The Robot control panel provides a clear and easy-to-understand firewall for dedicated servers. In this article, we will look at what it can do.
When we open the Firewall tab, we see an interface along these lines:
Protocols:
«*» — all protocols.
TCP — one of the main data transfer protocols. Its advantages are that data is exchanged only after a connection has been established, duplicate packets are dropped, and packets are retransmitted if an error occurs. Unlike UDP, it gives much stronger guarantees that packets are delivered.
UDP — a high-speed protocol designed to transfer large amounts of data quickly. As a rule, this is its great advantage over TCP. At the same time, UDP assumes that error checking and similar packet corrections are not needed, since they are handled at the application level itself.
GRE — a protocol for packet tunneling.
ICMP — used by network devices to exchange information about network events and errors.
IPIP — encapsulates one IP packet inside another IP packet, adding an extra header with its own source and destination IP.
AH — the IPsec Authentication Header; it protects the integrity and authenticity of transmitted packets and also drops duplicate (replayed) packets.
ESP — the IPsec Encapsulating Security Payload; it secures traffic by encrypting packets and also includes the capabilities of the AH protocol.
Next, let's look at which TCP flags can be specified in a rule, namely syn, fin, rst, psh, urg.
They can be specified individually or as a logical combination.
«|» — a logical «OR»: the rule matches when at least one of the listed flags is set in the packet.
«&» — a logical «AND»: the rule matches only when all of the listed flags are set in the packet.
Examples of such combinations:
syn|fin
rst&psh
Actions:
Accept — allow the packet.
Discard — drop the packet.
The rules are evaluated in order, from top to bottom.
If rule #1 does not match, rule #2 is checked. If rule #2 also does not match, rule #3 is checked, and so on, until one of the rules matches and the packet is either accepted or discarded according to that rule's action. If, for example, the second rule matches, none of the subsequent rules are checked. If none of the rules match, the packet is discarded.
Let's try, for example, to block all SSH connections to our server (port 22).
To do this, we create a rule and place it above the existing one (which accepts all packets over all protocols).
We then wait for the new rule list to finish being applied.
Once it has been applied, we try to connect to our server and get an error, because the connection was rejected by the rule we created.
To roll back the change, simply delete the new rule and save the list.
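As an added illustration (written for this article, not the Robot panel's own code), here is a small Python model of the rule semantics described above: protocol and port matching, the «|» and «&» flag combinations, first-match evaluation from top to bottom, and the implicit discard when nothing matches, applied to the SSH-blocking rule list from this example. The rule and packet field names, and the sample packets, are assumptions made for the model.

```python
# Model of the Robot firewall rule evaluation described in the article.
# Assumed representation: a rule is a dict with "proto", "dst_port",
# "tcp_flags" and "action"; "*" means "any", matching the panel's wildcard.

ANY = "*"


def flags_match(expr, packet_flags):
    """True if a TCP flag expression ("syn|fin", "rst&psh", "*") matches the
    set of flags carried by a packet. "|" = at least one set, "&" = all set."""
    if expr == ANY or not expr:
        return True
    if "&" in expr:
        return all(f in packet_flags for f in expr.split("&"))
    return any(f in packet_flags for f in expr.split("|"))


def rule_matches(rule, pkt):
    """Check one rule against one packet (protocol, destination port, flags)."""
    if rule["proto"] != ANY and rule["proto"] != pkt["proto"]:
        return False
    if rule["dst_port"] != ANY and rule["dst_port"] != pkt.get("dst_port"):
        return False
    if pkt["proto"] == "tcp" and not flags_match(rule["tcp_flags"], pkt.get("flags", set())):
        return False
    return True


def evaluate(rules, pkt):
    """Walk the list top to bottom; the first matching rule decides.
    Returns (action, rule_number); no match means ("discard", None)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule["action"], number
    return "discard", None


# The rule list from the article: block SSH first, then accept everything.
RULES = [
    {"proto": "tcp", "dst_port": 22, "tcp_flags": ANY, "action": "discard"},
    {"proto": ANY, "dst_port": ANY, "tcp_flags": ANY, "action": "accept"},
]

# Constructed sample packets (not real captures).
SSH_SYN = {"proto": "tcp", "dst_port": 22, "flags": {"syn"}}
HTTPS_SYN = {"proto": "tcp", "dst_port": 443, "flags": {"syn"}}
PING = {"proto": "icmp"}
```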
You can experiment freely with the rules and even build a small DDoS protection scheme of your own; it will not be very strong, but it can still be partially effective.