Firewalld
- Firewalld Configuration on MediaWiki Servers
This article details configuring Firewalld, a dynamic firewall manager, on servers hosting MediaWiki installations. Properly configuring a firewall is crucial for server security, preventing unauthorized access and protecting sensitive data. This guide assumes you have root or sudo access to your server.
Introduction to Firewalld
Firewalld provides a user-friendly interface for managing the iptables firewall. It uses the concept of "zones" to define trust levels for different network interfaces and services. Each zone has a set of rules that determine what traffic is allowed or blocked. This is a significant improvement over directly managing iptables, which can be complex and error-prone.
Installation and Basic Commands
Most modern Linux distributions include Firewalld by default. If not, you can install it using your distribution's package manager.
- **Debian/Ubuntu:** `sudo apt update && sudo apt install firewalld`
- **CentOS/RHEL/Fedora:** `sudo yum install firewalld` or `sudo dnf install firewalld`
After installation, start and enable the service:
```bash
sudo systemctl start firewalld
sudo systemctl enable firewalld
```
Basic commands include:
- `sudo firewall-cmd --state`: Checks if Firewalld is running.
- `sudo firewall-cmd --get-default-zone`: Displays the default zone.
- `sudo firewall-cmd --list-all`: Lists all rules for the default zone.
- `sudo firewall-cmd --reload`: Reloads the firewall configuration. *Important:* This does not interrupt existing connections.
Understanding Firewalld Zones
Firewalld uses zones to categorize network connections and apply appropriate rules. Here’s a table outlining common zones:
Zone | Description |
---|---|
drop | Drops all incoming connections without replying. |
block | Rejects incoming connections with an icmp-host-prohibited message. |
public | For untrusted public networks. |
external | For external networks with masquerading enabled. |
dmz | For computers in a Demilitarized Zone. |
work | For trusted work networks. |
home | For trusted home networks. |
internal | For internal networks. |
trusted | Accepts all connections. |
The default zone is typically "public". You can change the default zone with: `sudo firewall-cmd --set-default-zone=<zone_name>`
Configuring Firewalld for MediaWiki
To secure a MediaWiki server, you need to allow traffic on specific ports. These typically include:
- **Port 80 (HTTP):** For standard web access.
- **Port 443 (HTTPS):** For secure web access (recommended).
- **Port 22 (SSH):** For remote administration (restrict access to trusted IP addresses).
- **Port 53 (DNS):** If the server also acts as a DNS server.
Here’s how to open these ports using Firewalld:
```bash
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=22/tcp
sudo firewall-cmd --permanent --add-port=53/tcp
sudo firewall-cmd --reload
```
The `--permanent` flag ensures the rules persist across reboots. Remember to move SSH to a non-standard port and open that port here instead of 22/tcp for increased security. Consider using fail2ban in conjunction with SSH for further protection.
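The commands above are applied one by one with no record of what was intended and no check that the result matches. As an added example (not code from the original article), the following script wraps the same ports in a plan, apply and verify routine: it prints the rules it is about to add to a chosen zone, applies them, and compares the runtime port list against the plan. `FWCMD`, the function names and the `yes`/`no` DNS switch are assumptions of this example; the ports are those listed above. Setting `FWCMD=echo` gives a dry run on a machine without firewalld.

```shell
#!/bin/sh
# Added example: plan, apply and verify the firewalld port rules for a
# MediaWiki host. FWCMD and the function names are assumptions of this
# example, not part of firewalld or the article.
set -eu

# Command used to reach firewalld; set FWCMD=echo for a dry run.
FWCMD="${FWCMD:-sudo firewall-cmd}"

# Ports a MediaWiki host exposes: web, TLS and SSH. Port 53 is included only
# when the argument is "yes", because DNS is opened only if the host also
# serves it.
mediawiki_ports() {
  with_dns="${1:-no}"
  printf '%s\n' 80/tcp 443/tcp 22/tcp
  if [ "$with_dns" = yes ]; then
    printf '%s\n' 53/tcp 53/udp
  fi
}

# Print the firewall-cmd arguments for each rule, one rule per line, so the
# change can be reviewed before it is applied.
plan_rules() {
  zone="$1"
  for port in $(mediawiki_ports "${2:-no}"); do
    echo "--permanent --zone=$zone --add-port=$port"
  done
}

# Apply the plan as permanent rules, then reload so they become runtime rules.
apply_rules() {
  plan_rules "$1" "${2:-no}" | while read -r args; do
    # Word splitting of $args is intentional: it is the argument list.
    $FWCMD $args
  done
  $FWCMD --reload
}

# Given the output of `firewall-cmd --list-ports` (one space-separated line),
# print every expected port that is not open. Exit status 1 means drift
# between what was planned and what the running firewall has.
missing_ports() {
  open="$1"
  rc=0
  for port in $(mediawiki_ports "${2:-no}"); do
    case " $open " in
      *" $port "*) ;;
      *) echo "$port"; rc=1 ;;
    esac
  done
  return $rc
}

# Real-host usage (firewalld and sudo present):
#   apply_rules public yes
#   missing_ports "$(sudo firewall-cmd --list-ports)" yes || echo "runtime ports drifted from plan"
```

Reviewing `plan_rules` output before running `apply_rules` is the point of the split; `missing_ports` is meant to be run again later (for example from cron) so that a rule removed by hand or by another tool is noticed.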
Services vs. Ports
Firewalld also allows you to define services, which are pre-defined sets of ports and protocols. For example, instead of opening port 80/tcp, you can enable the "http" service.
Service | Ports/Protocols |
---|---|
http | 80/tcp |
https | 443/tcp |
ssh | 22/tcp |
dns | 53/tcp, 53/udp |
To enable a service:
```bash
sudo firewall-cmd --permanent --add-service=<service_name>
sudo firewall-cmd --reload
```
Using services simplifies configuration and ensures consistency. Refer to the Firewalld documentation for a complete list of available services.
Restricting Access by IP Address
For enhanced security, you can restrict access to specific services based on source IP addresses. This is particularly useful for SSH.
```bash
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<your_ip_address>" service name="ssh" accept'
sudo firewall-cmd --reload
```
Replace `<your_ip_address>` with the IP address you want to allow SSH access from. Using "rich rules" provides fine-grained control over firewall policies.
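Two things go wrong in practice with the rule above: the placeholder is filled from a variable that nobody validated, so a stray character ends up inside the quoted rule text, and the rich rule is added while the zone still allows the `ssh` service or port 22/tcp, in which case SSH stays open to everyone because a rich `accept` rule adds a path in and removes nothing. As an added example (not code from the original article), the script below validates the address as an IPv4 host or CIDR before building the rule and removes the zone-wide SSH allowances before adding it. The validator, `FWCMD` and the function names are assumptions of this example; the rich rule text is the one shown above, and 203.0.113.0/24 is a documentation range used as a stand-in.

```shell
#!/bin/sh
# Added example: build and apply an SSH source restriction safely. The
# validator and function names are assumptions of this example; the rich
# rule syntax is the one shown in the article.
set -eu

FWCMD="${FWCMD:-sudo firewall-cmd}"   # set FWCMD=echo for a dry run

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so
# that nothing but an address can end up inside the quoted rule text.
valid_ipv4_cidr() {
  addr="${1%/*}"
  prefix="${1#*/}"
  [ "$prefix" = "$1" ] && prefix=32            # no slash given: single host
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the rich rule allowing SSH only from the validated address.
ssh_rich_rule() {
  valid_ipv4_cidr "$1" || { echo "rejected source '$1': not an IPv4 address or CIDR" >&2; return 1; }
  echo "rule family=\"ipv4\" source address=\"$1\" service name=\"ssh\" accept"
}

# A rich accept rule only adds a path in. While the zone still carries the
# ssh service or port 22/tcp, SSH remains open to every source, so both are
# removed from the zone before the rich rule is added.
apply_ssh_restriction() {
  zone="$1"
  rule=$(ssh_rich_rule "$2") || return 1
  $FWCMD --permanent --zone="$zone" --remove-service=ssh || true   # already absent is fine
  $FWCMD --permanent --zone="$zone" --remove-port=22/tcp || true
  $FWCMD --permanent --zone="$zone" --add-rich-rule="$rule"
  $FWCMD --reload
}

# Real-host usage: apply_ssh_restriction public 203.0.113.0/24
# Run it from a session on the allowed network, or from the console, so a
# typo in the address does not lock you out.
```

Run `sudo firewall-cmd --list-all` afterwards and confirm that `services:` and `ports:` no longer mention SSH or 22/tcp and that the rich rule appears under `rich rules:`; if SSH is still listed there, the restriction is not in effect.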
Advanced Configuration and Logging
Firewalld offers advanced features like:
- **Direct Rules:** Allows you to add raw iptables rules. Use with caution.
- **Masquerading:** Enables Network Address Translation (NAT).
- **Port Forwarding:** Redirects traffic from one port to another.
Logging is essential for monitoring firewall activity. Firewalld logs to the system journal. You can view the logs using:
```bash
journalctl -u firewalld
```
Consider configuring Logrotate to manage log file size. Regularly reviewing firewall logs can help identify and mitigate security threats. Understanding server logs is paramount for security.
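`journalctl -u firewalld` shows the daemon's own messages (reloads, configuration errors), not the packets it rejected; those are only logged once denied-packet logging is switched on with `firewall-cmd --set-log-denied=all`, after which the kernel log carries a `FINAL_REJECT:` prefix on packets that hit the zone's final reject rule. As an added example (not code from the original article), the functions below read such lines from `journalctl -k`, count rejected packets per source and list the ports each source touched, then flag the sources above a threshold. The log lines embedded in the block are constructed samples using documentation address ranges, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage of denied-packet log lines. Assumes denied-packet
# logging was enabled with `firewall-cmd --set-log-denied=all`, so rejected
# packets are logged with a FINAL_REJECT: prefix. Function names are
# assumptions of this example.
set -eu

# Constructed sample log lines (journalctl -k style, trimmed). Addresses are
# from documentation ranges; this is not real traffic. The sshd line shows
# that unrelated entries are ignored.
SAMPLE_LOG='Mar 10 09:14:01 wiki kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=41000 DPT=22 SYN
Mar 10 09:14:02 wiki kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=41001 DPT=23 SYN
Mar 10 09:14:03 wiki sshd[1207]: Accepted publickey for wikiadmin from 192.0.2.44 port 50122 ssh2
Mar 10 09:14:05 wiki kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=41002 DPT=3389 SYN
Mar 10 09:14:09 wiki kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=52000 DPT=22 SYN'

# Count rejected packets per source address and list, in order of first
# appearance, the destination ports each source touched. Output lines:
#   <count> <source> <port,port,...>   (most active source first)
summarize_rejects() {
  grep 'FINAL_REJECT:' | awk '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "") next
      count[src]++
      if (!((src, dpt) in seen)) {
        seen[src, dpt] = 1
        ports[src] = (ports[src] == "") ? dpt : ports[src] "," dpt
      }
    }
    END { for (s in count) printf "%d %s %s\n", count[s], s, ports[s] }
  ' | sort -rn
}

# Print the sources whose rejected-packet count is at least THRESHOLD; these
# are the entries worth a closer look or a fail2ban-style ban.
noisy_sources() {
  summarize_rejects | awk -v t="$1" '$1 >= t { print $2 }'
}

# Live-host usage:
#   journalctl -k --since "1 hour ago" | summarize_rejects
#   journalctl -k --since "1 hour ago" | noisy_sources 20
```

Because the kernel logs every rejected packet, enabling `--set-log-denied=all` on a busy public host can generate a large volume of journal entries; start with a short `--since` window and raise the threshold until the output is actionable.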
Table of Recommended Firewall Rules
Rule | Description | Action |
---|---|---|
Allow HTTP | Allows access to the MediaWiki web interface over HTTP. | Add Port 80/tcp |
Allow HTTPS | Allows secure access to the MediaWiki web interface over HTTPS. | Add Port 443/tcp |
Restrict SSH | Limits SSH access to specific IP addresses. | Add Rich Rule (IP restriction) |
Allow DNS (if applicable) | Allows DNS queries if the server is a DNS server. | Add Port 53/tcp and 53/udp |
Block all other incoming traffic | Default deny policy for security. | Default Zone set to 'drop' or 'block' |
Further Resources
- Firewalld Documentation: [1](https://firewalld.org/documentation/)
- iptables: Understanding the underlying technology.
- SSH Security: Hardening your SSH server.
- Fail2ban: Intrusion prevention system.
- Server Security Best Practices: General server security guidelines.
- MediaWiki Security: Specific security considerations for MediaWiki.