    Solved: "Cloudron Error Response Timeout" after activating Hetzner Firewall on dedicated server

    Support
    networking hetzner
    p44 (translator), last edited by girish

      Dear All,

      I know this could be a Hetzner-specific question.

      I activated Hetzner Firewall on a dedicated server with the following rules:

      [screenshot: s.png]

      About outgoing TCP connections, the Hetzner guide says:

      "Therefore, the firewall doesn't "keep track of" whether or not an incoming packet belongs to an out-going connection from the server. For this reason, unless you enter an additional rule, all out-going connections from the server will not work. Server services (for example, enabling webservers for port 80) are not affected."

      And suggests:

      You can use the following rule to generally allow all responses to TCP connections:

       Source IP: No entry
       Destination IP: No entry
       Source port: No entry
       Destination port: 32768-65535 (Ephemeral Port Range)
       Protocol: tcp
       TCP flags: ack
       Action: accept
      

      I followed this, but:

      • Cannot send any email using port 587
      • I get "Cloudron Error Response Timeout"

      [screenshot: Schermata 2021-04-04 alle 15.32.00.png]

      It seems that Cloudron cannot "see" outside.

      Can you help me understand how to manage this situation?

      I know Cloudron has its own firewall, but I want to block additional open ports I'm not using, e.g. TURN server ports.

      Thanks a lot for your help!

      nebulon (Staff), last edited by

        Hi, for a start, Cloudron manages the firewall on the server already, so there is no need as such to use an external one. If you still want to additionally use the external one, then can you confirm that, if you disable that one, Cloudron works as expected?

        Further, all required basic ports for Cloudron to work well are mentioned at https://docs.cloudron.io/security/#cloud-firewall
        Of course, if you install other apps which require additional ports, then those also have to be set up manually in the external firewall.

        p44 (translator) @nebulon, last edited by

          @nebulon I want to apply additional rules to lock not needed ports. I need only:

          80 TCP, 443 TCP, 25 TCP, 587 TCP and 993 TCP.

          All other ports I don't need. I well know that further ports are needed in case of other services. In my case I don't have any app using other services like SOLR or TURN.

          Why add additional rules? Because I want to limit all internet traffic on open ports, like port scans and login attempts.

          I know that if I install additional apps, as specified on Cloudron Firewall Guide, I need to open that specified port.

          That said, while with the VPN firewall (newly released feature) all works fine, with the Robot firewall (for dedicated servers) I cannot manage outgoing traffic.

          I mean, when Firewall is ON, it blocks IN and OUT traffic...

          I asked Hetzner customer services and they didn't provide any answer, only a generic reply to follow their guide (see above). I also posted on their forum and am waiting for an answer...

          p44 (translator) @nebulon, last edited by p44

            @nebulon It seems that the problem is related to DNS queries... With the firewall active, if I ping 1.1.1.1 I get an answer, but if I ping a domainname.tld it does not work...

            root@Ubuntu-1804-bionic-64-minimal ~ # ping wsj.com
            ping: wsj.com: Temporary failure in name resolution
            p44 (translator) @nebulon, last edited by p44

              @nebulon I found the solution taking info from this forum.

              In fact, I opened port 53 TCP and UDP and Cloudron can resolve domain names.

              Configuration now is:

              [screenshot: firewall template.png]

              All seems to be working fine... I marked this thread as "Solved" 🙂

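As an added illustration (not code from the thread or from Hetzner), a small Python model of a stateless per-packet filter like the Robot firewall described above: the ephemeral-port ACK rule from the guide lets the TCP reply to an outbound SMTP connection back in, but a UDP DNS answer carries no TCP flag and is dropped, so name resolution fails; accepting replies from port 53 restores it. The rule shapes and sample packets are constructed, and the model assumes the port-53 rule matches on source port 53 (the port a resolver answers from), which the final post does not state.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed model of a stateless (per-packet) filter: every inbound packet
# is judged on its own fields, with no memory of the outbound connection it
# is a reply to. Default policy is deny.

@dataclass(frozen=True)
class Rule:
    proto: str                       # "tcp" or "udp"
    src_port: Optional[range]        # accepted source ports, None = any
    dst_port: Optional[range]        # accepted destination ports, None = any
    tcp_flag: Optional[str] = None   # TCP flag that must be set, e.g. "ack"

@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str] = frozenset()

EPHEMERAL = range(32768, 65536)      # the guide's "Ephemeral Port Range"

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and (rule.src_port is None or pkt.src_port in rule.src_port)
            and (rule.dst_port is None or pkt.dst_port in rule.dst_port)
            and (rule.tcp_flag is None or rule.tcp_flag in pkt.flags))

def accepts(rules, pkt: Packet) -> bool:
    """Default deny: an inbound packet passes only if some accept rule matches."""
    return any(matches(r, pkt) for r in rules)

# The ephemeral-range ACK rule quoted from Hetzner's guide.
TCP_REPLY_RULE = Rule("tcp", None, EPHEMERAL, "ack")
# Assumed shape of the fix from the last post: accept answers coming from a
# resolver's port 53 over UDP and TCP (the post does not say which field it used).
DNS_REPLY_RULES = (Rule("udp", range(53, 54), EPHEMERAL),
                   Rule("tcp", range(53, 54), EPHEMERAL, "ack"))

# Constructed sample replies to two outbound requests made by the server.
SMTP_SYNACK = Packet("tcp", 587, 40000, frozenset({"syn", "ack"}))  # mail server answering
DNS_ANSWER = Packet("udp", 53, 40001)                                # resolver answering

def diagnose(rules) -> dict:
    """Report which of the two replies would get back in under this rule set."""
    return {"smtp_reply": accepts(rules, SMTP_SYNACK),
            "dns_reply": accepts(rules, DNS_ANSWER)}

if __name__ == "__main__":
    print("guide rule only:   ", diagnose([TCP_REPLY_RULE]))
    print("with port 53 rules:", diagnose([TCP_REPLY_RULE, *DNS_REPLY_RULES]))
```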