A really good thing about setting up blogs and small websites these days is that dedicated servers and dedicated IPs from cloud vendors are an affordable option for most.[1] Setting up your own server instance is pretty easy, but often very insecure by default. Setting up security through Linux firewalls is possible, but can be somewhat daunting for many who are simply looking for an inexpensive and flexible web host.

Fortunately, there is an outstanding option for those looking to simply secure a single server (or many servers) from Dome9. Dome9 is essentially a system for managing system firewalls – removing the complexities of installing and configuring firewalls on individual nodes as well as providing some automation to firewall management.

First, What Is A Firewall?

You might be somewhat familiar with firewall software already – most operating systems ship with some form of firewall software built in. In personal computing use, firewall configurations often block certain types of internet traffic altogether. On a server the firewall configuration becomes a bit more complicated: some services you want to block, some you want to leave completely open (such as web server traffic), and some you want restricted to a certain range of IP addresses – such as allowing SSH traffic only from your home or office internet address.

Let’s take a look at a simple example:

Firewall Illustration

This would be a desired configuration for a simple web application (such as a WordPress site). The rules that we want to enforce:

  • All HTTP (and possibly HTTPS) traffic is open to the world. We want people to visit our website!
  • SSH access is limited to a certain IP range. (The image displays – for example – a ‘local’ set of SSH addresses behind a router. In a cloud deployment, you might want to limit SSH access to your home internet connection IP, or to wherever you actually access your servers from.)
  • Blocking all access from ‘the outside’ to port 3306 – the default MySQL server port.
  • … and finally, blocking all attempts at network connections other than the HTTP and HTTPS connections that you want external connections to make. (i.e. only allow global access on ports 80 and 443 – the ports that web browsers use to access a website.)

These rules can be set up on individual servers using firewall configurations (such as iptables on Linux servers) – but direct firewall management can be something of a chore, especially if you have more than one server to maintain. This is where a firewall management system comes in handy – in this example we’ll look at using Dome9.[2]

How Does Dome9 Manage Firewalls?

Dome9 manages firewalls through an agent infrastructure. To use Dome9 on a server instance, you will need to install a software agent that will manage local firewall settings. The agents themselves can be controlled either individually or in groups through a web interface.

Let’s get started.

Sign Up For A Dome9 Account

I won’t cover this in any detail – you’ll find the signup process at Dome9 to be similar to other web account signups. If this is your first account at Dome9, you’ll be given a free trial of their enterprise features, after which you’ll likely have to talk with their sales group about your needs. Large accounts will be encouraged to buy a plan, but they do have a “Lite Cloud” plan that you can use for your own personal websites for five servers or less.

Install The Dome9 Agent On Your Server

Once you have logged in and have an account, you’ll need to install the Dome9 agent on the servers you wish to manage.

Dome9 Main Interface

The Install New Agent Button (or menu option) will guide you through a series of steps for installing an agent for the appropriate system type (Windows or Linux). The instructions will basically give you a set of copy-paste commands that you can use to install and start the Dome9 agent.

Create a Security Group

Dome9 installs a ‘default’ security group, though you will likely want to create your own group for firewall management. Let’s take a look at a few rules for a “WordPress” server. Note that only the services you list can be given an ‘allow’ setting; anything not listed is blocked. You can also list a service and set it to ‘block’ traffic – the difference from not listing it at all is the “On Demand” feature of Dome9 that we’ll cover later on. Here is an example rule set:

Example Dome9 Rules For WordPress Site

In this case, we’re only managing three services – leaving all others blocked. HTTP and HTTPS are open to the world, while SSH is limited to the (greyed-out) block of IP addresses. To add a new service (such as MySQL), simply choose the Add New Service button. When you choose this option, you are presented with a menu of common services to choose from – as well as the ability to specify custom ports and port ranges for any other services you may wish to access.

Service Port Dome9

If we complete the example, we can specify a few settings for this port. In this case, we’ll leave the port protected and only allow “On Demand” access to the MySQL port. You can also add specific IP addresses or IP blocks if you have a set that you would like to leave open full time.[3]

Service Port Dome9

With this in place, a new rule has been added to the Inbound Policy Rule set.

MySQL Added to Dome9 Security List

Adding Your Server To The Security Group

Now that we have a security group in place, we’ll need to add our web server to the group. This will prompt the agent to apply the firewall rules specified by the group.

This is a relatively simple operation. From the list of servers where agents have been installed (if you installed the agent, this should be visible rather quickly), choose the server listed (this defaults to your hostname).

Choosing A Server in the Dome9 Interface

This will open a dialog that will allow you to choose your security group (Dome9 requires that a server belong to at least one security group) along with a list of the rules that are currently applied.

Choosing A Security Group

You will also want to remove the default security group (with the big black ‘x’) to have your server be protected by only the single web-server group.

With this in place, you now have a web server that is open to the world for HTTP, restricted on the SSH port to a couple of IP addresses (meaning that SSH is only available from those IP addresses/ranges) and ‘blocked’ for MySQL connections. This is good enough for day-to-day site operation, but let’s take a look at another Dome9 feature: “on demand” access.

Granting On Demand Access to A Resource

Let’s take a look at setting up on demand access to the MySQL database. This might be a situation where I am troubleshooting some data setups, or just want easier access to the MySQL database through a tool like MySQL Workbench.

I’ll need to ensure that the MySQL user itself is set up to allow access from remote hosts (such as ‘%’) and have the MySQL server configured in the my.cnf file to bind to an address that remote hosts can reach. (I won’t cover this exact problem in detail here.) Now MySQL access is only blocked by the firewall configuration. Sure enough:

MySQL Workbench Denied Access

Now, let’s configure ‘dynamic access’ to the MySQL resource. First, go to the Dynamic Access tab in the Dome9 interface.

Access Control Dome9

Note the Get Access button. You can use this button to give yourself access for a certain period of time, or you can send an invitation to someone else to access the resource. Let’s see how that works. First, choose to send an invitation:

Send Dome9 Invitation

Now, select a few options about this access. Access can be limited for a certain amount of time and the invitation can be set to expire as well. Dome9 also allows you to send an invitation via e-mail to others or yourself – or generate a link that can be sent over instant messaging, etc.

Create Dome9 Invitation

This action will give you a bit of detail about the invitation as well as send an e-mail to the party you wish to grant access to (if you chose the e-mail option). The e-mail contains a simple link that when clicked will create a ‘lease’ for accessing the resource.

Access Lease Created Dome9

Once this access is granted, I can now use MySQL Workbench to access the database running on the web server. My access will only last an hour before the Dome9 agent again reasserts the global rule of denying access to port 3306.

Access Granted to MySQL Resource

With the ability to generate timed firewall rules you can limit access in a controlled manner rather than having to manually edit groups or firewall rules. The effect of this is that you are better able to provide access when it is needed – and for no longer than the access is needed. Centralized management will also make it much easier to know what access has been granted across your entire infrastructure at a glance.
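To make the two policies in this post concrete – the WordPress rule set (web open to the world, SSH from one range, MySQL unlisted) and the hour-long “on demand” lease that lapses on its own – here is a small model of a security group, written for this post rather than taken from Dome9. It treats the policy as default-deny plus timed exceptions and renders what an agent would push to iptables; the IP addresses, the SSH range and the clock origin are constructed placeholders.

```python
# Constructed model of the Dome9-style inbound policy this post describes (default deny,
# an allow-list with source restrictions, timed on-demand leases). Not Dome9's code.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock origin

@dataclass(frozen=True)
class Rule:
    """Allow rule: one TCP port open to one source network (CIDR)."""
    port: int
    source: str  # "0.0.0.0/0" means open to the world

    def matches(self, port: int, src_ip: str) -> bool:
        return port == self.port and ip_address(src_ip) in ip_network(self.source)

@dataclass(frozen=True)
class Lease:
    """On-demand grant: a rule that stops applying once `expires_at` passes."""
    rule: Rule
    expires_at: datetime

@dataclass
class SecurityGroup:
    rules: list = field(default_factory=list)
    leases: list = field(default_factory=list)

    def grant(self, port: int, src_ip: str, now: datetime, hours: float = 1) -> Lease:
        """The 'Get Access' action: open `port` to one requester, one hour by default."""
        lease = Lease(Rule(port, f"{src_ip}/32"), now + timedelta(hours=hours))
        self.leases.append(lease)
        return lease

    def effective(self, now: datetime) -> list:
        """Rules in force at `now`: the permanent rules plus any unexpired leases."""
        return self.rules + [l.rule for l in self.leases if now < l.expires_at]

    def allows(self, port: int, src_ip: str, now: datetime) -> bool:
        """Default deny: a connection passes only if some effective rule matches it."""
        return any(r.matches(port, src_ip) for r in self.effective(now))

    def iptables(self, now: datetime) -> list:
        """What an agent would push to the host firewall at `now` (rendered, not applied)."""
        return ["iptables -P INPUT DROP"] + [
            f"iptables -A INPUT -p tcp -s {r.source} --dport {r.port} -j ACCEPT"
            for r in self.effective(now)]

# The post's WordPress rule set; the SSH range is a placeholder. MySQL (3306) stays unlisted.
WORDPRESS = SecurityGroup(rules=[Rule(80, "0.0.0.0/0"), Rule(443, "0.0.0.0/0"), Rule(22, "198.51.100.0/24")])
```

Calling `WORDPRESS.grant(3306, "203.0.113.9", START)` opens MySQL to that one address until 13:00; asking `allows` or `iptables` at a later time shows the port closed again without anyone editing the group.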


We’ve only touched the surface of the capabilities and advantages of managing firewall rules through Dome9. This management is critical for larger organizations with many machines – but Dome9 offers some very useful features for personal websites. If you are (for example) running your personal website through a cloud instance provider, you may find tools such as Dome9 to be extraordinarily useful in preventing your cloud instance from being accessed (or hacked) by others. Dome9 is a tool that will give you the ability to lock down your instances without being terribly hard to use.[4]

[1] There are a number of affordable vendors. I use Digital Ocean, Linode recently announced some pretty big price breaks, and even Amazon Web Services EC2 instances can be pretty inexpensive on a monthly basis if you have cash up front for a reserved instance.
[2] More specifically, we’ll look at the Dome9 “Lite Cloud” offering, which will allow you to manage firewalls for five servers or less in their “free” plan. Managing more servers requires a paid plan, but the free plan is extraordinarily useful for managing firewalls for personal or low-traffic sites. Dome9’s paid-tier plans are even more useful for organizations that manage large numbers of servers.
[3] If you are looking for your own IP address, a good utility without the extra spam (and the ability to curl!) is the Amazon Check IP Utility.
[4] If you’ve managed firewalls in the cloud, you’ve likely also experienced what happens when the SSH port is misconfigured and you have no method for getting back into your instance without starting over from scratch.