Simple Application Server:Manage the firewall of a simple application server

Last updated: Sep 10, 2024

The firewall of a simple application server is a virtual firewall that uses firewall rules to control the inbound traffic of the server and thereby reduce its exposure to unwanted connections. This topic describes how to create, modify, disable, enable, and delete firewall rules for a simple application server. It also describes the ports that are preset for the firewall feature, answers frequently asked questions about firewalls, and lists related documents.

Description

By default, the firewall of a simple application server enables specific ports based on the operating system of the server and disables other ports. You can create firewall rules to enable more ports based on your business requirements. The following list describes the default ports that are enabled on a simple application server:

  • Servers that use the TCP protocol:

    • Windows servers: ports 3389, 80, and 443.

    • Linux servers: ports 22, 80, and 443.

  • Servers that use the ICMP protocol: The value for the port range is -1, which specifies that all ports are enabled and access from all IP addresses is allowed.

If you remove or disable these default ports in the Simple Application Server console, the Firewall tab of the Servers page displays a message similar to "You disabled or deleted the default port 22 allow rule on the firewall, which affects the remote connection feature." You can add or enable the corresponding ports based on your requirements.

Limits

  • You can create a maximum of 50 firewall rules for a simple application server.

  • Port 25 is the default email service port. For security reasons, this port is disabled for simple application servers by default. To send emails, use port 465.

  • A firewall controls only the inbound traffic of a simple application server. All outbound traffic of a simple application server is allowed by default.

    Note
    • Inbound traffic: the traffic generated when data is transmitted to a simple application server over the Internet or an internal network.

    • Outbound traffic: the traffic generated when data is transmitted from a simple application server over the Internet or an internal network.

Manage a firewall

Note

If you have created a firewall template, you can quickly configure firewall rules based on the firewall template. For more information, see the "Configure firewall rules based on a firewall template" section of the Manage firewall templates topic.

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Servers.

  3. Find the simple application server for which you want to create a firewall rule, and click the server ID in the card of the server.

  4. Click the Firewall tab.

  5. In the upper-left corner of the Firewall tab, click Add Rule.

  6. In the Add Firewall Rule dialog box, configure parameters based on your business requirements and click OK.

    Warning
    • When you create a firewall rule, configure the port range and IP addresses that are allowed to access the server based on your requirements and follow the principle of least privilege to prevent network attacks.

    • If the ports, protocol, and IP addresses that you specify for the firewall rule are the same as the ports, protocol, and IP addresses of an existing rule, the existing rule is overwritten regardless of whether the existing rule is enabled or disabled.

    Select a preset firewall rule

    You can create a firewall rule with ease by selecting a preset firewall rule. The following list describes the parameters.

    • Application Type: Select an application type such as RDP, FTP, TELNET, MYSQL, All Use TCP, All Use UDP, or All Use TCP and UDP from the drop-down list based on your business requirements. For more information, see the "Preset port information" section of this topic.

    • Protocol: The protocol of the preset rule. The displayed value is used and cannot be changed.

    • Port Range: The port range of the preset rule. The displayed value is used and cannot be changed.

    • Source IP Address: The source IP addresses that are allowed to access the server. The default value is 0.0.0.0/0, which specifies all IPv4 addresses.

      Important

      Configure IP addresses based on your requirements and follow the principle of least privilege to prevent network attacks on your server.

    • Remarks: Remarks that help you identify and manage the firewall rule later.

    Create a custom firewall rule

    If the preset firewall rules do not meet your business requirements, you can create one or more custom firewall rules. The following list describes the parameters.

    • Application Type: Select Specify a custom value.

    • Protocol: Select TCP, UDP, or ICMP.

    • Port Range: Valid values: 1 to 65535. You can use one of the following methods to configure this parameter:

      • Specify a single port. Enter the number of the port that you want to enable. For example, to allow traffic on MySQL listening port 3306, enter 3306 in the Port Range field.

      • Specify a port range. Use a forward slash (/) to separate the start port number and the end port number. For example, to allow traffic over the port range 20000 to 30000 that you specified in the FTP configuration file, enter 20000/30000 in the Port Range field.

    • Source IP Address: The source IP addresses that are allowed to access the server. The default value is 0.0.0.0/0, which specifies all IPv4 addresses. You can also restrict access to specific IPv4 addresses:

      • Specify a single IPv4 address. Example: 192.168.0.100.

      • Specify the IPv4 addresses within a CIDR block. Example: 192.168.0.0/24.

    • Remarks: Remarks that help you identify and manage the firewall rule later.

    You can click Add Rule again to add more firewall rules in the same dialog box, and click the delete icon next to a rule to remove it.
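The rule parameters above (the PORT or START/END port syntax, a single IPv4 address or CIDR block as the source, the 50-rule limit, the disabled port 25, and the overwrite behaviour from the warning in step 6) can be modelled in a small validator before rules are entered in the console. This is an added example written for this page, not code from the Simple Application Server console or its API; the `parse_port_range` and `add_rule` names and the in-memory `rules` list are assumptions.

```python
import ipaddress

MAX_RULES = 50                  # per-server limit stated on the page
PROTOCOLS = {"TCP", "UDP", "ICMP"}


def parse_port_range(protocol, text):
    """Parse the console's Port Range syntax: '3306' or '20000/30000'.
    For ICMP the page documents the value -1, meaning all ports."""
    if protocol == "ICMP":
        return (-1, -1)
    parts = text.split("/")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port range {text!r}: use PORT or START/END")
    start, end = int(parts[0]), int(parts[-1])
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"ports must be 1 to 65535 with start <= end: {text}")
    return (start, end)


def add_rule(rules, protocol, port_text, source="0.0.0.0/0",
             enabled=True, remarks=""):
    """Add a rule to the list `rules` (assumed in-memory model), mirroring
    the console: a rule with the same protocol, port range and source
    overwrites the existing one whether it is enabled or disabled, and the
    50-rule limit is enforced. Returns least-privilege warnings to review."""
    protocol = protocol.upper()
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    ports = parse_port_range(protocol, port_text)
    net = ipaddress.IPv4Network(source, strict=False)   # single IP or CIDR block
    key = (protocol, ports, str(net))
    warnings = []
    if net.prefixlen == 0:
        warnings.append(f"{key}: open to every IPv4 source; narrow it if you can")
    if protocol == "TCP" and ports[0] <= 25 <= ports[1]:
        warnings.append(f"{key}: includes port 25, which is disabled by default; use 465")
    for existing in rules:
        if existing["key"] == key:      # same triple: overwrite, enabled or not
            existing.update(enabled=enabled, remarks=remarks)
            return warnings
    if len(rules) >= MAX_RULES:
        raise ValueError(f"limit of {MAX_RULES} rules reached; disable or delete one first")
    rules.append({"key": key, "enabled": enabled, "remarks": remarks})
    return warnings
```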

Modify, disable, enable, and delete a firewall rule

After you create a firewall rule, you can perform the following operations based on your business requirements. Each operation is described below together with its procedure.

Modify a firewall rule

If a firewall rule that you created, or one that was created automatically, no longer meets your business requirements, you can modify it.

  1. Click Modify in the Actions column of the firewall rule that you want to modify.

  2. In the Modify dialog box, modify the Protocol, Port Range, Source IP Address, and Remarks parameters based on your business requirements.

  3. Click Confirm.

Disable a firewall rule

You can temporarily disable a rule to block its port. If you want to allow traffic on the port again later, you can enable the rule directly without creating it again.

Important

If a firewall rule is disabled, the port specified in the rule can no longer be accessed, which may interrupt your business. Disable a rule only after you confirm that doing so does not affect your business.

  1. Click Disable in the Actions column of the firewall rule that you want to disable.

  2. In the Disable message, click Confirm.

Enable a firewall rule

You can enable a disabled port.

  1. Click Enable in the Actions column of the disabled firewall rule that you want to enable.

  2. In the Enable message, click Confirm.

Delete a firewall rule

You can delete a firewall rule that you no longer use.

Note

If the number of firewall rules does not reach the upper limit of 50, we recommend that you temporarily disable a firewall rule for later use.

Delete a single firewall rule

  1. Click Delete in the Actions column of the firewall rule that you want to delete.

  2. In the Delete message, click Confirm.

Delete multiple firewall rules at a time

  1. Select the firewall rules that you want to delete and click Delete in the lower-left corner of the rule list.

  2. In the Delete message, click Confirm.

Preset port information

The following list describes the common firewall rules that are preset in the firewalls provided by Alibaba Cloud. You can create firewall rules with ease by using these preset rules. For more information about common ports, see Common ports.

For all preset rules, the source IP address defaults to 0.0.0.0/0, which specifies all IPv4 addresses.

Important

Configure IP addresses based on your requirements and follow the principle of least privilege to prevent network attacks on your server.

  • HTTP: TCP, port 80. The default HTTP port. The port is used to access website services such as Internet Information Services (IIS), Apache, and NGINX. For more information, see Deploy Apache based on a CentOS OS image.

  • HTTPS: TCP, port 443. The default HTTPS port.

  • RDP: TCP, port 3389. The default Remote Desktop Protocol (RDP) port. The port is used to connect to a Windows server by using Remote Desktop. For more information, see Connect to a Windows server.

  • FTP: TCP, port 21. The default FTP port. The port is used to upload and download files. For more information, see Build an FTP server (Linux).

  • TELNET: TCP, port 23. The default Telnet port.

  • MySQL: TCP, port 3306. The default MySQL port. For more information, see Use DMS to connect to a database on a simple application server.

  • SQLServer: TCP, port 1433. The default SQL Server port.

  • All Use TCP: TCP, ports 1 to 65535. All TCP ports.

  • All Use UDP: UDP, ports 1 to 65535. All UDP ports.

  • All Use TCP and UDP: TCP+UDP, ports 1 to 65535. All TCP and UDP ports.

  • Specify a custom value: TCP, UDP, or ICMP; ports 1 to 65535. The custom port range.

FAQ

Q1: What is the difference between a simple application server firewall and an operating system firewall?

  • Simple application server firewall: The Simple Application Server console provides a visualized management interface. You can configure firewall rules with ease. However, the firewall of a simple application server can control only inbound traffic.

  • Operating system firewall: A system administrator can configure firewall rules for an operating system to control both inbound and outbound traffic. The system administrator must be familiar with the corresponding firewall software, such as iptables on Linux systems. In addition, Linux users must be familiar with CLIs.

Q2: How do I check port connectivity by running the Telnet command?

Run the following command to check whether a port can be accessed:

telnet <IP address> <Port>

In the following examples, port 80 is checked. The command output differs by operating system:

Windows

  • The port can be accessed.

    [Screenshot omitted: the Telnet session connects successfully]

  • The port cannot be accessed.

    C:\Users\Administrator>telnet 120.55.XX.XX 80
    Connecting To 120.55.XX.XX...Could not open connection to the host,   on port 80: Connect failed

Linux

  • The port can be accessed.

    [root@VM-4-10-centos ~]# telnet 120.55.XX.XX 80
    Trying 120.55.XX.XX...
    Connected to 120.55.XX.XX.
    Escape character is '^]'.

  • The port cannot be accessed.

    [root@VM-4-10-centos ~]# telnet 120.55.XX.XX 80
    Trying 120.55.XX.XX...
    telnet: connect to address 120.55.XX.XX: Connection refused
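A TCP connect probe that gives the same answer as the Telnet check above without needing the Telnet client, added here as an example and not part of the original page. It goes beyond the page by distinguishing a refused connection (the host answered, but nothing listens or the OS firewall rejects) from a silent timeout (typically a firewall in the path, such as the simple application server firewall without a matching rule, dropping the packets); `check_tcp_port` and `start_local_listener` are names assumed for this example.

```python
import socket


def check_tcp_port(host, port, timeout=3.0):
    """A TCP connect() probe that plays the role of `telnet <host> <port>`.

    Returns:
      'open'      the handshake completed (telnet prints 'Connected to ...')
      'refused'   the host answered with a reset (telnet prints 'Connection
                  refused'): the packet reached the server, but nothing is
                  listening on the port or the OS firewall rejects it
      'filtered'  nothing came back before the timeout: the usual sign that
                  a firewall in the path drops the packets, for example the
                  server firewall with no rule allowing the port
      'error:...' anything else, such as a host name that does not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return f"error:{exc.strerror or exc}"


def start_local_listener(port=0):
    """Open a listening TCP socket on 127.0.0.1 so the probe can be tried
    offline; port 0 lets the OS pick a free port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    listener, chosen_port = start_local_listener()
    print(chosen_port, check_tcp_port("127.0.0.1", chosen_port))   # open
    listener.close()
    print(chosen_port, check_tcp_port("127.0.0.1", chosen_port))   # refused
```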

Q3: How do I check the service status and the listening status of a port?

In this example, the NGINX service on a simple application server is used. The default port is port 80. If you want to check the status of other services, replace the service name and the port number in the commands.

Linux servers

In this example, a Linux simple application server that runs CentOS 7.9 is used. Operations may vary based on the operating system version of your Linux server.

  1. Connect to the Linux simple application server.

    For more information, see Connect to a Linux server.

  2. Run the following command to check the status of NGINX:

    systemctl status nginx

    • The following sample command output indicates that NGINX is started.

      [Screenshot omitted: systemctl reports the nginx service as active (running)]

    • If NGINX is not started, run the following command to start NGINX:

      systemctl start nginx

  3. Run the following command to check whether port 80 is listened on:

    netstat -an | grep 80

    • If the following information is returned, port 80 is listened on.

      [Screenshot omitted: a line whose local address ends in :80 and whose state is LISTEN]

    • If the preceding command output is not displayed, port 80 is not listened on.

Windows servers

In this example, a simple application server that runs Windows Server 2012 is used. Operations for simple application servers that run other Windows Server versions are similar.

  1. Connect to the Windows simple application server.

    For more information, see Connect to a Windows server.

  2. Choose Start > Run, enter services.msc, and then click OK. The Services window appears.

  3. Check the status of NGINX.

    1. If no status is displayed for NGINX, right-click NGINX and select Start.

    2. If the status of NGINX is Running, NGINX is started.

  4. Run the following command in Windows PowerShell to check whether port 80 is listened on:

    netstat -ano | findstr "80"

    • If the following information is returned, port 80 is listened on.

      [Screenshot omitted: a TCP line whose local address ends in :80 and whose state is LISTENING]

    • If the preceding command output is not displayed, port 80 is not listened on.

Q4: What do I do if the port of my simple application server cannot be accessed?

If your server is deployed outside the Chinese mainland, such as in the China (Hong Kong) region, unstable connections and high latency may occur due to the congestion of international links and outbound routing restrictions of Internet service providers (ISPs). Cross-border connections are established through the networks of ISPs. The connection quality is affected by many factors and ISPs cannot optimize their networks in a short time.

Solutions:

  • If your business is mainly for users in the Chinese mainland, we recommend that you unsubscribe from the existing simple application server after you create a server in a Chinese mainland region and migrate the data from the existing server to the new server. For more information, see Migrate data between simple application servers.

  • You cannot modify the connection of the simple application server by changing an IP address. If your server is deployed in the China (Hong Kong) region, you can use an Elastic Compute Service (ECS) instance that is associated with a BGP (Multi-ISP) Pro elastic IP address (EIP). In this case, a direct cross-border connection can be established without using the services of ISPs to deliver a better user experience. However, cross-border connection issues still exist and cannot be eliminated. For more information, see Migrate data from a simple application server to an ECS instance by using a shared image, Apply for an EIP, and Associate an EIP with an ECS instance.

In other scenarios, troubleshoot the issue by using the following methods:

  1. Run the netstat -tunlp command to check whether the port of the server is listened on. If the port is not listened on, start the corresponding service to ensure that the port is listened on.

  2. Check whether restrictions are configured on the firewall of the server.

    • For Ubuntu operating systems, run the sudo ufw status command to check.

    • For CentOS 7 and later, run the firewall-cmd --list-ports command to check. If the output indicates that ufw or firewalld is not running, run the iptables -L; iptables -t nat -L command to check the firewall rules.

  3. Check whether a firewall rule that enables the port for the server is created in the Simple Application Server console.
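Reading the netstat output programmatically avoids the pitfall of `grep 80` or `findstr "80"`, which also match port 8080, an established connection whose peer port contains 80, or any address containing 80. The following parser, an added example that is not from the original page, handles both the Linux output of `netstat -an` or `netstat -tunlp` (Q3 step 3 and Q4 step 1) and the Windows output of `netstat -ano` (Q3 step 4); the sample output is constructed, and `listening_ports` and `is_listening` are names chosen for this example.

```python
import re

# Constructed sample output, not captured from a real server. The first is
# the Linux form of `netstat -an` (also `netstat -tunlp` minus the PID column),
# the second the Windows form of `netstat -ano`. Port 8080 and the foreign
# address 180.101.1.2 show why `grep 80` / `findstr "80"` alone can mislead.
LINUX_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.5:22           180.101.1.2:51234       ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""
WINDOWS_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.4:49800         10.0.0.9:443           ESTABLISHED     2244
  UDP    0.0.0.0:123            *:*                                    1100
"""
_ADDR_PORT = re.compile(r"^(.*):(\d+|\*)$")   # split on the LAST ':' (IPv6 safe)


def listening_ports(netstat_output):
    """Map (proto, port) -> local address for every TCP socket in the LISTEN
    or LISTENING state and every bound UDP socket (UDP shows no state)."""
    found = {}
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 3 or not cols[0].lower().startswith(("tcp", "udp")):
            continue                      # header line or blank line
        proto = cols[0].lower().rstrip("6")             # tcp6 -> tcp
        local = cols[3] if cols[1].isdigit() else cols[1]   # Linux has Recv-Q/Send-Q
        m = _ADDR_PORT.match(local)
        if not m or m.group(2) == "*":
            continue
        listening = any(c.upper().startswith("LISTEN") for c in cols[2:])
        if proto == "tcp" and not listening:
            continue                      # ESTABLISHED, TIME_WAIT, ...
        found[(proto, int(m.group(2)))] = m.group(1)
    return found


def is_listening(netstat_output, port, proto="tcp"):
    """Exact-port check: True for port 80, not for 8080 or a peer's port."""
    return (proto, port) in listening_ports(netstat_output)
```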

References

If you cannot access the website or the simple application server after you configure firewall rules, or the firewall of the server does not meet your business requirements, see the following topics: