docs/content/admin/configuration/configuring-network-settings/configuring-built-in-firewall-rules.md

title, intro, redirect_from, versions, type, topics, shortTitle

title	intro	redirect_from	versions	type	topics	shortTitle
Configuring built-in firewall rules	You can view default firewall rules and customize rules for {% data variables.product.product_location %}.	/enterprise/admin/guides/installation/configuring-firewall-settings/ /enterprise/admin/installation/configuring-built-in-firewall-rules /enterprise/admin/configuration/configuring-built-in-firewall-rules /admin/configuration/configuring-built-in-firewall-rules	ghes *	how_to	Enterprise Fundamentals Infrastructure Networking	Configure firewall rules

About {% data variables.product.product_location %}'s firewall

{% data variables.product.prodname_ghe_server %} uses Ubuntu's Uncomplicated Firewall (UFW) on the virtual appliance. For more information see "UFW" in the Ubuntu documentation. {% data variables.product.prodname_ghe_server %} automatically updates the firewall allowlist of allowed services with each release.

After you install {% data variables.product.prodname_ghe_server %}, all required network ports are automatically opened to accept connections. Every non-required port is automatically configured as deny, and the default outgoing policy is configured as allow. Stateful tracking is enabled for any new connections; these are typically network packets with the SYN bit set. For more information, see "Network ports."

The UFW firewall also opens several other ports that are required for {% data variables.product.prodname_ghe_server %} to operate properly. For more information on the UFW rule set, see the UFW README.

Viewing the default firewall rules

{% data reusables.enterprise_installation.ssh-into-instance %} 2. To view the default firewall rules, use the sudo ufw status command. You should see output similar to this:

$ sudo ufw status
> Status: active
> To                         Action      From
> --                         ------      ----
> ghe-1194                   ALLOW       Anywhere
> ghe-122                    ALLOW       Anywhere
> ghe-161                    ALLOW       Anywhere
> ghe-22                     ALLOW       Anywhere
> ghe-25                     ALLOW       Anywhere
> ghe-443                    ALLOW       Anywhere
> ghe-80                     ALLOW       Anywhere
> ghe-8080                   ALLOW       Anywhere
> ghe-8443                   ALLOW       Anywhere
> ghe-9418                   ALLOW       Anywhere
> ghe-1194 (v6)              ALLOW       Anywhere (v6)
> ghe-122 (v6)               ALLOW       Anywhere (v6)
> ghe-161 (v6)               ALLOW       Anywhere (v6)
> ghe-22 (v6)                ALLOW       Anywhere (v6)
> ghe-25 (v6)                ALLOW       Anywhere (v6)
> ghe-443 (v6)               ALLOW       Anywhere (v6)
> ghe-80 (v6)                ALLOW       Anywhere (v6)
> ghe-8080 (v6)              ALLOW       Anywhere (v6)
> ghe-8443 (v6)              ALLOW       Anywhere (v6)
> ghe-9418 (v6)              ALLOW       Anywhere (v6)

Adding custom firewall rules

{% warning %}

Warning: Before you add custom firewall rules, back up your current rules in case you need to reset to a known working state. If you're locked out of your server, contact {% data variables.contact.contact_ent_support %} to reconfigure the original firewall rules. Restoring the original firewall rules involves downtime for your server.

{% endwarning %}

1. Configure a custom firewall rule.
2. Check the status of each new rule with the status numbered command.

$ sudo ufw status numbered

3. To back up your custom firewall rules, use the cpcommand to move the rules to a new file.

$ sudo cp -r /etc/ufw ~/ufw.backup

After you upgrade {% data variables.product.product_location %}, you must reapply your custom firewall rules. We recommend that you create a script to reapply your firewall custom rules.

Restoring the default firewall rules

If something goes wrong after you change the firewall rules, you can reset the rules from your original backup.

{% warning %}

Warning: If you didn't back up the original rules before making changes to the firewall, contact {% data variables.contact.contact_ent_support %} for further assistance.

{% endwarning %}

{% data reusables.enterprise_installation.ssh-into-instance %} 2. To restore the previous backup rules, copy them back to the firewall with the cp command.

$ sudo cp -f ~/ufw.backup/*rules /etc/ufw

3. Restart the firewall with the systemctl command.

$ sudo systemctl restart ufw

4. Confirm that the rules are back to their defaults with the ufw status command.

$ sudo ufw status
> Status: active
> To                         Action      From
> --                         ------      ----
> ghe-1194                   ALLOW       Anywhere
> ghe-122                    ALLOW       Anywhere
> ghe-161                    ALLOW       Anywhere
> ghe-22                     ALLOW       Anywhere
> ghe-25                     ALLOW       Anywhere
> ghe-443                    ALLOW       Anywhere
> ghe-80                     ALLOW       Anywhere
> ghe-8080                   ALLOW       Anywhere
> ghe-8443                   ALLOW       Anywhere
> ghe-9418                   ALLOW       Anywhere
> ghe-1194 (v6)              ALLOW       Anywhere (v6)
> ghe-122 (v6)               ALLOW       Anywhere (v6)
> ghe-161 (v6)               ALLOW       Anywhere (v6)
> ghe-22 (v6)                ALLOW       Anywhere (v6)
> ghe-25 (v6)                ALLOW       Anywhere (v6)
> ghe-443 (v6)               ALLOW       Anywhere (v6)
> ghe-80 (v6)                ALLOW       Anywhere (v6)
> ghe-8080 (v6)              ALLOW       Anywhere (v6)
> ghe-8443 (v6)              ALLOW       Anywhere (v6)
> ghe-9418 (v6)              ALLOW       Anywhere (v6)