Firewall Setup
A firewall is your first line of defense. Here's how to secure your AI stack.
UFW Basics
# Install UFW
sudo apt install ufw
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (rate limited)
sudo ufw limit 22/tcp
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable last, so the SSH rule already exists when filtering starts
sudo ufw enable
# Check status
sudo ufw status verbose
Docker + UFW
# Edit /etc/docker/daemon.json
{
"iptables": false
}
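# Restart Docker afterwards: sudo systemctl restart docker
# Docker then stops writing its own iptables rules, so published container
# ports no longer bypass UFW. NAT and forwarding for containers must then
# be configured by hand, or container networking will break.
Fail2Ban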
# Install
sudo apt install fail2ban
# Copy config
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 1h
# Restart
sudo systemctl restart fail2ban
Network Segmentation
| Zone | Services | Access |
|---|---|---|
| DMZ | Traefik | Public |
| Internal | n8n, Ollama | VPN only |
| Database | PostgreSQL | Internal only |
Checklist
- UFW enabled and configured
- SSH rate-limited
- Fail2Ban installed
- Unnecessary ports closed
- Docker network isolated
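To check the "Unnecessary ports closed" item against what is actually listening, this added example (not part of the original page) parses `ss -H -tln` output and reports TCP listeners reachable beyond loopback on any port other than 22, 80 or 443. The sample input and the service ports in it are constructed for illustration.

```shell
#!/bin/sh
# Ports the UFW section opens: SSH, HTTP, HTTPS.
ALLOWED_PORTS="22 80 443"

# Read `ss -H -tln` output on stdin and print "address port" for every
# listener that is not bound to loopback and not on an allowed port.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                   # local address:port column
            port = la; sub(/^.*:/, "", port)          # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)       # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
            if (!(port in ok)) print addr, port
        }'
}

# Constructed sample of `ss -H -tln` output (assumed services: a resolver on 53,
# Ollama on 11434, PostgreSQL on 5432, a web proxy on 80, n8n on 5678).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 4096 127.0.0.1:11434   0.0.0.0:*
LISTEN 0 244  0.0.0.0:5432      0.0.0.0:*
LISTEN 0 511  [::]:80           [::]:*
LISTEN 0 4096 *:5678            *:*
EOF
}

# Demo on the constructed sample. On a real host: ss -H -tln | unexpected_listeners
sample_ss_output | unexpected_listeners
```

Any line it prints is a service bound to a non-loopback address that the firewall rules above do not intend to expose; rebind it to an internal address or confirm that a firewall rule blocks it.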