SOLVED Open ports in firewall
imc67 last edited by girish
I was searching through help files and forum but didn't found a clear answer so maybe someone knows:
I want to install Zabbix Agent on the Cloudron server, it communicates to the 'external' Zabbix Server via ports 10050 and/or 10051. So I need to open these ports and even better allow only comms to specific IP.
In the Cloudron Docs (https://cloudron.io/documentation/security/#configuring-cloud-firewall) it says NOT to change/use IPtables, it also says you should then use DigitalOcean Cloud Firewall. But here is some discrepancy i.m.h.o.:
- if I want to use DO Cloud Firewall, how do I switch off the "internal" firewall?
- On that Docs page is a table of standard open ports I must configure in DO Cloud Firewall, but how do I know which extra ports are configured by or after installing an app as these have to be manually changed in the DO Cloud Firewall?
- Is it a desired feature if Cloudron is able to configure (is there an API?) the DO Cloud Firewall?
Thanks already for your answers and opinions.
imc67 last edited by
For something like this, it's usually unsupported by the community as it goes beyond what cloudron is used for. That said, you will need to modify IPTables to add the ports. This might change in the future though as the project I believe was stated somewhere else that might move away from IPT.
necrevistonnezr last edited by necrevistonnezr
You can open ports but again, it's unsupported. See for an example: https://forum.cloudron.io/post/3278 and then make the rule persistent: https://forum.cloudron.io/topic/1780/cloudron-overrides-iptables-persistent/ (see the last 4 posts in that thread)
necrevistonnezr last edited by
This might change in the future though as the project I believe was stated somewhere else that might move away from IPT.
I think Cloudron intends to move to ufw which still uses iptables, see https://forum.cloudron.io/topic/1838/replace-iptables-with-nftables
@necrevistonnezr That is true, however the configuration steps are different than what has been described before when trying to work around this issue.