Windows Hardware Firewall Service

To set up your firewall service, please submit a request that includes any specific rules you want in your firewall configuration. If you prefer, you can choose the standard configuration without any custom rules. The standard configuration includes the most common services run on dedicated or virtual private servers and is listed in full at the end of this article. Your setup request should be submitted to the Technical Support Department via verified ticket through the WebControlCenter.

The following information describes the fundamental structure of the firewall rules and how to format your rules for a firewall change request.

Our Hardware Firewall Service utilizes two terms to define both sides of the firewall.

TRUST - All IP addresses on your dedicated server are considered trusted hosts or trusted IP addresses.

OUTSIDE - Hosts or IP addresses outside your server (your clients and third party services) are considered OUTSIDE hosts.

Special Note: It is important to understand that all connections from Trust -> Outside are automatically allowed by the firewall. That is, applications on your server (being from the Trusted host group in your firewall configuration) that are making connections to Outside IP addresses (DNS, SMTP, etc.) are automatically allowed. Since connections from your server to the internet are automatically allowed, it is not necessary to submit firewall change requests to open ports for the Trust -> Outside path.

The path of concern for security, and the focus of the firewall configuration, is the Outside -> Trust path: connections initiated from outside hosts (clients and third party services) to your server (Trusted hosts or IP addresses).

The following list includes descriptions of some firewall rules you can add to your configuration.

ALLOW OUTSIDE -> TRUST TCP/80

All standard http traffic uses port TCP/80. This rule will allow any OUTSIDE host or IP address access to your web site. This is typical for hosting a web site and is part of the standard configuration.

ALLOW OUTSIDE -> TRUST TCP/443

SSL web activity uses port TCP/443. This rule will allow access to your SSL web site. This is part of the standard configuration.

ALLOW OUTSIDE -> TRUST TCP/8080

For those of you still using the Media House Stats package, you will need to allow traffic to port TCP/8080. This is NOT part of the standard configuration.

ALLOW OUTSIDE -> TRUST TCP/8889

ALLOW OUTSIDE -> TRUST TCP/9998

ALLOW OUTSIDE -> TRUST TCP/9999

SmarterStats and SmarterMail both require TCP ports 8889, 9998, and 9999. All traffic to these TCP ports is in the standard configuration under the name SMARTERTOOLS.

ALLOW OUTSIDE -> TRUST UDP/53

ALLOW OUTSIDE -> TRUST TCP/53

DNS traffic uses port UDP/53 for regular DNS queries, while zone transfers are performed over TCP/53. Both UDP/53 and TCP/53 are part of the standard configuration. If you do not need to support zone transfers on your server, you are encouraged to allow only UDP/53.

Special Note: If the service is common, like FTP, HTTP, HTTPS, and SMTP, you can specify the service name itself rather than the ports in your rules. The following rules illustrate this.

ALLOW OUTSIDE -> TRUST FTP

FTP requires access to ports TCP/20-21 and one or more additional connections for active and passive mode FTP.

ALLOW OUTSIDE -> TRUST SMTP

Every standard mail server requires port TCP/25 open for SMTP. SMTP is included in the standard configuration.

ALLOW OUTSIDE -> TRUST TERMINAL SERVICES

Terminal Services uses port TCP/3389. Terminal Services gives you the ability to connect to your dedicated server for remote administration. TS is in the standard configuration. If you can, we recommend you only allow Terminal Services traffic from specific IP addresses.

ALLOW OUTSIDE -> TRUST POP3

POP3 traffic uses port TCP/110. OUTSIDE access for POP3 TCP/110 is in the standard configuration.

ALLOW OUTSIDE -> TRUST IMAP

IMAP traffic uses port TCP/143. OUTSIDE access for IMAP TCP/143 is in the standard configuration.

ALLOW OUTSIDE -> TRUST PING

ALLOW OUTSIDE -> TRUST TRACEROUTE

PING and TRACEROUTE are allowed in the standard configuration to allow you to monitor your server.

ALLOW OUTSIDE -> TRUST MS-SQL

Microsoft SQL Server uses ports TCP/1433 and UDP/1434. These ports are NOT open in the standard configuration.

CUSTOM OUTSIDE OR TRUST OBJECTS:

ALLOW 192.168.1.5 -> TRUST TCP/UDP 5000

DENY OUTSIDE -> TRUST TCP/UDP 5000

Instead of using the less specific OUTSIDE or TRUST keywords, you can specify a single IP address or a network such as 192.168.1.5 or 192.168.1.0/24. The two rules above will allow the IP of 192.168.1.5 to access port 5000 on any IP address in the TRUST group (all IP addresses on your server) and deny everyone else access to port 5000. You can also change the TRUST keyword in the same manner as OUTSIDE to create a custom rule that only allows certain traffic to a specific IP address on your server.
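The following is an added example, not part of the original article or the firewall service itself: a small Python evaluator for the rule format used above (ALLOW/DENY, TRUST/OUTSIDE or a literal IP/CIDR, then a port spec or service name), run against the custom rule pair from this section followed by part of the standard configuration and its catch-all DENY. It assumes first-match ordering and a default of DENY, which the article implies but does not state, and maps service names to the ports the article gives.

```python
import ipaddress

# Service names as this article maps them to ports (TCP/UDP services only).
SERVICES = {
    "HTTP": [("tcp", 80, 80)], "HTTPS": [("tcp", 443, 443)], "SMTP": [("tcp", 25, 25)],
    "DNS": [("tcp", 53, 53), ("udp", 53, 53)], "TERMINAL SERVICES": [("tcp", 3389, 3389)],
    "MS-SQL": [("tcp", 1433, 1433), ("udp", 1434, 1434)],
}

def parse_ports(spec):
    """'TCP/80', 'TCP/20-21', 'TCP/UDP 5000', a service name or ANY -> [(proto, lo, hi)]."""
    spec = spec.split("(")[0].strip().upper()   # drop '(TCP/25)' style notes
    if spec == "ANY":
        return None                              # any protocol, any port
    if spec in SERVICES:
        return SERVICES[spec]
    # 'TCP/UDP 5000' splits on the space, 'TCP/80' or 'TCP/20-21' on the slash
    protos, _, ports = spec.rpartition(" ") if " " in spec else spec.partition("/")
    lo, _, hi = ports.partition("-")
    return [(p.lower(), int(lo), int(hi or lo)) for p in protos.split("/")]

def parse_rule(line):   # 'ALLOW OUTSIDE -> TRUST TCP/80' -> (action, src, dst, ports)
    action, rest = line.split(None, 1)
    src, _, rest = rest.partition("->")
    dst, _, spec = rest.strip().partition(" ")
    return action.upper(), src.strip(), dst, parse_ports(spec)

def host_matches(obj, ip, trusted):   # TRUST = server IPs, OUTSIDE = the rest, else IP/CIDR
    if obj.upper() in ("TRUST", "OUTSIDE"):
        return (ip in trusted) == (obj.upper() == "TRUST")
    return ip in ipaddress.ip_network(obj, strict=False)

def evaluate(rules, trusted, src_ip, dst_ip, proto, port):
    """Trust -> Outside is always allowed (per the article); otherwise the first
    matching rule wins and no match means DENY (ordering and default are assumptions)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in trusted and dst not in trusted:
        return "ALLOW"
    for action, s, d, ports in rules:
        if host_matches(s, src, trusted) and host_matches(d, dst, trusted) and (
                ports is None or any(p == proto and lo <= port <= hi for p, lo, hi in ports)):
            return action
    return "DENY"

# Constructed sample: TEST-NET-3 server IP, the article's custom rule pair, then part of the standard config.
TRUSTED = {ipaddress.ip_address("203.0.113.10")}
RULES = [parse_rule(r) for r in [
    "ALLOW 192.168.1.5 -> TRUST TCP/UDP 5000", "DENY OUTSIDE -> TRUST TCP/UDP 5000",
    "ALLOW OUTSIDE -> TRUST HTTP (TCP/80)", "ALLOW OUTSIDE -> TRUST TERMINAL SERVICES (TCP/3389)",
    "DENY OUTSIDE -> TRUST ANY (ALL OTHER TRAFFIC DISCARDED)"]]
```

Calling `evaluate(RULES, TRUSTED, "192.168.1.5", "203.0.113.10", "tcp", 5000)` returns "ALLOW" while the same port from any other address returns "DENY", which is the effect the two custom rules are meant to have.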

If you have any questions regarding the Hardware Firewall Service or need to submit any firewall change requests, please submit a verified ticket to the Technical Support Department with your request through the WebControlCenter. When submitting change requests, please use the same format as the rules shown in this document.

For instructions on how to submit a verified ticket through the WebControlCenter, please see our article on the subject.

For your reference, the following list defines the standard configuration for Windows servers in detail:

------------------------------------------------------------------------------

ALLOW OUTSIDE -> TRUST FTP (TCP/20-21, + PASV mode callbacks)

ALLOW OUTSIDE -> TRUST SMTP (TCP/25)

ALLOW OUTSIDE -> TRUST DNS (TCP/53 and UDP/53)

ALLOW OUTSIDE -> TRUST HTTP (TCP/80)

ALLOW OUTSIDE -> TRUST POP3 (TCP/110)

ALLOW OUTSIDE -> TRUST HTTPS (TCP/443)

ALLOW OUTSIDE -> TRUST TERMINAL SERVICES (TCP/3389)

ALLOW OUTSIDE -> TRUST SMARTERTOOLS (TCP/8889, TCP/9998-9999)

ALLOW OUTSIDE -> TRUST PING

ALLOW OUTSIDE -> TRUST TRACEROUTE

DENY OUTSIDE -> TRUST ANY (ALL OTHER TRAFFIC DISCARDED)

------------------------------------------------------------------------------

Please note: Non-Urgent Firewall change requests are only processed within the hours of 6:00AM - 5:00PM MST, Monday-Friday. If your request is Urgent and after-hours, please contact Technical Support and we will be happy to assist you further!
