Firewall access rules

MageStack has an exhaustive 3-tier firewall policy that provides superb security and protection for your stack and store. However, in some cases, it may be necessary to bypass some of these security measures for trusted hosts. There are two ways that hosts can be trusted to allow traffic to flow.

These two methods are whitelisting and port forwarding; each is slightly different and serves a different purpose.

Whitelisting

Whitelisting differs from port forwarding in that it doesn't permit access to internal services (i.e. you cannot whitelist FTP); it merely guarantees access to the web server for a given port/protocol and ensures a firewall block can never occur.

When an IP/Range is whitelisted, it will not be blocked by the firewall. This guarantees the source address access to all standard services (HTTP/HTTPS/VPN). Whitelisting also has a secondary function: whitelisted hosts circumvent the DOS filter, so regardless of request volume, a whitelisted host will not be blocked by the DOS filter.

A member of the support team can add your IP/Range to the whitelist. The only information that we require is:

  • Source IP/Range

Once you have the information, submit a support ticket and our team will add the IP/Range to the whitelist.

Port forwarding

Initial access to MageStack requires a VPN connection to be established; however, some services (like Beanstalk or DeployHQ) cannot facilitate a VPN connection. For these services, we can put a rule in place on the firewall to permit access to SSH/SCP/SFTP/FTP.

A member of the support team can put the port forwarding rule in place. The only information that we require is:

  • Source IP/Range
  • Protocol (e.g. SSH)

Once you have the information, submit a support ticket and our team will put the rule in place and provide the connection information. Any hosts configured for a port forward are automatically whitelisted for that service.

! FTP is a plain text service; port forwarding it is not recommended.
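
Because a whitelisted source bypasses both firewall blocks and the DOS filter, and a port forward is whitelisted for its service, it is worth checking the Source IP/Range and Protocol before raising either ticket. The following is an added example, not MageStack code: `review_request`, the 256-address ceiling and the non-routable list are assumptions chosen for illustration.

```python
import ipaddress

# Protocols the page lists as eligible for a port forward.
FORWARDABLE = {"SSH", "SCP", "SFTP", "FTP"}
# Assumption: illustrative ceiling (an IPv4 /24), not a MageStack limit.
MAX_ADDRESSES = 256
# Assumption: ranges that cannot be a real internet-facing source address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def review_request(source, protocol=None):
    """Check a whitelist (protocol=None) or port-forward request.

    Returns (normalised_range, problems); an empty list means nothing to fix.
    """
    try:
        # strict=False turns "203.0.113.7/24" into the network 203.0.113.0/24.
        net = ipaddress.ip_network(source.strip(), strict=False)
    except ValueError:
        return None, [f"not a valid IP or CIDR range: {source!r}"]

    problems = []
    if any(net.overlaps(n) for n in NON_ROUTABLE):
        problems.append(f"{net} includes private or local addresses; "
                        "give the public address the firewall will see")
    if net.num_addresses > MAX_ADDRESSES:
        problems.append(f"{net} covers {net.num_addresses} addresses, all of "
                        "which would bypass firewall blocks and the DOS filter")
    if protocol is not None:
        proto = protocol.strip().upper()
        if proto not in FORWARDABLE:
            problems.append(f"{proto} is not one of {sorted(FORWARDABLE)}")
        elif proto == "FTP":
            problems.append("FTP is plain text; ask for SFTP or SCP instead")
    return str(net), problems


if __name__ == "__main__":
    # Constructed sample requests (documentation and private ranges only).
    for src, proto in [("203.0.113.7", None), ("203.0.113.7/24", "ssh"),
                       ("192.168.1.10", None), ("198.51.100.0/16", "FTP")]:
        print(src, proto, review_request(src, proto))
```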