by shop owners, for shop owners

Firewall for Magento — network hardening with OPNsense


How we secure network access to Magento with OPNsense: packet filtering, port restriction, VPN access and internal segmentation of the layers.

While the WAF inspects HTTP traffic at the application layer, the firewall works one level deeper: it decides at the network level which traffic is allowed to flow at all. At PARC, OPNsense handles this.

Network firewall vs. WAF

The two layers complement each other but don’t replace each other:

  • WAF (SafeLine) — Layer 7, understands HTTP, blocks injection, XSS, bots.
  • Firewall (OPNsense) — Layer 3/4, filters packets by source, destination, port and protocol. What isn’t let through here never reaches the higher layers in the first place.

Why OPNsense

OPNsense is an open-source firewall built on FreeBSD, and it fits our approach well:

  • Open source, no licence costs, no cloud dependency.
  • Mature packet-filter engine, VPN support, logging and monitoring out of the box.
  • Runs on our own infrastructure — all traffic stays under our control.

Principle: only what’s necessary

Our firewall philosophy is default-deny — everything is blocked by default, only what a component genuinely needs is allowed:

  • From the outside, normally only the WAF is reachable — everything else is closed off from the internet side.
  • Between internal layers traffic is segmented: each component may only talk to the neighbours it needs for its job. A compromised component therefore can’t move freely across the network.
  • Administrative access (SSH, management) is not reachable from the open internet, only via VPN.

We document the concrete rules, ports and segment boundaries internally — not publicly, for security reasons.

VPN access

Administrative access runs exclusively through an encrypted VPN tunnel:

  • No open SSH port on the internet — the most common brute-force attack surface is eliminated entirely.
  • Access only for defined people with their own keys.
  • Combined with Fail2ban and further hardening measures on the hosts themselves.
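To make the default-deny principle and the VPN-only admin access from the two sections above concrete, here is an illustrative pf ruleset of the kind OPNsense generates. It is an added example, not PARC's own (unpublished) rules: the interface names, addresses, VPN pool and the Varnish, Nginx and PHP-FPM ports are all assumptions.

```pf
# Chain: Internet -> OPNsense -> SafeLine WAF -> Varnish -> Nginx -> Magento
# Each layer sits in its own segment so every hop crosses the firewall (assumed layout).
wan   = "vtnet0"          # internet-facing interface (assumed)
dmz   = "vtnet1"          # segment holding the SafeLine WAF (assumed)
cache = "vtnet2"          # segment holding Varnish (assumed)
app   = "vtnet3"          # segment holding Nginx + Magento/PHP-FPM (assumed)
vpn   = "wg0"             # WireGuard tunnel interface for administrators (assumed)

waf     = "10.0.1.10"     # assumed addresses
varnish = "10.0.2.10"
nginx   = "10.0.3.10"
admins  = "10.99.0.0/24"  # VPN client pool (assumed)

set skip on lo0

# Default-deny: anything not explicitly passed below is dropped and logged.
block log all

# From the internet only the WAF is reachable, and only on HTTPS.
pass in on $wan proto tcp from any to $waf port 443

# Internal segmentation: each component may talk only to its downstream neighbour.
pass in on $dmz   proto tcp from $waf     to $varnish port 6081   # assumed Varnish listener
pass in on $cache proto tcp from $varnish to $nginx   port 8080   # assumed Nginx listener
# Nginx and PHP-FPM share a host here, so that hop never crosses the firewall.

# Administrative access (SSH to the hosts, OPNsense GUI) only from the VPN pool.
# Nothing below opens SSH towards $wan, so there is no internet-facing SSH port at all.
pass in on $vpn proto tcp from $admins to { $waf $varnish $nginx } port 22
pass in on $vpn proto tcp from $admins to (self) port 443

# Anything else a host legitimately needs (DNS, NTP, package updates) is added
# as an explicit rule; it is never implied by a blanket allow.
```

Because pf keeps state by default, each `pass in` rule also admits the reply packets, so no matching `pass out` rules are needed for the flows shown.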

Working together

Internet → OPNsense → SafeLine WAF → Varnish → Nginx → Magento

First the network firewall, then the WAF, then the application: several independent layers an attacker would have to get through one by one. This layering (defense in depth) is the core of our security architecture.
