All about firewall rules
A firewall rule decides who can reach a service, port, or HAProxy listen on a specific node. This article walks through the two halves — 'Source' and 'Target' — and the firewall-group concept that goes with them.
Where to find firewall rules
Firewall rules are managed per node. In Core, open a node — the 'Firewall Rules' section lists its rules, with a '+' button to create one.
Creating a firewall rule
The 'Create Firewall Rule' page is built around two tile-grid sections.
Source — who is allowed
Pick exactly one 'Source' tile:
- 'All' — allow everyone (the default).
- A firewall group by name — allow only the IP networks in that group.
- An external provider — allow only IP ranges published by 'AWS', 'Google Cloud', 'Atlassian', or 'Buddy'. These tiles are disabled if external providers aren't enabled on the cluster (see below).
- 'New Firewall Group' — a shortcut tile that takes you to the firewall-group create page, then back to finish the rule.
Target — what is protected
Pick exactly one 'Target' tile:
- A service — 'SSH', 'ProFTPD', 'nginx', or 'Apache'.
- An 'HAProxy listen' on the node (one tile per existing listen).
- 'Port' — picking this reveals a 'Port Number' input for a specific TCP port.
The rule applies to the node you're creating it from.
ProFTPD covers PASV ports too
The 'ProFTPD' service tile doesn't only cover port 21. It also covers the passive (PASV) data port range 49152–65534, which FTP clients negotiate dynamically. You don't need to add a separate rule for those ports.
Enabling external providers
External-provider source tiles ('AWS', 'Google Cloud', 'Atlassian', 'Buddy') are greyed out until external providers are enabled on the cluster's firewall properties — the tooltip on the disabled tile says exactly that.
One-way switch
Once external providers are turned on for a cluster, they can't be turned off again.
Docker nodes
On nodes with Docker installed, the firewall leaves the iptables FORWARD chain alone — Docker manages its own rules there. Firewall rules you create still apply to inbound traffic (INPUT), so the user-facing behaviour is the same. The difference matters only if you're inspecting the raw iptables ruleset and wondering why Docker's chains are intact.
Firewall groups
A firewall group is a named, reusable list of IP networks. Use one when you want the same allow-list across multiple firewall rules — change the group's IPs in one place and every rule that uses it follows.
Where to find them
Firewall groups are managed per cluster. In Core, open a cluster — the 'Firewall Groups' section lists them, with a '+' button to create one.
Creating a firewall group
The 'Create Firewall Group' page has:
- 'Name' — lowercase letters, digits and underscores only.
- 'IP Network' — a CIDR range. Use the '+' button to add another row; Tab from the last row auto-adds one.
To allow a single IP address, use a /32 (IPv4) or /128 (IPv6). For example:
192.0.2.6/32
2001:0db8:8aa:bc:111:abcd:aa11:8991/128
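The following is an added example, not the product's own code, that models the firewall groups and rules described on this page and evaluates whether a given connection would pass. It enforces the group-name and CIDR constraints from the 'Create Firewall Group' page (rejecting a network whose host bits are set, so a typo cannot silently widen an allow-list), and it expands the 'ProFTPD' target to port 21 plus the PASV range 49152–65534 as described above. The class and function names are hypothetical, and the ports assumed for 'SSH', 'nginx' and 'Apache' are conventional defaults, not something this page states.

```python
"""Added example: model firewall groups and rules and evaluate a connection.
Not the product's code; names and the non-ProFTPD port mappings are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Group names: lowercase letters, digits and underscores only (as the create page requires).
GROUP_NAME_RE = re.compile(r"^[a-z0-9_]+$")

# Service tiles and the inclusive TCP port ranges they cover.
# ProFTPD covers port 21 plus the passive (PASV) data range 49152-65534.
# SSH/nginx/Apache ports are conventional defaults assumed for this example.
SERVICE_PORTS = {
    "SSH": [(22, 22)],
    "ProFTPD": [(21, 21), (49152, 65534)],
    "nginx": [(80, 80), (443, 443)],
    "Apache": [(80, 80), (443, 443)],
}


@dataclass
class FirewallGroup:
    """A named, reusable list of IP networks."""
    name: str
    networks: list  # ipaddress.IPv4Network / IPv6Network objects


@dataclass
class FirewallRule:
    """source: "All" or a FirewallGroup; target: a service name or ("Port", n)."""
    source: object
    target: object


def parse_group(name, cidrs):
    """Validate a group definition the way the create page constrains it."""
    if not GROUP_NAME_RE.match(name):
        raise ValueError(f"invalid group name {name!r}: lowercase letters, digits, underscore only")
    networks = []
    for cidr in cidrs:
        # strict=True rejects entries such as 192.0.2.6/24 whose host bits are set;
        # a single host must be written as /32 (IPv4) or /128 (IPv6).
        networks.append(ipaddress.ip_network(cidr, strict=True))
    return FirewallGroup(name, networks)


def is_valid_group(name, cidrs):
    """True if parse_group() accepts the definition, False otherwise."""
    try:
        parse_group(name, cidrs)
        return True
    except ValueError:
        return False


def target_ports(target):
    """Expand a target tile into the list of (low, high) TCP port ranges it protects."""
    if isinstance(target, tuple) and target[0] == "Port":
        return [(target[1], target[1])]
    if target in SERVICE_PORTS:
        return SERVICE_PORTS[target]
    raise ValueError(f"unknown target {target!r}")


def source_allows(source, src_addr):
    """'All' admits everyone; a group admits only addresses inside one of its networks."""
    if source == "All":
        return True
    ip = ipaddress.ip_address(src_addr)
    # An IPv4 address is never 'in' an IPv6 network and vice versa.
    return any(ip in net for net in source.networks)


def rule_allows(rule, src_addr, dst_port):
    """Would this rule admit a connection from src_addr to dst_port on the node?"""
    if not source_allows(rule.source, src_addr):
        return False
    return any(low <= dst_port <= high for low, high in target_ports(rule.target))


if __name__ == "__main__":
    # Constructed sample: the two single-host entries from this page in one group.
    office = parse_group("office", ["192.0.2.6/32", "2001:0db8:8aa:bc:111:abcd:aa11:8991/128"])
    ftp_rule = FirewallRule(office, "ProFTPD")
    print(rule_allows(ftp_rule, "192.0.2.6", 21))     # control channel
    print(rule_allows(ftp_rule, "192.0.2.6", 50000))  # PASV data port, covered
    print(rule_allows(ftp_rule, "192.0.2.7", 21))     # not in the group
```

The evaluator mirrors the two halves of a rule: `source_allows()` is the 'Source' tile and `target_ports()` is the 'Target' tile, so a connection passes only when both agree. Because `parse_group()` uses `strict=True`, a group entry like `192.0.2.6/24` is rejected at definition time rather than quietly admitting the whole /24.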