Firewall Management¶
enconf uses nftables as its firewall backend and fail2ban for automatic IP blocking on brute-force attacks.
Overview¶
The firewall management page shows the current status and all configured rules.
Firewall Status¶
| Field | Description |
|---|---|
| Status | Active or Inactive |
| Backend | nftables |
Firewall disabled
When the firewall is disabled, all server ports are openly accessible. Enable the firewall for production use.
Server Selection¶
In multi-server configurations, use the server selector at the top to choose which server's firewall you want to manage.
Firewall Rules¶
The rule table shows all active nftables rules:
| Column | Description |
|---|---|
| Chain | input or output |
| Protocol | TCP or UDP |
| Port | Destination port |
| Source | Source IP or network (empty = all) |
| Action | accept or drop |
| Comment | Description of the rule |
| Protected | System-critical rules (cannot be deleted) |
Protected Rules¶
Certain rules are marked as protected and cannot be deleted:
- SSH (Port 22)
- HTTP (Port 80)
- HTTPS (Port 443)
- DNS (Port 53)
- SMTP (Port 25, 465, 587)
- IMAP (Port 143, 993)
- POP3 (Port 110, 995)
- FTP (Port 21)
- Panel API (Port configurable)
- Agent (Port 50000)
Protected Rules
These rules are required for the operation of the panel and the managed services. Deleting them would prevent access to the server.
Create Rule¶
- Click Create Rule
- Fill out the form:
| Field | Required | Description |
|---|---|---|
| Chain | Yes | input (incoming) or output (outgoing) |
| Protocol | Yes | tcp or udp |
| Port | Yes | Destination port number |
| Source IP | No | Source IP or CIDR network (empty = all) |
| Action | Yes | accept (allow) or drop (block) |
| Comment | No | Description of the rule |
- Click Create
Examples¶
Restrict SSH to a specific IP¶
| Field | Value |
|---|---|
| Chain | input |
| Protocol | tcp |
| Port | 22 |
| Source IP | 203.0.113.10 |
| Action | accept |
Block outgoing SMTP¶
| Field | Value |
|---|---|
| Chain | output |
| Protocol | tcp |
| Port | 25 |
| Source IP | (empty) |
| Action | drop |
Order
Rules are processed in the order they were created. More specific rules should be placed before more general ones.
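The ordering note above, as an added example (not enconf code): a small Python check that assumes each table row becomes one rule, evaluated first-match in creation order with accept and drop ending evaluation. `Rule`, `first_match` and `shadowed` are hypothetical names, and the sample rules on port 8443 are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    chain: str     # "input" or "output"
    protocol: str  # "tcp" or "udp"
    port: int      # destination port
    source: str    # IP or CIDR; "" means all sources
    action: str    # "accept" or "drop"

def _covers(general: str, specific: str) -> bool:
    """True if every address matched by `specific` is also matched by `general`."""
    if general == "":
        return True
    if specific == "":
        return False
    g = ipaddress.ip_network(general, strict=False)
    s = ipaddress.ip_network(specific, strict=False)
    return g.version == s.version and s.subnet_of(g)

def _key(rule: Rule):
    return (rule.chain, rule.protocol, rule.port)

def first_match(rules, chain, protocol, port, src_ip):
    """Action of the first matching rule, or None if the packet falls through."""
    for r in rules:
        if _key(r) == (chain, protocol, port) and _covers(r.source, src_ip):
            return r.action
    return None

def shadowed(rules):
    """(earlier, later) pairs where `later` can never match any packet."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _key(earlier) == _key(later) and _covers(earlier.source, later.source):
                found.append((earlier, later))
                break
    return found

# Constructed sample rules (assumption: not taken from a real server).
GENERAL_FIRST = [
    Rule("input", "tcp", 8443, "", "drop"),
    Rule("input", "tcp", 8443, "203.0.113.10", "accept"),
]
SPECIFIC_FIRST = list(reversed(GENERAL_FIRST))
```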
Delete Rule¶
- Click the delete icon in the action column
- Confirm the deletion
Caution when deleting
Deleting an accept rule may cause the affected port to be blocked if a default-drop policy is active.
Enable / Disable Firewall¶
- Use the toggle at the top of the page
- After disabling, all ports are open
- After enabling, all configured rules take effect
fail2ban¶
fail2ban monitors log files and automatically blocks IP addresses after repeated failed login attempts.
View Status¶
fail2ban information is displayed under System > fail2ban:
| Information | Description |
|---|---|
| Jail | Name of the monitoring jail (e.g. sshd, postfix) |
| Total Banned | Total number of bans |
| Currently Banned | List of currently banned IP addresses |
Unban IP Address¶
- Navigate to System > fail2ban
- Select the relevant jail
- Click Unban next to the IP address
Monitored Services¶
fail2ban monitors the following services by default:
- SSH — Failed SSH logins
- Postfix — Failed SMTP authentications
- Dovecot — Failed IMAP/POP3 logins
- ProFTPD — Failed FTP logins
- Panel — Failed panel logins
Block IP Addresses¶
To manually block an IP address:
- Create a new firewall rule
- Set the source IP to the address to be blocked
- Select action drop
Use firewall rules for permanent IP blocks. Use fail2ban for temporary blocks.