Configure a firewall for Discourse

documentation sysadmin
,
1

It’s unclear if Linux distributions really “need” a firewall – but we have found that the following Uncomplicated Firewall rules work fine with a standard Docker based Discourse install:

ufw allow http
ufw allow https
ufw allow ssh
ufw enable

That is, allow HTTP (port 80), HTTPS (port 443), and SSH (port 22), and nothing else.

Check the current status of your firewall with

ufw status verbose

Sample output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
22 (v6)                    ALLOW IN    Anywhere (v6)

And if you ever want to turn it off

ufw disable

A firewall should not matter if you are using a default Docker install of Discourse, for the same reason almost no Linux distribution ships with a firewall enabled by default.

But if you have somehow installed extra services that talk to the outside world, adding a firewall gives you “belt and suspenders” security, if that is of interest to you.

27 Likes
4

As I understand it, the Docker container has very few open ports to the host system, so Discourse is effectively firewalled off from the server it is running on.

Of course if there are other things running on the host system, then Captain Obvious says you need to take reasonable precautions.

I’ve had a server that we THOUGHT was pretty well locked down get hacked into, it wasn’t pretty.

5

Topic isn’t totally accurate. If UFW is used outside docker, as ”normally” on VPS, it doesn’t apply per se with Discourse. I can disable port 80 and it is still wide open to Discourse/docker.

Sure, it protects everything else but if there isn’t any other services listening it is unnecessary.

I don’t know how UFW or iptables works if used after enter app or can firewall use that way at all.

I’m referencing to this topic:

2 Likes