The latest version of GitHub Enterprise enables a firewall—Ubuntu's UFW—on the virtual appliance. The default incoming policy is configured to be deny and the default outgoing policy is configured to be allow. Furthermore, stateful tracking is enabled for NEW connections (packets with the SYN bit set).
The following TCP/UDP ports are automatically opened when you install or upgrade to GitHub Enterprise 11.10.330:

* 80/TCP (HTTP)
* 443/TCP (HTTP)
* 22/TCP (SSH)
* 9418/TCP (Git)
* 13337/TCP (Enterprise Recovery Console)
* 123/UDP (NTP)
* 161/UDP (SNMP)
UFW automatically opens some other ports—such as 68/UDP (DHCP client)—that are required for the proper operation of GitHub Enterprise. For more details, refer to the Default ruleset section in /usr/share/doc/ufw/README.gz on your virtual appliance (or online).
Here is the default UFW output:

```
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
ghe-80                     ALLOW       Anywhere
ghe-161                    ALLOW       Anywhere
ghe-443                    ALLOW       Anywhere
ghe-22                     ALLOW       Anywhere
ghe-13337                  ALLOW       Anywhere
ghe-9418                   ALLOW       Anywhere
ghe-123                    ALLOW       Anywhere
ghe-80 (v6)                ALLOW       Anywhere (v6)
ghe-161 (v6)               ALLOW       Anywhere (v6)
ghe-443 (v6)               ALLOW       Anywhere (v6)
ghe-22 (v6)                ALLOW       Anywhere (v6)
ghe-13337 (v6)             ALLOW       Anywhere (v6)
ghe-9418 (v6)              ALLOW       Anywhere (v6)
ghe-123 (v6)               ALLOW       Anywhere (v6)
```
Every GitHub Enterprise release automatically updates the whitelist of allowed services, but admin users with SSH access to the instance can safely fine-tune their firewall configuration by prepending new rules to it with the ufw command. We recommend that you script these commands in case you want to reset the firewall rules to their pre-configured state and re-apply them later.
For example, here is how you would block all SSH connections from IP addresses outside the 188.8.131.52/16 network:

```
$ ufw insert 1 allow proto tcp from 184.108.40.206/16 to any port 22
$ ufw insert 2 deny 22/tcp
$ ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    220.127.116.11/16
[ 2] 22/tcp                     DENY IN     Anywhere
[ 3] ghe-80                     ALLOW IN    Anywhere
[ 4] ghe-443                    ALLOW IN    Anywhere
[ 5] ghe-22                     ALLOW IN    Anywhere
[ 6] ghe-9418                   ALLOW IN    Anywhere
[ 7] ghe-80 (v6)                ALLOW IN    Anywhere (v6)
[ 8] ghe-161 (v6)               ALLOW IN    Anywhere (v6)
[ 9] ghe-443 (v6)               ALLOW IN    Anywhere (v6)
[10] ghe-22 (v6)                ALLOW IN    Anywhere (v6)
[11] ghe-9418 (v6)              ALLOW IN    Anywhere (v6)
[12] 22/tcp                     DENY IN     Anywhere (v6)
```
Here is how you would block SSH connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds:

```
$ ufw limit ghe-22
```
Here is how you would block the Git server port:

```
$ ufw insert 1 deny ghe-9418
```
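Since the stock rule set is restored on every upgrade or reconfiguration, the custom rules above are worth keeping in a script that can be replayed. The following is an added example, not part of the GitHub Enterprise documentation: it wraps the page's SSH allow/deny and Git-port rules in a POSIX sh script. The trusted network is passed as the first argument (assumed; the page hard-codes one), and an assumed `UFW_DRY_RUN=1` variable prints the `ufw` commands instead of running them, so the rule set can be reviewed before it touches the appliance.

```shell
#!/bin/sh
# Added example (not from the GitHub Enterprise docs): re-applicable script
# holding the custom UFW rules from this page, so they can be replayed after
# 'ghe-firewall-reset -f' or an upgrade has restored the default rule set.
#
# Assumptions (not from the page):
#   $1          trusted IPv4 network in CIDR form allowed to reach SSH
#   UFW_DRY_RUN when set to 1, print the ufw commands instead of running them
set -eu

# Runs ufw as root, or prints the command when UFW_DRY_RUN=1.
ufw_run() {
    if [ "${UFW_DRY_RUN:-0}" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# Accepts only a.b.c.d/n with each octet <= 255 and prefix <= 32, so a typo
# cannot silently turn into a rule that ufw interprets differently.
validate_cidr() {
    case "$1" in
        *[!0-9./]*|'') return 1 ;;
    esac
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
            exit 0
        }'
}

# Prepends the page's custom rules, in the same positions the page uses:
#   [1] allow SSH from the trusted network
#   [2] deny SSH from everywhere else
#   [3] block the unauthenticated Git protocol port
# Because UFW is first-match, they must sit above the stock ghe-* ALLOW rules
# to take effect, which is why each one is inserted rather than appended.
ghe_custom_rules() {
    net="$1"
    validate_cidr "$net" || { echo "ghe_custom_rules: bad CIDR '$net'" >&2; return 2; }
    ufw_run insert 1 allow proto tcp from "$net" to any port 22
    ufw_run insert 2 deny 22/tcp
    ufw_run insert 3 deny ghe-9418
}

# Usage:  sudo ./ghe-custom-rules.sh 10.0.0.0/8
#         UFW_DRY_RUN=1 ./ghe-custom-rules.sh 10.0.0.0/8   (review only)
if [ "${1:-}" != "" ]; then
    ghe_custom_rules "$1"
fi
```

The `ufw limit ghe-22` rule from the page is deliberately left out of the script: with rule [2] denying all other SSH traffic, the default ghe-22 rule is never reached, so rate-limiting it would have no effect. Use one approach or the other.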
Note that any required default rules will be restored when you upgrade or configure the GitHub Enterprise appliance (via the Management Console). As a result, you can prepend your custom rules to the ones included by default to guarantee that they will be respected.
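Because UFW evaluates rules first-match, a custom DENY that ends up below the stock `ghe-22 ALLOW` (for example because it was added with a plain `ufw deny` instead of `ufw insert`) is silently ineffective. The following added check, which is not part of the GitHub Enterprise documentation, reads `ufw status numbered` output and confirms that the custom 22/tcp DENY is numbered ahead of the default ghe-22 ALLOW. The two embedded listings are constructed to resemble the page's output; the script name and the `--check` flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the GitHub Enterprise docs): verify that a custom
# rule really sits ahead of the stock ghe-* rule it is meant to override.
set -eu

# rule_precedes PATTERN_A PATTERN_B
# Reads a 'ufw status numbered' listing on stdin and succeeds only when the
# first rule matching A has a lower number than the first rule matching B
# (both must be present). Patterns are awk regular expressions applied to
# the whole rule line; "[ N]" lines are counted as rules.
rule_precedes() {
    awk -v a="$1" -v b="$2" '
        /^\[/          { n++ }            # every "[ N] ..." line is one rule
        $0 ~ a && !fa  { fa = n }         # number of the first A match
        $0 ~ b && !fb  { fb = n }         # number of the first B match
        END { exit (fa && fb && fa < fb) ? 0 : 1 }'
}

# ssh_lockdown_effective: succeeds when the SSH DENY precedes the GHE SSH ALLOW.
ssh_lockdown_effective() {
    rule_precedes '22/tcp +DENY IN' 'ghe-22 +ALLOW IN'
}

# Constructed listings (not captured from a real appliance), modelled on the
# page's output. GOOD was built with 'ufw insert 1/2'; BAD used a plain
# 'ufw deny 22/tcp', which appends the rule below the default ghe-22 ALLOW.
UFW_GOOD='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.0/8
[ 2] 22/tcp                     DENY IN     Anywhere
[ 3] ghe-80                     ALLOW IN    Anywhere
[ 4] ghe-443                    ALLOW IN    Anywhere
[ 5] ghe-22                     ALLOW IN    Anywhere'

UFW_BAD='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] ghe-80                     ALLOW IN    Anywhere
[ 2] ghe-443                    ALLOW IN    Anywhere
[ 3] ghe-22                     ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    10.0.0.0/8
[ 5] 22/tcp                     DENY IN     Anywhere'

# Usage on the appliance:
#   sudo ufw status numbered | sh check-ufw-order.sh --check
# Without --check, the script runs against the constructed listings above.
if [ "${1:-}" = "--check" ]; then
    if ssh_lockdown_effective; then
        echo "OK: custom 22/tcp DENY precedes ghe-22 ALLOW"
    else
        echo "WARNING: 22/tcp DENY missing or below ghe-22 ALLOW; re-add it with 'ufw insert 1 ...'" >&2
        exit 1
    fi
else
    printf '%s\n' "$UFW_GOOD" | ssh_lockdown_effective && echo "good listing: SSH lockdown is effective"
    printf '%s\n' "$UFW_BAD"  | ssh_lockdown_effective || echo "bad listing: DENY is shadowed by ghe-22 ALLOW"
fi
```

Running the check after every upgrade or Management Console save is a cheap way to notice that the restored defaults have pushed a custom rule out of position, or that it was dropped altogether.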
If something goes wrong while you are adding or removing firewall rules, you can use ghe-firewall-reset -f to clear the firewall state and restore the default set of rules.

```
$ ghe-firewall-reset -f
Resetting the firewall state and removing custom rules...
--> Are you sure? (y/n) y
Firewall defaults restored. Firewall is DISABLED.
It is recommended to trigger an appliance re-configuration via CURL or open the management console (/setup/settings) and hit save to re-enable the firewall again.
```
Don't forget to specify the -f flag: failure to do so will cause the firewall state to be cleared without deleting custom rules. As a result, the current firewall configuration would be restored when you reload the firewall service.