Internal Control Center Firewall


Overview

The built-in firewall in dbWatch Control Center provides an additional layer of security, particularly useful in distributed environments or when exposing nodes to untrusted networks (e.g., internet-facing cloud routers or DMZ setups).

This internal firewall allows precise control over:

The firewall is configured per node through the Domain Configuration Dialog.


Accessing the Firewall Configuration

To configure the firewall for a node:

  1. Open the Domain Configuration dialog
  2. Select the node you want to configure
  3. Click “Firewall Configuration”

)

Launching the configuration window:

)

The Firewall GUI is divided into three sections:

)


Section 1: Domain Discovery

Domain Discovery governs whether a node will publicly list its known domains during connection attempts.

This is especially useful when setting up security-hardened environments with limited visibility.


Section 2: Domains

This section defines which domains this node is allowed to forward certificates for.

This configuration is essential for cloud routers or multi-domain nodes. It ensures routing behavior is strictly scoped to expected domain memberships, reducing potential for misrouting or lateral movement across domains.


Section 3: Rules (IP Access Control)

The Rules section enables you to define IP-based access control policies using CIDR notation.

Each rule includes:

Default rule set:

Action From host Limit
---------- -------------- --------
ALLOW 127.0.0.1/32 100
ALLOW 0.0.0.0/0 100
DENY 0.0.0.0/0 -1

Explanation:

> To enhance security, it is recommended to replace the 0.0.0.0/0 rule with more specific subnets using CIDR notation:
>
> * Example: `192.168.0.0/24` for the 192.168.0.* range
> * Example: `192.168.0.3/32` to allow only a single IP


Best Practices


Related Topics