Cyrange : firewall configuration

Jan 28, 2022 by Thibault Debatty | 1406 views

Cyrange Cyber Range

The cyrange Cyber Range is composed of multiple docker containers. After installation, here is how to configure your firewall to allow communication between the different components...


First, let's allow SSH, HTTP and HTTPS, and increase firewall logging verbosity:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw logging medium

Now that SSH is allowed, we can enable the firewall:

sudo ufw enable

First we must find the subnet used by our containers:

docker network inspect cyrange_default | grep Subnet

On my server, the subnet used by the cyrange containers is You should adapt the examples below according to your subnet...

As we can see on the Figure above, we must allow communication from cyrange to vboxweb-srv:

sudo ufw allow from to any port 18083 proto tcp

We must also allow communication from guacamole to RDP ports:

sudo ufw allow from to any port 15000:15999 proto tcp

During the deployment of a VM, cyrange will connect to the VM using ssh (on a port in the range 22000-22999), to configure the guest OS. To allow connections from cyrange to the SSH port used for provisioning:

sudo ufw allow from to any port 22000:22999 proto tcp

Now, your firewall configuration should look like this:

sudo ufw status verbose

Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
18083/tcp                  ALLOW IN             
22000:22999/tcp            ALLOW IN             
15000:15999/tcp            ALLOW IN             
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)

Finally, if you have NOT configured Apache reverse proxy, you will need to open ports 8080 and 8081 to access the web interface:

sudo ufw allow 8080
sudo ufw allow 8081

This blog post is licensed under CC BY-SA 4.0

This website uses cookies. More information about the use of cookies is available in the cookies policy.