Configure a firewall for Discourse

If you are using a standard Docker based Discourse install, the following Uncomplicated Firewall rules will protect any non-Docker services on your server:

ufw allow http
ufw allow https
ufw allow ssh
ufw enable

That is, allow HTTP (port 80), HTTPS (port 443), and SSH (port 22), and nothing else.

Note: Docker manipulates iptables directly and bypasses ufw rules. This means ufw cannot block or restrict access to ports exposed by Docker containers (ports 80 and 443 in a standard Discourse install). The ufw rules above will only protect non-Docker services running on your host.

Check the current status of your firewall with

ufw status verbose

Sample output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
22 (v6)                    ALLOW IN    Anywhere (v6)

And if you ever want to turn it off

ufw disable

A default Docker install of Discourse only exposes ports 80 and 443, so a host firewall is not strictly necessary. But if you have other services running on the host that listen on additional ports, adding a firewall provides an extra layer of “belt and suspenders” security for those services.

Last edited by @JammyDodger 2024-05-25T11:25:44Z

Check document

Perform check on document:

As I understand it, the Docker container has very few open ports to the host system, so Discourse is effectively firewalled off from the server it is running on.

Of course if there are other things running on the host system, then Captain Obvious says you need to take reasonable precautions.

I’ve had a server that we THOUGHT was pretty well locked down get hacked into, it wasn’t pretty.

Topic isn’t totally accurate. If UFW is used outside docker, as ”normally” on VPS, it doesn’t apply per se with Discourse. I can disable port 80 and it is still wide open to Discourse/docker.

Sure, it protects everything else but if there isn’t any other services listening it is unnecessary.

I don’t know how UFW or iptables works if used after enter app or can firewall use that way at all.

I’m referencing to this topic:

I would definitely be interested in hearing this story, perhaps in a separate thread

fwiw, discussions about the relationship between Docker and ufw / firewalls are pretty much as old as Docker itself, here is a pretty high profile one with a lot of interesting insight

• docker and ufw serious problems · Issue #4737 · moby/moby · GitHub
• there are old articles from this time period as well which may or may not be slightly scare-mongering, but still have some interesting details The dangers of UFW + Docker ; https://stackoverflow.com/questions/30383845/what-is-the-best-practice-of-docker-ufw-under-ubuntu

Docker themselves have gotten better in recent years in regards to documenting the relevant details ; Packet filtering and firewalls | Docker Docs

Dont want to spam the topic too much with links, but if you are interested in the topic of firewalls, these seem like really insightful pieces to review, along with general Google search for more details.

Based on some of these sentiments, and on the super helpful thread linked by @Jagster , it seems like maybe the default out-of-the-box Discourse installation configuration with Docker is sufficient on its own? After all, mine looks like this;

$ docker ps
CONTAINER ID   IMAGE                 COMMAND        CREATED      STATUS        PORTS                                                                      NAMES
5dd4a572cd8e   local_discourse/app   "/sbin/boot"   6 days ago   Up 16 hours   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   app

So, unless I am mistaken, and unless there are some other ports in use by other software on the server, I think the only traffic that should be connecting in-bound would be on these listed ports 80 and 443

If you want to do a sanity-check, I think you should be able to use netstat to check the listening ports on your server ( How to Install netstat on Ubuntu ; https://linuxize.com/post/check-listening-ports-linux/ )

netstat -tunlp

For an even stronger sanity check, you may consider spinning up a second small Linux server and trying to scan your Discourse server’s open ports; How To Use Nmap to Scan for Open Ports | DigitalOcean

# scan all ports ; insert your IP address here
sudo nmap -n -PN -sT -sU -p- 1.2.3.4

• check the included link to DigitalOcean docs for some more commands for scanning, etc.

I think that if one is concerned about server firewall stuff for their Discourse server, these resources and insights should be super helpful

Small thing, but this link seems to be dead.

The latest Ubuntu LTS ufw gives ALLOW not ALLOW IN

This has been annoying for the mail-reciever admin, getting API preparation failed in ./launcher logs mail-receiver even with port 25 open on ufw.

allowing all incoming and outgoing then denying desired ports, has been a solution.

I don’t know enough about iptables to fine tune further yet