
Securing the System with a Firewall

This section provides guidelines on firewall rules as well as the required ports to be opened for the system. Check the official Ubuntu Uncomplicated Firewall Document for more detail on firewall commands.

If your Integration Platform system is exposed to external traffic, NEC also recommends that your system be protected by a commercial-grade firewall to prevent DoS or other malicious activity. The items listed in this document should be part of an overall security plan for your IT environment.

Secure a New System

By default, after a clean install the system firewall (iptables) contains all the rules necessary to allow Integration Platform services through the firewall. The Docker daemon does this behind the scenes by manipulating the actual system firewall to provide network isolation.

However, there are no rules meant to forbid connections on other ports, which exposes the system to potential malicious activity.

Run the following commands to secure the system:

# Enable the UFW firewall
sudo ufw enable

# Deny all incoming connections unless specified otherwise
sudo ufw default deny incoming

# Allow all outgoing connections unless specified otherwise
sudo ufw default allow outgoing

# Allow SSH connections.
# Note: This is needed to be able to manage the system remotely via PuTTY / SCP or similar apps.
sudo ufw allow ssh

# We don't need to explicitly allow any Integration Platform specific ports (Docker does this for us)

# Reboot the system to ensure that these rules are effectively applied
sudo reboot now

This is the minimum set of rules needed to secure the system with a firewall.

To enforce additional rules, follow the guidelines from the Modify the Firewall Rules section.

Additional Notes

  • In the above rules, the open ports are allowed from all IP addresses. The "from" syntax can be used to restrict connections further by limiting which addresses can connect. For example, the following command allows SSH access (port 22 TCP) only from an IP address in the range 192.168.1.0-192.168.1.255.

    sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
    
  • External firewalls may use different rules than those specified here. If you are using an external firewall, be sure to allow the following ports in order to be able to access Integration Platform:

    • 22 for SSH administration of the Linux host system.
    • 80 or 443 for HTTP/HTTPS access to Integration Platform (depending on Integration Platform system configuration)
    • 9090 for the Integration Platform installation wizard. This port can be closed after Integration Platform has been installed and the setup wizard has been completed.
    • 65300 for WF Adapter proxy only if your Integration Platform system needs to use the WF Adapter Proxy with external adapters.

Check Firewall Status and Rules

To check the current firewall status and rules, run this command in an SSH session or in a console terminal:

sudo ufw status verbose

The output of this command after following the Secure a New System section above will appear like the following:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To              Action      From
--              ------      ----
22/tcp          ALLOW IN    Anywhere
22/tcp (v6)     ALLOW IN    Anywhere

If the firewall status is not "active", the system is not protected and may be exposed to attacks. Activate the firewall by running sudo ufw enable, then re-run the status command sudo ufw status verbose to confirm that it is active.

If the ports list contains anything other than the entries shown above, confirm whether those ports are required by other apps or services. If they are not used, it is recommended to remove the associated rules from the firewall so that the system is fully protected.

If the ports list does not contain the required entries, they should be added to allow essential services through the firewall. Refer to the next section to learn how to add or remove ports from the firewall.
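The checks described above (firewall active, default incoming policy deny, no ALLOW IN rules beyond the ports this page lists) can be applied to a captured copy of the status output. The following POSIX shell function is an added example and not part of NEC's documentation; the expected port list and the sample status texts are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the NEC documentation: audit a captured
# "sudo ufw status verbose" output against the checks described above.
# Return codes: 0 = active, default deny incoming, only expected ports;
# 1 = inactive; 2 = default incoming not deny; 3 = unexpected ALLOW IN ports.

# Ports this page lists for Integration Platform (assumption: adjust to
# what your deployment actually needs, e.g. drop 9090 after installation).
EXPECTED_PORTS="22 80 443 9090 65300"

# audit_ufw_status: reads the status text on stdin, prints any unexpected
# ALLOW IN ports and returns one of the codes above.
audit_ufw_status() {
    status_text=$(cat)
    printf '%s\n' "$status_text" | grep -q '^Status: active' || return 1
    printf '%s\n' "$status_text" | grep -q '^Default: deny (incoming)' || return 2
    # Port number of every ALLOW IN rule: "22/tcp (v6)  ALLOW IN  Anywhere" -> 22
    ports=$(printf '%s\n' "$status_text" |
        awk '/ALLOW IN/ { split($1, p, "/"); print p[1] }' | sort -un)
    unexpected=""
    for port in $ports; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;                          # listed on this page
            *) unexpected="$unexpected $port" ;;     # not listed: flag it
        esac
    done
    if [ -n "$unexpected" ]; then
        printf 'unexpected ALLOW IN ports:%s\n' "$unexpected"
        return 3
    fi
    return 0
}

# Constructed sample: the output this page shows after "Secure a New System".
SAMPLE_CLEAN='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To              Action      From
--              ------      ----
22/tcp          ALLOW IN    Anywhere
22/tcp (v6)     ALLOW IN    Anywhere'

# Constructed sample: the same host after "sudo ufw allow in 4000/tcp".
SAMPLE_EXTRA="$SAMPLE_CLEAN
4000/tcp        ALLOW IN    Anywhere"

printf '%s\n' "$SAMPLE_CLEAN" | audit_ufw_status && echo "clean host: OK"
printf '%s\n' "$SAMPLE_EXTRA" | audit_ufw_status || echo "extra host: exit $?"
```

On a live host, pipe the real output in with sudo ufw status verbose | audit_ufw_status and act on a non-zero return code.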

Modify Firewall Rules

There may be a need to allow or deny ports through the firewall after the system is configured. The following commands show how to add and remove "allow" and "deny" rules.

Allow Ports

To allow a specific TCP port through the firewall, use this command with the port number to be allowed:

sudo ufw allow <in|out> <port_number>/tcp

For example, to allow incoming TCP connections on port 4000, the command would look like the following:

sudo ufw allow in 4000/tcp

Remove Allowed Ports

To remove a previously allowed port from the firewall, delete the associated rule:

sudo ufw delete allow <in|out> <port_number>/tcp

For example, to remove incoming TCP connections on port 4000, the command would look like the following:

sudo ufw delete allow in 4000/tcp

Deny Ports

To deny a specific TCP port from passing through the firewall, use this command with the port number to be denied:

sudo ufw deny <in|out> <port_number>/tcp

For example, to deny the outgoing TCP connections on port 5555, the command would look like the following:

sudo ufw deny out 5555/tcp

Remove Denied Ports

To remove a previously denied port rule from the firewall, the associated rule needs to be deleted:

sudo ufw delete deny <in|out> <port_number>/tcp

For example, to remove the deny rule for outgoing access for TCP port 5555, the command would look like the following:

sudo ufw delete deny out 5555/tcp

Reset Firewall

To discard all firewall settings and return to a completely unlocked state, clear the firewall settings by running the reset command:

sudo ufw reset