Administrative Access Rules

Securing administrative access represents one of the most critical aspects of firewall configuration. SSH (port 22), RDP (port 3389), and other management protocols should never be exposed to the entire internet. Instead, implement strict source IP restrictions and additional authentication layers.

For SSH access, start with a restrictive approach that only allows connections from known IP addresses:

Allow TCP from admin_network to web_server_ip port 22
Deny TCP from any to web_server_ip port 22

Better yet, implement jump hosts or bastion servers, so that administrators must first connect to a hardened intermediate system and only that system is allowed to reach the server:

Allow TCP from jump_host_ip to web_server_ip port 22
Deny TCP from any to web_server_ip port 22

Consider implementing port knocking or single packet authorization (SPA) for additional security. These techniques hide administrative ports until a specific sequence of connection attempts or a cryptographically signed packet opens temporary access. Although they add complexity, they hide management interfaces from port scanning and block automated attacks against them.
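The two rule sets above only work if the allow rule precedes the catch-all deny, because firewalls apply the first matching rule. The following added example (not from the original page; the IP ranges behind admin_network, jump_host_ip and web_server_ip are constructed placeholders) parses rules in the page's notation, evaluates them first-match with default deny, and flags an allow rule that a preceding deny shadows.

```python
import ipaddress
import re

# Constructed addresses for the page's symbolic names (assumptions, not real hosts).
NAMES = {
    "admin_network": "10.20.0.0/24",
    "jump_host_ip": "10.20.0.5/32",
    "web_server_ip": "203.0.113.10/32",
    "any": "0.0.0.0/0",
}

# Grammar of the page's rule lines: "Allow TCP from <src> to <dst> port <n>"
RULE_RE = re.compile(r"^(Allow|Deny)\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)\s+port\s+(\d+)$")

# The page's jump-host rule set, and the same two rules in the wrong order.
JUMP_HOST_RULES = """Allow TCP from jump_host_ip to web_server_ip port 22
Deny TCP from any to web_server_ip port 22"""
MISORDERED_RULES = """Deny TCP from any to web_server_ip port 22
Allow TCP from jump_host_ip to web_server_ip port 22"""


def parse_rules(text):
    """Turn rule lines into (action, proto, src_net, dst_net, port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        action, proto, src, dst, port = m.groups()
        rules.append((action.lower(), proto.lower(),
                      ipaddress.ip_network(NAMES.get(src, src)),
                      ipaddress.ip_network(NAMES.get(dst, dst)), int(port)))
    return rules


def evaluate(rules, proto, src, dst, port):
    """First-match evaluation; traffic matching no rule is denied (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto == proto and s in rsrc and d in rdst and port == rport:
            return action
    return "deny"


def shadowed_allows(rules):
    """Allow rules that can never match because an earlier deny fully covers them."""
    shadowed = []
    for i, (action, proto, src, dst, port) in enumerate(rules):
        for eaction, eproto, esrc, edst, eport in rules[:i]:
            if (action == "allow" and eaction == "deny" and eproto == proto
                    and eport == port and src.subnet_of(esrc) and dst.subnet_of(edst)):
                shadowed.append(rules[i])
                break
    return shadowed
```

Run `shadowed_allows(parse_rules(MISORDERED_RULES))` to see the misordered allow reported, while the page's ordering returns an empty list.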