
Network & Firewall Configuration

Configure network settings, firewall rules, and system limits to prepare your server for ORISO Platform deployment.
Step 1: Check Network Configuration

Verify network connectivity and configuration before proceeding.

# Check IP address
ip addr show

# Check default gateway
ip route show

# Check DNS
cat /etc/resolv.conf

# Test internet connectivity
ping -c 4 8.8.8.8
ping -c 4 google.com

Ensure you can ping external addresses and that DNS resolution is working correctly.
Step 2: Install and Configure UFW Firewall

Install UFW (Uncomplicated Firewall) and configure rules for all required services.
IMPORTANT: Always allow SSH (port 22) first before enabling the firewall, or you may lock yourself out!

# Install UFW
sudo apt install -y ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (IMPORTANT - do this first!)
sudo ufw allow 22/tcp
sudo ufw allow ssh

# Allow HTTP/HTTPS (optional, for external access)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow main entry point (Nginx proxy)
sudo ufw allow 8089/tcp

# Allow Frontend and Admin
sudo ufw allow 9001/tcp
sudo ufw allow 9002/tcp

# Allow Keycloak Admin Console
sudo ufw allow 8080/tcp

# Allow Element.io
sudo ufw allow 8087/tcp

# Allow Redis Commander (optional)
sudo ufw allow 9021/tcp

# Allow Redis Exporter (optional)
sudo ufw allow 9020/tcp

# Allow Health Dashboard (optional)
sudo ufw allow 9100/tcp

# Allow SignOZ (optional)
sudo ufw allow 3001/tcp

# Allow Matrix Synapse (if direct access needed)
sudo ufw allow 8008/tcp

# Enable UFW
sudo ufw enable

# Check status
sudo ufw status verbose

The expected output shows each port as ALLOW IN and the status as active. Verify that SSH is listed first.
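The rule set above opens the optional dashboard, exporter and direct Synapse ports to every source address. As an added example (not code from the ORISO docs), the script below builds the same rule set with ufw's `from` form so that those optional ports answer only to a trusted management network, and checks the `ufw status` output for a 22/tcp ALLOW rule before enabling the firewall. ADMIN_CIDR, the public/restricted split, and the sample status text are assumptions made here, not values from this page.

```shell
#!/bin/sh
# Added example (not part of the ORISO docs): build the UFW rule set from the
# port list above, restrict the optional tooling ports to a trusted network,
# and refuse to enable the firewall unless an SSH allow rule is present.
#
# Assumption (not from the page): ADMIN_CIDR is your management network.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"

# Ports the page marks as required, plus 80/443 for Let's Encrypt: open to all.
PUBLIC_PORTS="22 80 443 8089 9001 9002 8080 8087"
# Ports the page marks as optional (dashboards, exporters, direct Synapse
# access): only reachable from ADMIN_CIDR. The same form works for 8080 if
# the Keycloak admin console does not need to be reachable from the internet.
ADMIN_PORTS="8008 9021 9020 9100 3001"

# Print the ufw commands without running them, so they can be reviewed first.
# SSH is emitted before any other allow rule.
ufw_plan() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for p in $PUBLIC_PORTS; do
    echo "ufw allow $p/tcp"
  done
  for p in $ADMIN_PORTS; do
    echo "ufw allow from $ADMIN_CIDR to any port $p proto tcp"
  done
}

# Return 0 if the given `ufw status` text contains an ALLOW rule for 22/tcp.
# Matches both the plain and the `verbose` status layouts.
ssh_rule_present() {
  printf '%s\n' "$1" | grep -Eq '^22/tcp[[:space:]]+ALLOW'
}

# Apply the plan with sudo, then enable only after the SSH rule is confirmed.
# Set DRY_RUN=1 to print the commands instead of executing them.
ufw_apply() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    ufw_plan | sed 's/^/+ sudo /'
    return 0
  fi
  ufw_plan | while IFS= read -r cmd; do
    # shellcheck disable=SC2086  # intentional word splitting of the command
    sudo $cmd </dev/null
  done
  if ssh_rule_present "$(sudo ufw status)"; then
    sudo ufw --force enable
  else
    echo "refusing to enable ufw: no ALLOW rule for 22/tcp" >&2
    return 1
  fi
}

# Constructed sample status output (not captured from any real server), used
# to exercise ssh_rule_present offline.
SAMPLE_STATUS_OK='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8089/tcp                   ALLOW       Anywhere'

SAMPLE_STATUS_NO_SSH='Status: active

To                         Action      From
--                         ------      ----
8089/tcp                   ALLOW       Anywhere'
```

Run `DRY_RUN=1 ufw_apply` first to review the generated commands; `ufw_apply` without it applies them and enables the firewall only when the status output already lists 22/tcp as ALLOW. `ufw --force enable` skips the interactive confirmation prompt, so keep the SSH check in front of it.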
Step 3: Configure System Limits

Increase the system file and process limits required for Kubernetes operation.

# Increase file limits for Kubernetes
sudo tee -a /etc/security/limits.conf <<EOF
* soft nofile 65536
* hard nofile 65536
* soft nproc 32768
* hard nproc 32768
EOF

# Increase kernel limits
sudo tee -a /etc/sysctl.conf <<EOF
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
vm.max_map_count = 262144
net.ipv4.ip_forward = 1
EOF

# Apply sysctl settings
sudo sysctl -p

# Verify
ulimit -n

The ulimit -n command should output 65536.
You may need to log out and log back in for the limits.conf changes to take full effect.
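Because both heredocs above use `tee -a`, running the step a second time appends the same lines again. The following added example (not code from the ORISO docs) writes the same values to drop-in files instead, which is safe to re-run, and verifies that the kernel values actually in effect meet the required minimums. The drop-in paths are conventional locations chosen for this example, not paths the page specifies.

```shell
#!/bin/sh
# Added example (not part of the ORISO docs): the same limits as the step
# above, written to drop-in files instead of appended with `tee -a`, so that
# re-running never duplicates entries, plus a check that the values in effect
# meet the required minimums.
#
# Assumed drop-in paths (conventional locations, not taken from the page):
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/99-oriso.conf}"
LIMITS_DROPIN="${LIMITS_DROPIN:-/etc/security/limits.d/99-oriso.conf}"

# Contents of the limits drop-in (identical to the page's limits.conf block).
limits_dropin_content() {
  cat <<'EOF'
* soft nofile 65536
* hard nofile 65536
* soft nproc 32768
* hard nproc 32768
EOF
}

# Contents of the sysctl drop-in (identical to the page's sysctl.conf block).
sysctl_dropin_content() {
  cat <<'EOF'
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
vm.max_map_count = 262144
net.ipv4.ip_forward = 1
EOF
}

# Check a file of "key = value" lines (the drop-in, or a saved `sysctl -a`)
# against the required minimums. Prints each shortfall; returns 1 if any.
check_sysctl_values() {
  file="$1"
  fail=0
  while read -r key min; do
    # Escape the dots so the key matches literally in the sed pattern.
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    cur=$(sed -n "s/^$pat[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1)
    if [ -z "$cur" ] || [ "$cur" -lt "$min" ]; then
      echo "FAIL $key: have '${cur:-unset}', need >= $min"
      fail=1
    fi
  done <<'EOF'
fs.file-max 2097152
fs.inotify.max_user_watches 524288
fs.inotify.max_user_instances 512
vm.max_map_count 262144
net.ipv4.ip_forward 1
EOF
  return "$fail"
}

# Install both drop-ins, load the sysctl values immediately, and verify the
# live values. As with the page's version, nofile/nproc only apply to new
# login sessions.
apply_limits() {
  limits_dropin_content | sudo tee "$LIMITS_DROPIN" >/dev/null
  sysctl_dropin_content | sudo tee "$SYSCTL_DROPIN" >/dev/null
  sudo sysctl --system >/dev/null
  snap=$(mktemp)
  sysctl -a 2>/dev/null > "$snap"
  check_sysctl_values "$snap"
  rc=$?
  rm -f "$snap"
  return "$rc"
}
```

`sysctl --system` loads every file under /etc/sysctl.d, so the drop-in takes effect without touching /etc/sysctl.conf. `check_sysctl_values` can also be pointed at a saved `sysctl -a` snapshot from another host to confirm it was prepared the same way.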

Firewall Port Summary

The following ports are configured to allow incoming connections:
Port   Service            Required
22     SSH                ✅ Required
80     HTTP               Optional (for Let’s Encrypt)
443    HTTPS              Optional
8089   Nginx Proxy        ✅ Required
9001   Frontend           ✅ Required
9002   Admin              ✅ Required
8080   Keycloak           ✅ Required
8087   Element.io         ✅ Required
8008   Matrix Synapse     Optional
9021   Redis Commander    Optional
9020   Redis Exporter     Optional
9100   Health Dashboard   Optional
3001   SignOZ             Optional

Troubleshooting

If you’re locked out of SSH after enabling the firewall:
  1. Access your server via console (not SSH)
  2. Disable UFW: sudo ufw disable
  3. Re-add SSH rule: sudo ufw allow 22/tcp
  4. Re-enable UFW: sudo ufw enable

Next Steps