The latest version of GitHub Enterprise enables a firewall—Ubuntu's UFW—on the virtual appliance.
The default incoming policy is configured to be deny and the default outgoing policy is configured to be allow. Furthermore, stateful tracking is enabled for NEW connections (packets with the SYN bit set).
Default whitelisted services
The following TCP/UDP ports are automatically opened when you install or upgrade to GitHub Enterprise 11.10.330.
* 80/TCP (HTTP)
* 443/TCP (HTTP)
* 22/TCP (SSH)
* 9418/TCP (Git)
* 13337/TCP (Enterprise Recovery Console)
* 123/UDP (NTP)
* 161/UDP (SNMP)
UFW automatically opens some other ports—such as 68/UDP (DHCP client)—that are required for the proper operation of GitHub Enterprise. For more details, refer to the Default ruleset section in /usr/share/doc/ufw/README.gz on your virtual appliance (or online).
Here is the default UFW output:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
ghe-80 ALLOW Anywhere
ghe-161 ALLOW Anywhere
ghe-443 ALLOW Anywhere
ghe-22 ALLOW Anywhere
ghe-13337 ALLOW Anywhere
ghe-9418 ALLOW Anywhere
ghe-123 ALLOW Anywhere
ghe-80 (v6) ALLOW Anywhere (v6)
ghe-161 (v6) ALLOW Anywhere (v6)
ghe-443 (v6) ALLOW Anywhere (v6)
ghe-22 (v6) ALLOW Anywhere (v6)
ghe-13337 (v6) ALLOW Anywhere (v6)
ghe-9418 (v6) ALLOW Anywhere (v6)
ghe-123 (v6) ALLOW Anywhere (v6)
Custom rules
Every GitHub Enterprise release automatically updates the whitelist of allowed services, but admin users with SSH access to the instance can safely fine-tune their firewall configuration by prepending new rules to it with the ufw command. We recommend that you script these commands in case you want to reset the firewall rules to their pre-configured state and re-apply them later.
For example, here is how you would block all SSH connections from IP addresses outside the 172.0.0.0/16 network:
$ ufw insert 1 allow proto tcp from 172.0.0.0/16 to any port 22
$ ufw insert 2 deny 22/tcp
$ ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN 172.0.0.0/16
[ 2] 22/tcp DENY IN Anywhere
[ 3] ghe-80 ALLOW IN Anywhere
[ 4] ghe-443 ALLOW IN Anywhere
[ 5] ghe-22 ALLOW IN Anywhere
[ 6] ghe-9418 ALLOW IN Anywhere
[ 7] ghe-80 (v6) ALLOW IN Anywhere (v6)
[ 8] ghe-161 (v6) ALLOW IN Anywhere (v6)
[ 9] ghe-443 (v6) ALLOW IN Anywhere (v6)
[10] ghe-22 (v6) ALLOW IN Anywhere (v6)
[11] ghe-9418 (v6) ALLOW IN Anywhere (v6)
[12] 22/tcp DENY IN Anywhere (v6)
Here is how you would block SSH connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds:
$ ufw limit ghe-22
Here is how you would block the Git server port:
$ ufw insert 1 deny ghe-9418
Note that any required default rules will be restored when you upgrade or configure the GitHub Enterprise appliance (via the Management Console). As a result, you can prepend your custom rules to the ones included by default to guarantee that they will be respected.
Restoring the default firewall rules
If something goes wrong while you are adding or removing firewall rules, you can use ghe-firewall-reset -f to clear the firewall state and restore the default set of rules.
$ ghe-firewall-reset -f
Resetting the firewall state and removing custom rules...
--> Are you sure? (y/n) y
Firewall defaults restored. Firewall is DISABLED.
It is recommended to trigger an appliance re-configuration
via CURL or open the management console (/setup/settings)
and hit save to re-enable the firewall again.
Don't forget to specify the -f flag: failure to do so will cause the firewall state to be cleared without deleting custom rules. As a result, the current firewall configuration would be restored when you reload the firewall service.
