Firewalls
This article details firewall configuration for a MediaWiki 1.40 installation. Protecting your MediaWiki server with a properly configured firewall is crucial for security. This guide will cover common firewall concepts and specific considerations for MediaWiki.
What is a Firewall?
A firewall acts as a barrier between your server and the outside world, controlling network traffic based on pre-defined rules. It examines incoming and outgoing network packets and either allows or blocks them based on these rules. Firewalls can be hardware-based, software-based, or a combination of both. For most MediaWiki installations, software firewalls like `iptables` (Linux) or the Windows Firewall are sufficient. Understanding Network Security is vital when configuring a firewall.
Types of Firewalls
There are several types of firewalls, each with its own strengths and weaknesses:
- Packet Filtering Firewall: Examines individual packets and allows or blocks them based on source and destination IP addresses, ports, and protocols. This is the most basic type.
- Stateful Inspection Firewall: Keeps track of the state of network connections and allows packets based on whether they are part of an established connection. This is more secure than packet filtering.
- Proxy Firewall: Acts as an intermediary between your server and the outside world, hiding your server's IP address.
- Next-Generation Firewall (NGFW): Combines features of traditional firewalls with advanced features like intrusion prevention and application control.
Common Firewall Configurations for MediaWiki
The following ports are commonly required for a functioning MediaWiki installation. These should be opened in your firewall:
| Port | Protocol | Description |
|---|---|---|
| 80 | TCP | HTTP (standard web traffic, unencrypted) |
| 443 | TCP | HTTPS (secure web traffic, encrypted). Highly recommended! See HTTPS Configuration |
| 22 | TCP | SSH (Secure Shell), for remote administration. Restrict access to trusted IPs! |
| 25 | TCP | SMTP (Simple Mail Transfer Protocol), for sending email notifications. If using an external SMTP server, this might not be needed. See Email Configuration |
It’s important to note that opening ports can increase your server’s attack surface. Only open the ports necessary for your MediaWiki installation to function.
Example Firewall Rules (iptables - Linux)
The following are example `iptables` rules. These should be adapted to your specific network configuration. *Always test your firewall rules carefully to avoid locking yourself out of your server!* See Linux Server Administration for more information.
```
# Allow loopback traffic (local services such as the database talk over lo)
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections the server itself opened (DNS, package updates,
# outbound SMTP); without this rule the final DROP silently breaks them
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow incoming HTTP traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow incoming HTTPS traffic
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow incoming SSH traffic from a trusted IP address (replace with your IP)
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
# Allow outgoing traffic
iptables -A OUTPUT -j ACCEPT
# Drop all other incoming traffic
iptables -A INPUT -j DROP
```
These rules are a very basic example. More advanced configurations may be necessary depending on your security requirements. Consider using a firewall management tool like `ufw` to simplify configuration. See Server Security for further details.
Windows Firewall Configuration
The Windows Firewall can be configured through the Windows Firewall with Advanced Security interface. You will need to create inbound rules to allow traffic on ports 80, 443, and 22 (if needed). Ensure the rules specify TCP as the protocol. Refer to the official Microsoft Windows Server Documentation for detailed instructions.
Advanced Firewall Considerations
- Rate Limiting: Implement rate limiting to prevent denial-of-service (DoS) attacks.
- Intrusion Detection/Prevention Systems (IDS/IPS): Consider using an IDS/IPS to detect and block malicious traffic. See Intrusion Detection Systems.
- Web Application Firewall (WAF): A WAF can protect your MediaWiki installation from web-based attacks like SQL injection and cross-site scripting (XSS).
- Regular Audits: Regularly audit your firewall rules to ensure they are still appropriate and effective. See Security Audits.
Firewall Rule Table Example - Specific Applications
The following table outlines rules for specific applications that might interact with your MediaWiki server.
| Application | Port | Protocol | Description |
|---|---|---|---|
| phpMyAdmin | 8080 | TCP | Access to phpMyAdmin for database management. Restrict access! See Database Administration. |
| Redis (Cache) | 6379 | TCP | Access to the Redis cache server. Only allow access from the MediaWiki server. See Caching. |
| Memcached (Cache) | 11211 | TCP | Access to the Memcached cache server. Only allow access from the MediaWiki server. |
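The "Regular Audits" item above and the application table both come down to one check: does every ACCEPT rule on the INPUT chain match the source restrictions the tables call for? The script below is an added example, not part of this article or of MediaWiki; it parses `iptables -S INPUT` output (a constructed sample is embedded), encodes the port policy from the two tables, and reports accepted ports that are wider than the policy or not in it at all. The admin host 192.0.2.10 and the MediaWiki host 192.0.2.20 are assumed placeholder addresses.

```python
import re
from ipaddress import ip_network

# Policy derived from the port tables above: port -> allowed source networks.
# "any" means world-reachable is acceptable. Host addresses are constructed placeholders.
POLICY = {
    80: "any", 443: "any", 25: "any",
    22: {"192.0.2.10/32"},       # SSH: trusted admin host only
    8080: {"192.0.2.10/32"},     # phpMyAdmin: admin host only
    6379: {"192.0.2.20/32"},     # Redis: MediaWiki server only
    11211: {"192.0.2.20/32"},    # Memcached: MediaWiki server only
}

# Matches the form iptables -S prints for simple TCP port rules on INPUT.
RULE_RE = re.compile(
    r"^-A INPUT(?: -s (?P<src>\S+))? -p tcp(?: -m tcp)? --dport (?P<port>\d+) -j (?P<target>\w+)$"
)

def parse_rules(dump):
    """Turn `iptables -S INPUT` lines into (port, source_network, target) tuples."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src = m.group("src") or "0.0.0.0/0"   # no -s means any source
            rules.append((int(m.group("port")), ip_network(src, strict=False), m.group("target")))
    return rules

def audit(dump, policy=POLICY):
    """Return findings for ACCEPT rules that exceed the policy or open unlisted ports."""
    findings = []
    for port, src, target in parse_rules(dump):
        if target != "ACCEPT":
            continue
        allowed = policy.get(port)
        if allowed is None:
            findings.append(f"port {port}/tcp accepted from {src} but is not in the policy")
        elif allowed != "any" and not any(src.subnet_of(ip_network(a)) for a in allowed):
            findings.append(f"port {port}/tcp accepted from {src}; policy restricts it to {sorted(allowed)}")
    return findings

# Constructed sample of `iptables -S INPUT` output; not taken from a real host.
SAMPLE_DUMP = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print("FINDING:", finding)
```

On the sample it flags Redis open to the world, Memcached open to a whole /24 instead of the one MediaWiki host, and MySQL (3306) exposed although it appears in no table; run it against `sudo iptables -S INPUT` on a real host after each rule change.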
Firewall and Load Balancers
If you are using a load balancer in front of your MediaWiki servers, the firewall configuration becomes more complex. The firewall should typically be placed in front of the load balancer to protect the entire infrastructure. The load balancer then distributes traffic to the backend MediaWiki servers. Consult the documentation for your specific load balancer and firewall for detailed configuration instructions. See Load Balancing.
Resources
- Iptables Documentation: Official documentation for iptables.
- Windows Firewall Documentation: Official documentation for the Windows Firewall.
- Server Hardening: General server security practices.