How do I use the Firewall in Spinup Spaces?

Problem

I need to configure firewall rules for my Spinup Space.

Solution

Currently, any new Spinup Space automatically gets a firewall (an AWS security group) which protects all servers within that Space from external connections. All servers in the same Space can still communicate with each other (as long as the traffic is allowed by their host-based firewall, such as iptables).

By default, this space firewall blocks all inbound connections (except for SSH and RDP) and allows all outbound connections. SSH and RDP connections are allowed from anywhere, but those rules can be removed or changed later to allow only specific IPs. You can also allow additional ports as needed for your application. Note that for moderate- and high-risk spaces you should only open ports that carry encrypted traffic, in order to protect sensitive data. If you believe you need to allow unencrypted traffic to a high-risk space, you must get a policy exception from ISO (see https://cybersecurity.yale.edu/policyexceptions).


Please use the following steps to add/remove firewall rules:

  • After you open the Space, click the Firewall tab
  • To add a new rule, click the Add button and select the Service (port) and Source IP subnet
    • The Service is one of the pre-defined services or Other, which allows you to enter an arbitrary port
    • The Source IP subnet needs to be in CIDR format (ending in /XX, where XX is the subnet mask length). For example, to allow from anywhere enter "0.0.0.0/0", and to allow only a single IP enter "172.16.10.11/32"
    • You can enter an optional description for the rule which will show up in the Inbound rules table
  • To remove a rule click the Trash bin next to the rule and confirm
  • Note that rule changes take effect immediately and affect all resources in that space (except for S3 buckets and websites)
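Because rule changes take effect immediately across the whole Space, it helps to sanity-check a planned rule set before entering it in the Firewall tab. The script below is an added example, not part of Spinup or this article: it validates each Source IP subnet as CIDR (the /XX mask the form requires, with no host bits set), flags SSH/RDP left open to 0.0.0.0/0, and flags cleartext ports on moderate- or high-risk spaces, which would need an ISO policy exception. The `Rule` class, the `CLEARTEXT_PORTS` table and the sample rules are constructed for the example; which services count as unencrypted for a given space is a policy decision, not something this list decides.

```python
import ipaddress
from dataclasses import dataclass

# Constructed table of services that usually carry cleartext traffic (assumption
# for this example only; the real encrypted/unencrypted call is made by policy).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}
# Services the Space firewall opens from anywhere by default.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    """One inbound rule as it would be typed into the Firewall tab (hypothetical model)."""
    port: int
    source: str          # the Source IP subnet field, expected in CIDR form
    description: str = ""


def parse_source(source: str):
    """Validate a Source IP subnet the way the form expects: CIDR ending in /XX.

    strict=True makes ipaddress reject masks that leave host bits set
    (e.g. 172.16.10.11/24), which is almost always a typo for /32.
    """
    if "/" not in source:
        raise ValueError(
            f"{source!r} is not in CIDR format; add a /XX mask, e.g. /32 for one host")
    return ipaddress.ip_network(source, strict=True)


def check_rule(rule: Rule, risk_level: str) -> list[str]:
    """Return a list of findings for one rule; an empty list means nothing to flag."""
    findings = []
    try:
        net = parse_source(rule.source)
    except ValueError as err:
        return [f"port {rule.port}: {err}"]

    if net == ANYWHERE and rule.port in REMOTE_ADMIN_PORTS:
        findings.append(
            f"port {rule.port} ({REMOTE_ADMIN_PORTS[rule.port]}) is open to 0.0.0.0/0; "
            "restrict it to the source IPs that actually need access")
    if risk_level in ("moderate", "high") and rule.port in CLEARTEXT_PORTS:
        findings.append(
            f"port {rule.port} ({CLEARTEXT_PORTS[rule.port]}) carries unencrypted traffic; "
            f"a {risk_level}-risk space needs an ISO policy exception for this rule")
    if not rule.description:
        findings.append(f"port {rule.port}: add a description so the rule is "
                        "recognisable in the Inbound rules table")
    return findings


def check_space(rules: list[Rule], risk_level: str) -> dict[int, list[str]]:
    """Check every rule; only ports with findings appear in the result."""
    result = {}
    for rule in rules:
        findings = check_rule(rule, risk_level)
        if findings:
            result[rule.port] = findings
    return result


if __name__ == "__main__":
    # Constructed sample rule set for a hypothetical high-risk space.
    planned = [
        Rule(443, "0.0.0.0/0", "public HTTPS"),
        Rule(22, "0.0.0.0/0", "default SSH rule"),
        Rule(80, "10.0.0.0/8", "legacy HTTP health check"),
        Rule(3389, "172.16.10.11", "RDP from admin workstation"),
    ]
    for port, notes in check_space(planned, "high").items():
        for note in notes:
            print(f"[port {port}] {note}")
```

Run it before changing rules and fix anything it reports; the HTTPS rule above is the only one of the four that comes back clean, because the SSH rule is world-open, the HTTP rule is cleartext on a high-risk space, and the RDP source is missing its /32.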

Best Practices