The accepted incoming traffic is reduced to the minimum, and dynamically updated according to the roles you have chosen to install. When uninstalling a role,any firewall rules specific to this role are removed as well.
For instance, when installing the Jabber server, incoming traffic on the Jabber port is accepted, for client connections, and for servers connections if you have chosen to activate server to server communication. When the role is uninstalled, the additional firewall rules are removed as well.
Thanks to the use of nftables, IP address ban on failure is implemented without requiring an additional service like fail2ban. This is activated for services like SSH, as well as IMAP, POP3 and SMTP related services.
Failure to authenticate on the mail server also triggers the automatic ban on IP addresses, which keeps bots away. Conversely, successful authentication whitelist your IP address for a predefined amount of time, ensuring access is not blocked.
You can see the firewall status with the fw-status command:
Banned IP addresses:
Protocol | IPv4 | IPv6
------------- | ----- | -----
SSH | 726 | 0
IMAP | 81 | 0
IMAPS | 121 | 48
POP3 | 12 | 0
POP3S | 139 | 61
Submission | 21 | 0
Submissions | 186 | 49
XMPP (s2s) | 21 | 0
------------- | ----- | -----
Total | 1307 | 158
Trusted IPs
IP address | Whois details
-- | --
37.165.183.212 | Free Mobile SAS
78.241.206.252 | Free Mobile
78.243.131.100 | Free Mobile
88.176.149.202 | Proxad / Free SAS
2a01:e0a:c25:72b0:4685:ff:fe73:e213 | ProXad network / Free SAS
2a01:e0a:c25:72b0:527b:9dff:fee0:7959 | ProXad network / Free SAS
Outbound traffic is filtered as well, restricted to the minimal acceptable.
DNS, web and mail traffic is activated by default. Then, each role installation insert additional rules related to the role functionning. For instance, The Jabber server will automatically installs firewall rules for server to server communication, when activated. Conversely, uninstalling the role will remove the rules and reload the firewall automatically.
All outbound web traffic is filtered by an internal proxy, which means only the sites required are accessible. This includes for instance Debian servers.
Any role that needs access to a non-whitelisted site, will automatically add the domain to the whitelist upon installation, and remove it if uninstalled. For instance, the Clam-AV role automatically adds Clam-AV related sites to the proxy whitelist.