A firewall is like a security guard for your computer. Imagine your computer is a house, and it has lots of doors and windows—that's how it talks to the outside world, like the Internet. The firewall stands at those doors and windows to check everyone and everything trying to come in or go out. If it sees something it doesn't trust, like a stranger, it doesn't let them in (to keep your server safe).
A port in computing is like a specific door in that house where only certain kinds of information can go in or out. Just like a mailbox might be the place where all the mail goes, a specific port on a computer is where certain types of data are sent or received. This helps keep things organized and secure. A port is merely a number, agreed upon (in advance) by both the sender and receiver.
A Linux server uses dozens of ports (sometimes hundreds). Some must be exposed to the public (like the mailbox). Most can, and should, be hidden from the public to increase security. This is where the firewall comes in: it blocks public access to server ports unless you tell it otherwise (using "rules").
This is a basic explanation and introduction to the GB firewall recommendations when using CAS.
CAS does not automatically configure your firewall.
You are responsible for maintaining the security of your CAS server.
Security considerations should include the implementation of a secure firewall.
Incoming TCP ports used by CAS (reference):

7741 - required for the gate service (20230801+) and for legacy (deprecated) BATM communication with CAS. With the latest firmware a terminal needs this port only for its first connection, so block it again once the BATM has connected to CAS.

7742 and 13000 to 13010 - required by the Terminal VPN. They carry the VPN-protected BATM communication with CAS; allow them when you use the Terminal VPN.

7777 - insecure (unprotected) admin access. It is used only until the Admin VPN is configured, then disabled (see below: unprotected ADMIN access). Block public port 7777 after enabling the Admin VPN: https://generalbytes.atlassian.net/l/cp/W0qvjkaT

12000 to 12050 - required if you use the VPN for CAS Admin access (see below: ADMIN access: secure).

7743 - OPTIONAL; may be used by various extensions (Onfido, Veriff, etc.). Allow it only if an extension you use needs it. When in doubt, enhance security by keeping this port blocked: you can always open it later if necessary, but you cannot undo a security breach.

443 - OPTIONAL; may be used by nginx (or another web server) when implementing a proxy server. Exposing port 7777 itself to the public is not recommended (block it); it is a security risk on a public server.
Two different methods of implementing the Ubuntu firewall are specified here. Please use UFW when possible. A default "clean" Ubuntu LTS server installation (as specified in the GB documentation) permits all access to these ports out of the box. If the ports are already blocked, something unexpected has been installed, and that falls outside the scope of our support.
In the interest of security, you should always employ a firewall on your CAS server.
Option 1 (Recommended): Configure UFW
UFW, or Uncomplicated Firewall, is a simplified firewall management interface. It controls “iptables” without the college degree. UFW is included (by default) with Ubuntu. These instructions will restrict access solely to your terminals and those people with whom you deliberately share access to CAS.
Check whether UFW is enabled and running:
sudo ufw status
If UFW is enabled and working, it reports the active rules (the allowed connections to your server); otherwise it reports "Status: inactive". Fresh/new systems are normally inactive (unprotected).
If UFW is already active, this procedure will erase the previous configuration and rewrite the rules.
1. Initialize UFW
Reset & deny all incoming connections by default:
sudo ufw reset
This will erase any/all previous UFW configuration.
Deny all public access to all ports:
sudo ufw default deny incoming
Now we’re left to specify exceptions (the “rules”).
2. SSH
Allow incoming TCP connections on port 22 for SSH connections:
sudo ufw allow ssh
For extra security, you can limit SSH access to a specific IP. Use this rule instead of the open rule above, not in addition to it: UFW applies the first matching rule, so an earlier "allow ssh" would still admit everyone:
sudo ufw allow from ALLOWED_IP to any port 22
Replace ALLOWED_IP with the specific public IP to which you wish to grant access. This security enhancement can lock you out of your server, so proceed with caution, and make sure that the IP you are permitting is the correct one (and will remain so until you deliberately change it).
3. BATM/Terminal
Terminals (v.20230801+) employing the VPN normally use only ports 7742, and 13000 through 13010.
Port 7741 may need to be exposed under certain conditions.
Port 7741 is only used for the initial connection to your CAS, e.g. when the BATM is brand new (or factory reset) and has never connected to a CAS before.
Digital Ocean droplets routinely use "eth0" as the public interface name. Other hosts may vary; use ip a to see all available interfaces in that case, and replace eth0 (on the relevant UFW line) with that name.
Terminal VPN rules:
sudo ufw allow 7742/tcp
sudo ufw allow in on eth0 from any to any proto tcp port 13000:13010
The port range 13000:13010 affords access to as many as 2000 Terminals.
First-time connection to CAS
If you are connecting a new BATM, you will need to temporarily expose port 7741:
sudo ufw allow 7741/tcp
After the BATM has connected, close the port again (an explicit deny rule; since incoming traffic is denied by default, deleting the allow rule has the same effect):
sudo ufw deny 7741/tcp
4. Admin Access
Allow administrative access to CAS. Without this access, you cannot login or control your CAS.
Digital Ocean droplets routinely use "eth0" as the public interface name. Other hosts may vary; use ip a to see all available interfaces in that case, and replace eth0 (on the relevant UFW lines below) with that name.
Secure admin rules:
Set up the Admin VPN (/wiki/spaces/ESD/pages/2807791617) and configure the firewall for the integrated admin VPN:
sudo ufw allow in on eth0 from any to any proto tcp port 12000:12050
sudo ufw allow in on tunU+ to any port 7777 proto tcp
Each user credential has its own VPN port; the range 12000:12050 permits access for 50 admin users. The second rule admits port 7777 only on the VPN tunnel interfaces, never on the public interface.
Alternatives:
Less secure option:
If you have a static IP at your home/office and won't use the integrated VPN:
sudo ufw allow from ALLOWED_IP to any port 7777
Set ALLOWED_IP to your home/office PUBLIC IP. Determine your current public IP with your browser (navigate to this website: My IP).
In some cases the IP will change frequently, and you'll have to log in and update the rule each time.
If you use nginx as a proxy server, change the port as follows (and leave 7777 itself closed to the public; the proxy, not the Internet, talks to CAS on 7777):
sudo ufw allow from ALLOWED_IP to any port 443
Completely unprotected (strongly discouraged):
This will expose your server to attack (and there’s little reason to even use a firewall in this case):
sudo ufw allow 7777/tcp
(Optional) Allow incoming TCP connections on port 7743 for extensions:
sudo ufw allow 7743/tcp
Veriff: contact them to obtain their IP addresses, and restrict this port to that range (if you only use Veriff):
sudo ufw allow from ALLOWED_IP to any port 7743
Do not restrict the source IP for this port (if you allow it at all) when it is used by any extension other than Veriff: Lightning, Onfido, etc. all require incoming traffic from a variety of unpredictable IPs.
Finally, enable UFW to enforce the new rules (it warns that the command may disrupt existing SSH connections; answer y, your current session survives because the SSH rule is in place):
sudo ufw enable
If UFW was already enabled, reload it instead as the final step:
sudo ufw reload
If your system accepted your commands, you should now be protected by UFW. Verify with sudo ufw status: the listed rules should be exactly the ones you entered, with 7741 absent (or denied) and 7777 allowed only on tunU+ or from your fixed IP.
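The four steps above, as an added example (not part of the GB page or the CAS product): a POSIX sh script that generates the UFW commands for a given public interface, an optional SSH source IP, and whether a new BATM is being paired, then applies them with sudo. The function names, argument order, the --dry-run switch and the IPv4 check on the SSH source address are this example's own assumptions.

```shell
#!/bin/sh
# Generate and apply the UFW rule set from the four steps above.
# Arguments: PUBLIC_IF  SSH_FROM  NEW_BATM
#   PUBLIC_IF  public interface (eth0 on Digital Ocean; check with `ip a`)
#   SSH_FROM   a single public IPv4 allowed to SSH in, or "" for SSH from anywhere
#   NEW_BATM   1 only while pairing a new/factory-reset terminal (opens 7741 temporarily)
# Function names, argument order and the --dry-run switch are this example's own.

# True if $1 is a dotted-quad IPv4 address (optionally with /prefix).
# A typo in the SSH source address is the classic way to lock yourself out.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print the ufw commands, one per line, in the order they must be run.
cas_ufw_rules() {
    iface="$1"; ssh_from="$2"; new_batm="$3"
    echo "ufw --force reset"                  # --force skips the y/n prompt
    echo "ufw default deny incoming"
    if [ -n "$ssh_from" ]; then
        echo "ufw allow from $ssh_from to any port 22 proto tcp"
    else
        echo "ufw allow ssh"
    fi
    echo "ufw allow 7742/tcp"                 # Terminal VPN
    echo "ufw allow in on $iface from any to any proto tcp port 13000:13010"
    if [ "$new_batm" = "1" ]; then
        echo "ufw allow 7741/tcp"             # first connection only; rerun with 0 afterwards
    fi
    echo "ufw allow in on $iface from any to any proto tcp port 12000:12050"  # Admin VPN
    echo "ufw allow in on tunU+ to any port 7777 proto tcp"                   # admin UI via VPN only
    echo "ufw --force enable"
}

# cas_ufw_apply [--dry-run] PUBLIC_IF SSH_FROM NEW_BATM
# Prints the commands with --dry-run; otherwise runs each one with sudo.
cas_ufw_apply() {
    dry=0
    if [ "$1" = "--dry-run" ]; then dry=1; shift; fi
    # Lockout guard: refuse a malformed SSH source address before touching the firewall.
    if [ -n "$2" ] && ! is_ipv4 "$2"; then
        echo "refusing to apply: SSH_FROM '$2' is not an IPv4 address" >&2
        return 1
    fi
    if [ "$dry" = "1" ]; then
        cas_ufw_rules "$@"
        return 0
    fi
    cas_ufw_rules "$@" | while IFS= read -r cmd; do
        # $cmd is intentionally unquoted: each line is one ufw invocation to word-split
        sudo $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Stand-alone run: review the rule set for eth0, SSH from anywhere, no new BATM.
cas_ufw_apply --dry-run eth0 "" 0
```

Review the dry-run output first. Run the script with NEW_BATM set to 1 only while pairing a terminal and rerun it with 0 once the terminal has connected; because every run starts from ufw reset, the temporary 7741 rule cannot linger in the rule set.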
Option 2: iptables
These are examples using the iptables command. This option is for experts who run a custom firewall. UFW saves its configuration, but iptables does not. Do not use iptables (or proceed) unless you are willing to accept all the risks involved.
If you aren't sure, then STOP and walk away. Hire a professional for assistance if you feel that you must use iptables for whatever reason.
This information is presented for expert users. The iptables rule set is volatile: it is erased when the system reboots, after which all incoming access is permitted again. If you need the rules to survive a reboot you must save and restore them yourself (for example with iptables-save and iptables-restore); that is not covered here.
These rules must be entered in exactly this order.
Digital Ocean droplets routinely use "eth0" as the public interface name. Other hosts may vary; use ip a to see all available interfaces in that case, and replace eth0 (on the relevant bash line) with that name.
Default/initial iptables entries:
sudo iptables -F INPUT                  # start from an empty INPUT chain
sudo iptables -P INPUT ACCEPT           # keep the policy open while the rules are built; the final DROP rule closes it
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to outgoing traffic
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT                            # SSH
Assumes that port 22 is used for SSH.
Permit admin access using one of the following options:
Least secure: this option is the bare minimum to permit access (never recommended).
sudo iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
More secure: if your home/office router has a STATIC (unchanging) IP address, modify the rule to permit access only from that IP:
sudo iptables -A INPUT -p tcp -s ALLOWED_IP --dport 7777 -j ACCEPT
Set ALLOWED_IP to your home/office PUBLIC router IP. Navigate to this website in your browser to help you determine your router IP: My IP.
In some cases the IP will change frequently, and then you'll have to update the configuration script.
You may repeat the line multiple times with different IP addresses.
Most secure: using the integrated OpenVPN connection (the port range is the one given in the port reference above, one port per admin credential):
sudo iptables -A INPUT -p tcp --match multiport --dports 12000:12050 -j ACCEPT
Permit unsecured Terminal access:
If you need to reconnect a “lost” or new BATM/Terminal, you must grant it unsecured access:
sudo iptables -A INPUT -p tcp --dport 7741 -j ACCEPT
DO NOT USE THIS RULE PERMANENTLY.
REMOVE THIS RULE DURING NORMAL USE.
Permit Terminal VPN & Extension access (the 13000:13010 range matches the port reference above; omit the 7743 line unless an extension needs it):
sudo iptables -A INPUT -p tcp --dport 7742 -j ACCEPT                                   # Terminal VPN
sudo iptables -A INPUT -p tcp --dport 7743 -j ACCEPT                                   # extensions (optional)
sudo iptables -A INPUT -p tcp --match multiport --dports 13000:13010 -j ACCEPT         # Terminal VPN
Finally: allow loopback and block everything else:
sudo iptables -I INPUT 1 -i lo -j ACCEPT   # inserted at position 1 so local traffic is matched before anything else
sudo iptables -A INPUT -j DROP             # appended last: anything not accepted above is dropped
That's it, the iptables rules are now configured (until you reboot).
Troubleshooting
When requested by Support, please forward the iptables rule listing (output of the command below) in a ticket.
Enable UFW:
sudo ufw enable
List the effective firewall rules (this shows UFW's rules as well as hand-written iptables rules):
sudo iptables -S
Disable UFW again (if it is unusable):
sudo ufw disable
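Whether you used UFW or raw iptables, iptables -S shows the rules actually in force (UFW's rules appear in its ufw-user-input chain). The following audit, an added example that is not part of the GB page or of CAS, reads that listing and flags the three states this page says must not persist: a lingering 7741 allow rule, port 7777 accepted without a source IP or VPN interface restriction, and an INPUT policy of ACCEPT with no final DROP rule (the state of the raw iptables option after a reboot). The function names and the sample rule listings are constructed for this example.

```shell
#!/bin/sh
# Audit the effective rule set, as printed by `sudo iptables -S`, for the
# exposures this page says must not persist on a CAS server:
#   1. 7741/tcp accepted (first-connect port; allow only while pairing a BATM)
#   2. 7777/tcp accepted with neither a source IP (-s) nor an interface (-i) restriction
#   3. INPUT policy ACCEPT with no catch-all DROP rule (raw iptables after a reboot)
# Reads rules on stdin, prints one FINDING line per problem, returns 1 if any.
audit_rules() {
    awk '
        /-j ACCEPT/ && /--dports? 7741[ ,:]/ {
            print "FINDING: 7741/tcp accepted; remove once the BATM has connected: " $0
            n++
        }
        /-j ACCEPT/ && /--dports? 7777[ ,:]/ && !/ -s / && !/ -i / {
            print "FINDING: 7777/tcp accepted from anywhere; restrict to the Admin VPN interface or a fixed IP: " $0
            n++
        }
        /^-P INPUT ACCEPT/ { policy_accept = 1 }
        /^-A INPUT -j DROP/ { have_drop = 1 }
        END {
            if (policy_accept && !have_drop) {
                print "FINDING: INPUT policy is ACCEPT and no final DROP rule exists; nothing is being blocked"
                n++
            }
            exit (n > 0)
        }
    '
}

# Number of findings for the rule text passed as $1 (helper for tests and demos).
count_findings() {
    printf '%s\n' "$1" | audit_rules | grep '^FINDING' | wc -l | tr -d ' '
}

# Constructed sample (not captured from a real host): UFW option after pairing a
# new BATM, with the temporary 7741 rule left in place and 7777 opened publicly.
LEAKY_RULES='-P INPUT DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7742 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7741 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7777 -j ACCEPT
-A ufw-user-input -i eth0 -p tcp -m multiport --dports 13000:13010 -j ACCEPT'

# Constructed sample: the same host after `ufw deny 7741/tcp`, with 7777 reachable
# only on the Admin VPN interface as the secure admin rules specify.
CLEAN_RULES='-P INPUT DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7742 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 7741 -j DROP
-A ufw-user-input -i tunU+ -p tcp -m tcp --dport 7777 -j ACCEPT
-A ufw-user-input -i eth0 -p tcp -m multiport --dports 12000:12050 -j ACCEPT
-A ufw-user-input -i eth0 -p tcp -m multiport --dports 13000:13010 -j ACCEPT'

# Constructed sample: raw-iptables option after a reboot (rules gone, policy ACCEPT).
REBOOTED_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Stand-alone run prints the findings for the leaky sample.
# On the server: sudo iptables -S | audit_rules
printf '%s\n' "$LEAKY_RULES" | audit_rules || echo "(audit exit status nonzero: findings present)"
```

A source-restricted rule such as the "more secure" option above shows up with "-s ALLOWED_IP/32" and is therefore not flagged; the audit only complains about 7777 when the rule carries neither a source nor an interface.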