Firewall

R2R Security Group and Firewall Configuration Guide

Proper security group and firewall configuration is crucial for securing your R2R deployment while ensuring necessary services remain accessible. This guide covers configurations for both cloud environments and local deployments.

Cloud Environments (AWS, Azure, GCP)

AWS Security Groups

  1. Create a new security group for your R2R deployment:
$aws ec2 create-security-group --group-name R2R-SecurityGroup --description "Security group for R2R deployment"
  1. Configure inbound rules:
$# Allow SSH access (restrict to your IP if possible)
>aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 22 --cidr 0.0.0.0/0
>
># Allow access to R2R API
>aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 7272 --cidr 0.0.0.0/0
>
># Allow access to R2R Dashboard
>aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 8001 --cidr 0.0.0.0/0
>
># Allow access to Hatchet Dashboard
>aws ec2 authorize-security-group-ingress --group-name R2R-SecurityGroup --protocol tcp --port 8002 --cidr 0.0.0.0/0

Azure Network Security Groups

  1. Create a new Network Security Group:
$az network nsg create --name R2R-NSG --resource-group YourResourceGroup --location YourLocation
  1. Add inbound security rules:
$# Allow SSH access
>az network nsg rule create --name AllowSSH --nsg-name R2R-NSG --priority 100 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22
>
># Allow R2R API access
>az network nsg rule create --name AllowR2RAPI --nsg-name R2R-NSG --priority 200 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 7272
>
># Allow R2R Dashboard access
>az network nsg rule create --name AllowR2RDashboard --nsg-name R2R-NSG --priority 300 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 8001
>
># Allow Hatchet Dashboard access
>az network nsg rule create --name AllowHatchetDashboard --nsg-name R2R-NSG --priority 400 --resource-group YourResourceGroup --access Allow --direction Inbound --protocol Tcp --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 8002

Google Cloud Platform Firewall Rules

  1. Create firewall rules:
$# Allow SSH access
>gcloud compute firewall-rules create allow-ssh --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0
>
># Allow R2R API access
>gcloud compute firewall-rules create allow-r2r-api --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:7272 --source-ranges=0.0.0.0/0
>
># Allow R2R Dashboard access
>gcloud compute firewall-rules create allow-r2r-dashboard --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:8001 --source-ranges=0.0.0.0/0
>
># Allow Hatchet Dashboard access
>gcloud compute firewall-rules create allow-hatchet-dashboard --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:8002 --source-ranges=0.0.0.0/0

Local Deployments

For local deployments, you’ll need to configure your operating system’s firewall. Here are instructions for common operating systems:

Ubuntu/Debian (UFW)

$# Allow SSH
>sudo ufw allow 22/tcp
>
># Allow R2R API
>sudo ufw allow 7272/tcp
>
># Allow R2R Dashboard
>sudo ufw allow 8001/tcp
>
># Allow Hatchet Dashboard
>sudo ufw allow 8002/tcp
>
># Enable the firewall
>sudo ufw enable

CentOS/RHEL (firewalld)

$# Allow SSH
>sudo firewall-cmd --permanent --add-port=22/tcp
>
># Allow R2R API
>sudo firewall-cmd --permanent --add-port=7272/tcp
>
># Allow R2R Dashboard
>sudo firewall-cmd --permanent --add-port=8001/tcp
>
># Allow Hatchet Dashboard
>sudo firewall-cmd --permanent --add-port=8002/tcp
>
># Reload firewall
>sudo firewall-cmd --reload

Windows (Windows Firewall)

  1. Open Windows Defender Firewall with Advanced Security
  2. Click on “Inbound Rules” and then “New Rule”
  3. Choose “Port” and click “Next”
  4. Select “TCP” and enter the specific ports (22, 7272, 8001, 8002)
  5. Choose “Allow the connection” and click “Next”
  6. Apply the rule to all profiles (Domain, Private, Public)
  7. Give the rule a name (e.g., “R2R Ports”) and click “Finish”

Best Practices

  1. Least Privilege: Only open ports that are absolutely necessary.
  2. IP Restrictions: When possible, restrict access to known IP addresses or ranges.
  3. Use VPN: For added security, consider using a VPN for accessing administrative interfaces.
  4. Regular Audits: Periodically review and update your security group and firewall rules.
  5. Monitoring: Implement logging and monitoring for all allowed ports.
  6. HTTPS: Use HTTPS for all web interfaces and APIs when possible.

Verifying Configuration

After setting up your firewall rules, verify that the necessary ports are open:

$# For Linux systems
>nmap -p 22,7272,8001,8002,7474 your_server_ip
>
># For Windows systems (requires nmap installation)
>nmap -p 22,7272,8001,8002,7474 your_server_ip

This should show the status of each port (open or closed).

Remember to adjust these configurations based on your specific deployment needs and security requirements. Always follow your organization’s security policies and best practices.