Alternate firewall configuration

Alternate firewall configuration


In some cases, it is necessary to completely block network access to the server. For example, if the server is in a local network and NAT is used.

However, for the panel and its modules to run correctly, they need access to the external network.

The necessary settings can be made manually, through your network firewall, or in the system firewall – through the panel interface in the Administration → Firewall section.

The configuration commands depend on your task and environment.



The following TCP ports must be opened:

  • 20 - for data transfer via FTP;
  • 21 - for command transfer via FTP;
  • 22 - for remote access to servers via SSH protocol;
  • 110, 143, 993, 995, 587, 465, 25 - for sending and receiving mail messages;
  • 80 and 443 - for servicing user requests to sites on the server with ispmanager;
  • 53 - for running domain name servers;
  • 3306 - for remote access to the database server;
  • 5432 - to connect directly to a PostgreSQL process;
  • 1500 - to access the ispmanager web interface;
  • 3310 - 3330 - for alternative DBMS operation;
  • 35000 - 35999 - passive ports for FTP server operation.

You will also need to open port 53 for UDP operation.

If you use your own port for SSH protocol, also add it to the exceptions.

IP addresses

For the panel itself to run, you need to grant access to the following IP addresses:

In order for Docker to work, and be able to install alternative DBMSs, allow the following addresses:

For Cloudflare and Let's Encrypt services to work correctly, add the addresses from the official Cloudflare list.


You will also need to add the IP addresses of your operating system’s repositories.

You can find the repository files in the following paths:

  • For DEB-distributions:
    • /etc/apt/sources.list - file with main system repositories;
    • /etc/apt/sources.list.d/ - directory with other repository files, including ispmanager repositories.
  • For Red Hat distributions:
    • /etc/yum.repos.d/ - common directory for all repository files.

Since the IP addresses of the domain names of repositories and their mirrors are subject to change, you should learn their addresses during configuration.

You can do this with the "dig" utility. For example:

:~$ dig archive.ubuntu.com +short

If you want to get IPv6 addresses, add the "AAAA" parameter:

:~$ dig AAAA archive.ubuntu.com +short

Please note that all the lists are subject to change. Please note that all lists are subject to change.

In this article