
dedicated cloud firewall configuration mystery


bit1422
2015-03-10, 03:10 PM
Thank you very much ! You made my day ... and most of all, in half a day you beat three days of long ticketing with premium support from ovh Spain !!!

So, just to help others, the solution to use the dedicated cloud firewall to close everything and let pass only tcp port 21 is, for example:

priority 1 - permit tcp any eq 21
priority 17 - permit tcp any with options "established" <--- this makes the difference ! because packets originated from inside your server to outside world will be able to come back !!!
priority 18 - deny tcp any

Thank you very much ;-)
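A small rule evaluator that replays both rule sets from this thread, added here as an example and not part of the original posts or of the OVH firewall itself. It assumes first-match-by-priority evaluation with "permit" as the default when nothing matches, and models the "established" option as matching TCP segments carrying the ACK flag (as the classic Cisco-style keyword does); both are assumptions, not facts stated on this page.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    priority: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int] = None
    established: bool = False   # assumption: matches segments with ACK set

@dataclass
class Packet:
    proto: str
    dst_port: int
    flags: frozenset = frozenset()   # e.g. {"SYN"} or {"SYN", "ACK"}

def evaluate(rules: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """Return the action of the lowest-priority-number rule that matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if r.established and "ACK" not in pkt.flags:
            continue
        return r.action
    return default

# The two rule sets posted in the thread.
BROKEN = [Rule(1, "permit", "tcp", 21),
          Rule(18, "deny", "tcp")]
FIXED = [Rule(1, "permit", "tcp", 21),
         Rule(17, "permit", "tcp", established=True),
         Rule(18, "deny", "tcp")]

# Constructed sample traffic seen by the firewall in front of the server.
FTP_SYN = Packet("tcp", 21, frozenset({"SYN"}))              # client opening FTP
WEB_REPLY = Packet("tcp", 49152, frozenset({"SYN", "ACK"}))  # reply to the server browsing port 80
RDP_SYN = Packet("tcp", 3389, frozenset({"SYN"}))            # unsolicited connection attempt
ACK_PROBE = Packet("tcp", 3389, frozenset({"ACK"}))          # lone ACK, no real connection

def report(rules: List[Rule]) -> dict:
    """Decisions for each sample packet, keyed by a short label."""
    return {"ftp": evaluate(rules, FTP_SYN),
            "web_reply": evaluate(rules, WEB_REPLY),
            "rdp": evaluate(rules, RDP_SYN),
            "ack_probe": evaluate(rules, ACK_PROBE)}
```

The "ack_probe" case shows the caveat of a stateless "established" match: any ACK-flagged segment passes the firewall and is answered with a RST by the server's own TCP stack, so the rule protects unsolicited SYNs only and the list of permitted service ports still needs to stay tight.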

math
2015-03-10, 01:00 PM
The firewall is acting exactly like you asked it to behave. It blocks any incoming tcp connection.

You should allow established tcp connection.

You surf the internet by reaching port 80 on a given IP. By doing so, your computer opens a tcp high port (above 1024). You need to allow this port to receive traffic, which can be accomplished by allowing incoming established connection.

bit1422
2015-03-10, 08:41 AM
It seems there's no way to have an answer to this question even from the "vip" support.

Question is very simple: I have a dedicated cloud, with Anti DDoS protection and I have access to a firewall.

I --simply-- need to use the dedicated cloud firewall as... well... as a normal firewall ! So I need by default all ports closed less the ones I use. Let's say, I only need TCP port 21 for an FTP Server on a Virtual Machine.

So on the specific IP, I did this through the firewall APIs:

Priority 1: permit tcp any eq 21
Priority 18: deny tcp any

With this configuration, I'm able to block all requests different from tcp port 21, that's fine, BUT ... and here comes the problem, this way the server itself can't surf the internet anymore (so for example I'm not able to get anymore windows updates, or I can't open a web browser from inside the server) because of the rule "deny tcp any".

If I take out the "deny tcp any" and leave only the "permit tcp any eq 21", I'm able to correctly surf the internet from the server again BUT I'm totally exposed to all kind of attacks because --ALL PORTS-- are open, not only the 21.

Is there a solution to use your firewall... as a firewall ???

Thank you.