Cloudron Forum

Thanks for reporting. I have added a rule in the firewall for outbound turn - https://git.cloudron.io/platform/box/-/commit/83d7535d84791cf27e0d1ded5fe700233947a1d9

@girish said in Use floating IP address only for outbound Cloudron Docker container communication: Thanks for sharing! I think if this works. But maybe the systemd service needs to be adjusted to run after cloudron-firewall.service (which also after docker.service) ? Oh that’s interesting, I can definitely make that change then just to be safe. I haven’t noticed any issues so far but I’ll adjust it regardless to test that out. Hoping something like this can be added to Cloudron more formally down the road so we don’t have to manually set these scripts up.

@joseph Many thanks for the clear and detailed explanation!

Here my 2cents; I personally host my Cloudron at Hetzner I enabled in front of Cloudron Cloudflare and Enable proxying for new DNS records (that is inside Cloudron at the domain level) Enable Firewall at Hetzner for my Server HTTPS only between my Cloudron and CloudFlare [image: 1756114585161-brave_9vbg9hsube.png] you can find the IP here Why ? So even if someone retrieve the IP (example via mail service) it cannot try to hack any webapps. Of course; I have others Rules at Hetzner Firewall Level; that basically replicate Cloudron's Firewall: SSH, Mails, STUN, TURN, ... After that; you mostly need to choose wisely the apps you deploy; trust the due diligence of these developers. Having a WAF; bring more complexity that would probably slow down the integration of new apps...

I was about to write a long time ago that the parameter for resetting SSH has changed: sudo systemctl restart ssh.socket

Closed due to inactivity

@cocam123 Cloudron does not support installing external software as such. With that warning, https://docs.cloudron.io/networking/#whitelist-ports will help you expose the port. Cloudron has it's own firewall written on top of iptables and does not use ufw.

We haven't added a way to add custom persistent iptables rules . For SSH though, just move it port 202 and disable root auth and password auth. This usually cuts down all bots to 0.

@thoresson yes. If you have a Cloud firewall, you can also whitelist just your IP for port 222.

@girish ah ok, thanks, will try that!

Yes i adjusted firewall. Added 443 port and now it works

@darsh_parsana /home/yellowtent/box/setup/start/cloudron-firewall.sh is on the root system, not inside any container. You can just edit the file directly via ssh.

@tgatellier I had to activate a Cloudflare DNS Proxy to achieve this on one Wordperss instance. Now I'm testing 8G Firewall suggested from @jagan . I think Cloudron should have some feature to achieve this ...

I voted for this excellent idea long time ago but now I wished it was here: I (need to) use Cloudflare WAF to protect acces to my NextCloud on Cloudron . I also want a local/external application to make backups via WebDAV to NextCloud .... here it gets stuck .... Cloudflare has a 500MB limit on their free proxy. Isn't it very '80s to have no build-in WAF/IP restriction to Cloudron in the current 2025 mad world of zero days, hackers, .........

Interesting. So, from @necrevistonnezr's like the hosts.allow/hosts.deny may not work in the future. "Note: this might not be an option on modern distributions, as support for tcpwrappers was removed from OpenSSH 6.7"

Yeah. I know what you mean. Ok I will start afresh With this information now it will be ok to configure from scratch. Many thanks Jan

@d19dotca said in Blocked IP addresses in Cloudron but still able to access WordPress sites: I know that this feature was likely originally intended to be a manual update rather than importing a giant list and works well for that, but as threats/spam become more common place, I think we’ll need Cloudron to keep up. Is it possible to prioritize improving this feature soon for us to allow thousands of IP addresses being added? Fully agree! A strong network filter / block would be another USP

@d19dotca right, the 30d one seems to be 54975 size. I have increased the size of the ipset now to 262144 elements. If these things are growing more, we can look into making this size dynamic .

@bigvictorio At this point, no. But feel free to open feature requests and we can add firewall features as needed.

Yes I think so can confirm it works thank you. [image: 1684921191514-9b24435c-6125-4a47-8604-b2257673828e-image-resized.png]