Configuring firewall to protect public IPs

Hi,
I’ve just finished configuring Nethserver as Gateway, DNS, DHCP, MultiWan etc… I’m literally in love with it, so simple that even one like me, without any special skills in Linux, is able to get astonishing results: thank you all.
Anyway, today I was inspecting the server’s logs and I was afraid to discover that some internet IPs are brute forcing SSH and other services!
Frankly, I thought that out of the box there should have been some kind of firewall rules preventing any kind of traffic toward public IPs (red network).

So, I’ve tried to set up a simple rule:
Source: Any
Destination: Public IP
Action: Drop

Sadly, it was not effective; I was able to ssh to the server from the internet.
As a quick workaround, I’ve changed sshd.conf.
Here comes the question: can I create a firewall rule to deny any kind of traffic (except OpenVPN) toward our public IPs? Could anyone please provide a quick explanation of how to do it?

Regards,
Mauro

4 Likes

Start here. Make sure no service is allowed on red that you don’t want available from the net.

7 Likes

Which NethServer release?

In NS7 individual network services can be restricted by zone, from Security -> Network services (or from Gateway -> Firewall rules when the basic firewall module is installed).

Ping from the Red zone can be disabled from Gateway -> Firewall rules -> Configure (in the dropdown menu), but it will make future network troubleshooting difficult.

A rule to block all external traffic might look like this:
Source: Red, Destination: Firewall, Action: Drop

To allow only OpenVPN, create a rule above the other one:

Stacking order matters:

Be aware I’m not good at this, so there could be better ways to do it. A good starting point is to follow @fasttech’s advice (sorry, didn’t notice your post while writing this), cherry-picking the access to network services.

5 Likes
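The two rules in the post above, and the note that stacking order matters, can be checked with a small first-match simulation. This is an added example, not NethServer’s code or its actual rule engine: it assumes rules are evaluated top to bottom with the first matching rule winning, that OpenVPN listens on UDP 1194 (its default), that the “Firewall” destination stands for the NethServer host itself, and that unmatched traffic falls through to a default policy (ACCEPT here, so that the effect of the red→firewall drop rule is visible).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not NethServer code): a first-match simulation of the
# zone-based rules from the post. Zones used: "red" (internet), "green"
# (LAN) and "firewall", which stands for the NethServer host itself.


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_zone: str               # "any" matches every zone
    dst_zone: str               # "any" matches every zone
    action: str                 # "ACCEPT" or "DROP"
    proto: str = "any"          # "any" matches every protocol
    dport: Optional[int] = None # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.src_zone in ("any", pkt.src_zone)
            and self.dst_zone in ("any", pkt.dst_zone)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "ACCEPT") -> str:
    """Return the action of the first matching rule, else the default policy (assumed ACCEPT)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The two rules from the post. Assumption: OpenVPN on UDP 1194 (its default port).
DROP_RED_TO_FIREWALL = Rule("red", "firewall", "DROP")
ALLOW_OPENVPN = Rule("red", "firewall", "ACCEPT", "udp", 1194)

# Allow rule stacked above the drop rule, as the post recommends ...
CORRECT_ORDER = [ALLOW_OPENVPN, DROP_RED_TO_FIREWALL]
# ... versus the same two rules stacked the other way round.
WRONG_ORDER = [DROP_RED_TO_FIREWALL, ALLOW_OPENVPN]

# Constructed sample traffic (not captured from any real system).
SAMPLE_TRAFFIC = {
    "ssh_from_internet": Packet("red", "firewall", "tcp", 22),
    "openvpn_from_internet": Packet("red", "firewall", "udp", 1194),
    "http_from_internet": Packet("red", "firewall", "tcp", 80),
    "ssh_from_lan": Packet("green", "firewall", "tcp", 22),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against one rule stack."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, stack in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(f"--- {label} ---")
        for name, verdict in verdicts(stack).items():
            print(f"{name:24s} {verdict}")
```

With the allow rule on top, SSH and HTTP from red are dropped while OpenVPN still gets in and LAN access is untouched; with the drop rule on top, the OpenVPN packet never reaches the allow rule and is dropped as well, which is exactly why the order of the two rules matters.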

@fasttech and @dnutan hit the nail on the head. Couldn’t have said it better.

Since you’re new to Linux, we’re glad you’ve been able to catch the intrusions.

1 Like

That’s exactly what I was looking for, thank you very much!

Mauro

Very interesting: could you please explain the Firewall host’s definition?

Thank you,
Mauro

The firewall zone represents the firewall itself (NethServer), therefore rules applied to it will affect its network traffic, like the access to the services it is providing (ssh, httpd, vpn, et cetera).

4 Likes