The File Firewall GUI enables you to create and manage firewall rule sets from your ownCloud admin page. The File Firewall gives you finer-grained control of access and sharing, with rules for allowing or denying access, and restrictions per group, upload size, client devices, IP address, time of day, and many more criteria. For additional flexibility the File Firewall also supports regular expressions.
Each rule consists of one or more conditions. A request matches a rule only if all of its conditions evaluate to true. If a request matches at least one of the defined rules, the request is blocked and the file content cannot be read or written.
Note
As of ownCloud 9.0, the File Firewall app cannot lock out administrators from the Web interface when rules are misconfigured.
Figure 1 shows an empty firewall configuration panel. Set your logging level to Failures Only for debugging, and create a new ruleset by clicking the Add Group button. After setting up your rules you must click the Save Rules button.
Figure 1: Empty File Firewall configuration panel
Figure 2 shows two rules. The first rule, No Support outside office hours, prevents members of the support group from logging into the ownCloud Web interface from 5pm-9am, and also blocks client syncing.
The second rule prevents members of the qa-team group from accessing the Web UI from IP addresses that are outside of the local network.
Figure 2: Two example rules that restrict logins per user group
All other users are not affected, and can log in anytime from anywhere.
You can combine multiple rules into one by using a regular expression. For example, if the same rule applies to both the support and the qa-team groups, you could write the group condition like this:
Regular Expression > ^(support|qa-team)$ > is > User group
We do not recommend modifying the rule values directly in your config.php. They are stored JSON-encoded, so the values are difficult to read, and a single typo will break all of your rules.
Starting with ownCloud 9.0, the easiest way to block access to a folder is to use a system tag. A rule type was added that blocks access to files and folders where at least one of the parents carries a given tag. You then only need to add the tag to the folder or file and block that tag with the File Firewall.
This example rule blocks access to any folder tagged “Confidential” (as with every rule, all of the listed conditions must match for the request to be blocked):
Block by System Tag:
System file tag: is "Confidential"
Subnet IPv4: is not "255.255.255.0/24"
If you are using branded ownCloud clients, you may define firewall.branded_clients in your config.php to identify your branded clients in the firewall “User Device” rule.
The configuration is a User-Agent => Device map. Device must be one of the following:
The User-Agent is always compared in lowercase. By default the agent is compared with equals. When a trailing or leading asterisk (*) is found, the agent is compared with starts with or ends with, respectively. If the agent has both a leading and a trailing *, the string may appear anywhere in the User-Agent. For technical reasons the User-Agent string must be at least 4 characters long (including wildcards). (When you build your branded client you have the option to set a custom User-Agent.)
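The matching rules above, as an added example that is not the File Firewall's own code: a function that resolves a request's User-Agent against a firewall.branded_clients map. The function name, the sample map and the null result for "not a branded client" are assumptions made for this example.

```php
<?php
// Added example (not ownCloud code): apply the documented branded_clients
// matching rules to a User-Agent header. The map has the same shape as the
// config.php entry: User-Agent pattern => device name.
function matchBrandedClient(array $brandedClients, string $userAgent): ?string
{
    $ua = strtolower($userAgent);                 // comparison is always lowercase
    foreach ($brandedClients as $pattern => $device) {
        $pattern = strtolower($pattern);
        if (strlen($pattern) < 4) {
            continue;                             // below the documented 4-char minimum
        }
        $leading  = $pattern[0] === '*';
        $trailing = substr($pattern, -1) === '*';
        $needle   = trim($pattern, '*');
        if ($needle === '') {
            continue;                             // wildcards only would match every client
        }
        if ($leading && $trailing) {
            $matched = strpos($ua, $needle) !== false;            // appears anywhere
        } elseif ($trailing) {
            $matched = strpos($ua, $needle) === 0;                // starts with
        } elseif ($leading) {
            $matched = substr($ua, -strlen($needle)) === $needle; // ends with
        } else {
            $matched = $ua === $needle;                           // equals (default)
        }
        if ($matched) {
            return $device;
        }
    }
    return null;                                  // assumption: no match = not branded
}

// Constructed sample map; replace the keys with your own User-Agent strings.
$brandedClients = array(
    'mirall-mybrand*'       => 'desktop_branded', // starts with
    '*mybrand-ios*'         => 'ios_branded',     // appears anywhere
    'mybrand android 2.0.1' => 'android_branded', // exact match only
);

// Constructed sample User-Agent headers as a client might send them.
$agents = array(
    'Mirall-MyBrand/2.3.1 (Windows)',
    'Mozilla/5.0 (iPhone) MyBrand-iOS/1.0',
    'MyBrand Android 2.0.1',
    'MyBrand Android 2.0.2',
);
foreach ($agents as $agent) {
    printf("%-40s => %s\n", $agent, matchBrandedClient($brandedClients, $agent) ?? 'not branded');
}
```

Because the User-Agent header is chosen by the client, a User Device condition distinguishes client types but does not authenticate them; combine it with group, subnet or tag conditions when the rule is meant to enforce access control.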
In this example configuration, replace the example User-Agent strings (the array keys) with the User-Agent strings of your own branded clients; the device values, for example 'android_branded', must be one of the supported devices:
// config.php: add this key to the $CONFIG array
'firewall.branded_clients' => array(
    // User-Agent pattern (compared in lowercase, * as wildcard) => device
    'my ownbrander android user agent string'        => 'android_branded',
    'my ownbrander second android user agent string' => 'android_branded',
    'my ownbrander ios user agent string'            => 'ios_branded',
    'my ownbrander second ios user agent string'     => 'ios_branded',
    'my ownbrander desktop user agent string'        => 'desktop_branded',
    'my ownbrander second desktop user agent string' => 'desktop_branded',
),
The Web UI dropdown then expands to the following options:
Then these options operate this way: