Unifi Controller on Core OS with Terraform (Part 5: Firewall)

tl;dr The code for the complete Unifi setup is available in the niels-s/unifi-terraform-example repo

This post is part of a small series; go and read the previous post to set up the Unifi controller.

In this final post, we configure the Digital Ocean Firewall. We used the guidelines from Ubiquiti to configure the right inbound rules. I was lazy and didn’t define any specific outbound rules. That’s not best practice, so I should improve them soon.

We use the digitalocean_firewall Terraform resource to configure the rules. The only remarks I have are that we allow inbound connections on port 2222 for our SSH server, and that we allow the full port range 1-65535 for outbound traffic.

resource "digitalocean_firewall" "unifi" {
  name = "unifi-controller"

  droplet_ids = [digitalocean_droplet.unifi_controller.id]

  # HTTP
  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0"]
  }

  # HTTPS
  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0"]
  }

  # SSH (non-default port)
  inbound_rule {
    protocol         = "tcp"
    port_range       = "2222"
    source_addresses = ["0.0.0.0/0"]
  }

  # STUN, used by UniFi devices to reach the controller
  inbound_rule {
    protocol         = "udp"
    port_range       = "3478"
    source_addresses = ["0.0.0.0/0"]
  }

  # UniFi mobile speed test
  inbound_rule {
    protocol         = "tcp"
    port_range       = "6789"
    source_addresses = ["0.0.0.0/0"]
  }

  # Device inform (device to controller communication)
  inbound_rule {
    protocol         = "tcp"
    port_range       = "8080"
    source_addresses = ["0.0.0.0/0"]
  }

  # ICMP (ping)
  inbound_rule {
    protocol         = "icmp"
    source_addresses = ["0.0.0.0/0"]
  }

  # Outbound
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}
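As an added example, not code from the niels-s/unifi-terraform-example repo, here is the same resource with the two remarks above addressed: SSH is limited to an assumed `admin_cidrs` variable instead of 0.0.0.0/0, and outbound traffic is limited to a short port list instead of 1-65535. The outbound list is an assumption about what a CoreOS host running the controller needs (DNS, NTP, HTTP/HTTPS for image pulls and certificates) and must be extended for anything else the host dials out to.

```hcl
# Added example; assumes `admin_cidrs` (declared here) and the droplet
# resource name from the post. Not the repo's own code.
variable "admin_cidrs" {
  description = "CIDR blocks allowed to reach SSH on port 2222"
  type        = list(string)
}

locals {
  anywhere = ["0.0.0.0/0", "::/0"]
}

resource "digitalocean_firewall" "unifi" {
  name        = "unifi-controller"
  droplet_ids = [digitalocean_droplet.unifi_controller.id]

  # SSH only from known admin networks instead of the whole internet.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "2222"
    source_addresses = var.admin_cidrs
  }

  # UniFi ports stay world-reachable: devices and clients connect from anywhere.
  dynamic "inbound_rule" {
    for_each = { "80" = "tcp", "443" = "tcp", "3478" = "udp", "6789" = "tcp", "8080" = "tcp" }
    content {
      protocol         = inbound_rule.value
      port_range       = inbound_rule.key
      source_addresses = local.anywhere
    }
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = local.anywhere
  }

  # Outbound: only what the host needs (assumed list), instead of 1-65535.
  dynamic "outbound_rule" {
    for_each = [
      { proto = "udp", port = "53" },  # DNS
      { proto = "tcp", port = "53" },  # DNS over TCP
      { proto = "udp", port = "123" }, # NTP
      { proto = "tcp", port = "80" },  # package mirrors, ACME http-01
      { proto = "tcp", port = "443" }, # container image pulls, UniFi cloud, ACME
    ]
    content {
      protocol              = outbound_rule.value.proto
      port_range            = outbound_rule.value.port
      destination_addresses = local.anywhere
    }
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = local.anywhere
  }
}
```

After applying this, verify from an address outside `admin_cidrs` that port 2222 no longer answers, and watch the controller and CoreOS update logs for a while: any outbound connection the firewall now blocks will show up there as a timeout, which tells you which port to add rather than reopening the full range.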

The code for the complete Unifi setup is available in the niels-s/unifi-terraform-example repo; the changes from this post can be found in this commit.

This post is part of a small series; go and read the next post on my failed attempts.