
Firewall setup + security on remote server

  • 10-07-2009 12:00pm
    #1
    Registered Users Posts: 6,464 ✭✭✭


    I've got the use of a dedicated server for a while (running Ubuntu jaunty) which came with just the basic ubuntu installation. Which is fun as it's years since I've even used *nix, let alone managed a server. But there's nothing critical on it, so it's good experience.

    I've got the basics set up - LAMP, ftp, webmin - and I'm looking at security.
    A bit of googling suggested shorewall as a better alternative to ufw.

    The first page on the shorewall installation instructions warns not to attempt it on a remote server as you'll probably lock yourself out. Which makes sense. But surely the same is going to apply to ufw or any other firewall, particularly since I'm connecting to the server from my home connection so I'm not guaranteed a fixed IP address at my end.

    Has anyone got any tips/suggestions on setting up security on a remote server without locking yourself out?


Comments

  • Registered Users Posts: 6,464 ✭✭✭MOH


    To answer my own question, I went with shorewall, and took a chance after in general following the instructions in the shorewall section here. I didn't lock myself out, and it seems to be working.

    Two important things to note when setting it up initially.

    The rules file is the first thing checked - if there's a matching rule found there then none of the other stuff in the zones or policy files are checked.

    So add the entry:
    SSH/ACCEPT net $FW
    
    to your rules file, to ensure that no matter what else, you can still access your server through ssh.
    Of course, this is also saying that ssh connections will be accepted from anywhere, so you might want to narrow that down later.


    The other thing is the routestopped file, which determines what traffic is allowed while the firewall is in a 'stopped' state.
    Add:
    eth0    a.b.c.d/blah
    
    replacing a.b.c.d/blah with the IP address (if static) or netmask (if dynamic) you connect from.

    Finally, always run shorewall check before restarting shorewall to validate that your config files are correct.

    That should (hopefully) help stop you locking yourself out while configuring shorewall (though I make no guarantees!).


    (Also, if you are following that guide, don't forget to do the last shorewall bit where you enable ping and mail - I spent 2 hours trying to get my mailserver set up before copping on that the firewall was blocking inbound mail).
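
Added example, not part of the thread and not Shorewall's own code: a pre-flight check for the two safeguards the post above describes, run against copies of the `rules` and `routestopped` files before restarting. The function names, file contents, interface and addresses are constructed assumptions, and only simple zone, address and CIDR syntax is handled.

```python
import ipaddress

# Constructed sample files; 203.0.113.0/24 is a documentation range.
RULES = """\
Ping/ACCEPT  net  $FW
SSH/ACCEPT   net  $FW
"""
ROUTESTOPPED = """\
#INTERFACE  HOST(S)
eth0        203.0.113.0/24
"""

def parse(text):
    """Return non-empty rows as column lists, with '#' comments stripped."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [cols for cols in rows if cols]

def covers(hosts, admin_ip):
    """True if a comma-separated list of addresses/CIDR blocks contains admin_ip."""
    ip = ipaddress.ip_address(admin_ip)
    return any(ip in ipaddress.ip_network(h, strict=False) for h in hosts.split(","))

def ssh_allowed_from(rules_text, admin_ip):
    """Look for an SSH accept rule from zone 'net' to $FW that admits admin_ip."""
    for cols in parse(rules_text):
        if len(cols) < 3 or cols[2] != "$FW":
            continue
        # Macro form (old and new spelling) or an explicit tcp/22 ACCEPT.
        is_ssh = (cols[0] in ("SSH/ACCEPT", "SSH(ACCEPT)")
                  or cols[:1] + cols[3:5] == ["ACCEPT", "tcp", "22"])
        zone, _, hosts = cols[1].partition(":")
        if is_ssh and zone == "net" and (not hosts or covers(hosts, admin_ip)):
            return True
    return False

def routestopped_covers(text, iface, admin_ip):
    """Check that admin_ip stays reachable on iface while Shorewall is stopped."""
    for cols in parse(text):
        hosts = cols[1] if len(cols) > 1 else "-"   # "-" or empty means any host
        if cols[0] == iface and (hosts == "-" or covers(hosts, admin_ip)):
            return True
    return False

def preflight(rules_text, routestopped_text, iface, admin_ip):
    """Return a list of lockout risks; an empty list means both safeguards hold."""
    problems = []
    if not ssh_allowed_from(rules_text, admin_ip):
        problems.append("rules: no SSH ACCEPT from net to $FW for " + admin_ip)
    if not routestopped_covers(routestopped_text, iface, admin_ip):
        problems.append("routestopped: " + admin_ip + " not listed for " + iface)
    return problems

if __name__ == "__main__":
    print(preflight(RULES, ROUTESTOPPED, "eth0", "203.0.113.57") or "ok")
```

This only looks for the two entries and does not validate the rest of the configuration, so `shorewall check` is still needed before the restart.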


  • Registered Users Posts: 8,813 ✭✭✭BaconZombie


    If you're looking for a Firewall have a look into index.php?option=com_content&task=view&id=40&Itemid=43.

