You can view default firewall rules and customize rules for your GitHub Enterprise instance.
In this guide:
- About your GitHub Enterprise instance's firewall
- Viewing the default firewall rules
- Adding custom firewall rules
- Restoring the default firewall rules
About your GitHub Enterprise instance's firewall
GitHub Enterprise uses Ubuntu's Uncomplicated Firewall (UFW) on the virtual appliance. For more information see "UFW" in the Ubuntu documentation. GitHub Enterprise automatically updates the firewall whitelist of allowed services with each release.
After you install GitHub Enterprise, all required network ports are automatically opened to accept connections. Every non-required port is automatically configured as deny
, and the default outgoing policy is configured as allow
. Stateful tracking is enabled for any new connections; these are typically network packets with the SYN
bit set. For more information, see "Network ports."
The UFW firewall also opens several other ports that are required for GitHub Enterprise to operate properly. For more information on the UFW ruleset, see the UFW README.
Viewing the default firewall rules
-
SSH into your GitHub Enterprise instance:
ssh -p 122 admin@hostname
-
To view the default firewall rules, use the
sudo ufw status
command. You should see output similar to this:sudo ufw status Status: active To Action From -- ------ ---- ghe-1194 ALLOW Anywhere ghe-122 ALLOW Anywhere ghe-161 ALLOW Anywhere ghe-22 ALLOW Anywhere ghe-25 ALLOW Anywhere ghe-443 ALLOW Anywhere ghe-80 ALLOW Anywhere ghe-8080 ALLOW Anywhere ghe-8443 ALLOW Anywhere ghe-9418 ALLOW Anywhere ghe-1194 (v6) ALLOW Anywhere (v6) ghe-122 (v6) ALLOW Anywhere (v6) ghe-161 (v6) ALLOW Anywhere (v6) ghe-22 (v6) ALLOW Anywhere (v6) ghe-25 (v6) ALLOW Anywhere (v6) ghe-443 (v6) ALLOW Anywhere (v6) ghe-80 (v6) ALLOW Anywhere (v6) ghe-8080 (v6) ALLOW Anywhere (v6) ghe-8443 (v6) ALLOW Anywhere (v6) ghe-9418 (v6) ALLOW Anywhere (v6)
Adding custom firewall rules
Warning: Before you add custom firewall rules, back up your current rules in case you need to reset to a known working state. If you're locked out of your server, contact GitHub Enterprise Support to reconfigure the original firewall rules. Restoring the original firewall rules involves downtime for your server.
- Configure a custom firewall rule.
-
Check the status of each new rule with the
status numbered
command.sudo ufw status numbered
-
To back up your custom firewall rules, use the
cp
command to move the rules to a new file:sudo cp -r /lib/ufw ~/ufw.backup
After you upgrade your GitHub Enterprise instance, you must reapply your custom firewall rules. We recommend that you create a script to reapply your firewall custom rules.
Restoring the default firewall rules
If something goes wrong after you change the firewall rules, you can reset the rules from your original backup.
Warning: If you didn't back up the original rules before making changes to the firewall, contact GitHub Enterprise Support for further assistance.
-
SSH into your GitHub Enterprise instance:
ssh -p 122 admin@hostname
-
To restore the previous backup rules, copy them back to the firewall with the
cp
command.sudo cp -f ~/ufw.backup/*rules /lib/ufw
-
Restart the firewall with the
systemctl
command:sudo systemctl restart ufw
-
Confirm that the rules are back to their defaults with the
ufw status
command.sudo ufw status Status: active To Action From -- ------ ---- ghe-1194 ALLOW Anywhere ghe-122 ALLOW Anywhere ghe-161 ALLOW Anywhere ghe-22 ALLOW Anywhere ghe-25 ALLOW Anywhere ghe-443 ALLOW Anywhere ghe-80 ALLOW Anywhere ghe-8080 ALLOW Anywhere ghe-8443 ALLOW Anywhere ghe-9418 ALLOW Anywhere ghe-1194 (v6) ALLOW Anywhere (v6) ghe-122 (v6) ALLOW Anywhere (v6) ghe-161 (v6) ALLOW Anywhere (v6) ghe-22 (v6) ALLOW Anywhere (v6) ghe-25 (v6) ALLOW Anywhere (v6) ghe-443 (v6) ALLOW Anywhere (v6) ghe-80 (v6) ALLOW Anywhere (v6) ghe-8080 (v6) ALLOW Anywhere (v6) ghe-8443 (v6) ALLOW Anywhere (v6) ghe-9418 (v6) ALLOW Anywhere (v6)