is iptables, while on Windows it's Windows Defender Firewall. These firewalls aren't bad per se. Quite the contrary, they're quite powerful and can do lots of great things, but they have one shortcoming: capacity. Your operating system's firewall can only take as much traffic as your server can take, which is determined by the size of your network port and how much CPU processing power you have to yourself.

This is where our datacentre-level firewall comes in. Provided by Path, it's a hardware firewall appliance situated between the internet and our machines. This allows it to filter traffic before it even reaches our host machine, which, combined with its capacity, makes it excellent for filtering high-capacity traffic and restricting access to your server in various ways.

First: the basics

Practically speaking, the KUBBUR datacentre-level firewall, which we'll just call the "firewall" for now, is made available through the firewall web interface, which you can access from the Firewall button in our VPS panel.

By default, all traffic except SSH (port 22) is dropped. This is due to the port punching approach Path uses for DDoS protection: if only intended traffic is permitted through, there's no need to drop unintended traffic (or worse, forget to). It means you'll have to make an allow rule for every port you intend to open. While this is inconvenient, it's also incredibly effective, and we bet you'll start to like this approach after some time ;). The one exception is SSH (port 22), which is open by default and which you will have to drop manually if you want to do something like whitelisting your IP and blocking all other IPs.

That being said, the order of rules is determined by both the specificity of the destination and source IP addresses and the action: dropping traffic takes precedence over allowing it. This means that if we block all traffic from 10.0.0.0/8 but allow all traffic from 10.10.10.10/32, a user connecting from 10.11.11.11 will be blocked while a user connecting from 10.10.10.10 will be allowed to connect. Likewise, blocking everyone (0.0.0.0/0) from connecting to port 22 (SSH) but allowing 10.10.10.10/32 to connect to the same port will only allow incoming connections from 10.10.10.10.

Some practical examples

Whitelisting only your home IP address for port 22 (SSH)

One good solution for securing your server is to simply deny everyone but yourself access to it, using a form of identification that a potential attacker cannot easily fake. IP addresses happen to be a convenient and fairly secure way to do this, which is why we'll demonstrate how to set it up with KUBBUR's firewall.

Step one

Unlike all other ports on your KUBBUR VM, port 22 (SSH) is open by default, so that customers don't have to wait 15-20 minutes for an allow SSH rule to propagate every time they order a server. Because of this, you'll want to first block all incoming traffic on port 22 before continuing. To do this, navigate to the firewall interface by clicking the Firewall button in the VM management interface. Once there, click the New rule button and fill out the fields in the modal as follows:

Make sure to leave the source IP field and the source port field empty.

Step two

Next we'll want to do the actual whitelisting. To do this click the New rule button again and fill out the fields in the modal as follows:

Again, make sure to leave the source port empty.
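
The rule-ordering paragraph and the two-step SSH whitelist above can be checked offline with a small model. This is an added example, not KUBBUR's or Path's code: the Rule fields, the tie-break at equal prefix length and the address 203.0.113.7 (a documentation address standing in for your home IP) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "drop"
    source: str   # source CIDR; "0.0.0.0/0" models an empty source IP field
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

# Default described on the page: SSH (tcp/22) is open, everything else is dropped.
DEFAULT_OPEN = {("tcp", 22)}

def decide(rules, src_ip, proto, dport):
    """Return (action, matched_rule_or_None) for one incoming connection."""
    ip = ipaddress.ip_address(src_ip)
    matches = [r for r in rules
               if r.proto == proto and r.dport == dport
               and ip in ipaddress.ip_network(r.source)]
    if not matches:
        return ("allow" if (proto, dport) in DEFAULT_OPEN else "drop"), None
    # Most specific source prefix wins; at equal specificity drop beats allow
    # (assumed reading of "dropping traffic takes precedence over allowing it").
    best = max(matches, key=lambda r: (ipaddress.ip_network(r.source).prefixlen,
                                       r.action == "drop"))
    return best.action, best

# Constructed rule set: step one (drop everyone on port 22), then step two
# (allow the home address on port 22).
SSH_WHITELIST = [
    Rule("drop", "0.0.0.0/0", "tcp", 22),
    Rule("allow", "203.0.113.7/32", "tcp", 22),
]

def audit(rules, probes):
    """Evaluate constructed probe connections and return their verdicts."""
    return {p: decide(rules, *p)[0] for p in probes}

if __name__ == "__main__":
    probes = [("203.0.113.7", "tcp", 22),    # home address, SSH
              ("198.51.100.9", "tcp", 22),   # any other address, SSH
              ("198.51.100.9", "tcp", 443)]  # port with no rule at all
    for probe, verdict in audit(SSH_WHITELIST, probes).items():
        print(probe, "->", verdict)
```

Evaluating the same probes against only the allow rule leaves port 22 reachable from every address, which is why step one has to be in place for the whitelist to restrict anything.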

Opening OpenVPN to the world

OpenVPN is one of the most widely used VPN applications out there, and we've written a tutorial on installing it. One of the main problems our customers run into whilst installing it is opening the OpenVPN UDP port to the world, so here we'll demonstrate how.

In this example there's only one step: click the New rule button from the firewall management interface and fill out the fields in the modal that appears as follows:

Make sure to leave Source Port empty, otherwise you will most likely not be able to connect to the server.

If you're running OpenVPN access, you may want to open the HTTPS port, port 443, as well, for the management interface to be accessible, like so:

Copyright © 2021 - 2022 KUBBUR Limited. All rights reserved. KUBBUR is a brand of KUBBUR Limited, a duly registered company of England and Wales. Company no. 13999809. ICO no. ZB331924.