In the past, iptables was the usual way to firewall an instance. Civo has a built-in firewall ready for you to use, or you can still run a firewall inside the machine using Ubuntu's easy-to-configure UFW.

Using Civo's firewalls

The first step is to click on Firewalls in the left navigation of your logged-in account.

The instruction on this page tells you that by default the system firewall is an "allow anything in" type of firewall. If you create a new firewall by clicking the "+Create firewall" button, you'll get a popup asking for a name for the new firewall.

After typing a name and clicking "Create", it will create the firewall and list it along with two buttons. The first button lets you manage the rules for this firewall, the second one deletes it.

You should then click on the rules button, fill in the details of each rule, and click the "+" button to add it.

After that, you can choose this firewall when creating a new instance, or you can view an existing instance and change its firewall from there.

Using UFW on Ubuntu

The first step in installing and configuring UFW on Ubuntu is to update the list of packages available from the repository. So SSH to your instance and let's do it:

$ ssh civo@your.ip.address
$ sudo apt update

Now we're ready to install. We've trimmed the output below, but as long as you don't get an obvious error it should be fine:

$ sudo apt install ufw
Setting up ufw (0.35-0ubuntu2) ...

Now we can check the status of the UFW system with:

$ sudo ufw status
Status: inactive

Before we go too far, let's allow incoming SSH using UFW's shorthand for known protocols, then set the default policies to deny any unspecified incoming connections and allow any outbound connections:

$ sudo ufw allow ssh
Rules updated
Rules updated (v6)

$ sudo ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

$ sudo ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)

At this point, we can now enable UFW and be protected against incoming connections on running services:

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Because we allowed SSH before enabling the firewall, running this command does not disrupt our existing SSH connection. Now we can open the ports for web traffic (as we did with Civo's Firewall feature earlier). This time we'll specify ports and protocols:

$ sudo ufw allow 80/tcp
Rules updated
Rules updated (v6)

$ sudo ufw allow 443/tcp
Rules updated
Rules updated (v6)

Again, we can check the current status of UFW with:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
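
To check an instance against the rule set built above, the status output can be audited by script. The following is an added example, not part of the original guide; the EXPECTED list, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `ufw status` output with the rule set this guide builds.
# EXPECTED and both function names are assumptions made for illustration.
EXPECTED="22 80/tcp 443/tcp"

# Reads `ufw status` text on stdin, prints one line per finding, and
# returns 0 only when the firewall is active with exactly the expected ALLOWs.
audit_ufw_status() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        /^Status:/ { status = $2; next }
        {
            # IPv6 rows carry a "(v6)" marker between the port and the action.
            if ($2 == "(v6)") { fam = "v6"; action = $3 } else { fam = "v4"; action = $2 }
            if (action != "ALLOW") next      # also skips header and blank lines
            seen[$1] = 1
            if (!($1 in want)) { print "UNEXPECTED " $1 " (" fam ")"; bad = 1 }
        }
        END {
            if (status != "active") { print "INACTIVE"; bad = 1 }
            for (i = 1; i <= n; i++)
                if (!(e[i] in seen)) { print "MISSING " e[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the guide's rule set after drift
# (443/tcp removed, 3306/tcp opened to Anywhere).
sample_drifted() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

sample_drifted | audit_ufw_status || echo "firewall differs from the expected rule set"
```

On an instance, pipe the real output in with `sudo ufw status | audit_ufw_status`.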

To remove a rule, run the same command you used to allow it, but with delete inserted before the rule description:

$ sudo ufw delete allow 80/tcp

Finally, if you want to disable the firewall and return the instance to its default "everything open" state:

$ sudo ufw disable