# Firewall Rules (UFW)
ACT uses UFW (Uncomplicated Firewall) to secure your servers. During the commissioning process, ACT takes over firewall management to ensure a secure baseline.
## Enforced Rules
To maintain security and functionality, ACT enforces the following rules:
### Default Policy
- Incoming: DENY (block all unsolicited traffic)
- Outgoing: ALLOW (allow the server to reach the internet)
### Allow List
| Port | Protocol | Service | Reason |
|---|---|---|---|
| 22 | TCP | SSH | Remote management and deployments |
| 80 | TCP | HTTP | Web traffic (redirects to HTTPS) |
| 443 | TCP | HTTPS | Secure web traffic |
| 51820 | UDP | WireGuard | Private Mesh Network communication |
> [!IMPORTANT]
> **WireGuard Port:** The default configuration set up by ACT should allow port 51820/udp. If you find connectivity issues between servers, verify that this port is open in both UFW (`sudo ufw status`) and your cloud provider's firewall.
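As an added example (not part of ACT's own tooling), the shell check below parses the output of `sudo ufw status verbose` and confirms that the default policy and the four Allow List entries above are present. The `ufw status` samples are constructed so the check runs offline; the function name `check_baseline` is this example's own.

```bash
#!/usr/bin/env bash
# Added example, not ACT code: verify the ACT firewall baseline from
# `ufw status verbose` output. On a real server run:
#   check_baseline "$(sudo ufw status verbose)"

# Constructed: a correctly commissioned server (plus one custom MySQL rule).
SAMPLE_OK='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    1.2.3.4'

# Constructed: same server with the WireGuard rule missing, the situation
# behind the mesh connectivity problems the note above describes.
SAMPLE_MISSING_WG=$(printf '%s\n' "$SAMPLE_OK" | grep -v '^51820/udp')

# Ports ACT enforces, as listed in the Allow List.
ACT_REQUIRED_RULES="22/tcp 80/tcp 443/tcp 51820/udp"

# check_baseline STATUS_TEXT
# Prints one line per problem; returns 0 if the baseline is intact, 1 otherwise.
check_baseline() {
    status="$1"
    problems=0
    case "$status" in
        *"Status: active"*) ;;
        *) echo "UFW is not active"; problems=1 ;;
    esac
    case "$status" in
        *"Default: deny (incoming), allow (outgoing)"*) ;;
        *) echo "Default policy is not deny incoming / allow outgoing"; problems=1 ;;
    esac
    for rule in $ACT_REQUIRED_RULES; do
        # Match the IPv4 line "<port>/<proto>   ALLOW IN   ..." at line start.
        if ! printf '%s\n' "$status" | grep -Eq "^${rule}[[:space:]]+ALLOW IN"; then
            echo "Missing allow rule: $rule"
            problems=1
        fi
    done
    return $problems
}
```

Custom rules such as the `3306/tcp` entry do not affect the result; only the enforced baseline is checked.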
## Docker Security Fix (ufw-docker)
By default, Docker manipulates iptables directly, which can inadvertently bypass UFW rules. This means a container exposing a port (e.g., `-p 8080:8080`) might be accessible from the internet even if UFW says "Deny".
ACT solves this by automatically applying the ufw-docker patch during commissioning. This ensures that:
- Docker traffic is routed through UFW chains.
- Only ports explicitly allowed in UFW are accessible.
- Internal network isolation is respected.
## Customizing Rules
You can add custom rules (e.g., allowing specific IPs) using standard UFW commands on the server:

```bash
# Example: Allow MySQL only from a specific IP
sudo ufw allow from 1.2.3.4 to any port 3306 proto tcp
```
ACT will not overwrite your custom rules during re-commissioning, as long as the base requirements are met.