Firewall Configuration

Configure firewall rules and expose services

Every Cassette comes with a firewall enabled by default. Three ports are open out of the box - you can add more as needed.

Default Open Ports

Port 22 (SSH) - Remote terminal access
Port 80 (HTTP) - Web traffic
Port 443 (HTTPS) - Secure web traffic

These can be disabled but not deleted. If you disable SSH, you'll only have web console access.

Adding a Custom Port

From your instance page:

  1. Click Add Port in the Firewall section
  2. Enter the port number (1-65535)
  3. Select protocol: TCP (most common) or UDP
  4. Add a description (optional but recommended)
  5. Click Add Port

The rule takes effect in seconds.

Common Ports to Open

3000 - Rails/Node dev servers
5432 - PostgreSQL database
6379 - Redis
8080 - Alternative HTTP
3306 - MySQL
27017 - MongoDB

TCP vs UDP

Use TCP for: Web servers, databases, APIs, SSH, most applications (default choice)

Use UDP for: Game servers, VoIP, DNS, streaming protocols

If you're not sure, use TCP.

Enabling/Disabling Rules

Each rule has a toggle switch:
- Green (on) = Accepting connections
- Gray (off) = Blocking connections

Toggle to temporarily block a port without deleting the rule. Useful for debugging or scheduled maintenance.

Deleting Rules

Custom rules show a trash icon on hover - click to delete permanently.

Default rules (SSH, HTTP, HTTPS) can be disabled but not deleted.

Security Best Practices

Only open what you need. Each open port is a potential entry point. If you're not actively using a port, remove it.

Use non-standard ports carefully. Running SSH on port 2222 doesn't add much security - key-based auth is what matters.

Database ports should usually stay closed. Access databases from your app on localhost, not over the internet. If you must expose a database, use strong passwords and allowlists.
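
One way to check this on the instance, as an added example (not part of the original guide or Cassette's own tooling): the script below parses `ss -H -tln` output and reports which of the database ports listed above (3306, 5432, 6379, 27017) are listening on a non-loopback address. It assumes `ss` from iproute2 is installed; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Database ports taken from the "Common Ports to Open" list on this page.
DB_PORTS="3306 5432 6379 27017"

# Constructed sample of `ss -H -tln` output (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511                *:6379            *:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      244            [::1]:5432         [::]:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
EOF
}

# stdin: `ss -H -tln` lines. stdout: "<port> <bind-address> <scope>" per listener,
# where scope is "loopback" (127.0.0.0/8 or ::1) or "external" (anything else).
classify_listeners() {
  awk '{
    la = $4                              # Local Address:Port column
    n = match(la, /:[0-9]+$/)            # position of the final ":port"
    if (n == 0) next
    port = substr(la, n + 1)
    addr = substr(la, 1, n - 1)
    sub(/%.*$/, "", addr)                # drop an interface suffix such as "%lo"
    gsub(/^\[|\]$/, "", addr)            # unwrap bracketed IPv6, e.g. [::1]
    scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "external"
    print port, addr, scope
  }'
}

# stdin: `ss -H -tln` lines. stdout: database ports bound beyond loopback.
exposed_db_ports() {
  classify_listeners | while read -r port addr scope; do
    for db in $DB_PORTS; do
      if [ "$port" = "$db" ] && [ "$scope" = "external" ]; then
        echo "$port"
      fi
    done
  done | sort -un
}

# Demo on the constructed sample; on a live instance run:
#   ss -H -tln | exposed_db_ports
sample_ss_output | exposed_db_ports
```

A port reported here is reachable from the network only if a firewall rule for it is also enabled. The reverse also applies: a service bound to loopback stays unreachable from outside even with its rule switched on.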

Troubleshooting

Connection refused after opening a port

  1. Verify the service is actually running: sudo systemctl status servicename
  2. Check it's listening on the right port: sudo netstat -tlnp | grep PORT
  3. Confirm the firewall rule is enabled (toggle should be green)
  4. Wait 10 seconds for the rule to propagate

Port already in use

Each port+protocol combination can only have one rule. Delete the existing rule first, or choose a different port.

Can't connect to SSH after disabling port 22

Use the web console from your instance page - click the Console button. Re-enable port 22 from there.