Simple Application Server:Manage the firewall of a simple application server

Last Updated:Jan 24, 2024

The firewall of a simple application server is a virtual firewall that uses firewall rules to control the inbound traffic of the simple application server. This ensures the security of the server. This topic describes how to add, modify, disable, enable, and delete firewall rules for a simple application server. This topic also provides information about the ports preset for the firewall feature, frequently asked questions (FAQs) about firewalls, and related documents.

Limits

  • You can create a maximum of 50 firewall rules for each simple application server.

  • Port 25 is the default email service port. For security reasons, this port is disabled for simple application servers by default. If you want to send emails, use port 465.

  • A firewall controls only the inbound traffic of a simple application server. All outbound traffic of a simple application server is allowed by default.

    Note
    • Inbound traffic: the traffic generated when data is transmitted to a simple application server over the Internet or an internal network.

    • Outbound traffic: the traffic generated when data is transmitted from a simple application server over the Internet or an internal network.

Manage a firewall

By default, the firewall of a simple application server allows traffic only on a small set of ports that depend on the operating system of the server. All other ports are blocked by default. You can add firewall rules to allow traffic on the ports that your business requires.

  • Windows: By default, ports 3389, 80, and 443 are enabled.

  • Linux: By default, ports 22, 80, and 443 are enabled.

If you delete or disable these default rules in the Simple Application Server console, the Firewall tab of the Servers page displays a message similar to "You disabled or deleted the default port 22 allow rule on the firewall, which affects the remote connection feature." You can add or enable the corresponding rules again as required.

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Servers.

  3. Find the simple application server for which you want to add a firewall rule, and click the instance ID in the card of the server.

  4. In the upper-left corner of the Firewall tab, click Add Rule.

  5. In the Add Firewall Rule dialog box, configure parameters based on your business requirements and click OK.

    Warning
    • When you add a firewall rule, configure the port range and IP addresses that are allowed to access the server as required and follow the principle of least privilege to prevent network attacks.

    • If the ports and protocol you specify for the firewall rule are the same as those of an existing rule, the existing rule is overwritten regardless of whether the existing rule is enabled or disabled.

    Select a preset firewall rule

    You can add a firewall rule with ease by selecting a preset firewall rule. The following table describes the parameters.

    • Application Type: The application type. Select RDP, FTP, TELNET, MYSQL, All Use TCP, All Use UDP, or All Use TCP and UDP from the drop-down list based on your business requirements. For more information, see the Preset port information section in this topic.

    • Protocol: The protocol. The displayed protocol is used by default and the value cannot be changed.

    • Port Range: The port. The displayed port is used by default and the value cannot be changed.

    • IP Source to be Used: The IP addresses that are allowed to access the server. The default value is 0.0.0.0/0, which indicates all IPv4 addresses.

      Important
      Configure IP addresses as required and follow the principle of least privilege to prevent network attacks on your server.

    • Remarks: Enter the remarks of the firewall rule for subsequent management.

    • Actions: Click Add to add multiple firewall rules. Click Delete to delete the firewall rule.

    Create a custom firewall rule

    If the preset firewall rules cannot meet your business requirements, you can create one or more custom firewall rules. The following table describes the parameters.

    • Application Type: Select Specify a custom value.

    • Protocol: Select TCP or UDP.

    • Port Range: Valid values: 1 to 65535. You can use one of the following methods to configure this parameter:

      • Specify a single port. Enter the number of the port that you want to enable. For example, if you want to allow traffic on MySQL listening port 3306, enter 3306 in the Port Range field.

      • Specify a port range. Use a slash (/) to separate the start port number and the end port number. For example, if you want to allow traffic over the port range 20000 to 30000 that you specify in the FTP configuration file, enter 20000/30000 in the Port Range field.

    • IP Source to be Used: The default value is 0.0.0.0/0, which indicates all IPv4 addresses. You can also specify the IPv4 addresses that are allowed to access the server:

      • Specify a single IPv4 address. Example: 192.168.0.100.

      • Specify the IPv4 addresses within a CIDR block. Enter an IPv4 CIDR block. Example: 192.168.0.0/24.

    • Remarks: Enter the remarks of the firewall rule for subsequent management.

    • Actions: Click Add to add multiple firewall rules. Click Delete to delete the firewall rule.
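The rule semantics described in this step (a single port or a start/end port range, a single IPv4 address or a CIDR source, the 50-rule limit, and the overwrite behaviour for a rule with the same protocol and port range) can be modelled and checked before anything is changed in the console. The following Python model is an added example written for this page; it is not the Simple Application Server console or its API, and the `Firewall` class, the `Rule` dataclass and all function names are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass, replace

MAX_RULES = 50                                                    # per-server limit stated on this page
DEFAULT_PORTS = {"Windows": (3389, 80, 443), "Linux": (22, 80, 443)}  # default allow rules on this page
PROTOCOLS = ("TCP", "UDP", "TCP+UDP")


@dataclass(frozen=True)
class Rule:
    protocol: str                   # "TCP", "UDP" or "TCP+UDP"
    port_start: int
    port_end: int
    source: ipaddress.IPv4Network   # "IP Source to be Used"; a single host becomes a /32
    remark: str = ""
    enabled: bool = True


def parse_port_range(text):
    """Accept a single port ("3306") or "start/end" ("20000/30000"), as the console does."""
    parts = text.strip().split("/")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port range: {text!r}")
    start, end = int(parts[0]), int(parts[-1])
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"need 1 <= start <= end <= 65535: {text!r}")
    return start, end


def parse_source(text):
    """Accept a single IPv4 address or an IPv4 CIDR block (default 0.0.0.0/0)."""
    net = ipaddress.ip_network(text.strip(), strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 sources are accepted")
    return net


def validate_rule(protocol, port_range, source="0.0.0.0/0"):
    """Pre-flight check that returns (ok, message) instead of raising."""
    try:
        if protocol.upper() not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        parse_port_range(port_range)
        parse_source(source)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


class Firewall:
    """In-memory model (hypothetical) of one server's inbound rule set."""

    def __init__(self):
        self.rules = []

    def _find(self, protocol, start, end):
        for i, r in enumerate(self.rules):
            if (r.protocol, r.port_start, r.port_end) == (protocol, start, end):
                return i
        return None

    def add_rule(self, protocol, port_range, source="0.0.0.0/0", remark="", enabled=True):
        protocol = protocol.upper()
        ok, msg = validate_rule(protocol, port_range, source)
        if not ok:
            raise ValueError(msg)
        start, end = parse_port_range(port_range)
        new = Rule(protocol, start, end, parse_source(source), remark, enabled)
        # Same protocol and port range as an existing rule: that rule is overwritten
        # whether it was enabled or disabled (the behaviour this page warns about).
        idx = self._find(protocol, start, end)
        if idx is not None:
            self.rules[idx] = new
            return new
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} rules per server")
        self.rules.append(new)
        return new

    def set_enabled(self, protocol, port_range, enabled):
        """Disable or enable a rule in place so it can be reused later without re-creating it."""
        idx = self._find(protocol.upper(), *parse_port_range(port_range))
        if idx is None:
            return False
        self.rules[idx] = replace(self.rules[idx], enabled=enabled)
        return True

    def remaining_quota(self):
        return MAX_RULES - len(self.rules)

    def _covering(self, protocol, port):
        return [r for r in self.rules if r.enabled and r.protocol in (protocol, "TCP+UDP")
                and r.port_start <= port <= r.port_end]

    def allows(self, protocol, port, src_ip):
        """Would an inbound packet pass? Only inbound is filtered; outbound is always allowed."""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in r.source for r in self._covering(protocol.upper(), port))

    def missing_defaults(self, os_name):
        """Default ports with no enabled TCP rule; the console warns that removing these affects remote connection."""
        return [p for p in DEFAULT_PORTS[os_name] if not self._covering("TCP", p)]
```

`validate_rule` is the check to run before submitting a rule: it rejects reversed ranges, port 0, non-TCP/UDP protocols and IPv6 sources with a message rather than an exception. `allows` answers "would this client reach this port?" for a proposed rule set, and `missing_defaults` reproduces the warning the console shows when a default allow rule (22 or 3389, 80, 443) is deleted or disabled.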

Modify, disable, enable, and delete a firewall rule

After you add a firewall rule, you can perform the following operations based on your business requirements.

Modify a firewall rule

If the firewall rules that are created or added by default do not meet your business requirements, you can modify the firewall rules.

  1. Click Modify in the Actions column of the firewall rule that you want to manage.

  2. In the Modify dialog box, modify the Protocol, Port Range, IP Source to be Used, and Remarks parameters based on your business requirements.

  3. Click Confirm.

Disable a firewall rule

You can temporarily disable a firewall rule so that traffic on its port is blocked. If you want to allow traffic on the port later, you can enable the rule directly without the need to create it again.

Important

If a firewall rule is disabled, the port specified in the rule can no longer be accessed, which may affect your business. Disable a firewall rule with caution and make sure that the operation does not affect your business.

  1. Click Disable in the Actions column of the firewall rule that you want to manage.

  2. In the Disable message, click Confirm.

Enable a firewall rule

You can enable a firewall rule that was previously disabled.

  1. Click Enable in the Actions column of the disabled firewall rule that you want to manage.

  2. In the Enable message, click Confirm.

Delete a firewall rule

You can delete a firewall rule that is no longer used.

Note

If the number of firewall rules does not reach the upper limit of 50, we recommend that you temporarily disable a firewall rule for later use.

  1. Click Delete in the Actions column of the firewall rule that you want to manage.

  2. In the Delete message, click Confirm.

Preset port information

The following table describes the common firewall rules preset in firewalls provided by Alibaba Cloud. You can add firewall rules with ease by using these preset firewall rules. For more information about common ports, see Common ports.

The IP Source to be Used parameter of all preset rules defaults to 0.0.0.0/0, which indicates all IPv4 addresses.

Important

Configure IP addresses as required and follow the principle of least privilege to prevent network attacks on your server.

  • HTTP (TCP, port 80): The default HTTP port. It is used to access website services such as Internet Information Services (IIS), Apache, and NGINX. For more information, see Deploy Apache based on a CentOS system image.

  • HTTPS (TCP, port 443): The default HTTPS port. For more information, see the following topics:

  • RDP (TCP, port 3389): The default Remote Desktop Protocol (RDP) port. It is used to connect to a Windows server by using Remote Desktop. For more information, see Connect to a Windows server.

  • FTP (TCP, port 21): The default FTP port. It is used to upload and download files. For more information, see Build an FTP server.

  • TELNET (TCP, port 23): The default Telnet port.

  • MySQL (TCP, port 3306): The default MySQL port. For more information, see Use DMS to connect to a database on a simple application server.

  • All Use TCP (TCP, ports 1~65535): All TCP ports.

  • All Use UDP (UDP, ports 1~65535): All UDP ports.

  • All Use TCP and UDP (TCP+UDP, ports 1~65535): All TCP and UDP ports.

  • Specify a custom value (TCP or UDP, ports 1~65535): The custom port range.

FAQ

Q1: What is the difference between a simple application server firewall and an operating system firewall?

  • Simple application server firewall: The Simple Application Server console provides a visualized management interface. You can configure firewall rules with ease. However, the firewall of a simple application server can control only inbound traffic.

  • Operating system firewall: A system administrator can configure firewall rules in the operating system to control both inbound and outbound traffic. The system administrator must be familiar with the corresponding firewall software, such as iptables on Linux. In addition, Linux users must be familiar with the command line.

Q2: How do I check port connectivity by running the Telnet command?

Run the following command to check whether a port can be accessed:

telnet <IP address> <Port>

The following examples use port 80. The command output depends on whether the port can be accessed:

Windows

  • The port can be accessed.

  • The port cannot be accessed.

    C:\Users\Administrator>telnet 120.55.XX.XX 80
    Connecting To 120.55.XX.XX...Could not open connection to the host,  on port 80: Connect failed

Linux

  • The port can be accessed.

    [root@VM-4-10-centos ~]# telnet 120.55.XX.XX 80
    Trying 120.55.XX.XX...
    Connected to 120.55.XX.XX.
    Escape character is '^]'.

  • The port cannot be accessed.

    [root@VM-4-10-centos ~]# telnet 120.55.XX.XX 80
    Trying 120.55.XX.XX...
    telnet: connect to address 120.55.XX.XX: Connection refused
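The telnet check above reports only success or failure. A connect test written in Python can additionally tell a refused connection (the host answered, so look at the service as in Q3) from a timeout (no answer at all, which is what a missing or disabled firewall rule looks like, as in Q4). This is an added example written for this page, not part of the original document; `check_port` and `demo_loopback` are names chosen here, and the loopback listener is constructed for the demonstration.

```python
import socket


def check_port(host, port, timeout=3.0):
    """TCP connect test, equivalent to `telnet <host> <port>`, returning a labelled result.

    "open"     a listener completed the handshake
    "refused"  the host answered with a reset: nothing listens there, or the OS firewall rejects
    "timeout"  no answer at all: typical when a cloud firewall rule silently drops the SYN
    "error"    name resolution failed or another socket error occurred
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def demo_loopback():
    """Constructed self-check: probe a loopback listener while it is open, then after it closes.
    Expected result: ("open", "refused")."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = check_port("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()
    after_close = check_port("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_loopback())
```

Run `check_port("<server IP>", 80)` from a client outside the server: "refused" means the packet reached the server and the operating system answered, so the service or OS firewall is the next thing to check; "timeout" means nothing answered, which is the usual symptom of a missing console firewall rule.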

Q3: How do I check the service status and the listening status of a port?

In this example, the NGINX service in a simple application server is used. The default port is port 80. If you want to check the status of other services, replace the service name and the port number in the commands.

Linux servers

In this example, a Linux server that runs CentOS 7.9 is used. The operations may vary based on the versions of Linux systems.

  1. Connect to the Linux server.

    For more information, see Connect to a Linux server.

  2. Run the following command to check the NGINX service status:

    systemctl status nginx

    • If the output shows that the service is active (running), NGINX is started.

    • Otherwise, run the following command to start NGINX:

      systemctl start nginx

  3. Run the following command to check whether the port is listened on:

    netstat -an | grep 80

    • If the output contains a line for port 80 in the LISTEN state, port 80 is listened on.

    • Otherwise, port 80 is not listened on.

Windows servers

In this example, Windows Server 2012 is used. The operations for different versions of Windows servers are similar.

  1. Connect to the Windows server.

    For more information, see Connect to a Windows server.

  2. Click the Start icon, choose Windows System > Run, enter services.msc, and then click OK to open the Services window.

  3. Check the status of NGINX.

    1. If the Status column of the NGINX service is empty, the service is stopped. Right-click the NGINX service, and then click Start(S).

    2. If the NGINX service is in the Running state, NGINX is started.

  4. Run the following command in Windows PowerShell to check whether the port is listened on:

    netstat -ano | findstr "80"

    • If the output contains a line for port 80 in the LISTENING state, port 80 is listened on.

    • Otherwise, port 80 is not listened on.
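Both the Linux `netstat -an | grep 80` and the Windows `netstat -ano | findstr "80"` checks above match any line containing the characters 80, such as port 8080 or a foreign address ending in 80, and neither shows whether the listener is bound to a public address or only to 127.0.0.1 (in which case the port is unreachable from the Internet even with a correct firewall rule). The following parser is an added example, not part of this page: it reads `netstat` output in both formats, matches the exact port, and reports where it is bound. The sample output is constructed for the demonstration, and the function names are choices made here.

```python
# Constructed sample of `netstat -an` output on a Linux server (not captured from a real host).
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.5:22           203.0.113.7:51280       ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Constructed sample of `netstat -ano` output on a Windows server.
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    [::]:80                [::]:0                 LISTENING       1234
  TCP    10.0.0.5:3389          203.0.113.7:50080      ESTABLISHED     800
  UDP    0.0.0.0:5355           *:*                                    1100
"""

LISTEN_STATES = {"LISTEN", "LISTENING"}   # Linux and Windows spellings
LOOPBACK = {"127.0.0.1", "::1"}


def tcp_listeners(netstat_output):
    """Map each listening TCP port to the set of local addresses it is bound to.

    Works on both formats: the local address is the first token containing ':'
    after the protocol column, and the port is everything after the last ':'
    (so ':::8080' and '[::]:80' are handled as well as '0.0.0.0:80').
    """
    listeners = {}
    for line in netstat_output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("tcp"):
            continue
        if not LISTEN_STATES & set(tokens):
            continue
        local = next(t for t in tokens[1:] if ":" in t)
        host, _, port = local.rpartition(":")
        listeners.setdefault(int(port), set()).add(host.strip("[]"))
    return listeners


def port_status(netstat_output, port):
    """'listening' if the exact port is bound on a non-loopback address,
    'local-only' if it is bound on 127.0.0.1 or ::1 only (unreachable from the
    Internet even with a firewall rule), 'not-listening' otherwise."""
    addrs = tcp_listeners(netstat_output).get(port, set())
    if not addrs:
        return "not-listening"
    if addrs <= LOOPBACK:
        return "local-only"
    return "listening"


def loose_match_count(netstat_output, port):
    """Number of lines `grep 80` / `findstr "80"` would print: a substring match with no port logic."""
    return sum(1 for line in netstat_output.splitlines() if str(port) in line)
```

On the constructed Linux sample, `loose_match_count(LINUX_NETSTAT, 80)` is 3 (port 80, port 8080 and an ESTABLISHED line whose foreign port ends in 80), while `port_status(LINUX_NETSTAT, 80)` is "listening" because exactly one listener binds port 80 on 0.0.0.0. Pipe real output into `port_status` the same way, with `netstat -an` on Linux or `netstat -ano` in PowerShell.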

Q4: What do I do if the port of my simple application server cannot be accessed?

If your server is deployed outside the Chinese mainland, such as in the China (Hong Kong) region, unstable connections and high latency may occur due to the congestion of international links and outbound routing restrictions of Internet service providers (ISPs). Cross-border connections are established through the networks of ISPs. The connection quality is affected by many factors and ISPs cannot optimize their networks in a short time.

Solutions:

  • If your business is mainly for users in the Chinese mainland, we recommend that you unsubscribe from the existing simple application server after you create a server in a Chinese mainland region and migrate the data in the existing server to the new server. For more information, see Migrate data between simple application servers.

  • You cannot improve the connection quality of a simple application server by changing its IP address. If your server is deployed in the China (Hong Kong) region, you can use an Elastic Compute Service (ECS) instance that is associated with a BGP (Multi-ISP) Pro elastic IP address (EIP). In this case, a direct cross-border connection can be established without using the services of ISPs to deliver a better user experience. However, cross-border connection issues still exist and cannot be eliminated. For more information, see Migrate data from a simple application server to an ECS instance by using a shared image, Apply for an EIP, and Associate an EIP with an ECS instance.

In other scenarios, troubleshoot the issue by using the following methods:

  1. Run the netstat -tunlp command to check whether the port of the server is listened on. If the port is not listened on, start the corresponding service to ensure that the port is listened on.

  2. Check whether restrictions are configured on the firewall of the server.

    • For Ubuntu operating systems, run the sudo ufw status command.

    • For CentOS 7 and later, run the firewall-cmd --list-ports command. If the output indicates that ufw or firewalld is not running, run the iptables -L; iptables -t nat -L command to check the firewall rules.

  3. Check whether a firewall rule that enables the port for the server is added in the Simple Application Server console.

References

If you cannot access the website or the simple application server after you configure firewall rules, or the firewall of the server does not meet your business requirements, see the following topics: