We manage most of our Laravel servers with Laravel Forge, which lets us set basic network restrictions and open ports from its GUI. Under the hood these network options configure UFW (Uncomplicated Firewall), a front end for iptables.
General UFW Setup
The current UFW status on our Laravel web servers is generally the following:

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
3306                       ALLOW IN    xxx.xx.x.xx
5432                       ALLOW IN    xxx.xx.x.xx
11211                      ALLOW IN    xxx.xx.x.xx
6379                       ALLOW IN    xxx.xx.x.xx
3306                       ALLOW IN    10.133.0.3
5432                       ALLOW IN    10.133.0.3
11211                      ALLOW IN    10.133.0.3
6379                       ALLOW IN    10.133.0.3
11300                      ALLOW IN    10.133.0.3
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
These are the rules that let us exchange traffic with our database server: its public IP address (masked as xxx.xx.x.xx) is allowed in on 3306 (MySQL), 5432 (PostgreSQL), 11211 (Memcached) and 6379 (Redis), and its internal address 10.133.0.3 is allowed the same ports plus 11300 (Beanstalkd). Because the default policy denies incoming traffic, those ports are unreachable from any other address.
Access for all is given to port 22 (SSH), port 80 (HTTP) and port 443 (HTTPS). We need port 80 for most of our Laravel applications because we use Let's Encrypt for our TLS certificates: its HTTP-01 challenge has to be answered on port 80, and our domain registrar has no easy way to do the DNS-01 (DNS record) validation instead. So we won't be running
sudo ufw delete allow http
any time soon.
You can also see that by default all incoming traffic is denied and all outgoing traffic is allowed, which is the same as running
sudo ufw default deny incoming
sudo ufw default allow outgoing
before adding ports that are allowed to be accessed from the outside.
And then, to allow the all-important shell access, Forge also ran
sudo ufw allow ssh
and then the HTTP and HTTPS ports that are needed to reach the web server:
sudo ufw allow http
sudo ufw allow https
And once everything was set up, the firewall had to be enabled using
sudo ufw enable
All of this is done by Laravel Forge itself, as is the set of port rules it adds when you grant another server access over the internal network.
The only thing we normally do ourselves is lock down the database server so that, apart from SSH, only the web server can reach it, since the web server is the only thing that needs access.
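The same ruleset as a script, added here as an example rather than Forge's own code. It reproduces the commands above, adds the per-peer rules that pin the service ports to one address (assumed to be of the `ufw allow from <peer> to any port <port> proto tcp` form; the `proto tcp` is a deliberate tightening over the protocol-agnostic rules in the status table), and audits a `ufw status` snapshot for service ports left open to Anywhere. The peer addresses, the snapshot and the function names are constructed for the example; with DRY_RUN=1 (the default) it only prints the commands, with DRY_RUN=0 it runs them through sudo.

```shell
#!/usr/bin/env bash
# Reproduce the Forge-style UFW ruleset for a Laravel web server and audit
# a `ufw status` snapshot for service ports exposed to Anywhere.
# DRY_RUN=1 (the default) prints the ufw commands; DRY_RUN=0 runs them with sudo.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Hypothetical peer addresses: the database server's public and private IPs.
DB_PUBLIC_IP="${DB_PUBLIC_IP:-203.0.113.20}"
DB_PRIVATE_IP="${DB_PRIVATE_IP:-10.133.0.3}"

# Ports Forge opens when one server is granted access to another:
# 3306 MySQL, 5432 PostgreSQL, 11211 Memcached, 6379 Redis, 11300 Beanstalkd.
SERVICE_PORTS="3306 5432 11211 6379 11300"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'ufw %s\n' "$*"
  else
    sudo ufw "$@"
  fi
}

# Default policy plus the three ports every web server exposes publicly.
base_rules() {
  run default deny incoming
  run default allow outgoing
  run allow ssh
  run allow http
  run allow https
}

# Pin the service ports to one peer address, TCP only.
peer_rules() {
  local peer="$1" port
  for port in $SERVICE_PORTS; do
    run allow from "$peer" to any port "$port" proto tcp
  done
}

# Audit: read `ufw status` output on stdin and print every service port that
# is allowed from Anywhere, i.e. not pinned to a peer. Empty output is good.
# Handles "(v6)" suffixes and "port/tcp" style entries.
audit_status() {
  awk -v ports="$SERVICE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) svc[p[i]] = 1 }
    { gsub(/\(v6\)/, ""); split($1, a, "/"); port = a[1] }
    $2 == "ALLOW" && $3 == "IN" && $4 == "Anywhere" && (port in svc) && !seen[port]++ { print port }
  '
}

# Constructed snapshot: the web-server layout from the page with one mistake
# added, Redis (6379) opened to the world instead of to the peer address.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
3306                       ALLOW IN    10.133.0.3
6379                       ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
6379 (v6)                  ALLOW IN    Anywhere (v6)'

base_rules
peer_rules "$DB_PUBLIC_IP"
peer_rules "$DB_PRIVATE_IP"
printf 'exposed service ports: %s\n' "$(printf '%s\n' "$SAMPLE_STATUS" | audit_status | tr '\n' ' ')"
```

On a real server, pipe `sudo ufw status` into audit_status after any change; a line of output means a database or cache port is reachable from the whole internet, which on the Forge layout above should never be the case.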
Database Server UFW Defaults
Here, as a bonus, are the database server's firewall defaults:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
3306                       ALLOW IN    xxx.xxx.xx.xxx
5432                       ALLOW IN    xxx.xxx.xx.xxx
11211                      ALLOW IN    xxx.xxx.xx.xxx
6379                       ALLOW IN    xxx.xxx.xx.xxx
3306                       ALLOW IN    10.133.0.2
5432                       ALLOW IN    10.133.0.2
11211                      ALLOW IN    10.133.0.2
6379                       ALLOW IN    10.133.0.2
11300                      ALLOW IN    10.133.0.2
22 (v6)                    ALLOW IN    Anywhere (v6)

where you can see that the HTTP and HTTPS ports are not opened at all.
To check logs do a
Nov 10 01:18:09 app-xxx-db-2 kernel: [1817276.601088] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:d2:06:6d:73:ec:38:73:0c:20:30:08:00 SRC=220.127.116.11 DST=xxx.xx.x.xx LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=18430 DF PROTO=TCP SPT=29839 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 10 01:18:29 app-xxx-db-2 kernel: [1817296.572706] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:d2:06:6d:73:ec:38:73:0c:20:30:08:00 SRC=18.104.22.168 DST=xxx.xx.x.xx LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=3919 DF PROTO=TCP SPT=57922 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 10 01:18:51 app-xxx-db-2 kernel: [1817318.920183] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:d2:06:6d:73:ec:38:73:0c:20:30:08:00 SRC=22.214.171.124 DST=xxx.xx.x.xx LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=52905 DPT=8005 WINDOW=65535 RES=0x00 SYN URGP=0
Here 126.96.36.199 is hailing from Jilin, China, with source port SPT=52905 and destination port DPT=8005 (the default Apache Tomcat shutdown port). Port 1433, the Microsoft SQL Server default port, is especially popular at the moment.
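To turn log lines like these into something actionable, here is a small added script (not from the original post) that counts blocked packets per destination port and per source address. The log lines it embeds are constructed in the same kernel/ufw format, using TEST-NET addresses and placeholder MAC and host names; the function names are my own.

```shell
#!/usr/bin/env bash
# Summarise [UFW BLOCK] entries from the kernel log: which destination ports
# are being probed, and which sources are noisiest. Reads log lines on stdin.
set -eu

# Constructed sample in the format ufw writes to /var/log/ufw.log (TEST-NET
# addresses; the MAC and host name are placeholders, not real data). The last
# line is a non-BLOCK entry that must be ignored.
SAMPLE_LOG='Nov 10 01:18:09 db-2 kernel: [1817276.601088] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=18430 DF PROTO=TCP SPT=29839 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 10 01:18:29 db-2 kernel: [1817296.572706] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.11 DST=192.0.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=3919 DF PROTO=TCP SPT=57922 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 10 01:18:51 db-2 kernel: [1817318.920183] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.12 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=52905 DPT=8005 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 10 01:19:02 db-2 kernel: [1817329.114520] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=18431 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Nov 10 01:19:10 db-2 kernel: [1817337.000000] [UFW AUDIT] IN=eth0 OUT= SRC=10.133.0.3 DST=192.0.2.5 PROTO=TCP SPT=40000 DPT=3306'

# Count blocked packets per PROTO/DPT, busiest first (ties broken by name).
top_ports() {
  awk '
    /\[UFW BLOCK\]/ {
      proto = "?"; dpt = ""
      for (i = 1; i <= NF; i++) {
        if (index($i, "PROTO=") == 1) proto = substr($i, 7)
        else if (index($i, "DPT=") == 1) dpt = substr($i, 5)
      }
      if (dpt != "") count[proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Count blocked packets per source address, busiest first.
top_sources() {
  awk '
    /\[UFW BLOCK\]/ {
      for (i = 1; i <= NF; i++) if (index($i, "SRC=") == 1) count[substr($i, 5)]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Total blocked packets aimed at one destination port, any protocol.
hits_for_port() {
  top_ports | awk -v p="$1" '{ split($2, a, "/"); if (a[2] == p) s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | top_ports
printf '%s\n' "$SAMPLE_LOG" | top_sources
printf '1433 probes: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | hits_for_port 1433)"
```

On a real server, source the script and pipe /var/log/ufw.log (or the output of `journalctl -k`) into top_ports or top_sources. Treat the counts as a lower bound: ufw's logging rules are rate-limited, so a fast scan only gets a sample of its packets logged.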
See https://askubuntu.com/a/1116155 for a detailed guide to reading ufw logs.
See https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04 for how to set up ufw manually on servers in general, with even more details.