The firewall component of the Symbiosis system serves three functions:
All configuration of the firewall is conducted via the presence or absence of files in a number of directories beneath the prefix of `/etc/symbiosis/firewall`.
Directory | Purpose |
---|---|
`blacklist.d` | A persistent record of IP addresses which are blacklisted, such that no connections will be permitted from them. |
`incoming.d` | Settings related to the incoming connections your machine will receive. |
`local.d` | The place to add local customisations. |
`outgoing.d` | Settings related to the outgoing connections your machine is permitted to initiate. |
`whitelist.d` | A persistent record of IP addresses which are always allowed to connect to your server. |
In short, to allow an incoming connection to arrive at your machine, and be accepted, on port 22, you would create the file `/etc/symbiosis/firewall/incoming.d/10-ssh`. In this example there are two things that we've done:

* Placed the file beneath `/etc/symbiosis/firewall/incoming.d`, to reference the fact that the restriction applies in the incoming direction.
* Named the file after the service being permitted (`ssh`), so that the rule applies to the port that service uses.
There are two ways the files in the `incoming.d` and `outgoing.d` directories are used:

* An empty file permits the named service from any remote host (as in the `10-ssh` example above).
* A file containing a list of hostnames or IP addresses permits the named service only from those hosts.
If you were wishing to ensure that your host would only accept incoming SSH requests from your office you might run something like this:

```sh
echo "office.my-brilliant-site.com" > /etc/symbiosis/firewall/incoming.d/10-ssh
```

This would ensure that when the firewall was generated, incoming connections on the SSH port would be accepted from the host `office.my-brilliant-site.com` but not from anywhere else.
The `firewall-blacklist` tool runs once per hour, and is designed to scan your server's logfiles for abusive behaviour from malicious remote hosts. Malicious activity which is detected will result in the remote host being denied further access to your server.
Currently we regard malicious activity as:
Disabling the firewall completely will disable the blacklisting behaviour, but you might also wish to disable that separately. To do so run the following two commands:

```sh
touch /etc/symbiosis/firewall/disabled.blacklist
firewall
```

(The first will ensure the blacklisting is disabled, and the second will ensure that this setting is honoured immediately.)
The `firewall-whitelist` tool runs once per hour, and is designed to perform the opposite task to the `firewall-blacklist` script: in short, it is designed to ensure that any remote host which has successfully connected to your server in the past isn't (accidentally) blacklisted in the future.
Every hour the script will examine the successful logins which have been observed within the past month. Each IP address which has successfully been the source of a login attempt will be permitted access to the system on a global basis, and will thus not be locked out.
By default outgoing connections by the web server have been disabled. This prevents many ways of infecting a machine with malicious software following a compromise in a web application.
However there are legitimate cases when a web application might need to make such a connection.
By default the firewall ships with the file:

`/etc/symbiosis/firewall/outgoing.d/50-www-data`

This rule is designed to prevent your webserver (which runs as the `www-data` user) from making outgoing HTTP connections. If you have a PHP application which needs to make outgoing HTTP connections you will need to remove this file:

```sh
rm /etc/symbiosis/firewall/outgoing.d/50-www-data
```

Then rerun the firewall to make the changed configuration live:

```sh
firewall
```
The Symbiosis firewall package should allow you to carry out the most common tasks simply by creating files named after the services you wish to permit or deny.

However, there are times when you might wish to make your own custom additions, and for this purpose the firewall package allows you to run an unlimited number of custom scripts/programs once it has loaded the rules. These scripts may perform arbitrary actions, but will most typically be used to update the firewall rules via the `iptables` command.

Each script in `/etc/symbiosis/firewall/local.d` is executed, in turn, after the firewall has finished loading.
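As an added example that is not part of the Symbiosis documentation or package, the following script could be dropped into `/etc/symbiosis/firewall/local.d`. The filename `50-ssh-ratelimit`, the `IPTABLES` override variable and the two rule specifications are this example's own assumptions, not anything Symbiosis provides. It inserts two `iptables` rules at the head of the `INPUT` chain so that a remote host opening more than five new SSH connections within a minute is dropped, and it checks with `iptables -C` before inserting so that running it twice does not duplicate the rules.

```sh
#!/bin/sh
# Hypothetical /etc/symbiosis/firewall/local.d/50-ssh-ratelimit (example, not shipped by Symbiosis).
# Symbiosis runs every script in local.d after it has loaded its own rules.
set -u

# Print the rules to add, one per line: "<chain> <rule specification>".
# The "recent" module records the source address of every new SSH SYN in the SSH list;
# a source already seen 5 times within 60 seconds is dropped.
ssh_ratelimit_rules() {
    cat <<'EOF'
INPUT -p tcp --dport 22 --syn -m recent --name SSH --set
INPUT -p tcp --dport 22 --syn -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP
EOF
}

# Insert each rule at the head of its chain (-I) unless "iptables -C" reports it present.
# -I rather than -A: the Symbiosis-generated ACCEPT for ssh (from incoming.d/10-ssh) already
# sits in INPUT, and a rule appended after it would never be reached.
# Rules are inserted in the order printed, so the DROP rule ends up above the --set rule.
# The iptables binary is resolved here, at call time, so IPTABLES=... can override it
# (an assumption of this example, used for dry runs and tests).
apply_rules() {
    ipt="${IPTABLES:-iptables}"
    ssh_ratelimit_rules | while read -r chain spec; do
        # word-splitting of $spec into separate arguments is intended
        set -- $spec
        if "$ipt" -C "$chain" "$@" 2>/dev/null; then
            continue        # already installed (e.g. the script ran twice)
        fi
        "$ipt" -I "$chain" "$@"
    done
}

# Only apply for real when executed as the installed local.d script; when the file is
# sourced (e.g. by a test) nothing runs until apply_rules is called explicitly.
case "${0##*/}" in
    50-ssh-ratelimit) apply_rules ;;
esac
```

After installing the script, run `firewall` to regenerate the rules and have it executed. Note that because the rules are inserted at the very top of `INPUT`, they also take precedence over the acceptances generated from `whitelist.d`: a whitelisted office address that opens more than five SSH connections in a minute would still be dropped, so raise `--hitcount` or add an earlier `-s <office address> -j ACCEPT` rule if that matters for you.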
If you wish you may disable the firewall completely, allowing remote users to connect to any service you have running upon your machine.

We'd not recommend that you disable the firewall, because it does provide an increase in system security, but if you wish it is possible by executing the following two commands:

```sh
touch /etc/symbiosis/firewall/disabled
firewall
```