The container management approach of RunCloud Docker differs from offerings from other cloud providers. RunCloud operates on a containerized core system, meaning it manages containers on behalf of the user to provide them a smooth experience, whereas some other providers require users to manage their own containers.

When setting up a fresh server using RunCloud Docker, ports for services such as Redis and MySQL are open by default and should be secured using a cloud or network firewall. Running a firewall on the RunCloud server itself can conflict with Docker’s routing rules, therefore it’s recommended to use an external firewall.

If you have a server connected to the internet, you can use port scanning tools such as online checker, WhatIsMyIP, or iplocation to check if any particular port is open to the internet.

In the above example, we can see that port 3306 is openly accessible via the internet, which is not recommended. For maximum security of your server, turn off internet access on all ports except 80, 443, and 34210.

Configuring Firewall via RunCloud Dashboard

When configuring firewall settings for Docker containers on RunCloud, it’s important to understand that the process differs slightly from traditional servers. Instead of adding individual IP addresses, you may need to specify a CIDR (Classless Inter-Domain Routing) block.

A CIDR block allows you to define an IP address range suitable for your network needs. It’s a more efficient way to allocate IP addresses within networks and route traffic.

Docker containers on RunCloud fetch firewall configurations directly from the server provider. Unlike traditional servers that use firewalld, containerized servers rely on the provider’s settings. This means that the requirement to use a CIDR block can vary depending on the provider’s configuration.

It’s important to note that not all providers mandate the use of CIDR blocks. Some may allow the use of plain IP addresses without the need for CIDR notation.

If your cloud provider requires CIDR blocks, the network panel will consistently display the /0 suffix at the end of the IP addresses. Let’s see how to add a firewall rule when a cloud provider requires using CIDR blocks.

Creating Firewall Rules

When adding IP addresses to your firewall settings, sometimes you might need to write them in CIDR notation. This is very simple – for individual IP addresses, you just append /32 at the end of the IP address.

For example, if you want to add a single IP address such as 111.111.111.111 in CIDR block notation, you just need to write 111.111.111.111/32.

If you want to add a range of addresses, then you will need to use a different suffix (the exact value will be provided to you by your ISP).

If you attempt to add an IP address without a CIDR block, RunCloud will display an error message indicating that the IP address has a missing or invalid CIDR.

In the above example, we can see that the RunCloud dashboard displays an error when the IP address is added using an improper format.

Here’s an example of how firewall settings might appear in RunCloud:

RunCloud dashboard error.

In this example, the IP addresses in some rules are followed by /0, indicating that traffic from any IP address is allowed. This is a common setting for public services such as HTTP and HTTPS.

On the other hand, the custom rule that we created is followed by /32 which means that all 32 bits of the IP address should match for this rule to pass. In other words, no one except the specified IP address can access the server on the specified port.
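To make the /32 and /0 semantics above concrete, here is an added example (not RunCloud's own code) that normalises bare addresses into the CIDR form a provider requires, evaluates whether a client address falls inside a rule's source block, and audits a constructed rule table for ports other than 80, 443 and 34210 that are open to the whole internet. The rule table and client addresses are constructed for illustration; the helper also handles IPv6 (a bare IPv6 address becomes /128).

```python
import ipaddress

# Ports RunCloud needs reachable from the internet, as stated on this page.
REQUIRED_PUBLIC_PORTS = (80, 443, 34210)


def to_cidr(entry: str) -> str:
    """Normalise a firewall source entry into CIDR notation.

    A bare IPv4/IPv6 address becomes a single-host block (/32 or /128);
    an entry that already carries a prefix is validated and returned as written.
    Raises ValueError for anything a CIDR-requiring dashboard would reject
    as a missing or invalid CIDR (e.g. "111.111.111" or "10.0.0.5/24", which
    is assumed here to be rejected because it has host bits set).
    """
    if "/" in entry:
        return str(ipaddress.ip_network(entry))  # strict: host bits must be zero
    addr = ipaddress.ip_address(entry)
    return f"{addr}/{addr.max_prefixlen}"


def rule_allows(rule_source: str, client_ip: str) -> bool:
    """True if client_ip is inside the rule's source block.

    /32 matches exactly one IPv4 address; /0 matches every address.
    """
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(to_cidr(rule_source))


def is_allowed(rules, client_ip: str, port: int, proto: str = "tcp") -> bool:
    """Inbound decision with default deny: some rule for port/proto must cover client_ip."""
    return any(p == port and pr == proto and rule_allows(src, client_ip)
               for p, pr, src in rules)


def audit_rules(rules):
    """List rules that expose a non-required port to the entire internet (/0)."""
    problems = []
    for port, proto, source in rules:
        net = ipaddress.ip_network(to_cidr(source))
        if net.prefixlen == 0 and port not in REQUIRED_PUBLIC_PORTS:
            problems.append(f"port {port}/{proto} open to {net}")
    return problems


# Constructed rule table shaped like the dashboard: (port, protocol, source).
CONSTRUCTED_RULES = [
    (80, "tcp", "0.0.0.0/0"),
    (443, "tcp", "0.0.0.0/0"),
    (34210, "tcp", "0.0.0.0/0"),
    (22, "tcp", "111.111.111.111"),  # bare address, normalised to /32
    (3306, "tcp", "0.0.0.0/0"),      # MySQL exposed to the world: flagged by audit_rules
]
```

Running `audit_rules(CONSTRUCTED_RULES)` reports only the 3306 rule, while `is_allowed(CONSTRUCTED_RULES, "203.0.113.9", 22)` is denied because the SSH rule is a /32 for a single address.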

Configuring Firewall Via Cloud Provider’s Dashboard

The RunCloud dashboard is constantly being updated with new features, and sometimes the RunCloud dashboard may not support your specific cloud provider. In such cases, you’ll need to manage your firewall rules directly through your cloud provider’s dashboard panel.

In the above example, it is not possible to manage firewall rules via the RunCloud dashboard for servers deployed on Hetzner. To set up a firewall rule in Hetzner Cloud, follow these steps:

  1. Access the Hetzner Cloud Console: Open your project within the Hetzner Cloud Console and locate your server.
  2. Navigate to Firewalls: Open your server settings and select ‘Firewalls’ from the menu bar. On this screen, click on ‘CREATE FIREWALL’ to start setting up your new firewall.
  3. Configure Rules: Customize your firewall with inbound and outbound rules to manage traffic:
    • Inbound Rules: Here you can specify which inbound traffic is allowed – if no IP address is added, all connections will be dropped. For RunCloud, you must allow ports 80, 443, and 34210 over TCP for proper functioning. Optionally, you can also add any other ports you need.
    • Outbound Rules: In this section, you can define the outbound traffic your server can access. Without any specified IP addresses, all outbound traffic will be permitted.
  4. Apply to Resources: After configuring the rules, you need to either assign the firewall to servers manually, or use label selectors for automatic activation on servers with matching labels.
  5. Create the Firewall: Finally, give your firewall a unique name within the project, and once satisfied with the settings, click ‘CREATE FIREWALL’ to finalize the creation.

After creating the firewall, it will be automatically connected to the servers that you selected, and if you deploy any new servers in the future, you can re-use this firewall for those as well.

Finally, go back to your port scanner tool and run another scan. If the firewall was applied correctly, then it will show that all the other ports are now closed.