Firewall Ruleset
# Firewall Ruleset
This article details the firewall ruleset configured for our MediaWiki servers. Understanding these rules is crucial for both system administrators and developers deploying custom extensions or modifications. This document focuses on the current configuration as of MediaWiki 1.40, running on Debian 11 ("Bullseye"). Incorrectly configured firewall rules can lead to service disruptions or security vulnerabilities. This guide assumes a basic understanding of networking and firewall concepts. Please refer to the System Administration page for general server information.
Overview
Our firewall utilizes `iptables`, a user-space utility program that allows a system administrator to configure the tables of the Linux kernel firewall. We employ a stateful firewall approach, tracking connections and only allowing established, related, or explicitly permitted traffic. The rules are structured to minimize the attack surface while ensuring necessary services function correctly. We regularly review and update these rules based on security audits and evolving threats. See the Security Policy for more information.
Core Ruleset
The following table summarizes the core ruleset applied to the server. These rules are applied in order, and the first matching rule determines the action.
| Chain | Rule Number | Action | Protocol | Port(s) | Source | Destination | Comment |
|---|---|---|---|---|---|---|---|
| INPUT | 1 | ACCEPT | TCP | 22 | Any | Server IP | Allow SSH access (restricted to specific IPs - see SSH Access Control) |
| INPUT | 2 | ACCEPT | TCP | 80 | Any | Server IP | Allow HTTP access |
| INPUT | 3 | ACCEPT | TCP | 443 | Any | Server IP | Allow HTTPS access |
| INPUT | 4 | ACCEPT | TCP | 53 | Any | Server IP | Allow DNS queries (outgoing) |
| INPUT | 5 | ACCEPT | TCP | 25 | Any | Server IP | Allow SMTP (outgoing) for system alerts |
| INPUT | 6 | ACCEPT | RELATED,ESTABLISHED | Any | Any | Any | Allow established connections and related traffic |
| INPUT | 7 | DROP | Any | Any | Any | Drop all other incoming traffic |
These rules are configured using a script located at `/etc/iptables.rules` and loaded at boot time via `systemd`. Changes to this script require a restart of the `iptables` service: `sudo systemctl restart iptables`. Always test changes in a staging environment before applying them to production. See Deployment Procedures for details.
Specific Service Rules
Beyond the core rules, specific services require additional firewall considerations. For example, MediaWiki relies on PHP-FPM to process requests. The following table details the rules pertaining to PHP-FPM.
| Service | Protocol | Port(s) | Source | PHP-FPM | TCP | 9000 | localhost |
|---|
This rule allows communication between the web server (Apache) and PHP-FPM on the local machine. Restricting access to localhost is crucial for security. Similarly, our database server (MariaDB) has its own set of rules, documented in the Database Configuration article.
Output Rules
While the INPUT chain is most critical for security, the OUTPUT chain also plays a role. We primarily allow all outgoing traffic, but log potentially suspicious activity.
| Chain | Rule Number | Action | OUTPUT | 1 | ACCEPT | All traffic is generally allowed outbound. |
|---|
However, we log outgoing connections to port 25 (SMTP) to monitor for potential spam or unauthorized email activity. This logging is configured using `iptables` logging capabilities and analyzed by our security information and event management (SIEM) system. See Log Analysis for more details.
Monitoring and Maintenance
Regularly reviewing firewall logs is essential for identifying potential security incidents. We use tools like `fail2ban` to automatically block IP addresses exhibiting malicious behavior. See Fail2ban Configuration for more information. Furthermore, we perform periodic security audits to ensure the firewall ruleset remains effective. The Incident Response Plan outlines procedures for handling security breaches.
Related Pages
- System Administration
- Security Policy
- SSH Access Control
- Deployment Procedures
- Database Configuration
- Log Analysis
- Fail2ban Configuration
- Incident Response Plan
- Network Topology
- Server Hardware
- PHP Configuration
- Apache Configuration
- MariaDB Configuration
- Extension Installation
- Cron Jobs
- Backup Procedures
- Telegram: @powervps Servers at a discounted price
Intel-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Core i7-6700K/7700 Server | 64 GB DDR4, NVMe SSD 2 x 512 GB | CPU Benchmark: 8046 |
| Core i7-8700 Server | 64 GB DDR4, NVMe SSD 2x1 TB | CPU Benchmark: 13124 |
| Core i9-9900K Server | 128 GB DDR4, NVMe SSD 2 x 1 TB | CPU Benchmark: 49969 |
| Core i9-13900 Server (64GB) | 64 GB RAM, 2x2 TB NVMe SSD | |
| Core i9-13900 Server (128GB) | 128 GB RAM, 2x2 TB NVMe SSD | |
| Core i5-13500 Server (64GB) | 64 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Server (128GB) | 128 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Workstation | 64 GB DDR5 RAM, 2 NVMe SSD, NVIDIA RTX 4000 |
AMD-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Ryzen 5 3600 Server | 64 GB RAM, 2x480 GB NVMe | CPU Benchmark: 17849 |
| Ryzen 7 7700 Server | 64 GB DDR5 RAM, 2x1 TB NVMe | CPU Benchmark: 35224 |
| Ryzen 9 5950X Server | 128 GB RAM, 2x4 TB NVMe | CPU Benchmark: 46045 |
| Ryzen 9 7950X Server | 128 GB DDR5 ECC, 2x2 TB NVMe | CPU Benchmark: 63561 |
| EPYC 7502P Server (128GB/1TB) | 128 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/2TB) | 128 GB RAM, 2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/4TB) | 128 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/1TB) | 256 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/4TB) | 256 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 9454P Server | 256 GB RAM, 2x2 TB NVMe |
Order Your Dedicated Server
Configure and order your ideal server configurationNeed Assistance?
⚠️ *Note: All benchmark scores are approximate and may vary based on configuration. Server availability subject to stock.* ⚠️