ISPmanager 5 Lite Documentation

Firewall rules

This is documentation for an outdated product. See the current documentation

 

A firewall is a hardware or software system that is configured to deny unauthorized access to certain services on your server while permitting authorized communications according to the specified rules. A rule defines which services will be allowed through your firewall, and which ones will be kept out.

Add a rule

  • Action - select the action:
    • Allow - access to the service is allowed for all connections.
    • Deny - all connections will be blocked. IP addresses must belong to one network.
    • Allow for - list the IP addresses from which access will be allowed.
    • Deny for - list the IP addresses from which access will be denied. IP addresses must belong to one network.
  • Protocol - select a data transfer protocol. You may select either all protocols or a specific one.
  • Port - provide a port.
  • IP address - you can enter a single IP address or a network, such as 8.8.8.0/24
  • Denied/Allowed IP addresses - enter the IP addresses that will be allowed/denied to access this network.
    Note
    To allow or deny access from any IP address, enter 0.0.0.0 in the IP Address field.

Dependent rules

Firewall rules are grouped according to the following scheme:

  • if the "Deny" rule is created for the subnet, and one or several "Allow for" rules are specified (allowing access for an IP address belonging to a closed network), those rules will be grouped into the "Allow for" rule.
  • if the "Allow" rule is created for the subnet, and one or several "Deny for" rules are specified (denying access for an IP address belonging to an open network), those rules will be grouped into the "Deny for" rule.

Additional information

ISPmanager will not allow adding firewall rules that may result in losing control over your server:

  • You cannot deny your IP address (the one from which you are connecting).
  • You cannot deny the network to which your IP address belongs (the one from which you are connecting) if the "Allow" rule is not specified for your address.
  • You cannot create the "Deny" rule for any port of an IP address if there are now "Allow" rules for that server.
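
The first two checks in the list above, sketched in Python as an added example (not ISPmanager's own code). The (action, target) rule tuples, the function names, and the reading of "Allow rule for your address" as an Allow rule naming exactly that single IP are assumptions; the sample addresses are constructed.

```python
import ipaddress


def parse_target(value):
    """Parse the 'IP address' field: a single IP, a network, or 0.0.0.0 for any."""
    if value == "0.0.0.0":  # per the Note above, 0.0.0.0 means any IP address
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(value, strict=False)


def lockout_reason(admin_ip, existing_rules, new_rule):
    """Return why new_rule would be refused, or None if it passes both checks.

    Rules are (action, target) tuples (assumed shape), action "allow" or "deny".
    admin_ip is the address the administrator is connecting from.
    """
    action, target = new_rule
    if action != "deny":
        return None
    admin = ipaddress.ip_address(admin_ip)
    net = parse_target(target)
    if admin not in net:
        return None  # the rule does not touch the connecting address
    if net.num_addresses == 1:
        return "rule denies the address you are connecting from"
    # A network-wide deny passes only if an Allow rule names the admin address.
    admin_host = ipaddress.ip_network(admin_ip)
    if any(act == "allow" and parse_target(tgt) == admin_host
           for act, tgt in existing_rules):
        return None
    return "rule denies your network and no Allow rule exists for your address"


if __name__ == "__main__":
    me = "203.0.113.7"  # constructed sample address (documentation range)
    for rules, new in [
        ([], ("deny", "203.0.113.7")),
        ([], ("deny", "203.0.113.0/24")),
        ([("allow", "203.0.113.7")], ("deny", "203.0.113.0/24")),
        ([], ("deny", "0.0.0.0")),
        ([], ("deny", "8.8.8.0/24")),
    ]:
        print(new, "->", lockout_reason(me, rules, new) or "accepted")
```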

You can add the FirewallCheckAccess option to the ISPmanager configuration file to change the panel's behavior.

Option FirewallCheckAccess - this parameter makes it possible to add denying rules depending on the module restrictions.