Runbook: Firewall Rules

Duration: ~10 minutes
Role: Network Admin, Security Admin
Prerequisite: Root/Admin rights

Access control for the Data Gateway at network level.


Workflow

flowchart TD
    A[Start] --> B[Identify ports]
    B --> C{Platform?}
    C -->|Windows| D[Windows Firewall]
    C -->|Linux| E[iptables/firewalld]
    C -->|Cloud| F[Security Groups]
    D --> G[Create rule]
    E --> G
    F --> G
    G --> H[Test]
    H --> I{Access OK?}
    I -->|Yes| J[Document]
    I -->|No| K[Adjust rule]
    style J fill:#e8f5e9
    style K fill:#ffebee


Required Ports

| Port | Protocol | Direction | Description             |
|------|----------|-----------|-------------------------|
| 443  | TCP      | Inbound   | HTTPS (production)      |
| 5000 | TCP      | Inbound   | HTTP (development only) |
| 9090 | TCP      | Outbound  | Prometheus (optional)   |
| 1433 | TCP      | Outbound  | SQL Server              |
| 5432 | TCP      | Outbound  | PostgreSQL              |
| 3306 | TCP      | Outbound  | MySQL                   |

1. Windows Firewall

PowerShell (as Admin):

# Inbound: Allow HTTPS
New-NetFirewallRule -DisplayName "Data Gateway HTTPS" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443
 
# Inbound: Only from specific IPs
New-NetFirewallRule -DisplayName "Data Gateway HTTPS Restricted" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 `
    -RemoteAddress "10.0.0.0/8","192.168.0.0/16"
 
# Outbound: Allow SQL Server
New-NetFirewallRule -DisplayName "Data Gateway to SQL Server" `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 1433
 
# List rules
Get-NetFirewallRule -DisplayName "Data Gateway*" | Format-Table Name, Enabled, Direction, Action
 
# Remove rule
Remove-NetFirewallRule -DisplayName "Data Gateway HTTPS"

2. Linux: firewalld (RHEL/CentOS)

# Open HTTPS port
sudo firewall-cmd --permanent --add-port=443/tcp
 
# Only from specific network
sudo firewall-cmd --permanent --add-rich-rule='
    rule family="ipv4"
    source address="10.0.0.0/8"
    port protocol="tcp" port="443"
    accept'
 
# Apply changes
sudo firewall-cmd --reload
 
# Show rules
sudo firewall-cmd --list-all
 
# Remove rule
sudo firewall-cmd --permanent --remove-port=443/tcp
sudo firewall-cmd --reload

3. Linux: ufw (Ubuntu/Debian)

# Allow HTTPS
sudo ufw allow 443/tcp
 
# From specific network
sudo ufw allow from 10.0.0.0/8 to any port 443 proto tcp
 
# Show status
sudo ufw status verbose
 
# Remove rule
sudo ufw delete allow 443/tcp

4. Linux: iptables (manual)

# Allow HTTPS
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
# Only from specific network (use instead of the unrestricted rule above:
# iptables evaluates INPUT rules in order, so an earlier ACCEPT for 443
# without -s would match first and the DROP below would never be reached)
sudo iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
 
# Save rules (a plain "sudo iptables-save > file" fails: the redirect is
# opened by your unprivileged shell, so run the whole command as root)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
 
# Show rules
sudo iptables -L -n --line-numbers
 
# Remove rule (by number)
sudo iptables -D INPUT 3

5. Cloud: AWS Security Group

# Create Security Group
aws ec2 create-security-group \
    --group-name gateway-sg \
    --description "Data Gateway Security Group" \
    --vpc-id vpc-12345678
 
# HTTPS from anywhere (public endpoints only; otherwise use the VPN-restricted rule below)
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0
 
# HTTPS only from VPN
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 10.0.0.0/8

6. Cloud: Azure NSG

# Create NSG
az network nsg create \
    --resource-group rg-gateway \
    --name gateway-nsg
 
# HTTPS rule
az network nsg rule create \
    --resource-group rg-gateway \
    --nsg-name gateway-nsg \
    --name AllowHTTPS \
    --priority 100 \
    --direction Inbound \
    --access Allow \
    --protocol Tcp \
    --destination-port-ranges 443 \
    --source-address-prefixes '10.0.0.0/8'

7. IP Whitelist in Gateway

Alternative to a network firewall: filter by client source IP inside the application itself.

appsettings.json:

{
  "Security": {
    "AllowedIPs": [
      "10.0.0.0/8",
      "192.168.0.0/16",
      "172.16.0.0/12"
    ]
  }
}
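The membership test an AllowedIPs list (or a source-restricted firewall rule) has to perform, as an added worked example that is not part of this runbook or of the Data Gateway product. It is written as a POSIX shell script so it can be run on the gateway host to confirm which client addresses the three prefixes above actually cover before the restriction goes live. The prefixes are copied from the appsettings.json above; the sample client addresses are constructed for the example, and the function names (`ip_to_int`, `ip_in_cidr`, `client_allowed`) are mine, not the product's.

```shell
#!/bin/sh
# Added example: CIDR membership check for an IPv4 allow-list (not runbook code).

# Print a dotted-quad IPv4 address as a 32-bit integer; exit 1 on malformed input.
ip_to_int() {
    local oldifs octet
    oldifs=$IFS
    IFS=.
    set -- $1                # split the address into its four octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
            0[0-9]*)     return 1 ;;   # leading zero (would be read as octal)
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when address $1 lies inside CIDR prefix $2 (a bare address means /32).
ip_in_cidr() {
    local ip net bits ip_n net_n mask
    ip=$1
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip_n=$(ip_to_int "$ip") || return 1
    net_n=$(ip_to_int "$net") || return 1
    if [ "$bits" -eq 0 ]; then
        mask=0                                   # /0 matches everything
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    # Same network when the masked address bits agree.
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# Allowed prefixes, taken from the runbook's appsettings.json Security.AllowedIPs.
ALLOWED_IPS="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"

# Exit 0 if client address $1 is covered by at least one allowed prefix.
client_allowed() {
    local cidr
    for cidr in $ALLOWED_IPS; do
        ip_in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# Constructed sample clients: VPN range, RFC 1918 class C, just outside
# 172.16.0.0/12, and a public (documentation-range) address.
for client in 10.20.30.40 192.168.1.10 172.32.0.1 203.0.113.7; do
    if client_allowed "$client"; then
        echo "$client allowed"
    else
        echo "$client denied"
    fi
done
```

Run it with any `sh`; 172.32.0.1 is the case worth noting: it looks like a private address but sits outside 172.16.0.0/12 (the /12 ends at 172.31.255.255), so it is correctly denied. An application-level filter only sees the address the connection arrives with, so behind a load balancer or reverse proxy it must be fed the real client address rather than the proxy's, otherwise every request appears to come from an allowed internal range.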

8. Test

# Local
curl https://localhost/health
 
# From allowed network
curl https://gateway.example.com/health
 
# From outside (should be blocked)
curl --connect-timeout 5 https://gateway.example.com/health
# Expected: Connection refused or Timeout

9. Checklist

| # | Check                      | Done |
|---|----------------------------|------|
| 1 | Port 443 inbound allowed   | [ ]  |
| 2 | Port 5000 (HTTP) blocked   | [ ]  |
| 3 | Only necessary IPs allowed | [ ]  |
| 4 | Outbound to DB allowed     | [ ]  |
| 5 | Tested from outside        | [ ]  |
| 6 | Rules documented           | [ ]  |

Troubleshooting

| Problem                | Cause             | Solution             |
|------------------------|-------------------|----------------------|
| Connection refused     | Port not open     | Add firewall rule    |
| Connection timeout     | Firewall blocking | Check rule/source IP |
| Access from everywhere | No restriction    | Limit source IP      |
| DB connection failed   | Outbound blocked  | Add outbound rule    |

Best Practices

Principle of Least Privilege:

  • Only open necessary ports
  • Only allow necessary IPs
  • Block HTTP (5000) in production
  • Regularly audit rules
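One way to make "regularly audit rules" and checklist items 1 to 3 mechanical on a Linux host, as an added example that is not part of this runbook: a POSIX shell script that reads a ruleset in `iptables-save` format and flags any INPUT ACCEPT for port 443 whose source is not in the permitted list, any ACCEPT for port 5000, and the absence of a 443 rule altogether. The ruleset embedded below is constructed for the example (it deliberately contains one unrestricted 443 rule and one open 5000 rule) and does not come from a real host; the function names are mine. On a live host the same function is fed `"$(iptables-save)"` run as root.

```shell
#!/bin/sh
# Added example: audit an iptables-save ruleset against the runbook checklist
# (443 allowed only from permitted sources, 5000 not accepted). Not runbook code.

# Parse one "-A INPUT ..." line into RULE_SRC, RULE_DPORT, RULE_TARGET.
# iptables-save writes rules without -s when they match any source.
parse_rule() {
    RULE_SRC=ANY
    RULE_DPORT=
    RULE_TARGET=
    set -- $1                         # split the rule line into tokens
    while [ $# -gt 1 ]; do
        case $1 in
            -s|--source) RULE_SRC=$2 ;;
            --dport)     RULE_DPORT=$2 ;;
            -j|--jump)   RULE_TARGET=$2 ;;
        esac
        shift
    done
}

# Audit a ruleset. $1 = iptables-save text, remaining args = permitted source
# prefixes for port 443 (written exactly as iptables-save prints them).
# Prints one FINDING line per problem and exits 0 only when there are none.
audit_rules() {
    local rules line findings has_443 ok prefix
    rules=$1
    shift
    findings=0
    has_443=0
    while IFS= read -r line; do
        case $line in
            "-A INPUT "*) ;;
            *) continue ;;            # skip headers, COMMIT, other chains
        esac
        parse_rule "$line"
        [ "$RULE_TARGET" = ACCEPT ] || continue
        case $RULE_DPORT in
            443)
                has_443=1
                ok=0
                for prefix in "$@"; do
                    [ "$RULE_SRC" = "$prefix" ] && ok=1
                done
                if [ "$ok" -eq 0 ]; then
                    echo "FINDING: port 443 accepted from $RULE_SRC, which is not in the allowed list"
                    findings=$((findings + 1))
                fi ;;
            5000)
                echo "FINDING: port 5000 (HTTP) accepted from $RULE_SRC; must be blocked in production"
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$rules
EOF
    if [ "$has_443" -eq 0 ]; then
        echo "FINDING: no INPUT ACCEPT rule for port 443"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample ruleset in iptables-save format. The second 443 rule
# (no -s) and the 5000 rule are the defects the audit should report.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

if audit_rules "$SAMPLE_RULES" 10.0.0.0/8 192.168.0.0/16; then
    echo "PASS: ruleset satisfies checklist items 1-3"
else
    echo "FAIL: fix the findings above and re-run"
fi
# Live host (as root): audit_rules "$(iptables-save)" 10.0.0.0/8 192.168.0.0/16
```

The check is intentionally literal: a source must appear in the ruleset exactly as it is in the allowed list, so a rule for 10.1.0.0/16 is reported even though it is narrower than 10.0.0.0/8. That is the behaviour you want from an audit, since any prefix not on the documented list is a change somebody should explain. Schedule it from cron and alert on a non-zero exit to cover the "regularly audit rules" item.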




Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional

Last modified: 2026/01/29 at 11:37 PM