# Firewall

Latitude.sh Firewall provides centralized management of server-level *iptables* rules across your infrastructure. Unlike network firewalls that operate at the perimeter, it runs directly on each server while allowing you to configure all firewall rules from a single interface, reducing operational overhead in multi-server environments.

<Warning>
  Latitude.sh Firewall requires an operating system that supports UFW
  (Uncomplicated Firewall). Make sure your server is running a compatible OS
  before attempting to install and use the firewall service.
</Warning>

## Creating a firewall

Follow these steps to create a firewall:

<Steps>
  <Step title="Create a firewall">
    [Log in to the dashboard](https://www.latitude.sh/dashboard), select a
    project, navigate to **Firewall** in the sidebar menu, and click **Create
    Firewall**. Provide a name for your firewall and click **Create**.
  </Step>
</Steps>

## Navigating a firewall

After you create a firewall, Latitude.sh opens the firewall detail page with a
tabbed layout:

* **Overview**: Summary, rule preview, protected servers preview, and agent
  installation commands
* **Rules**: Create and edit inbound/outbound rules
* **Servers**: Assign or remove protected servers
* **Settings**: Delete the firewall

The right-side **Details** panel shows firewall properties (name, rule count,
server count, ID, and project). You can also rename the firewall from the
**Name** field there.

## Setting firewall rules

After creating a firewall, follow these steps to add rules for inbound and outbound traffic:

<Steps>
  <Step title="Add and configure firewall rules">
    Open the **Rules** tab, click **New rule**, and configure the rule settings:

    * **From**: Search for or enter the source IP, or select "Any" for all IPs.
    * **To**: Search for or enter the destination IP, or select "Any".
    * **Protocol**: Choose TCP or UDP.
    * **Port range**: Enter a single port or a range using a hyphen (for example,
      22 or 80-443).
    * **Description**: (Optional) Add a label to make the rule easier to identify (e.g., "Allow SSH from office").

    Click **Apply** to save your changes.
  </Step>
</Steps>

<Note>
  Latitude.sh Firewall is built on UFW and only exposes **TCP** and **UDP** rules. **ICMP traffic is permitted by default** via UFW's preloaded rules, so you don't need (and can't create) an ICMP rule. Port numbers must be between **1 and 65535**.
</Note>

## Assigning firewall rules to servers

You can assign firewalls to servers using two methods:

### From the Firewall detail page

<Steps>
  <Step title="Assign firewall to servers">
    Open the **Servers** tab and use **Add a server to protect...** to assign the
    firewall to servers in the current project.
  </Step>

  <Step title="Install or uninstall the firewall agent">
    Open the **Overview** tab, expand **Agent Installation**, and copy the
    **Install** or **Uninstall** command.

    Run the command on each server to apply or remove the Latitude.sh firewall
    agent configuration.
  </Step>
</Steps>

### From the Server pages

<Steps>
  <Step title="Assign firewall from server page">
    Navigate to your server's **Overview** or **Network** page and locate the **Firewall assignments** section. Click **Assign** to select from existing firewalls in your project, or create a new firewall directly from this interface.

    To remove a firewall assignment, click the delete icon next to the assigned firewall in the **Firewall assignments** section.
  </Step>
</Steps>

<Note>
  Managing firewall assignments from server pages provides the same
  functionality as the centralized Firewall dashboard, allowing you to choose
  the workflow that best fits your needs.
</Note>

## Renaming a firewall

<Steps>
  <Step title="Rename the firewall">
    Edit the **Name** field in the right-side **Details** panel, or use
    **Actions > Rename**.
  </Step>
</Steps>

## Deleting a firewall

<Steps>
  <Step title="Delete the firewall">
    Open the **Settings** tab, click **Delete**, then type the firewall name to
    confirm the deletion.
  </Step>
</Steps>

## Using Firewall alongside Docker

Docker manages its own networking rules through iptables, which can interact unexpectedly with server-level firewalls like UFW. By default, Docker inserts its rules at a higher priority in the iptables chain than UFW, meaning incoming traffic to Docker containers bypasses UFW's restrictions entirely. This behavior ensures Docker containers can communicate but may create security gaps if not properly managed.

To maintain security when using Docker with Latitude.sh Firewall, you should explicitly control container networking through Docker's own configuration:

1. Use Docker's published ports (`-p` or `--publish` flag) to specify exactly which container ports should be accessible
2. Avoid using `--network host` mode unless absolutely necessary, as it bypasses Docker's network isolation
3. Consider using Docker's built-in network policies and internal networks for container-to-container communication

For detailed configuration options and best practices, refer to the Docker documentation on container networking and security.
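
Because traffic to published container ports bypasses UFW, the firewall's rule list can understate what a server actually exposes. The script below is an added example, not Latitude.sh or Docker code: it compares the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` against a rule list and reports ports Docker publishes on non-loopback addresses that no rule covers. The sample data, the simplified rule shape (protocol plus port or hyphenated range, without the From/To fields), and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
SAMPLE_DOCKER_PS = (
    "web\t0.0.0.0:443->443/tcp, [::]:443->443/tcp\n"
    "admin\t0.0.0.0:8080->80/tcp\n"
    "db\t127.0.0.1:5432->5432/tcp\n"
    "cache\t6379/tcp\n"
    "dns\t0.0.0.0:5353->53/udp\n"
)
# Constructed firewall rules: protocol plus a single port or a hyphenated range.
SAMPLE_RULES = [("tcp", "22"), ("tcp", "80-443")]

PUBLISHED = re.compile(
    r"^(?P<host>\S+):(?P<port>\d+)(?:-(?P<end>\d+))?->\S+/(?P<proto>tcp|udp)$"
)
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def parse_range(spec):
    """'22' -> (22, 22); '80-443' -> (80, 443). Ports must be within 1-65535."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return lo, hi

def published_ports(docker_ps_text):
    """Yield (container, proto, host_port) for ports published beyond loopback."""
    for line in docker_ps_text.splitlines():
        name, _, ports = line.partition("\t")
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            m = PUBLISHED.match(entry)
            if not m or m["host"] in LOOPBACK:
                continue  # exposed-only entry ("6379/tcp") or loopback binding
            for port in range(int(m["port"]), int(m["end"] or m["port"]) + 1):
                yield name, m["proto"], port

def unexpected_exposure(docker_ps_text, rules):
    """Return published ports that no firewall rule covers, sorted and de-duplicated."""
    allowed = [(proto, *parse_range(spec)) for proto, spec in rules]
    findings = set()
    for name, proto, port in published_ports(docker_ps_text):
        if not any(p == proto and lo <= port <= hi for p, lo, hi in allowed):
            findings.add((name, proto, port))
    return sorted(findings)

if __name__ == "__main__":
    for name, proto, port in unexpected_exposure(SAMPLE_DOCKER_PS, SAMPLE_RULES):
        print(f"{name}: {port}/{proto} is published by Docker but covered by no rule")
```

For each finding, either stop publishing the port, bind it to loopback (for example `-p 127.0.0.1:8080:80`), or add a matching rule so the firewall configuration documents the exposure.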

## Firewall billing

Charges apply when you assign a firewall to a server. For the current rate, see the [pricing page](https://www.latitude.sh/network/pricing#addon).
If you remove all server assignments, billing stops at the end of the current billing cycle.
