
Vultr Firewall: Replicate CSF Firewall Inbound Rule Sets

Discussion in 'Virtual Private Server (VPS) hosting' started by eva2000, Apr 20, 2017.

Thread Status:
Not open for further replies.
  1. eva2000 (Administrator, Staff Member)
    Vultr has its own optional firewall feature you can enable, Vultr Firewall. However, this doesn't have any rule sets for the Centmin Mod LEMP stack environment and is limited to a total of 50 rule sets for both IPv4 and IPv6. Centmin Mod installs and configures its own CSF Firewall, and it needs to be left enabled regardless.


    However, if you opt to use Vultr Firewall, you would need to set up some basic firewall rules to replicate what CSF Firewall has configured. You can create a Vultr Firewall via the Vultr API as outlined at Vultr Firewall.

    Vultr API Firewall Setup



    1. Get your Vultr API key from https://my.vultr.com/settings/#settingsapi and whitelist your server IP, i.e. XXX.XXX.XXX.XXX/32

    2. Assign the API key to the variable APIKEY on the SSH command line. This variable only survives in the current SSH session, so once you exit this SSH session the APIKEY variable is unset and you need to set it again if you SSH login again. This is fine as you only need to do this once to set up Vultr Firewall via their API.
    Code (Text):
    APIKEY=YOURAPIKEY
    

    Install jq for prettier JSON output
    Code (Text):
    yum -y install jq
    

    3. To create the Vultr firewall group
    Code (Text):
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/group_create --data 'description=csf-replicated'
    

    This should return the firewall group id = YOURGROUPID
    Code (Text):
    {"FIREWALLGROUPID":"YOURGROUPID"}
    

    To list Vultr firewalls
    Code (Text):
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/group_list | jq
    
    {
      "YOURGROUPID": {
        "FIREWALLGROUPID": "YOURGROUPID",
        "description": "csf-replicated",
        "date_created": "2017-04-19 09:52:25",
        "date_modified": "2017-04-19 09:52:25",
        "instance_count": 0,
        "rule_count": 0,
        "max_rule_count": 50
      }
    }
    

    4. Add the minimum CSF Firewall replicated rule sets

    First assign the firewall group id to the variable FID. This variable only survives in the current SSH session.
    Code (Text):
    FID=YOURGROUPID
    

    Then add the rules for IPv4 (the icmp rule is included here because it appears as rule 17 in the IPv4 listing below)
    Code (Text):
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=icmp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port='
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=tcp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=21'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=tcp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=22'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=tcp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=53'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=udp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=53'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=tcp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=80'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=tcp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=443'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=tcp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=9418'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v4' --data 'protocol=tcp' --data 'subnet=0.0.0.0' --data 'subnet_size=0' --data 'port=30001:50011'
    

    For IPv6
    Code (Text):
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=icmp' --data 'subnet=::' --data 'subnet_size=0' --data 'port='
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=tcp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=21'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=tcp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=22'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=tcp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=53'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=udp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=53'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=tcp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=80'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=tcp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=443'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=tcp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=9418'
    curl -4s -H "API-Key: $APIKEY" https://api.vultr.com/v1/firewall/rule_create --data "FIREWALLGROUPID=${FID}" --data 'direction=in' --data 'ip_type=v6' --data 'protocol=tcp' --data 'subnet=::' --data 'subnet_size=0' --data 'port=30001:50011'
    

    Once you add the minimum CSF Firewall replicated rules, the listing would look like this.

    For IPv4 where ip_type=v4
    Code (Text):
    curl -4s -H "API-Key: $APIKEY" "https://api.vultr.com/v1/firewall/rule_list?FIREWALLGROUPID=${FID}&direction=in&ip_type=v4" | jq
    
    {
      "1": {
        "rulenumber": 1,
        "action": "accept",
        "protocol": "tcp",
        "port": "22",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "2": {
        "rulenumber": 2,
        "action": "accept",
        "protocol": "tcp",
        "port": "80",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "3": {
        "rulenumber": 3,
        "action": "accept",
        "protocol": "tcp",
        "port": "443",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "4": {
        "rulenumber": 4,
        "action": "accept",
        "protocol": "tcp",
        "port": "53",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "5": {
        "rulenumber": 5,
        "action": "accept",
        "protocol": "udp",
        "port": "53",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "6": {
        "rulenumber": 6,
        "action": "accept",
        "protocol": "tcp",
        "port": "30001 - 50011",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "7": {
        "rulenumber": 7,
        "action": "accept",
        "protocol": "tcp",
        "port": "21",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "8": {
        "rulenumber": 8,
        "action": "accept",
        "protocol": "tcp",
        "port": "9418",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      },
      "17": {
        "rulenumber": 17,
        "action": "accept",
        "protocol": "icmp",
        "port": "-",
        "subnet": "0.0.0.0",
        "subnet_size": 0
      }
    }
    

    For IPv6 where ip_type=v6
    Code (Text):
    curl -4s -H "API-Key: $APIKEY" "https://api.vultr.com/v1/firewall/rule_list?FIREWALLGROUPID=${FID}&direction=in&ip_type=v6" | jq
    
    {
      "9": {
        "rulenumber": 9,
        "action": "accept",
        "protocol": "tcp",
        "port": "22",
        "subnet": "::",
        "subnet_size": 0
      },
      "10": {
        "rulenumber": 10,
        "action": "accept",
        "protocol": "tcp",
        "port": "21",
        "subnet": "::",
        "subnet_size": 0
      },
      "11": {
        "rulenumber": 11,
        "action": "accept",
        "protocol": "tcp",
        "port": "53",
        "subnet": "::",
        "subnet_size": 0
      },
      "12": {
        "rulenumber": 12,
        "action": "accept",
        "protocol": "udp",
        "port": "53",
        "subnet": "::",
        "subnet_size": 0
      },
      "13": {
        "rulenumber": 13,
        "action": "accept",
        "protocol": "tcp",
        "port": "80",
        "subnet": "::",
        "subnet_size": 0
      },
      "14": {
        "rulenumber": 14,
        "action": "accept",
        "protocol": "tcp",
        "port": "443",
        "subnet": "::",
        "subnet_size": 0
      },
      "15": {
        "rulenumber": 15,
        "action": "accept",
        "protocol": "tcp",
        "port": "9418",
        "subnet": "::",
        "subnet_size": 0
      },
      "16": {
        "rulenumber": 16,
        "action": "accept",
        "protocol": "tcp",
        "port": "30001 - 50011",
        "subnet": "::",
        "subnet_size": 0
      },
      "18": {
        "rulenumber": 18,
        "action": "accept",
        "protocol": "icmp",
        "port": "-",
        "subnet": "::",
        "subnet_size": 0
      }
    }
    

    How it looks in Vultr Firewall manager.

    [image: vultr-csf-replicated-firewall.png]
     
    Last edited: Apr 20, 2017
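The steps above issue one hand-typed curl per port and family, and nothing checks afterwards that the group actually holds the intended set. The script below is an added example, not code from the original post or from Centmin Mod: it keeps the CSF-replicated rows in one table, generates the same firewall/rule_create parameters for v4 and v6 that the post passes to curl, refuses a set larger than the 50-rule group limit reported by group_list, and compares a firewall/rule_list response against the table (mapping the "30001 - 50011" and "-" spellings rule_list returns onto the rule_create form). It assumes the v1 endpoints and field names used in the post, the APIKEY and FID environment variables from steps 2 and 4, and a DRY_RUN=1 switch that is this example's own; SAMPLE_PARTIAL_LISTING is constructed from three rules of the post's IPv4 listing.

```python
"""Added example (not the post's or Centmin Mod's code): build, apply and
verify the CSF-equivalent Vultr Firewall inbound rule set via the v1 API.
Assumes APIKEY and FID in the environment; DRY_RUN=1 only prints requests."""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.vultr.com/v1/firewall"

# (protocol, port) rows opened inbound in the post; an empty port means all
# (used for icmp). The same rows are applied for ip_type v4 and v6.
CSF_RULES = [
    ("icmp", ""),
    ("tcp", "21"),
    ("tcp", "22"),
    ("tcp", "53"),
    ("udp", "53"),
    ("tcp", "80"),
    ("tcp", "443"),
    ("tcp", "9418"),
    ("tcp", "30001:50011"),
]

# "Any source" subnet per family, exactly as the post passes it (subnet_size=0).
ANY_SUBNET = {"v4": "0.0.0.0", "v6": "::"}

# Per-group limit reported as max_rule_count by group_list in the post.
MAX_RULES = 50


def rule_params(fid, family, proto, port):
    """Form fields for one firewall/rule_create call, mirroring the post."""
    if family not in ANY_SUBNET:
        raise ValueError(f"unknown ip_type {family!r}")
    return {
        "FIREWALLGROUPID": fid,
        "direction": "in",
        "ip_type": family,
        "protocol": proto,
        "subnet": ANY_SUBNET[family],
        "subnet_size": "0",
        "port": port,
    }


def build_rule_set(fid):
    """Every CSF row for v4 then v6; refuse a set that cannot fit the group."""
    rules = [rule_params(fid, fam, proto, port)
             for fam in ("v4", "v6") for proto, port in CSF_RULES]
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceed the {MAX_RULES}-rule limit")
    return rules


def api_call(path, apikey, params=None, query=None):
    """One v1 API request: POST form data when params is given, else GET."""
    url = f"{API}/{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = urllib.parse.urlencode(params).encode() if params is not None else None
    req = urllib.request.Request(url, data=data, headers={"API-Key": apikey})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body.strip() else {}


def normalize(proto, port):
    """rule_list spells ranges '30001 - 50011' and icmp ports '-'; map both
    onto the rule_create spelling so expected and actual rows compare equal."""
    port = port.replace(" - ", ":")
    return (proto, "" if port == "-" else port)


def missing_rules(rule_list_json):
    """Rows from CSF_RULES absent from one family's rule_list response."""
    have = {normalize(r["protocol"], r["port"]) for r in rule_list_json.values()}
    return [row for row in CSF_RULES if row not in have]


# Constructed sample in the shape of the post's v4 rule_list output, holding
# only rules 1, 6 and 17 of that listing, so missing_rules has work to do.
SAMPLE_PARTIAL_LISTING = {
    "1": {"rulenumber": 1, "action": "accept", "protocol": "tcp",
          "port": "22", "subnet": "0.0.0.0", "subnet_size": 0},
    "6": {"rulenumber": 6, "action": "accept", "protocol": "tcp",
          "port": "30001 - 50011", "subnet": "0.0.0.0", "subnet_size": 0},
    "17": {"rulenumber": 17, "action": "accept", "protocol": "icmp",
           "port": "-", "subnet": "0.0.0.0", "subnet_size": 0},
}


def main():
    apikey, fid = os.environ.get("APIKEY", ""), os.environ.get("FID", "")
    dry = os.environ.get("DRY_RUN") == "1"
    for params in build_rule_set(fid):
        if dry:
            print("POST rule_create", urllib.parse.urlencode(params))
        else:
            print(api_call("rule_create", apikey, params=params))
    if dry:  # offline: show the check against the constructed sample instead
        print("missing from sample:", missing_rules(SAMPLE_PARTIAL_LISTING))
        return
    for fam in ("v4", "v6"):  # the post's rule_list query, per family
        listing = api_call("rule_list", apikey, query={
            "FIREWALLGROUPID": fid, "direction": "in", "ip_type": fam})
        for proto, port in missing_rules(listing):
            print(f"{fam}: missing {proto} {port or 'all'}")


if __name__ == "__main__":
    main()
```

Run it as `DRY_RUN=1 FID=YOURGROUPID python3 vultr_csf_rules.py` first to see the eighteen requests it would send; without DRY_RUN it posts them with the APIKEY from step 2 and then lists each family and prints any row that did not land, which is the check to run before trusting the group. Rows are compared on protocol and port only, as the post's rules all use the any-source subnet; if you tighten port 22 to an admin subnet later, extend the table and the comparison together.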