"Cloudron Error Response Timeout" after activated Hetzner Firewall on dedi server

      p44
      translator
      wrote on last edited by girish
      #1

      Dear All,

      I know this could be a Hetzner-specific question.

      I activated Hetzner Firewall on a dedicated server with the above rules:

      s.png

      About Out-going TCP connections Hetzner guide says:

      "Therefore, the firewall doesn't "keep track of" whether or not an incoming packet belongs to an out-going connection from the server. For this reason, unless you enter an additional rule, all out-going connections from the server will not work. Server services (for example, enabling webservers for port 80) are not affected."

      And suggests:

      You can use the following rule to generally allow all responses to TCP connections:

       Source IP: No entry
       Destination IP: No entry
       Source port: No entry
       Destination port: 32768-65535 (Ephemeral Port Range)
       Protocol: tcp
       TCP flags: ack
       Action: accept
      

      I followed this, but:

      • Cannot send any email using 587 port
      • I get "Cloudron Error Response Timeout"

      Schermata 2021-04-04 alle 15.32.00.png

      It seems that Cloudron cannot "see" outside.

      Can you help me understand how to manage this situation?

      I know Cloudron has its own firewall, but I want to block additional open ports I'm not using, e.g. TURN server ports.

      Thanks a lot for the help!

        nebulon
        Staff
        wrote on last edited by
        #2

        Hi, for a start, Cloudron manages the firewall on the server already, so there is no need as such to use an external one. If you still want to additionally use the external one, then can you confirm that, if you disable that one, Cloudron works as expected?

        Further, all required basic ports for Cloudron to work well are mentioned at https://docs.cloudron.io/security/#cloud-firewall
        Of course, if you install other apps which require additional ports, then those also have to be set up manually in the external firewall.

          p44
          translator
          wrote on last edited by
          #3

          @nebulon I want to apply additional rules to lock ports that are not needed. I need only:

          80 TCP, 443 TCP, 25 TCP, 587 TCP and 993 TCP.

          All other ports I don't need. I know well that further ports are needed in case of other services. In my case I don't have any app using other services like SOLR or TURN.

          Why add additional rules? Because I want to limit all internet traffic on opened ports, like port scans and login attempts.

          I know that if I install additional apps, as specified in the Cloudron Firewall Guide, I need to open the specified port.

          That said, while with VPN-Firewall (newly released feature) all works fine, with Robot-Firewall (for dedicated servers) I cannot manage outgoing traffic.

          I mean, when the firewall is ON, it blocks IN and OUT traffic...

          I asked Hetzner customer service and they didn't provide any answer, only a generic answer to follow their guide (see above). I also posted on their forum and am waiting for an answer...

            p44
            translator
            wrote on last edited by p44
            #4

            @nebulon It seems that the problem is related to DNS queries... With the firewall active, if I ping 1.1.1.1 I get an answer, but if I ping a domainname.tld... it's not working...

            root@Ubuntu-1804-bionic-64-minimal ~ # ping wsj.com
            ping: wsj.com: Temporary failure in name resolution
            
              p44
              translator
              wrote on last edited by p44
              #5

              @nebulon I found the solution taking info from this forum.

              In fact, I opened port 53 TCP and UDP and Cloudron can resolve domain names.

              Configuration now is:

              firewall template.png

              All seems to be working fine... I marked this thread as "Solved" 🙂
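
An added example, not part of the thread and not Hetzner's or Cloudron's code: a minimal model of a stateless inbound filter, showing why the guide's TCP ack rule admits TCP replies while DNS replies over UDP, which carry no flags, are dropped until a port 53 rule exists. The shape of the port 53 rules (matching replies on source port 53) and all sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

EPHEMERAL = (32768, 65535)  # range from the quoted Hetzner rule

@dataclass(frozen=True)
class Packet:               # an inbound packet as a stateless filter sees it
    proto: str
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dst: Optional[Tuple[int, int]] = None   # None = "No entry" (any port)
    src: Optional[Tuple[int, int]] = None
    flags: frozenset = frozenset()          # flags that must be set

    def matches(self, p: Packet) -> bool:
        ok = lambda port, rng: rng is None or rng[0] <= port <= rng[1]
        return (p.proto == self.proto and ok(p.src_port, self.src)
                and ok(p.dst_port, self.dst) and self.flags <= p.flags)

def evaluate(rules, packet) -> Optional[str]:
    """Return the name of the first accepting rule, or None if dropped."""
    return next((r.name for r in rules if r.matches(packet)), None)

# Inbound services named in the thread, plus the guide's TCP ack rule.
BEFORE = [Rule(f"tcp-{p}", "tcp", dst=(p, p)) for p in (80, 443, 25, 587, 993)]
BEFORE.append(Rule("tcp-ack", "tcp", dst=EPHEMERAL, flags=frozenset({"ack"})))
# Assumed shape of the "port 53 TCP and UDP" fix: match replies by source port.
AFTER = BEFORE + [Rule("dns-udp", "udp", src=(53, 53), dst=EPHEMERAL),
                  Rule("dns-tcp", "tcp", src=(53, 53), dst=EPHEMERAL)]

# Constructed sample packets (replies arriving at the server).
SMTP_REPLY = Packet("tcp", 587, 40000, frozenset({"syn", "ack"}))
DNS_UDP_REPLY = Packet("udp", 53, 45000)            # UDP has no flags
DNS_TCP_REPLY = Packet("tcp", 53, 45001, frozenset({"ack"}))

if __name__ == "__main__":
    for name, pkt in [("smtp reply", SMTP_REPLY), ("dns/udp reply", DNS_UDP_REPLY),
                      ("dns/tcp reply", DNS_TCP_REPLY)]:
        print(f"{name:14} before={evaluate(BEFORE, pkt)} after={evaluate(AFTER, pkt)}")
```

Because the filter keeps no connection state, the source-port rule accepts any UDP packet from port 53 to the ephemeral range, solicited or not; restricting its source IP to the resolvers the server actually uses narrows that.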
