A firewall is a hardware or software system that is configured to deny unauthorized access to certain services on your server while permitting authorized communications according to the specified rules. A rule defines which services will be allowed through your Firewall, and which ones will be kept out.
Add a rule
- Action - select the action:
- Allow - access to the service is allowed for all connections.
- Deny - all connections will be blocked. IP addresses must belong to one network.
- Allow for - list the IP-addresses from which access will be allowed.
- Deny for - list the IP-addresses from which access will be denied. IP addresses must belong to one network.
- Protocol - select a data transfer protocol. You may select either all protocols or a specific one.
- Port - provide a port.
- IP address - you can enter a single IP address or a network, such as 22.214.171.124/24
Denied/Allowed IP addresses - enter the IP addresses that will be allowed/denied to access this network.
To allow or deny access from any IP address, enter 0.0.0.0 in the IP Address field.
Firewall rules are grouped according to the following scheme:
- if the "Deny" rule is created for the subnet, and one or several "Allow for" rules are specified (allowing access for an IP address belonging to a closed network), those rules will be grouped into the "Allow for" rule.
- if the "Allow" rule is created for the subnet, and one or several "Deny for" rules are specified (denying access for an IP address belonging to an open network), those rules will be grouped into the "Deny for" rule.
Block by country
You can block access for users from certain countries. The user's country is determined by GeoIP databases. To set up the block:
- Register in MaxMind.
- Open the MaxMind interface and create a license key: My account → Manage License Keys → Generate new license key. It can take up to five minutes to activate the key.
- In the Control Panel, create rules for countries:
- Go to Firewall → Countries.
Open Settings and enter your MaxMind license key.
- Press Ok. The module will automatically load the list of countries.
To configure individual access rules, select the country in the table → Block / Unblock. The access status is displayed in the Status column.
When maximum protection is enabled, all networks in all countries will be blocked.
ISPmanager will not allow adding firewall rules that may result in losing control over your server. For example:
- you cannot block the IP address from which you have connected;
- you cannot block the network, which contains the IP address from which you have connected, unless there is an allow rule for your address;
- you cannot create a deny rule for any port for any IP address of a server if there are no allow rules for that server.
You can add the FirewallCheckAccess option to the ISPmanager configuration file to change the panel's behavior.
Option FirewallCheckAccess - this parameter enables to add denying rules depending on the module restrictions.