====== Runbook: Firewall Rules ======

**Duration:** ~10 minutes \\
**Role:** Network Admin, Security Admin \\
**Prerequisite:** Root/Admin rights

Access control for the Data Gateway at network level: only the ports in the table below are opened, and the HTTPS port only for the networks that need it.

----

===== Workflow =====

<code>
flowchart TD
    A[Start] --> B[Identify ports]
    B --> C{Platform?}
    C -->|Windows| D[Windows Firewall]
    C -->|Linux| E[iptables/firewalld]
    C -->|Cloud| F[Security Groups]
    D --> G[Create rule]
    E --> G
    F --> G
    G --> H[Test]
    H --> I{Access OK?}
    I -->|Yes| J[Document]
    I -->|No| K[Adjust rule]
    style J fill:#e8f5e9
    style K fill:#ffebee
</code>

----

===== Required Ports =====

^ Port ^ Protocol ^ Direction ^ Description ^
| 443  | TCP | Inbound  | HTTPS (production) |
| 5000 | TCP | Inbound  | HTTP (development only, never opened in production) |
| 9090 | TCP | Outbound | Prometheus (optional) |
| 1433 | TCP | Outbound | SQL Server |
| 5432 | TCP | Outbound | PostgreSQL |
| 3306 | TCP | Outbound | MySQL |

Open only the database port the gateway actually connects to, and only towards the database host. Outbound rules are needed only where egress has been restricted: Windows Firewall, iptables, AWS security groups and Azure NSGs all allow outbound traffic by default.

----

===== 1. Windows Firewall =====

Windows Firewall blocks unsolicited inbound connections by default, so port 5000 stays closed as long as no allow rule is created for it. Allow rules are additive (any matching allow rule admits the connection; only block rules override them): if both inbound rules below exist, the unrestricted one wins. Create one or the other, and in production only the restricted one.

**PowerShell (as Admin):**

<code powershell>
# Inbound: Allow HTTPS from anywhere (test/lab only)
New-NetFirewallRule -DisplayName "Data Gateway HTTPS" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443

# Inbound: Only from specific IPs (production)
New-NetFirewallRule -DisplayName "Data Gateway HTTPS Restricted" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 `
    -RemoteAddress "10.0.0.0/8","192.168.0.0/16"

# Outbound: Allow SQL Server (only needed if the outbound default has been set to Block)
New-NetFirewallRule -DisplayName "Data Gateway to SQL Server" `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 1433

# List rules
Get-NetFirewallRule -DisplayName "Data Gateway*" |
    Format-Table Name, Enabled, Direction, Action

# Remove rule (e.g. the unrestricted one before go-live)
Remove-NetFirewallRule -DisplayName "Data Gateway HTTPS"
</code>

----
===== 2. Linux: firewalld (RHEL/CentOS) =====

''%%--add-port%%'' opens the port for every source in the zone; the rich rule restricts it to one network. Use one or the other, not both. ''%%--permanent%%'' changes take effect only after ''firewall-cmd %%--reload%%''.

<code bash>
# Open HTTPS port for all sources (test/lab only)
sudo firewall-cmd --permanent --add-port=443/tcp

# Only from specific network (production)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port protocol="tcp" port="443" accept'

# Apply changes
sudo firewall-cmd --reload

# Show rules of the active zone, including rich rules
sudo firewall-cmd --list-all

# Remove rule
sudo firewall-cmd --permanent --remove-port=443/tcp
sudo firewall-cmd --reload
</code>

----

===== 3. Linux: ufw (Ubuntu/Debian) =====

ufw denies inbound by default, but only once it is enabled (''sudo ufw enable''; ''ufw status'' must show ''Status: active''). As above, ''allow 443/tcp'' opens the port for everyone; in production use only the ''allow from'' form.

<code bash>
# Allow HTTPS from anywhere (test/lab only)
sudo ufw allow 443/tcp

# From specific network (production)
sudo ufw allow from 10.0.0.0/8 to any port 443 proto tcp

# Show status and rules
sudo ufw status verbose

# Remove rule
sudo ufw delete allow 443/tcp
</code>

----

===== 4. Linux: iptables (manual) =====

iptables evaluates a chain top down, the first matching rule wins, and ''-A'' appends at the end. If the unrestricted ACCEPT from the first command is already in the chain, the restricted pair below it never matches: list the chain first and delete the unrestricted rule by number if it is there. The explicit DROP is needed because the INPUT chain's default policy is usually ACCEPT.

<code bash>
# Allow HTTPS from anywhere (test/lab only)
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Only from specific network (production): accept the network, then drop the rest
sudo iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

# Save rules (Debian/Ubuntu with iptables-persistent; RHEL uses /etc/sysconfig/iptables)
# The file is root-owned, so the write must run as root too: tee instead of ">"
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

# Show rules with their position in the chain
sudo iptables -L -n --line-numbers

# Remove rule (by number, e.g. the third rule in INPUT)
sudo iptables -D INPUT 3
</code>

----

===== 5. Cloud: AWS Security Group =====

Security group rules are allow-only and additive: if both ingress rules below exist, the ''0.0.0.0/0'' rule makes the ''10.0.0.0/8'' one irrelevant. Add only the restricted rule in production, and remove a world-open rule with ''aws ec2 revoke-security-group-ingress'' and the same parameters. Security groups are stateful (reply traffic is allowed automatically) and allow all outbound by default. ''vpc-12345678'' and ''sg-12345678'' are placeholders; use the GroupId returned by the create call, and attach the group to the gateway instance.

<code bash>
# Create Security Group
aws ec2 create-security-group \
    --group-name gateway-sg \
    --description "Data Gateway Security Group" \
    --vpc-id vpc-12345678

# HTTPS from anywhere (test/lab only)
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0

# HTTPS only from VPN (production)
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 10.0.0.0/8
</code>

----

===== 6. Cloud: Azure NSG =====

NSG rules are evaluated by priority (lower number first). The default rules at priority 65000 and above already allow inbound traffic whose source matches the ''VirtualNetwork'' service tag and deny all other inbound traffic; an Allow rule cannot narrow that. If only ''10.0.0.0/8'' may reach port 443, pair the rule below with a Deny rule for port 443 from any source at a priority between 100 and 65000 (same command with ''%%--access Deny%%''). The NSG only takes effect once it is associated with the gateway's subnet or network interface (''az network vnet subnet update'' or ''az network nic update'' with ''%%--network-security-group%%'').

<code bash>
# Create NSG
az network nsg create \
    --resource-group rg-gateway \
    --name gateway-nsg

# HTTPS rule: inbound 443, only from the internal network
az network nsg rule create \
    --resource-group rg-gateway \
    --nsg-name gateway-nsg \
    --name AllowHTTPS \
    --priority 100 \
    --direction Inbound \
    --access Allow \
    --protocol Tcp \
    --destination-port-ranges 443 \
    --source-address-prefixes '10.0.0.0/8'
</code>

----
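The commands in sections 2 to 4 are typed one at a time, which is how an allow-all rule ends up ahead of the restricted one. The script below is an added example for this runbook, not a script shipped with the Data Gateway: it renders the whole Linux ruleset from the Required Ports table as one iptables-restore file, lints it for checklist items 2 and 3 (no accept for 5000, no accept for 443 without a source network), loads it atomically, and includes a ''probe'' that classifies a blocked port as "refused" or "timeout" the way the Troubleshooting table reads a failed curl from section 8. The variables ''ALLOWED_CIDRS'' and ''OUTPUT_POLICY'' and the path ''/etc/iptables/rules.v4'' (Debian/Ubuntu iptables-persistent) are assumptions of the example, not settings of the gateway.

```sh
#!/bin/sh
# gateway-fw.sh: render, lint, apply and probe the Data Gateway host firewall.
# Added example for this runbook, not a script shipped with the Data Gateway.
# Assumptions (not from the runbook): the ALLOWED_CIDRS and OUTPUT_POLICY
# variables and the Debian/Ubuntu iptables-persistent path /etc/iptables/rules.v4.

ALLOWED_CIDRS="${ALLOWED_CIDRS:-10.0.0.0/8 192.168.0.0/16}"  # networks allowed to reach 443
OUTPUT_POLICY="${OUTPUT_POLICY:-ACCEPT}"  # set to DROP to limit egress to the port table
DB_PORTS="1433 5432 3306"                 # outbound: SQL Server, PostgreSQL, MySQL
GATEWAY_PORT=443                          # HTTPS (production)
DEV_PORT=5000                             # HTTP (development only), kept closed

emit() { printf '%s\n' "$1"; }

# Emit the complete ruleset in iptables-restore format. Because the whole
# chain is written at once, no earlier "--dport 443 -j ACCEPT" can sit ahead
# of the per-network rules, and INPUT falls back to a DROP policy.
render_rules() {
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ":OUTPUT $OUTPUT_POLICY [0:0]"
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for cidr in $ALLOWED_CIDRS; do            # word-split on purpose
        emit "-A INPUT -s $cidr -p tcp --dport $GATEWAY_PORT -j ACCEPT"
    done
    # REJECT with a TCP reset: a client on the dev port sees "refused" at once
    # instead of a timeout. Everything else falls through to the DROP policy.
    emit "-A INPUT -p tcp --dport $DEV_PORT -j REJECT --reject-with tcp-reset"
    emit '-A OUTPUT -o lo -j ACCEPT'
    emit '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A OUTPUT -p udp --dport 53 -j ACCEPT'   # DNS, to resolve the DB host
    for p in $DB_PORTS; do
        emit "-A OUTPUT -p tcp --dport $p -j ACCEPT"
    done
    emit 'COMMIT'
}

# Read a ruleset on stdin; return 1 on either mistake the checklist targets:
# an INPUT accept for the gateway port without "-s <network>", or any accept
# for the development port.
lint_ruleset() {
    rules=$(cat)
    if emit "$rules" | grep -- '^-A INPUT ' | grep -- "--dport $GATEWAY_PORT " \
            | grep -- '-j ACCEPT' | grep -qv -- ' -s '; then
        echo "lint: port $GATEWAY_PORT accepted without source restriction" >&2
        return 1
    fi
    if emit "$rules" | grep -- "--dport $DEV_PORT " | grep -q -- '-j ACCEPT'; then
        echo "lint: development port $DEV_PORT is accepted" >&2
        return 1
    fi
    return 0
}

# Lint, then load atomically (iptables-restore swaps the table in one step,
# so there is no moment with a half-built INPUT chain) and persist.
apply_rules() {
    render_rules | lint_ruleset || return 1
    render_rules | sudo iptables-restore
    render_rules | sudo tee /etc/iptables/rules.v4 >/dev/null
}

# Classify host:port the way the Troubleshooting table reads a failed curl:
# "open", "refused" (REJECT rule or nothing listening) or "timeout" (DROP
# rule, cloud security group/NSG). Uses bash's /dev/tcp, so no nc is needed.
probe() {
    rc=0
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null || rc=$?
    case $rc in
        0)   echo open ;;
        124) echo timeout ;;   # exit status of timeout(1) when the limit is hit
        *)   echo refused ;;
    esac
}

case "${1:-}" in
    render) render_rules ;;
    lint)   render_rules | lint_ruleset && echo "ruleset ok" ;;
    apply)  apply_rules ;;
    probe)  probe "$2" "$3" ;;   # e.g. ./gateway-fw.sh probe gateway.example.com 443
esac
```

Usage: ''sh gateway-fw.sh render'' to inspect the ruleset, ''sudo sh gateway-fw.sh apply'' on the gateway host, then ''sh gateway-fw.sh probe gateway.example.com 443'' from an allowed network (expect ''open'') and from outside (expect ''refused'' or ''timeout''). The lint runs before every apply, so a ruleset edited to open 5000 or to accept 443 from anywhere is rejected instead of loaded.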
===== 7. IP Whitelist in Gateway =====

Additional filter in the application itself. It complements the network firewall rather than replacing it: the gateway still accepts the TCP connection and parses the request before rejecting it, and behind a reverse proxy or load balancer the address it sees is the proxy's unless client addresses are forwarded and trusted. Keep the firewall as the primary control.

**appsettings.json:**

<code json>
{
  "Security": {
    "AllowedIPs": [
      "10.0.0.0/8",
      "192.168.0.0/16",
      "172.16.0.0/12"
    ]
  }
}
</code>

----

===== 8. Test =====

<code bash>
# Local: is the gateway listening? (a certificate error here still means the port is open)
curl https://localhost/health

# From allowed network
curl https://gateway.example.com/health

# From outside (should be blocked)
curl --connect-timeout 5 https://gateway.example.com/health
# Expected: "Connection refused" (REJECT rule, or nothing listening)
#        or a timeout (DROP rule; cloud security groups and NSGs drop silently)
</code>

----

===== 9. Checklist =====

^ # ^ Check ^ Done ^
| 1 | Port 443 inbound allowed | [ ] |
| 2 | Port 5000 (HTTP) blocked | [ ] |
| 3 | Only necessary IPs allowed (no allow-all rule left over from testing) | [ ] |
| 4 | Outbound to DB allowed | [ ] |
| 5 | Tested from outside | [ ] |
| 6 | Rules documented | [ ] |

----

===== Troubleshooting =====

^ Problem ^ Cause ^ Solution ^
| ''Connection refused'' | Nothing listening on the port, or a REJECT rule | Check the gateway is running and bound to the port (''ss -ltn''); add firewall rule |
| ''Connection timeout'' | Packets dropped: DROP rule, security group/NSG, or no route | Check rule, source IP and the cloud rule set |
| Access from everywhere | No source restriction | Limit source IP; remove any allow-all rule |
| DB connection failed | Outbound blocked | Add outbound rule towards the DB host |

----

===== Best Practices =====

**Principle of Least Privilege:**

  * Only open necessary ports
  * Only allow necessary IPs
  * Block HTTP (5000) in production
  * Regularly audit rules (remove test rules that allow all sources)

----

===== Related Runbooks =====

  * [[.:tls-einrichten|Set Up TLS]] - Enable HTTPS
  * [[..:automatisierung:kubernetes|Kubernetes]] - NetworkPolicies
  * [[..:monitoring:alerting|Alerting]] - Connection monitoring

----

<< [[.:zertifikat-erneuern|<- Renew Certificate]] | [[..:start|-> Operator Overview]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional//

{{tag>operator runbook firewall sicherheit netzwerk}}