Firewall access rules

Table of Contents

  1. Whitelisting
  2. Port forwarding

MageStack has an exhaustive 3-tier firewall policy that provides superb security and protection for your stack and store. However, in some cases, it may be necessary to bypass some of these security measures for trusted hosts. There are two ways that hosts can be trusted to allow traffic to flow.

These two methods are whitelisting and port forwarding. Each is slightly different and serves a different purpose.


Whitelisting

Whitelisting is different from port forwarding, as it doesn't permit access to internal services (i.e. you cannot whitelist FTP); it merely guarantees access to the web server for a given port/protocol and ensures a firewall block can never occur.

When an IP/Range is whitelisted, it will not be blocked by the firewall. This guarantees the source address access to all standard services (HTTP/HTTPS/VPN). As a secondary function, whitelisted hosts also circumvent the DOS filter; regardless of request volume, a whitelisted host will not be blocked by the DOS filter.

A member of the support team can add your IP/Range to the whitelist. The only information that we require is:

  • Source IP/Range

Once you have the information, create a DOS filter entry via our control panel.

Port forwarding

Initial access to MageStack requires a VPN connection to be established; however, some services (like Beanstalk or DeployHQ) cannot facilitate a VPN connection. For these services, we can put a rule in place on the firewall to permit access to SSH/SCP/SFTP/FTP.

You can create a port forward by visiting the port forwarding section of our control panel: Port forwarding

You will require the Source IP/Range in order to add the port forward.

! As FTP is a plain text service, forwards cannot be created for it.
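Both whitelisting and port forwarding trust whatever Source IP/Range is entered, so it is worth reviewing the value before submitting it. The following is an added example, not part of MageStack or its control panel: a pre-submission check whose function name, prefix limits and non-routable list are assumptions chosen for illustration.

```python
import ipaddress

# Assumed review limits for this example, not MageStack settings.
MAX_BREADTH = {4: 24, 6: 64}  # flag anything broader than /24 (v4) or /64 (v6)

# Private, loopback, link-local and carrier-grade NAT space: never a valid
# internet-facing source for a remote deployment service or office.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]


def review_source_range(text):
    """Return (normalized CIDR or None, list of findings) for one entry."""
    text = text.strip()
    try:
        # strict=False accepts entries with host bits set (203.0.113.7/24)
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None, ["not a valid IP address or CIDR range"]

    findings = []
    if "/" in text and ipaddress.ip_interface(text).ip != net.network_address:
        findings.append(f"host bits set; this actually covers {net}")
    limit = MAX_BREADTH[net.version]
    if net.prefixlen < limit:
        findings.append(
            f"broader than /{limit}: {net.num_addresses} addresses "
            "would be trusted")
    if any(net.version == n.version and net.overlaps(n) for n in NON_ROUTABLE):
        findings.append("overlaps private, loopback or link-local space")
    return str(net), findings


if __name__ == "__main__":
    # Constructed sample entries (documentation and private ranges).
    for entry in ("203.0.113.7", "203.0.113.7/24", "198.51.100.0/16",
                  "10.1.2.0/24", "office-ip"):
        cidr, notes = review_source_range(entry)
        print(f"{entry:18} -> {cidr}: {'; '.join(notes) or 'ok'}")
```

An entry with no findings is a single host or a narrow range of public addresses, which keeps the set of sources exempt from firewall blocks as small as possible.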