The latest version of GitHub Enterprise enables a firewall—Ubuntu's UFW—on the virtual appliance.

The default incoming policy is deny and the default outgoing policy is allow. Furthermore, stateful connection tracking is enabled, so only NEW connections (packets with the SYN bit set) are evaluated against the rules; packets belonging to established connections are accepted.

Default whitelisted services

The following TCP/UDP ports are automatically opened when you install or upgrade to GitHub Enterprise 11.10.330.

* 80/TCP    (HTTP)
* 443/TCP   (HTTPS)
* 22/TCP    (SSH)
* 9418/TCP  (Git)
* 13337/TCP (Enterprise Recovery Console)
* 123/UDP   (NTP)
* 161/UDP   (SNMP)

UFW automatically opens some other ports—such as 68/UDP (DHCP client)—that are required for the proper operation of GitHub Enterprise. For more details, refer to the Default ruleset section in /usr/share/doc/ufw/README.gz on your virtual appliance (or online).

Here is the default UFW output:

$ sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
ghe-80                     ALLOW       Anywhere
ghe-161                    ALLOW       Anywhere
ghe-443                    ALLOW       Anywhere
ghe-22                     ALLOW       Anywhere
ghe-13337                  ALLOW       Anywhere
ghe-9418                   ALLOW       Anywhere
ghe-123                    ALLOW       Anywhere
ghe-80 (v6)                ALLOW       Anywhere (v6)
ghe-161 (v6)               ALLOW       Anywhere (v6)
ghe-443 (v6)               ALLOW       Anywhere (v6)
ghe-22 (v6)                ALLOW       Anywhere (v6)
ghe-13337 (v6)             ALLOW       Anywhere (v6)
ghe-9418 (v6)              ALLOW       Anywhere (v6)
ghe-123 (v6)               ALLOW       Anywhere (v6)

Custom rules

Every GitHub Enterprise release automatically updates the whitelist of allowed services, but admin users with SSH access to the instance can safely fine-tune the firewall configuration by prepending their own rules to it with the ufw command. We recommend that you script these commands so that, after resetting the firewall rules to their pre-configured state, you can re-apply them later.

For example, here is how you would block all SSH connections from IP addresses outside the 172.0.0.0/16 network:

$ ufw insert 1 allow proto tcp from 172.0.0.0/16 to any port 22
$ ufw insert 2 deny 22/tcp

$ ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    172.0.0.0/16
[ 2] 22/tcp                     DENY IN     Anywhere
[ 3] ghe-80                     ALLOW IN    Anywhere
[ 4] ghe-443                    ALLOW IN    Anywhere
[ 5] ghe-22                     ALLOW IN    Anywhere
[ 6] ghe-9418                   ALLOW IN    Anywhere
[ 7] ghe-80 (v6)                ALLOW IN    Anywhere (v6)
[ 8] ghe-161 (v6)               ALLOW IN    Anywhere (v6)
[ 9] ghe-443 (v6)               ALLOW IN    Anywhere (v6)
[10] ghe-22 (v6)                ALLOW IN    Anywhere (v6)
[11] ghe-9418 (v6)              ALLOW IN    Anywhere (v6)
[12] 22/tcp                     DENY IN     Anywhere (v6)
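The documentation above recommends scripting your custom rules so they can be re-applied after a reset. The following POSIX sh script is an added example, not part of the GitHub Enterprise documentation: it generates the same allow/deny pair shown above for a list of admin networks (the networks in ADMIN_NETS are constructed placeholders), rejects malformed entries, and inserts the rules at the top of the ruleset so they precede the ghe-* defaults.

```shell
#!/bin/sh
# Added example: generate and apply a custom UFW rule set that restricts
# SSH (22/tcp) to a set of admin networks on a GitHub Enterprise appliance.
# ADMIN_NETS is a constructed placeholder; replace it with your own networks.
ADMIN_NETS="172.0.0.0/16 10.20.0.0/24"

# Print the ufw commands for the networks given in $1 (space separated).
# Allow rules are inserted at positions 1..n, followed by a catch-all deny,
# so the result matches the ordering shown in the "ufw status numbered" output.
ghe_ssh_rules() {
  pos=1
  for net in $1; do
    # Sanity check: only digits, dots and a slash are accepted in a network.
    case "$net" in
      *[!0-9./]*) echo "invalid network: $net" >&2; return 1 ;;
    esac
    echo "ufw insert $pos allow proto tcp from $net to any port 22"
    pos=$((pos + 1))
  done
  echo "ufw insert $pos deny 22/tcp"
}

# Run the generated commands. Set DRY_RUN=1 to print them instead of
# executing them (useful for reviewing the rules before applying).
ghe_ssh_apply() {
  ghe_ssh_rules "$1" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "$cmd"
    else
      # Word splitting on $cmd is intended here: it re-forms the argv.
      sudo $cmd
    fi
  done
}

# Example invocation (dry run); remove DRY_RUN to apply the rules for real.
DRY_RUN=1 ghe_ssh_apply "$ADMIN_NETS"
```

Run `ghe-firewall-reset -f` first if you want to start from the default ruleset, then re-run the script to re-apply the custom rules.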

Here is how you would block SSH connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds:

$ ufw limit ghe-22

Here is how you would block the Git server port:

$ ufw insert 1 deny ghe-9418

Note that the required default rules are restored whenever you upgrade or configure the GitHub Enterprise appliance (via the Management Console). Because UFW evaluates rules in order, prepend your custom rules to the default ones so that they are matched first and continue to be respected after such a restore.

Restoring the default firewall rules

If something goes wrong while you are adding or removing firewall rules, you can use ghe-firewall-reset -f to clear the firewall state and restore the default set of rules.

$ ghe-firewall-reset -f
Resetting the firewall state and removing custom rules...
 --> Are you sure? (y/n) y

Firewall defaults restored. Firewall is DISABLED.

It is recommended to trigger an appliance re-configuration
via CURL or open the management console (/setup/settings)
and hit save to re-enable the firewall again.

Don't forget to specify the -f flag: without it, the firewall state is cleared but the custom rules are not deleted, so the current (custom) firewall configuration would simply be restored the next time the firewall service is reloaded.