Manage the system firewall on a Linux instance


Check, enable, configure, and disable the Linux OS firewall without locking yourself out.

How it works

A security group filters all traffic to and from an ECS instance first, then the OS firewall processes it. Traffic must pass both to reach the application.

  • Security group (cloud network layer)

    • Function: A security group acts as a virtual firewall that controls inbound and outbound traffic outside the OS — the first line of defense.

    • Logic: If a security group denies traffic on a port (such as port 22 for SSH), all external requests to that port are blocked, regardless of the OS firewall settings.

  • System firewall (instance layer)

    • Function: Firewall software such as firewalld or ufw runs inside the Linux OS; on Alibaba Cloud public images it is disabled by default. It provides granular control over traffic the security group has already let through, for example limiting a port to specific source addresses.

    • Logic: Traffic must pass the security group before reaching the OS firewall. The two form an AND relationship — your application receives traffic only if both allow it.

Procedure

Check firewall status

Check the current firewall status before making changes.

Alibaba Cloud Linux, CentOS, or Red Hat

Run the following command to check firewalld status.

sudo firewall-cmd --state
  • not running: The firewall is disabled.

  • running: The firewall is enabled.

  • If the output is command not found, firewalld is not installed. Install it by running sudo yum install firewalld -y or sudo dnf install firewalld -y.

Ubuntu or Debian

Run the following command to check ufw status.

sudo ufw status
  • Status: active: The firewall is enabled.

  • Status: inactive: The firewall is disabled.

  • On Debian, if the output is command not found, ufw is not installed. Run sudo apt update && sudo apt install ufw -y to install it.

Enable the firewall

Important

Never enable the firewall before you add rules to allow necessary traffic. Doing so may lock you out of the instance. Always allow first, then enable.

Alibaba Cloud Linux, CentOS, or Red Hat

  1. Make sure the stored (permanent) configuration allows SSH before the service starts. While firewalld is stopped, firewall-cmd cannot reach the daemon and fails with "FirewallD is not running", so use firewall-offline-cmd, which edits the permanent configuration directly:

    sudo firewall-offline-cmd --add-service=ssh

    The default public zone already contains the ssh service (port 22), so this step matters mainly when the zone was changed. If sshd listens on a different port, add that port instead with sudo firewall-offline-cmd --add-port=<port_number>/tcp.
  2. Start the firewall service. Starting it loads the permanent configuration, so no separate reload is needed.

    sudo systemctl start firewalld
  3. Before you close the session, confirm that the active zone allows SSH (ssh under services, or your port under ports).

    sudo firewall-cmd --list-all
  4. (Optional): Enable the firewall to start on boot.

    sudo systemctl enable firewalld

  If firewalld is already running, add the rule with sudo firewall-cmd --permanent --add-service=ssh and apply it with sudo firewall-cmd --reload instead of using firewall-offline-cmd.

Ubuntu or Debian

  1. Allow SSH connections.

    sudo ufw allow ssh
  2. Enable the firewall. ufw enable activates the rules you added and also configures ufw to start on boot, so no separate service step is needed.

    sudo ufw enable

    The system warns that the operation may disrupt existing connections. Enter y to confirm. SSH is already allowed, so your session stays connected.
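The lock-out risk in both procedures above comes from enabling a firewall whose rules do not cover the port sshd is actually using. The following script is an added example, not part of this page or of firewalld/ufw: it parses sshd_config for the listening ports and compares them with the TCP ports the firewall will allow (read from firewall-cmd --list-all or ufw status output), refusing the enable step when SSH would be cut off. The service-to-port map and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: a lock-out check to run before
# "systemctl start firewalld" or "ufw enable". Functions read their input on
# stdin so they work equally on files and on live command output.

# Ports from active "Port" directives in an sshd_config body; 22 if none.
sshd_ports() {
    ports=$(awk '$1 == "Port" { print $2 }')
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else printf '22\n'; fi
}

# Service-name to TCP-port map for the firewalld services used on this page
# (assumed subset; extend it for other services you rely on).
service_port() {
    case "$1" in
        ssh)   echo 22 ;;
        http)  echo 80 ;;
        https) echo 443 ;;
    esac
}

# Allowed TCP ports from "firewall-cmd --list-all" output: the "services:"
# and "ports:" lines of the zone (forward-ports/source-ports are ignored).
firewalld_allowed_tcp() {
    while read -r key rest; do
        case "$key" in
            services:)
                for s in $rest; do
                    p=$(service_port "$s")
                    if [ -n "$p" ]; then echo "$p"; fi
                done ;;
            ports:)
                for pp in $rest; do
                    case "$pp" in *'/tcp') echo "${pp%/tcp}" ;; esac
                done ;;
        esac
    done
}

# Allowed TCP ports from "ufw status" output (rows such as "22/tcp ALLOW Anywhere").
ufw_allowed_tcp() {
    while read -r to action rest; do
        [ "$action" = "ALLOW" ] || continue
        case "$to" in *'/tcp') echo "${to%/tcp}" ;; esac
    done
}

# preflight "<sshd ports>" "<allowed ports>": returns 0 when every sshd port is
# allowed; otherwise lists the missing ports on stderr and returns 1.
preflight() {
    missing=""
    for p in $1; do
        echo "$2" | grep -qx "$p" || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        echo "refusing to enable: sshd port(s) not allowed:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed samples standing in for /etc/ssh/sshd_config and live firewall output.
SSHD_CONFIG_SAMPLE='# constructed sshd_config
Port 22
Port 2222
PermitRootLogin no'
FIREWALLD_SAMPLE='public (active)
  target: default
  services: dhcpv6-client ssh
  ports: 8080/tcp
  forward-ports:
  source-ports:'
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Demo against the samples. On a real instance use, for example:
#   preflight "$(sshd_ports < /etc/ssh/sshd_config)" \
#       "$(sudo firewall-offline-cmd --list-all | firewalld_allowed_tcp)" && sudo systemctl start firewalld
#   preflight "$(sshd_ports < /etc/ssh/sshd_config)" \
#       "$(sudo ufw status | ufw_allowed_tcp)" && sudo ufw enable
ssh_ports=$(printf '%s\n' "$SSHD_CONFIG_SAMPLE" | sshd_ports)
if preflight "$ssh_ports" "$(printf '%s\n' "$FIREWALLD_SAMPLE" | firewalld_allowed_tcp)"; then
    echo "firewalld sample: safe to start"   # not reached: port 2222 is missing
fi
if preflight "$ssh_ports" "$(printf '%s\n' "$UFW_SAMPLE" | ufw_allowed_tcp)"; then
    echo "ufw sample: safe to enable"
fi
```

The firewalld sample fails the check because sshd also listens on 2222 and the zone only carries the ssh service (port 22); the ufw sample passes. Use firewall-cmd --list-all instead of firewall-offline-cmd once the daemon is running.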

Open a specific port or service

Alibaba Cloud Linux, CentOS, or Red Hat

  1. Open a specific port or service:

    • By service name (recommended):

      # Permanently allow the HTTP and HTTPS services
      sudo firewall-cmd --permanent --add-service=http
      sudo firewall-cmd --permanent --add-service=https
    • By port number:

      # Permanently allow port 8080/TCP
      sudo firewall-cmd --permanent --add-port=8080/tcp
  2. Apply the new rules: Reload the firewall after you add or remove rules.

    sudo firewall-cmd --reload
  3. Verify that the rules are in effect:

    Lists all active rules in the current zone, including services, ports, and protocols.

    sudo firewall-cmd --list-all

Ubuntu or Debian

With ufw, rules added while the firewall is active take effect immediately and persist across reboots. If ufw is inactive, the rules are stored and applied when you run sudo ufw enable.

  1. Open a specific port or service:

    • By service name (recommended):

      # Allow the HTTP and HTTPS services
      sudo ufw allow http
      sudo ufw allow https
    • By port number:

      # Allow port 3306/TCP from any source the security group admits.
      # For a database port, restrict the source instead (see Apply in production).
      sudo ufw allow 3306/tcp
  2. Verify that the rules are in effect:

    Run the following command to view all active rules.

    sudo ufw status
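Opening 3306/tcp as shown above admits every source the security group lets through, which is the opposite of the least-privilege advice under Apply in production. The script below is an added example, not code from this page or from firewalld/ufw: it replaces a wide-open port rule with one scoped to a trusted IPv4 network, using a firewalld rich rule or a ufw from/to rule. It must run as root (or under sudo) to change a live firewall; DRY_RUN=1 prints the commands instead. The network 10.0.0.0/8 and port 3306 are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: open a database port only to a
# trusted network, on either firewalld or ufw. Run as root or under sudo;
# set DRY_RUN=1 to print the commands instead of executing them.
DRY_RUN="${DRY_RUN:-}"

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Input validation before anything reaches a firewall command:
# a TCP port number and an IPv4 CIDR such as 10.0.0.0/8.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# firewalld: drop a wide-open "--add-port" entry if present, add a rich rule that
# accepts the port only from the given source network, then reload to apply.
restrict_port_firewalld() {
    port=$1; cidr=$2
    valid_port "$port" && valid_cidr "$cidr" || return 1
    if run firewall-cmd --permanent --query-port="${port}/tcp"; then
        run firewall-cmd --permanent --remove-port="${port}/tcp"
    fi
    run firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${cidr} port port=${port} protocol=tcp accept"
    run firewall-cmd --reload
}

# ufw: same idea. Deleting a rule that does not exist only prints a message;
# the "|| true" keeps that from aborting the script under "set -e".
restrict_port_ufw() {
    port=$1; cidr=$2
    valid_port "$port" && valid_cidr "$cidr" || return 1
    run ufw delete allow "${port}/tcp" || true
    run ufw allow from "$cidr" to any port "$port" proto tcp
}

# Dry-run demo: show what would be executed for MySQL from a private range
# (10.0.0.0/8 is a placeholder for your VPC or trusted subnet).
DRY_RUN=1
restrict_port_firewalld 3306 10.0.0.0/8
restrict_port_ufw 3306 10.0.0.0/8
```

Run the functions with DRY_RUN unset to apply the change, then confirm with sudo firewall-cmd --list-all (rich rules section) or sudo ufw status that the only 3306 entry is the source-restricted one.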

Disable the firewall

Temporarily disable the firewall to determine whether a blocking policy causes a connectivity issue.

Important

Do not disable the firewall in production. Re-enable it after testing or resolving the issue.

CentOS, Red Hat, or Alibaba Cloud Linux

sudo systemctl stop firewalld

This stops the service for the current boot only. If firewalld is enabled to start on boot, it comes back after a reboot; run systemctl disable firewalld in addition only if that is intended.

Ubuntu or Debian

sudo ufw disable

ufw disable also stops ufw from starting on boot; sudo ufw enable restores both.

Apply in production

  • Best practices

    • Principle of least privilege: Only open ports essential for your application. For core services such as databases, allow access only from trusted internal IP addresses and avoid exposure to the Internet.

    • Maintain a backup connection: Before changing firewall rules, open a second SSH session to the instance and keep it open. Established connections are tracked by the firewall and usually survive rule changes, so if a change locks new logins out, the existing session lets you revert it. The VNC connection in the ECS console does not pass through the instance's network stack, so it also works when a rule blocks SSH.

  • Risk prevention

    • Logging and monitoring: Audit firewall logs regularly to detect unusual access attempts. Denied packets are logged by the kernel, not by the firewall daemon, so look in the kernel log.

      • firewalld: sudo journalctl -u firewalld shows only daemon events (start, reload, errors loading rules). To log dropped or rejected packets, run sudo firewall-cmd --set-log-denied=all (unicast restricts it to unicast traffic, off turns it back off). The entries then appear in the kernel log, visible with sudo journalctl -k, with prefixes such as FINAL_REJECT: or STATE_INVALID_DROP:. On a busy host this is noisy, so keep it on only while investigating.

      • ufw: ufw enable turns logging on at the low level. Entries tagged [UFW BLOCK] go to /var/log/ufw.log when rsyslog is installed (the default on Ubuntu) and are also visible with sudo journalctl -k. Raise the level with sudo ufw logging medium to also record new connections and invalid packets.
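Both ufw and firewalld (with log-denied enabled) write netfilter log lines in the same KEY=VALUE form; only the prefix differs. The script below is an added example, not part of this page: it summarises denied packets by source address, destination port and protocol, and lists sources that exceed a threshold, which is the usual first step before deciding whether to add a block rule or a security-group deny. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original page: triage denied-packet log lines
# from ufw (/var/log/ufw.log) or firewalld (journalctl -k after
# "firewall-cmd --set-log-denied=all").

# Constructed sample: two ufw hosts' worth of [UFW BLOCK] lines, firewalld
# FINAL_REJECT/STATE_INVALID_DROP lines, and one unrelated sshd line.
SAMPLE_LOG='Nov  3 10:15:42 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:00:5e:00:53:01:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=1 PROTO=TCP SPT=43210 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 10:15:43 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=43211 DPT=3306 SYN
Nov  3 10:15:44 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=43212 DPT=6379 SYN
Nov 03 10:16:01 db1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=51234 DPT=22 SYN
Nov 03 10:16:02 db1 kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=51234 DPT=22 ACK
Nov 03 10:16:05 db1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.11 PROTO=UDP SPT=5353 DPT=5353
Nov  3 10:16:07 web1 sshd[1234]: Accepted publickey for ops from 192.0.2.50 port 50000 ssh2'

# Reads log lines on stdin; prints "count src dpt proto" for each denied
# (source, destination port, protocol) tuple, most frequent first.
denied_summary() {
    awk '
    /\[UFW BLOCK\]|FINAL_REJECT:|STATE_INVALID_DROP:/ {
        src = dpt = proto = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        n[src " " dpt " " proto]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Sources with more than $1 denied packets in total (default 2): candidates
# for investigation, a firewall block rule or a security-group deny rule.
noisy_sources() {
    threshold=${1:-2}
    denied_summary | awk -v t="$threshold" '
        { tot[$2] += $1 }
        END { for (s in tot) if (tot[s] > t) print tot[s], s }' | LC_ALL=C sort -k1,1nr
}

# Demo on the constructed sample. For live data use, for example:
#   denied_summary < /var/log/ufw.log            (ufw; needs read access to the file)
#   sudo journalctl -k --since today | denied_summary   (firewalld with log-denied on)
printf '%s\n' "$SAMPLE_LOG" | denied_summary
echo "--- sources over threshold ---"
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 2
```

On the sample, 203.0.113.7 probing 3306 and 6379 is the only source over the threshold; the STATE_INVALID_DROP line for 198.51.100.9 is counted too, since an invalid-state packet to an SSH port is just as relevant as a rejected SYN.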

FAQ

  • Service still inaccessible after disabling the OS firewall

    Check the following in order:

    1. Check the security group: Log on to the ECS console - Security Groups page. Confirm that the inbound rules allow traffic on the required port from the appropriate source IPs.

    2. Check the service listening status: Confirm that the application listens on the expected address (such as 0.0.0.0) and port. Run ss -tunlp | grep <port_number> or netstat -tunlp | grep <port_number> on the instance.

    3. Check the network ACL: If your instance is associated with a network ACL, verify that its rules permit the relevant traffic.

  • Resolve a command not found error

    The firewall management tool is not installed. Install it:

    • On CentOS/Red Hat/Alibaba Cloud Linux, run sudo yum install firewalld -y or sudo dnf install firewalld -y.

    • On Ubuntu/Debian, run sudo apt update && sudo apt install ufw -y.