Firewall Configuration
Properly configured firewall rules are essential for protecting your ClawBook VPS from unauthorized access.
UFW Basics
ClawBook uses UFW (Uncomplicated Firewall), a user-friendly interface for iptables.
Check Status
```bash
sudo ufw status verbose
# Output:
# Status: active
# Logging: on (low)
# Default: deny (incoming), allow (outgoing)
#
# To       Action   From
# --       ------   ----
# 22/tcp   ALLOW IN Anywhere
# 80/tcp   ALLOW IN Anywhere
# 443/tcp  ALLOW IN Anywhere
# 8443/tcp ALLOW IN Anywhere
```
Enable/Disable
```bash
# Enable firewall
sudo ufw enable
# Disable firewall (not recommended)
sudo ufw disable
# Reset to defaults
sudo ufw reset
```
Required Ports
Minimum ports for ClawBook:
| Port | Protocol | Service | Required |
|---|---|---|---|
| 22 | TCP | SSH | Yes |
| 80 | TCP | HTTP (Let's Encrypt) | Yes |
| 443 | TCP | HTTPS | Yes |
| 8443 | TCP | Dashboard | Yes |
Basic Setup
```bash
# Start fresh
sudo ufw reset
# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow required ports
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS
sudo ufw allow 8443/tcp # Dashboard
# Enable
sudo ufw enable
```
Advanced Rules
Allow by IP Address
```bash
# Allow all traffic from a specific IP
sudo ufw allow from 203.0.113.50
# Allow a specific port from an IP
sudo ufw allow from 203.0.113.50 to any port 22
# Allow a subnet
sudo ufw allow from 192.168.1.0/24
```
Restrict SSH to Your IP
If you have a static IP:
```bash
# Remove the general SSH rule
sudo ufw delete allow 22/tcp
# Allow only your IP
sudo ufw allow from YOUR_HOME_IP to any port 22
```
Port Ranges
```bash
# Allow a TCP port range
sudo ufw allow 6000:6007/tcp
# Allow a UDP port range
sudo ufw allow 6000:6007/udp
```
Specific Interfaces
```bash
# Allow on a specific interface
sudo ufw allow in on eth0 to any port 80
```
Rate Limiting
Protect against brute force attacks:
```bash
# Rate-limit SSH: a source that opens 6 or more connections within 30 seconds is denied
sudo ufw limit ssh
# Rate-limit another service the same way
sudo ufw limit 8443/tcp
```
Deny Rules
Block specific traffic:
```bash
# Block an IP address
sudo ufw deny from 45.33.32.156
# Block a subnet
sudo ufw deny from 10.0.0.0/8
# Block a port from an IP
sudo ufw deny from 45.33.32.156 to any port 22
```
Managing Rules
List Rules with Numbers
```bash
sudo ufw status numbered
# Output:
# Status: active
#
#      To       Action   From
#      --       ------   ----
# [ 1] 22/tcp   ALLOW IN Anywhere
# [ 2] 80/tcp   ALLOW IN Anywhere
# [ 3] 443/tcp  ALLOW IN Anywhere
# [ 4] 8443/tcp ALLOW IN Anywhere
```
Delete Rules
```bash
# Delete by number
sudo ufw delete 4
# Delete by rule
sudo ufw delete allow 8443/tcp
```
Insert Rules
```bash
# Insert at a specific position (position 1 is evaluated first)
sudo ufw insert 1 deny from 45.33.32.156
```
Logging
Enable Logging
```bash
# Set logging level
sudo ufw logging on
sudo ufw logging medium # low, medium, high, full
```
View Logs
```bash
# Follow UFW logs
sudo tail -f /var/log/ufw.log
# Grep for blocked packets
sudo grep "UFW BLOCK" /var/log/ufw.log
```
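The grep above shows blocked packets one line at a time; the following added example (not part of the ClawBook docs) summarises `[UFW BLOCK]` entries by source address and probed destination port and turns the noisiest sources into `ufw insert 1 deny` rules, which is the usual next step after reviewing the log. It reads log lines on stdin and ships with a constructed sample using documentation address ranges.

```bash
#!/bin/sh
# Added example: summarise "[UFW BLOCK]" log entries by source and port.
# Reads /var/log/ufw.log lines on stdin; nothing here touches the live firewall.

# Constructed sample log lines (documentation address ranges, not real hosts).
UFW_SAMPLE='Mar  1 10:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  1 10:00:04 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  1 10:00:09 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=8443 SYN
Mar  1 10:01:30 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=3389 SYN
Mar  1 10:01:31 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  1 10:02:00 vps kernel: [UFW AUDIT] IN=eth0 OUT= SRC=203.0.113.50 DST=203.0.113.10 PROTO=TCP SPT=55000 DPT=443 SYN'

# Pull FIELD=value out of every [UFW BLOCK] line (audit/allow lines are skipped)
# and count the values. Prints "count value", most frequent first.
count_blocked_field() {
  field=$1
  grep 'UFW BLOCK' | sed -n "s/.*${field}=\([^ ]*\).*/\1/p" \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sources with at least $1 blocked packets (default 1).
blocked_by_source() {
  count_blocked_field SRC | awk -v min="${1:-1}" '$1 >= min'
}

# Destination ports being probed, most hit first.
blocked_by_port() {
  count_blocked_field DPT
}

# Emit deny rules for sources at or above the threshold. They are inserted at
# position 1 so they are evaluated before any allow rule (first match wins).
suggest_deny_rules() {
  blocked_by_source "$1" | awk '{print "sudo ufw insert 1 deny from " $2}'
}

# Stand-alone run over the constructed sample (on a real host, replace the
# printf with: sudo grep 'UFW BLOCK' /var/log/ufw.log | blocked_by_source 20):
printf '%s\n' "$UFW_SAMPLE" | blocked_by_source 2
printf '%s\n' "$UFW_SAMPLE" | blocked_by_port
printf '%s\n' "$UFW_SAMPLE" | suggest_deny_rules 3
```

Review the suggested rules before applying them: a busy legitimate client (for instance a monitoring system hitting a closed port) shows up in the same list as a scanner.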
Application Profiles
UFW has predefined application profiles:
```bash
# List available profiles
sudo ufw app list
# View profile details
sudo ufw app info "OpenSSH"
# Allow by profile
sudo ufw allow "OpenSSH"
```
Create Custom Profile
```bash
# Create the profile file
sudo nano /etc/ufw/applications.d/clawbook
```
Content of the file:
```ini
[ClawBook]
title=ClawBook Dashboard
description=OpenClaw Dashboard Service
ports=8443/tcp
```
```bash
# Use the profile
sudo ufw allow ClawBook
```
IPv6
UFW supports IPv6 by default:
```bash
# Check that IPv6 is enabled
grep IPV6 /etc/default/ufw
# Should show: IPV6=yes
# Rules then apply to both IPv4 and IPv6
```
Backup Rules
Save your firewall configuration:
```bash
# Export rules
sudo cp /etc/ufw/user.rules ~/ufw-backup.rules
sudo cp /etc/ufw/user6.rules ~/ufw6-backup.rules
# Restore rules
sudo cp ~/ufw-backup.rules /etc/ufw/user.rules
sudo cp ~/ufw6-backup.rules /etc/ufw/user6.rules
sudo ufw reload
```
Common Configurations
Paranoid Mode
Maximum security:
```bash
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
# Only allow essentials
sudo ufw allow out 53/udp  # DNS
sudo ufw allow out 80/tcp  # HTTP
sudo ufw allow out 443/tcp # HTTPS
sudo ufw allow in from YOUR_IP to any port 22
sudo ufw allow in 80/tcp
sudo ufw allow in 443/tcp
sudo ufw allow in 8443/tcp
sudo ufw enable
```
Behind Load Balancer
If using a load balancer:
```bash
# Allow the dashboard only from the load balancer
sudo ufw allow from LOAD_BALANCER_IP to any port 8443
# Remove public access
sudo ufw delete allow 8443/tcp
```
Internal Network Only
For private deployments:
```bash
# Allow only the internal network; the deny rule comes after it, so internal sources still match the allow
sudo ufw allow from 10.0.0.0/8 to any port 8443
sudo ufw deny 8443/tcp
```
Troubleshooting
Locked Out?
If you lock yourself out via SSH:
- Access the server via your VPS provider's console
- Run `sudo ufw disable`
- Fix your rules
- Re-enable with `sudo ufw enable`
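Most lockouts happen at `sudo ufw enable` when the SSH allow rule was forgotten or mistyped. As an added example (not from the ClawBook docs), the guard below refuses to enable the firewall unless an allow or limit rule admitting SSH is already in the pending rule set. It assumes the `ufw allow ...` / `ufw limit ...` line format that `sudo ufw show added` prints, and it does not check rule order, so a deny for port 22 inserted ahead of the allow would still pass.

```bash
#!/bin/sh
# Added example: do not enable UFW unless SSH is admitted by an added rule.
# The checker reads "ufw <action> ..." lines on stdin, so it can be tested
# without touching the live firewall.

# Returns 0 if some allow/limit rule names port 22, the "ssh" service, or the
# OpenSSH profile (as a plain port, "22/tcp", or "... to any port 22"), else 1.
ssh_rule_present() {
  grep -E '^ufw (allow|limit) ' | grep -Eq '(^| )(22|22/tcp|ssh|OpenSSH)( |$)'
}

# Wrapper for the real host: consult the pending rules, then enable.
safe_enable() {
  if sudo ufw show added | ssh_rule_present; then
    sudo ufw enable
  else
    echo "refusing to enable ufw: no allow/limit rule for SSH found" >&2
    return 1
  fi
}

# Constructed rule listings for a stand-alone check (assumed show-added format).
RULES_OK='ufw allow 80/tcp
ufw limit 22/tcp
ufw allow 8443/tcp'
RULES_BAD='ufw allow 80/tcp
ufw allow 443/tcp'

if printf '%s\n' "$RULES_OK" | ssh_rule_present; then
  echo "RULES_OK: SSH rule found, enable would proceed"
fi
if ! printf '%s\n' "$RULES_BAD" | ssh_rule_present; then
  echo "RULES_BAD: no SSH rule, enable would be refused"
fi
```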
Rules Not Working
```bash
# Check rule order (first match wins)
sudo ufw status numbered
# Ensure the firewall is active
sudo ufw status
# Check for conflicting iptables rules
sudo iptables -L -n
```
Connection Timeout
```bash
# Check whether the port is open
sudo ufw status | grep 8443
# Test locally
curl -v http://localhost:8443
# Test from outside
nmap -p 8443 YOUR_VPS_IP
```
Integration with Fail2Ban
Fail2Ban can add temporary UFW rules:
```ini
# /etc/fail2ban/jail.local
[DEFAULT]
banaction = ufw
```
Check bans:
```bash
sudo fail2ban-client status sshd
```
Best Practices
- Deny by default - Only allow what's needed
- Use rate limiting - Protect against brute force
- Restrict by IP - When possible
- Log everything - For forensics
- Backup rules - Before making changes
- Test carefully - Don't lock yourself out
Next Steps
- Security Best Practices - Complete guide
- SSH Keys - Secure authentication
- API Key Management - Protect your keys