
External Firewall Setup & UFW

The Palo Alto firewall PBR-FW-KL1 has been configured so that Traefik's websecure-external entry point on the Docker host is reachable from the Internet.

To limit what the host itself accepts, UFW is enabled on the Docker host and permits only the traffic listed below: SSH (22), Traefik's internal entry points (80 and 443), Portainer (9443) and the Xibo port (9505) from the internal ranges, and Traefik's websecure-external entry point (444) from anywhere. UFW evaluates rules top to bottom and stops at the first match, so the DENY for 10.2.0.0/16 (the guest Wi-Fi range) must stay above the 10.0.0.0/8 allows; keep it at position 1 (ufw insert 1 ...) when the list is rebuilt. That rule is a DENY (silent drop) even though its comment says REJECT; use ufw reject instead if an active refusal is wanted. Also note that 172.16.0.0/16 covers only 172.16.0.0 to 172.16.255.255, not the whole RFC 1918 block 172.16.0.0/12, so any internal networks in 172.17 to 172.31 would not match these rules.

Two checks worth doing after editing: confirm the default inbound policy is deny with sudo ufw status verbose, and remember that ports published by Docker containers (compose ports: or docker run -p) are handled by Docker's own iptables chains rather than UFW's INPUT rules, so the internal-only restrictions on 80/443/9443/9505 only hold for services bound on the host directly. Verify actual exposure with a port scan of the public IP from outside rather than trusting ufw status alone.

pbr_admin@pbr-docker-kl1:/docker$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     10.2.0.0/16 #REJECT FREE WIFI
[ 2] 22                         ALLOW IN    192.168.0.0/16 #ALLOWS SSH FROM INTERNAL RANGES
[ 3] 22                         ALLOW IN    10.0.0.0/8
[ 4] 22                         ALLOW IN    172.16.0.0/16
[ 5] 443                        ALLOW IN    192.168.0.0/16 #ALLOWS TRAEFIK WEBSECURE-INTERNAL FROM INTERNAL RANGES
[ 6] 443                        ALLOW IN    10.0.0.0/8
[ 7] 443                        ALLOW IN    172.16.0.0/16
[ 8] 80                         ALLOW IN    192.168.0.0/16 #ALLOWS TRAEFIK WEB-INTERNAL FROM INTERNAL RANGES
[ 9] 80                         ALLOW IN    10.0.0.0/8
[10] 80                         ALLOW IN    172.16.0.0/16
[11] 9443                       ALLOW IN    192.168.0.0/16 #ALLOWS PORTAINER ACCESS WITHOUT REQUIRING TRAEFIK
[12] 9443                       ALLOW IN    10.0.0.0/8
[13] 9443                       ALLOW IN    172.16.0.0/16
[14] 9505                       ALLOW IN    192.168.0.0/16 #ALLOW XIBO XMS PORT FROM INTERNAL RANGES
[15] 9505                       ALLOW IN    10.0.0.0/8
[16] 9505                       ALLOW IN    172.16.0.0/16
[17] 444                        ALLOW IN    Anywhere #ALLOW TRAEFIK WEBSECURE-EXTERNAL
[18] 444 (v6)                   ALLOW IN    Anywhere (v6)

The Palo Alto firewall has a destination NAT rule that translates inbound traffic to the public IP on TCP 443 to the Docker host's internal IP on TCP 444, which is the port UFW opens to Anywhere for Traefik's websecure-external entry point.

(screenshot: Palo Alto NAT rule)

A matching Security policy rule permits the inbound traffic so the NAT translation can take effect. On PAN-OS the security rule must match the pre-NAT destination (the public IP and TCP 443) but the post-NAT destination zone (the internal zone the Docker host sits in), because security policy is evaluated with pre-NAT addresses and post-NAT zones.

(screenshot: Palo Alto security rule)

To expose a service externally, its Traefik router must be bound to the websecure-external entry point (the one listening on 444) and carry the middlewares appropriate for public exposure, for example security headers, rate limiting or an IP allow-list. Routers bound only to web-internal or websecure-internal remain reachable from the internal ranges only, even though 444 is open to Anywhere, because the entry point binding is what decides which routers answer behind the NAT.
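The docker-compose.yml below is an added example, not this page's or the project's own configuration. It shows the three entry points the UFW rules above refer to (web-internal on 80, websecure-internal on 443, websecure-external on 444), one service whose router is bound only to websecure-external with middlewares attached, and one internal-only service that is unreachable through the NAT. The image tags, hostnames app.example.com and tool.internal.example, the resolver name le, the Cloudflare DNS-01 token, the middleware values and the proxy network are assumptions for illustration.

```yaml
# Added example, not the page's own configuration.
# Assumed: image tags, hostnames, resolver name "le", the CF_DNS_API_TOKEN
# secret, the middleware values and the "proxy" network. The entry point
# names and ports match the UFW rules on this page (80, 443, 444).
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      # Only containers that opt in with traefik.enable=true get routers.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web-internal.address=:80
      - --entrypoints.websecure-internal.address=:443
      # Port the Palo Alto NAT rule translates public TCP 443 to.
      - --entrypoints.websecure-external.address=:444
      # Plain HTTP on the internal entry point just redirects to HTTPS.
      - --entrypoints.web-internal.http.redirections.entrypoint.to=websecure-internal
      - --entrypoints.web-internal.http.redirections.entrypoint.scheme=https
      # DNS-01 via Cloudflare: certificate issuance does not depend on the
      # 443->444 NAT path being correct.
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
    environment:
      # Assumed token, scoped to Zone:DNS:Edit on the single zone.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    ports:
      - "80:80"
      - "443:443"
      - "444:444"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks: [proxy]

  # Publicly exposed service: its router is bound ONLY to websecure-external.
  app:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.app-public.rule=Host(`app.example.com`)
      - traefik.http.routers.app-public.entrypoints=websecure-external
      - traefik.http.routers.app-public.tls.certresolver=le
      - traefik.http.routers.app-public.middlewares=secure-headers,public-ratelimit
      - traefik.http.services.app.loadbalancer.server.port=80
      # Middlewares every externally reachable router should carry.
      - traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.secure-headers.headers.frameDeny=true
      - traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true
      - traefik.http.middlewares.public-ratelimit.ratelimit.average=50
      - traefik.http.middlewares.public-ratelimit.ratelimit.burst=100
    networks: [proxy]

  # Internal-only service: no router on websecure-external, so it does not
  # answer through the NAT even though UFW opens 444 to Anywhere.
  tool:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.tool-internal.rule=Host(`tool.internal.example`)
      - traefik.http.routers.tool-internal.entrypoints=websecure-internal
      - traefik.http.routers.tool-internal.tls=true
      - traefik.http.services.tool.loadbalancer.server.port=80
    networks: [proxy]

networks:
  proxy: {}
```

Binding a router to websecure-external is the deliberate act of exposure; the UFW rule for 444 only opens the port, and the entry point list on each router decides what answers behind it. Because Docker publishes 80, 443 and 444 itself, confirm from outside the network that only the NAT'd 443 responds on the public IP.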

Then add a DNS record in Cloudflare pointing the hostname at the public IP, ideally proxied so the origin address is not published. A proxied record does not stop direct connections to the origin: the host still accepts any source on 444, so if direct-to-origin access is not wanted, restrict inbound 443 on the Palo Alto (or 444 in UFW) to Cloudflare's published IP ranges at https://www.cloudflare.com/ips/.

(screenshot: Cloudflare DNS record)

Finally, test from outside the network: check that the hostname resolves to Cloudflare, that TLS is served for the public router, and that internal-only hostnames are not answered on the public IP.