Guides
Firewall & Ports

Firewall & Ports

Required ports and firewall configuration for OEC.sh managed servers.

Automatic Firewall Configuration

If your server does not have a firewall set up (or is running CSF/LFD, which is incompatible with Docker networking), the preflight check will show a Warning with a Configure button.

Clicking Configure runs the platform's automatic firewall setup:

  1. Detects and disables CSF/LFD if present (CSF interferes with Docker's iptables rules)
  2. Installs UFW if not already installed
  3. Opens your SSH port (auto-detected from /etc/ssh/sshd_config — handles non-standard ports)
  4. Opens ports 80 and 443
  5. Falls back to firewalld on CentOS/RHEL, or iptables as a last resort if neither UFW nor firewalld is available

The fix completes in about 30 seconds and the preflight check re-runs automatically to confirm.

The configure button only appears when the preflight check detects that no compatible firewall is active. If UFW or firewalld is already running with the right rules, you will see Passed and no action is needed.

To run the preflight check manually: go to Servers → select your server → Preflight Checks.

Required Ports

These ports must be open for OEC.sh to function:

PortProtocolDirectionPurpose
22TCPInboundSSH access for OEC.sh management
80TCPInboundHTTP traffic (redirects to HTTPS)
443TCPInboundHTTPS traffic (main Odoo access)
⚠️

Critical: If port 22 is blocked, OEC.sh cannot manage your server. Deployments, backups, and monitoring will fail.

Optional Ports

These ports may be needed depending on your configuration:

PortProtocolDirectionPurposeWhen Needed
8069TCPInboundDirect Odoo HTTPDebugging, bypassing proxy
8072TCPInboundOdoo longpollingReal-time features (discuss, chat)
5432TCPInboundPostgreSQLExternal database access, BI tools
19999TCPInboundNetdataDirect access to monitoring dashboard
6432TCPInboundPgBouncer (primary)Connection pooling access
6433TCPInboundPgBouncer (replica)Read replica access (Odoo 18+)

Cloud Provider Configuration

AWS EC2 Security Groups:

  1. Go to EC2 → Security Groups
  2. Select your instance's security group
  3. Click Inbound rules → Edit inbound rules
  4. Add these rules:
TypeProtocolPort RangeSourceDescription
SSHTCP22Your IP or 0.0.0.0/0OEC.sh management
HTTPTCP800.0.0.0/0Web traffic
HTTPSTCP4430.0.0.0/0Secure web traffic
# AWS CLI example
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp \
  --port 22 \
  --cidr 0.0.0.0/0
 
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0
 
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

UFW Configuration (Server-Level)

If your server uses UFW (Uncomplicated Firewall):

# Allow required ports
sudo ufw allow 22/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
 
# Enable firewall
sudo ufw enable
 
# Verify rules
sudo ufw status verbose

Expected output:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere        # SSH
80/tcp                     ALLOW       Anywhere        # HTTP
443/tcp                    ALLOW       Anywhere        # HTTPS

iptables Configuration

For servers using raw iptables:

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
 
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
# Drop everything else (optional, be careful!)
# iptables -A INPUT -j DROP
 
# Save rules (Debian/Ubuntu)
iptables-save > /etc/iptables/rules.v4
⚠️

Caution: Incorrect iptables rules can lock you out of your server. Always test in a screen/tmux session and have console access available.

Restricting SSH Access

For enhanced security, restrict SSH to specific IPs:

OEC.sh Management IPs

OEC.sh connects from these IP ranges:

UFW Example

# Allow SSH only from specific IPs
sudo ufw allow from 1.2.3.4 to any port 22 comment 'OEC.sh management'
sudo ufw allow from 5.6.7.8 to any port 22 comment 'Office IP'
 
# Block SSH from everywhere else (if no default deny)
sudo ufw deny 22/tcp

Database Access (Port 5432)

⚠️

Security Risk: Opening port 5432 exposes your database to the internet. Only do this if you need external database access (e.g., BI tools).

If you need external PostgreSQL access:

  1. Restrict to specific IPs only:

    sudo ufw allow from 10.0.0.5 to any port 5432 comment 'BI Server'

  2. Consider using SSH tunnel instead:

    ssh -L 5432:localhost:5432 user@your-server

  3. Use a read-only database user for reporting queries

Outbound Ports

OEC.sh servers need outbound access for:

PortProtocolDestinationPurpose
80, 443TCPInternetDocker Hub, package repos
443TCPapi.oec.shOEC.sh API communication
25, 465, 587TCPMail serversOutgoing email (if configured)

Most cloud providers allow all outbound traffic by default.

Testing Connectivity

Test from your machine

# Test SSH
nc -zv your-server-ip 22
 
# Test HTTP/HTTPS
curl -I http://your-server-ip
curl -I https://your-domain.com

Test from the server

# Test outbound connectivity
curl -I https://api.oec.sh
curl -I https://hub.docker.com

Troubleshooting

"Connection refused" on port 22

Causes:

  1. Firewall blocking the port
  2. SSH service not running
  3. Wrong IP address

Solutions:

  1. Check cloud firewall rules
  2. Use provider's console to access server
  3. Run: sudo systemctl status sshd

"Connection timed out" on port 80/443

Causes:

  1. Firewall blocking the port
  2. No web server running
  3. Server not reachable

Solutions:

  1. Verify firewall rules (both cloud and server-level)
  2. Check if Traefik is running: docker ps | grep traefik

OEC.sh shows "Server Unreachable"

Causes:

  1. Port 22 blocked
  2. SSH credentials changed
  3. Server powered off

Solutions:

  1. Verify port 22 is open
  2. Test SSH manually: ssh user@server-ip
  3. Check server status in cloud provider console

Security Best Practices

  1. Use SSH keys instead of passwords
  2. Disable root login via SSH
  3. Change default SSH port (optional, update OEC.sh settings)
  4. Use fail2ban to block brute force attempts
  5. Keep firewall rules minimal - only open what's needed
  6. Regularly audit open ports: sudo netstat -tlnp
  7. Use cloud firewalls in addition to server firewalls (defense in depth)

Need Help?

For firewall configuration assistance:

  • Email: support@oec.sh
  • Include: Cloud provider, current firewall rules, error messages
OS CompatibilityAi Dev Terminal