Odoo Firewall Rules: UFW & iptables Configuration

DeployMonkey Team · March 23, 2026 7 min read

Firewall for Odoo Servers

An Odoo production server should expose only ports 80 (HTTP), 443 (HTTPS), and 22 (SSH). The Odoo ports 8069 and 8072 must stay internal-only and be reached exclusively through the Nginx reverse proxy. Proper firewall rules keep the application and database ports off the internet and blunt common attacks.

UFW Quick Setup

# Install UFW (Ubuntu/Debian)
sudo apt install -y ufw

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (do this FIRST!)
sudo ufw allow 22/tcp comment 'SSH'

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'

# Enable firewall
sudo ufw enable

# Verify rules
sudo ufw status verbose

# IMPORTANT: Do NOT open 8069 or 8072
# Nginx proxies to these ports locally

SSH Hardening

# Limit SSH attempts (UFW rate limiting: a source that opens 6 or more
# connections within 30 seconds is denied)
sudo ufw limit 22/tcp comment 'SSH rate-limited'

# Or restrict to a specific IP (203.0.113.10 is a documentation address; use your own)
sudo ufw allow from 203.0.113.10 to any port 22 proto tcp comment 'Office SSH'
sudo ufw delete allow 22/tcp
# (use "sudo ufw delete limit 22/tcp" instead if you applied the limit rule above)

# Change SSH port (optional)
sudo ufw allow 2222/tcp comment 'SSH custom port'
# Update /etc/ssh/sshd_config: Port 2222
# Then restart sshd, confirm you can log in on 2222, and only then remove the port 22 rule

iptables Rules

# For servers not using UFW. Run this from a console or with out-of-band
# access available: a mistake in the INPUT chain can lock you out.

# Flush existing rules
sudo iptables -F
sudo iptables -X

# Allow loopback (Nginx -> Odoo and Odoo -> PostgreSQL traffic lives here)
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (keeps your current SSH session alive)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block external access to Odoo ports (redundant once the INPUT policy is
# DROP, but it makes the intent visible in "iptables -L")
sudo iptables -A INPUT -p tcp --dport 8069 -j DROP
sudo iptables -A INPUT -p tcp --dport 8072 -j DROP

# Default policies, set LAST: setting INPUT to DROP before the accept rules
# above exist would cut off the SSH session you are typing in
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# These rules cover IPv4 only; repeat them with ip6tables if the host has a
# public IPv6 address

Rate Limiting

# Cap concurrent HTTPS connections per source. Inserted with -I so it is
# evaluated BEFORE the blanket "--dport 443 ACCEPT" rule above (appended
# with -A it would never be reached); --syn limits it to new connections.
sudo iptables -I INPUT -p tcp --syn --dport 443 \
  -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset

# SYN flood protection: new connections (loopback excluded, so Nginx ->
# Odoo is unaffected) pass through a rate-limited chain; excess SYNs drop.
# 1/s with a burst of 3 is very conservative for a busy site, so tune it.
sudo iptables -N SYN_FLOOD
sudo iptables -I INPUT ! -i lo -p tcp --syn -j SYN_FLOOD
sudo iptables -A SYN_FLOOD -m limit --limit 1/s --limit-burst 3 -j RETURN
sudo iptables -A SYN_FLOOD -j DROP

# Nginx rate limiting (preferred for HTTP: it counts requests rather than
# packets and answers excess requests with a 503 instead of dropping them):
# In the http {} block of nginx.conf:
limit_req_zone $binary_remote_addr zone=odoo:10m rate=10r/s;

# In the server block (assumes an "upstream odoo { ... }" pointing at 127.0.0.1:8069):
location / {
  limit_req zone=odoo burst=20 nodelay;
  proxy_pass http://odoo;
}

PostgreSQL Port Protection

# PostgreSQL (5432) should NEVER be exposed
# Default: listens on localhost only

# Verify in postgresql.conf:
listen_addresses = 'localhost'

# Explicit firewall block (redundant with "default deny incoming", but it
# documents the intent in "ufw status"):
sudo ufw deny 5432/tcp comment 'Block external PostgreSQL'

# If remote DB access is needed from an internal network: UFW evaluates
# rules in order and the first match wins, so the allow must sit BEFORE the
# deny above. Insert it at position 1 rather than appending it.
sudo ufw insert 1 allow from 10.0.0.0/24 to any port 5432 proto tcp \
  comment 'Internal DB access'
# PostgreSQL must then also listen on that interface (listen_addresses) and
# have a matching pg_hba.conf entry.
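The rules above assume Odoo (8069, 8072) and PostgreSQL (5432) bind to loopback only; this added check (not part of the original post) parses `ss -tlnH` output and flags any of those ports bound to a non-loopback address. Constructed sample lines are embedded so it runs offline; on a live server pipe `ss -tlnH` into `check_listeners`.

```shell
#!/usr/bin/env bash
# Audit listening sockets: the Odoo ports (8069, 8072) and PostgreSQL (5432)
# must be bound to loopback only, so that Nginx is the sole way in and the
# firewall is not the only thing between them and the internet.

INTERNAL_ONLY_PORTS="8069 8072 5432"

# Reads `ss -tlnH` style lines on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
# Prints one EXPOSED line per offending socket; returns 0 when every
# internal-only port is loopback-bound, 1 otherwise.
check_listeners() {
  local bad=0 state rq sq local_addr rest addr port p
  while read -r state rq sq local_addr rest; do
    [ "$state" = "LISTEN" ] || continue          # also skips a header line
    port="${local_addr##*:}"                      # text after the last ':'
    addr="${local_addr%:*}"                       # everything before it
    for p in $INTERNAL_ONLY_PORTS; do
      [ "$port" = "$p" ] || continue
      case "$addr" in
        127.0.0.1|'[::1]'|localhost) ;;           # loopback: as intended
        *) echo "EXPOSED: port $port bound to $addr"; bad=1 ;;
      esac
    done
  done
  return "$bad"
}

# Constructed samples in `ss -tlnH` format (not captured from a real host).
# Sample 1: the layout this guide describes.
SAMPLE_OK='LISTEN 0 128 127.0.0.1:8069 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8072 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
# Sample 2: Odoo and PostgreSQL listening on all interfaces.
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:8069 0.0.0.0:*
LISTEN 0 244 *:5432 *:*
LISTEN 0 128 [::1]:8072 [::]:*'

printf '%s\n' "$SAMPLE_OK"  | check_listeners && echo "sample 1: OK"
printf '%s\n' "$SAMPLE_BAD" | check_listeners || echo "sample 2: fix the bind addresses"
# On a live server: ss -tlnH | check_listeners
```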

Persist iptables Rules

# Save rules (Debian/Ubuntu)
sudo apt install -y iptables-persistent
sudo netfilter-persistent save

# Or manually. "sudo iptables-save > file" fails for a non-root user because
# the redirect is opened by your shell, not by sudo, so run the whole command as root:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'

DeployMonkey

DeployMonkey configures firewall rules automatically on every server — only HTTP, HTTPS, and SSH exposed, with rate limiting and PostgreSQL protection built in.