Replacing the default ServerPilot Firewall with your own using UFW

ServerPilot comes with a default firewall enabled when you connect to a droplet instance such as from Vultr or Digital Ocean, the only option you have from the ServerPilot control panel is to toggle if on or off.

serverpilot-firewall-toggle

The actual firewall used is called UFW (uncomplicated firewall) which is a simplistic wrapper over the underlying IP Tables, if you run ufw status when logged in as root you will see the ServerPilot default rules.

To Action From
 -- ------ ----
 22/tcp ALLOW Anywhere
 80/tcp ALLOW Anywhere
 443/tcp ALLOW Anywhere
 68/udp ALLOW Anywhere
 22/tcp (v6) ALLOW Anywhere (v6)
 80/tcp (v6) ALLOW Anywhere (v6)
 443/tcp (v6) ALLOW Anywhere (v6)
 68/udp (v6) ALLOW Anywhere (v6)

To set your own firewall up, toggle the firewall to off back in the ServerPilot control panel, now if you run ufw status you will see it is inactive .

[email protected]:~# ufw status
 Status: inactive

So time to build your own, from the snippet below the first command allows an IP address access to all  – a good strategy if you have a permanent IP address, the other rules replicate the ServerPilot ones and the final command ufw enable turns the firewall on.

ufw allow from 1.2.3.4
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 68/udp

ufw enable

The output below will be what the command line will spit back to you as you enter the rules from above.

[email protected]:~# ufw allow from 1.2.3.4
 Rules updated
 [email protected]:~# ufw allow 22/tcp
 Rules updated
 Rules updated (v6)
 [email protected]:~# ufw allow 80/tcp
 Rules updated
 Rules updated (v6)
 [email protected]:~# ufw allow 443/tcp
 Rules updated
 Rules updated (v6)
 [email protected]:~# ufw allow 68/udp
 Rules updated
 Rules updated (v6)
 [email protected]:~# ufw enable
 Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
 Firewall is active and enabled on system startup

Now you have this active you can further add new rules and allow or ban IP addresses.

Technically you could just add more rules to the existing ServerPilot firewall without turning it off and creating your own but they advise against doing this as you may lose your customisations – so better off to create your own.

Now that you have your own custom firewall just make sure the ServerPilot firewall is not toggled back on as doing so will override your customatisations.

Leave a Comment





%d bloggers like this: