Configure a firewall for Discourse

It’s unclear if Linux distributions really “need” a firewall – but we have found that the following Uncomplicated Firewall rules work fine with a standard Docker based Discourse install:

ufw allow http
ufw allow https
ufw allow ssh
ufw enable

That is, allow HTTP (port 80), HTTPS (port 443), and SSH (port 22), and nothing else.

Check the current status of your firewall with

ufw status verbose

Sample output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
22 (v6)                    ALLOW IN    Anywhere (v6)

And if you ever want to turn it off

ufw disable

A firewall should not matter if you are using a default Docker install of Discourse, for the same reason almost no Linux distribution ships with a firewall enabled by default.

But if you have somehow installed extra services that talk to the outside world, adding a firewall gives you “belt and suspenders” security, if that is of interest to you.


As I understand it, the Docker container has very few open ports to the host system, so Discourse is effectively firewalled off from the server it is running on.

Of course if there are other things running on the host system, then Captain Obvious says you need to take reasonable precautions.

I’ve had a server that we THOUGHT was pretty well locked down get hacked into; it wasn’t pretty.


Topic isn’t totally accurate. If UFW is used outside Docker, as "normally" on a VPS, it doesn’t apply per se to Discourse. I can disable port 80 and it is still wide open to Discourse/Docker.

Sure, it protects everything else, but if there aren’t any other services listening it is unnecessary.

I don’t know how UFW or iptables work if used after enter app, or whether a firewall can be used that way at all.

I’m referring to this topic:


I would definitely be interested in hearing this story, perhaps in a separate thread :slight_smile:

fwiw, discussions about the relationship between Docker and ufw / firewalls are pretty much as old as Docker itself, here is a pretty high profile one with a lot of interesting insight

Docker themselves have gotten better in recent years in regards to documenting the relevant details: Packet filtering and firewalls | Docker Docs

Don’t want to spam the topic too much with links, but if you are interested in the topic of firewalls, these seem like really insightful pieces to review, along with a general Google search for more details.

Based on some of these sentiments, and on the super helpful thread linked by @Jagster, it seems like maybe the default out-of-the-box Discourse installation configuration with Docker is sufficient on its own? After all, mine looks like this:

$ docker ps
CONTAINER ID   IMAGE                 COMMAND        CREATED      STATUS        PORTS                                                                      NAMES
5dd4a572cd8e   local_discourse/app   "/sbin/boot"   6 days ago   Up 16 hours   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   app

So, unless I am mistaken, and unless there are some other ports in use by other software on the server, I think the only traffic that should be connecting in-bound would be on these listed ports 80 and 443.

If you want to do a sanity check, I think you should be able to use netstat to check the listening ports on your server (How to Install netstat on Ubuntu; https://linuxize.com/post/check-listening-ports-linux/)

netstat -tunlp

For an even stronger sanity check, you may consider spinning up a second small Linux server and trying to scan your Discourse server’s open ports: How To Use Nmap to Scan for Open Ports | DigitalOcean

# scan all ports ; insert your IP address here
sudo nmap -n -PN -sT -sU -p- 1.2.3.4
  • check the included link to DigitalOcean docs for some more commands for scanning, etc.

I think that if one is concerned about server firewall stuff for their Discourse server, these resources and insights should be super helpful :slight_smile:

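An added example that ties the thread's three checks together (the ufw rules from the opening post, the observation that a Docker-published port stays reachable regardless of ufw, and the netstat / docker ps sanity check above). This is not Discourse's or Docker's code and not from any post in the thread; it is a POSIX shell audit script that parses constructed sample outputs of `ufw status verbose`, `ss -tunlp` and `docker ps` (the second container, "admin-ui" on port 9000, and the postgres/redis listeners are invented for illustration) and reports, for every socket bound to a wildcard address, whether it is allowed by ufw, published by Docker and therefore not subject to ufw's default-deny policy, or blocked by that policy. On a real host, replace the three sample variables with the live command output.

```shell
#!/bin/sh
# Audit: cross-check ufw rules, wildcard listeners and Docker-published ports.
# The three inputs below are CONSTRUCTED samples standing in for
# `ufw status verbose`, `ss -tunlp` and `docker ps` on a real host.
set -u

UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
22 (v6)                    ALLOW IN    Anywhere (v6)'

# Constructed `ss -tunlp` sample: sshd, the Discourse container's 80/443,
# a loopback-only redis, an extra container on 9000 and a host postgres.
SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096   0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:80        0.0.0.0:*     users:(("docker-proxy",pid=2211,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:443       0.0.0.0:*     users:(("docker-proxy",pid=2230,fd=4))
tcp   LISTEN 0      128    127.0.0.1:6379    0.0.0.0:*     users:(("redis-server",pid=1410,fd=6))
tcp   LISTEN 0      4096   0.0.0.0:9000      0.0.0.0:*     users:(("docker-proxy",pid=2300,fd=4))
tcp   LISTEN 0      128    0.0.0.0:5432      0.0.0.0:*     users:(("postgres",pid=1500,fd=5))'

# Constructed `docker ps` sample: the Discourse app plus a hypothetical admin UI.
DOCKER_PS='CONTAINER ID   IMAGE                 COMMAND        CREATED      STATUS        PORTS                                                                      NAMES
5dd4a572cd8e   local_discourse/app   "/sbin/boot"   6 days ago   Up 16 hours   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   app
9f1c2a3b4d5e   example/admin-ui      "/admin"       2 days ago   Up 2 days     0.0.0.0:9000->9000/tcp                                                      admin-ui'

# Ports ufw allows inbound; IPv4 and IPv6 rows collapse to one port number.
ufw_allowed_ports() {
  printf '%s\n' "$UFW_STATUS" |
    awk '/ ALLOW IN / { sub(/\/.*/, "", $1); print $1 }' | sort -un
}

# ufw's policy ("deny" or "allow") for inbound packets matching no rule.
ufw_default_incoming() {
  printf '%s\n' "$UFW_STATUS" | sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# Host ports Docker publishes on all interfaces (0.0.0.0 or ::).
docker_published_ports() {
  printf '%s\n' "$DOCKER_PS" |
    grep -oE '(0\.0\.0\.0:|:::|\[::\]:)[0-9]+->[0-9]+/(tcp|udp)' |
    sed -E 's/.*:([0-9]+)->.*/\1/' | sort -un
}

# "port process" for every listener bound to a wildcard address.
# Loopback-only services (redis on 127.0.0.1 here) are not reachable from
# outside and are skipped.
wildcard_listeners() {
  printf '%s\n' "$SS_OUTPUT" |
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
      n = split($5, a, ":"); port = a[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
        proc = $NF; gsub(/users:\(\("|".*/, "", proc)
        print port, proc
      }
    }' | sort -n
}

# True if $1 appears as a whole line in list $2.
in_list() { printf '%s\n' "$2" | grep -qx "$1"; }

# Classify one port as ufw-allowed, docker-exposed, ufw-blocked or open.
classify_port() {
  port=$1
  if in_list "$port" "$(ufw_allowed_ports)"; then
    echo ufw-allowed
  elif in_list "$port" "$(docker_published_ports)"; then
    # Docker's own iptables rules are evaluated ahead of ufw's, so a
    # published port is reachable even though ufw has no ALLOW rule for it.
    echo docker-exposed
  elif [ "$(ufw_default_incoming)" = deny ]; then
    echo ufw-blocked
  else
    echo open
  fi
}

# Print one line per wildcard listener: port, process, verdict.
audit() {
  wildcard_listeners | while read -r port proc; do
    printf '%-6s %-14s %s\n' "$port" "$proc" "$(classify_port "$port")"
  done
}

audit
```

With the sample data the report flags 9000 as docker-exposed (published by a container, so ufw's default deny never sees it) and 5432 as ufw-blocked (a host service with no ALLOW rule), while 22, 80 and 443 show as ufw-allowed; that distinction is exactly the one the thread is about, and it is the line to watch when a second container is ever added beside Discourse.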