# How to configure a firewall for your project environment

# Why use a firewall?

AWS comes with some default denial-of-service (DoS) protection through AWS Shield Standard. That said, to protect yourself against more sophisticated attacks, or simply for peace of mind, you can have Ymir configure a firewall for you. This firewall uses AWS WAF to protect your Ymir-managed project environment.

# Cost

Enabling a firewall on your project environment will incur some additional costs. There's a fixed cost per month as well as a charge of $0.60 per 1 million requests. If you enable bot protection, this costs an additional $10/month as well as $1.00 per 1 million requests, on top of the regular firewall cost.

You can read more about costs on the AWS WAF pricing page.

# Caching required

To use a firewall, your project environment must have the `cdn.caching` option set to `enabled`. If it isn't, your firewall will still get configured (and you'll pay for it), but it won't protect your project environment, because AWS WAF is attached to the CDN in front of it.

# Basic environment firewall configuration

To have Ymir configure a basic firewall for your project environment, you need to have a project configuration similar to the one below.

```yaml
id: 42
name: firewall-project
type: wordpress
environments:
  production: ~
  staging:
    cdn:
      caching: enabled
    firewall: true
```

The `caching` option is set to `enabled` and `firewall` is set to `true`. This configures the firewall for the staging environment with a basic set of AWS managed rule groups. These rule groups are described below; the AWS WAF documentation on managed rule groups covers them in more detail.

| Managed rule | Description |
| --- | --- |
| `AWSManagedRulesAmazonIpReputationList` | Amazon IP reputation list rule group: rules based on Amazon internal threat intelligence |
| `AWSManagedRulesKnownBadInputsRuleSet` | Known bad inputs rule group: rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities |
| `AWSManagedRulesPHPRuleSet` | PHP application rule group: rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions |
| `AWSManagedRulesSQLiRuleSet` | SQL database rule group: rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks |
| `AWSManagedRulesWordPressRuleSet` | WordPress application rule group: rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites |

# Advanced firewall configuration

Ymir also offers advanced firewall configuration options if you want to protect yourself against more specific threats.

# Bot protection

With the `bots` option, you can turn on bot protection on your firewall. This comes at an additional cost (as discussed earlier) on top of your regular firewall cost. Here's an example configuration where we protect the staging environment against web scraping frameworks.

```yaml
id: 42
name: firewall-project
type: wordpress
environments:
  production: ~
  staging:
    cdn:
      caching: enabled
    firewall:
      bots:
        - CategoryScrapingFramework
```

Below is a list of all bot categories you can block using bot protection. If you want to turn on all bot categories, you can set `bots` to `true` instead of listing them all.

| Category | Description |
| --- | --- |
| `CategoryAdvertising` | Bots used for advertising purposes |
| `CategoryArchiver` | Bots used for archiving purposes |
| `CategoryContentFetcher` | Bots fetching content on behalf of an end-user |
| `CategoryHttpLibrary` | HTTP libraries often used by bots |
| `CategoryLinkChecker` | Bots that check for broken links |
| `CategoryMiscellaneous` | Miscellaneous bots |
| `CategoryMonitoring` | Bots used for monitoring purposes |
| `CategoryScrapingFramework` | Web scraping frameworks |
| `CategorySecurity` | Security-related bots |
| `CategorySeo` | Bots used for search engine optimization |
| `CategorySocialMedia` | Bots used by social media platforms to provide content summaries (verified social media bots are not blocked) |
| `CategorySearchEngine` | Search engine bots (verified search engines are not blocked) |
| `SignalAutomatedBrowser` | Automated web browsers |
| `SignalKnownBotDataCenter` | Data centers typically used by bots |
| `SignalNonBrowserUserAgent` | User-agent strings that don't seem to be from a web browser |

# Rate limit

Ymir can also configure a rate limit rule for your firewall. This is a useful tool to mitigate application layer (layer 7) DDoS attacks. For example, here's a configuration enabling a rate limit rule of 100 requests per IP in a 5-minute time span.

```yaml
id: 42
name: firewall-project
type: wordpress
environments:
  production: ~
  staging:
    cdn:
      caching: enabled
    firewall:
      rate_limit: 100
```

The range of allowed values for `rate_limit` is 100 to 20,000,000 requests, always counted over a 5-minute interval per IP. For most use cases, you should set `rate_limit` to 100, since 100 requests from a single IP in a 5-minute time span is already a lot.
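Because a misconfigured firewall is billed without protecting anything (see the caching requirement above), it is worth checking the settings before deploying. The following lint is an added example, not Ymir's own code: it takes a project config already parsed into a dict (as PyYAML would return for `ymir.yml`) and checks the rules stated on this page. The function names and the sample config are this example's own.

```python
"""Lint firewall settings in a parsed Ymir project config (added example, not Ymir's code).
Rules from this page: the firewall only protects an environment whose cdn.caching is
'enabled'; rate_limit is 100..20,000,000 per 5 minutes; bots is true or a category list."""
from __future__ import annotations

BOT_CATEGORIES = {  # the bot categories documented on this page
    "CategoryAdvertising", "CategoryArchiver", "CategoryContentFetcher", "CategoryHttpLibrary",
    "CategoryLinkChecker", "CategoryMiscellaneous", "CategoryMonitoring", "CategoryScrapingFramework",
    "CategorySecurity", "CategorySeo", "CategorySocialMedia", "CategorySearchEngine",
    "SignalAutomatedBrowser", "SignalKnownBotDataCenter", "SignalNonBrowserUserAgent",
}
RATE_LIMIT_MIN, RATE_LIMIT_MAX = 100, 20_000_000  # requests per IP per 5-minute window

def lint_environment(name: str, env: dict | None) -> list[str]:
    """Findings for one environment; 'production: ~' arrives as None. Hypothetical helper."""
    findings: list[str] = []
    firewall = (env or {}).get("firewall")
    if not firewall:  # absent, ~ or false: no firewall, nothing to check
        return findings
    if (env.get("cdn") or {}).get("caching") != "enabled":
        findings.append(f"{name}: firewall is billed but protects nothing because "
                        "cdn.caching is not 'enabled'")
    if firewall is True:  # basic managed rules only, no advanced options to validate
        return findings
    bots = firewall.get("bots")
    if isinstance(bots, list):
        if unknown := sorted(set(bots) - BOT_CATEGORIES):
            findings.append(f"{name}: unknown bot categories {unknown}")
    rate = firewall.get("rate_limit")
    if rate is not None and (isinstance(rate, bool) or not isinstance(rate, int)
                             or not RATE_LIMIT_MIN <= rate <= RATE_LIMIT_MAX):
        findings.append(f"{name}: rate_limit {rate!r} is outside "
                        f"{RATE_LIMIT_MIN}..{RATE_LIMIT_MAX} requests per 5 minutes")
    return findings

def lint_project(config: dict) -> list[str]:
    """Lint every environment in a parsed ymir.yml (the dict PyYAML would return)."""
    return [f for name, env in (config.get("environments") or {}).items()
            for f in lint_environment(name, env)]

# Constructed sample: the page's staging config plus a misconfigured 'qa' environment.
SAMPLE_CONFIG = {"id": 42, "name": "firewall-project", "type": "wordpress",
    "environments": {
        "production": None,
        "staging": {"cdn": {"caching": "enabled"},
                    "firewall": {"bots": ["CategoryScrapingFramework"], "rate_limit": 100}},
        "qa": {"firewall": {"bots": ["CategoryScraper"], "rate_limit": 50}},
    },
}
if __name__ == "__main__":
    print("\n".join(lint_project(SAMPLE_CONFIG)) or "no findings")
```

Running it reports three findings for `qa` (no caching, an unknown bot category, and a rate limit below the minimum) and none for `staging` or `production`.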