lift firewall

Manage server firewall rules, banned IPs, and IP whitelists from the CLI.

Manage OS-level firewall rules, banned IPs, and IP whitelists on the server. All operations run over SSH with sudo privileges.

Subcommands

| Command | Description |
| --- | --- |
| lift firewall list | List all UFW rules |
| lift firewall add | Add a UFW allow rule |
| lift firewall remove | Remove a UFW allow rule |
| lift firewall status | Show ban status and banned IPs |
| lift firewall unban <ip> | Unban an IP address |
| lift firewall whitelist <domain> | Manage IP whitelist for a domain |

lift firewall list

List all active UFW firewall rules with numbers, targets, actions and sources.

lift firewall list
lift firewall list --output jsonl

Example output:

UFW Status: active

  NUM  TO          ACTION    FROM            COMMENT
  ---  --          ------    ----            -------
  [1]  22/tcp      ALLOW IN  Anywhere        SSH
  [2]  80/tcp      ALLOW IN  Anywhere        HTTP
  [3]  443/tcp     ALLOW IN  Anywhere        HTTPS
  [4]  5432/tcp    ALLOW IN  10.0.0.0/8      database

lift firewall add

Add a UFW allow rule for a port, protocol and optional source IP.

| Flag | Description | Default |
| --- | --- | --- |
| --port | Port number or range, e.g. 5432 or 3000:3100 (required for tcp/udp; omit for icmp) | - |
| --protocol | Protocol: tcp, udp, or icmp | tcp |
| --from | Source IP, CIDR, or my-ip to auto-detect | any |
| --comment | Optional rule comment | - |

Use --from my-ip to automatically detect your current SSH client IP address.

# Allow port 5432 from anywhere
lift firewall add --port 5432

# Allow from a specific subnet
lift firewall add --port 5432 --from 10.0.0.0/8

# Auto-detect your IP with a comment
lift firewall add --port 8080 --from my-ip --comment "office access"

# Port range
lift firewall add --port 3000:3100 --protocol tcp --from 192.168.1.0/24

# UDP (e.g. WireGuard)
lift firewall add --port 51820 --protocol udp --comment "WireGuard"

# Allow ICMP (ping) from a specific subnet
lift firewall add --protocol icmp --from 10.0.0.0/8 --comment "allow ping"
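The flag table above fixes what `--port`, `--protocol` and `--from` may contain (a port or ascending range, tcp/udp/icmp, and any/my-ip/IP/CIDR). The script below is an added example, not part of the lift CLI: a set of POSIX sh checks a wrapper can run before calling `lift firewall add`, so a malformed value fails locally instead of turning into an unintended rule. All function names are this example's own, and the `ssh_client_ip` helper is an assumption about one way my-ip could be resolved from inside an SSH session; the page does not say how lift detects it.

```shell
#!/bin/sh
# Added example (not part of the lift CLI): pre-flight validation of the values that
# `lift firewall add` forwards to UFW. Function names are this example's own.

# in_port_range N -> 0 if N is an integer in 1..65535
in_port_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_port PORT -> 0 for a single port (5432) or an ascending range (3000:3100)
validate_port() {
    case "$1" in
        *:*)
            low=${1%%:*}; high=${1#*:}
            in_port_range "$low" && in_port_range "$high" && [ "$low" -lt "$high" ]
            ;;
        *)
            in_port_range "$1"
            ;;
    esac
}

# validate_ipv4 A.B.C.D -> 0 if exactly four numeric octets, each 0..255
validate_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_source SRC -> 0 for the forms the --from flag accepts:
# "any", "my-ip", a plain IPv4 address, or IPv4/prefix with prefix 0..32
validate_source() {
    case "$1" in
        any|my-ip) return 0 ;;
        */*)
            prefix=${1#*/}
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] && validate_ipv4 "${1%/*}"
            ;;
        *) validate_ipv4 "$1" ;;
    esac
}

# check_add_args PORT PROTO FROM -> 0 if the combination matches the flag table:
# tcp/udp require a port, icmp must be given without one
check_add_args() {
    validate_source "$3" || return 1
    case "$2" in
        tcp|udp) validate_port "$1" ;;
        icmp)    [ -z "$1" ] ;;
        *)       return 1 ;;
    esac
}

# ssh_client_ip "$SSH_CONNECTION" -> first field of sshd's
# "client_ip client_port server_ip server_port" variable.
# Assumption: one way to resolve my-ip from inside the SSH session the tool opens;
# the page does not say how lift itself detects the address.
ssh_client_ip() {
    printf '%s\n' "${1%% *}"
}

# Usage in a wrapper, before `lift firewall add --port "$port" --protocol "$proto" --from "$from"`:
#   check_add_args "$port" "$proto" "$from" || { echo "invalid firewall rule arguments" >&2; exit 2; }
```

The checks mirror the table rather than UFW's full grammar: IPv6 sources and `protocol` values beyond tcp/udp/icmp are rejected on purpose, since the page documents only those forms.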

lift firewall remove

Remove an existing UFW allow rule by port, protocol and source.

| Flag | Description | Default |
| --- | --- | --- |
| --port | Port number or range (required for tcp/udp; omit for icmp) | - |
| --protocol | Protocol: tcp, udp, or icmp | tcp |
| --from | Source IP or CIDR (must match the original rule) | any |
| --force | Allow removing SSH rule (port 22) | false |

lift firewall remove --port 5432
lift firewall remove --port 5432 --from 10.0.0.0/8
lift firewall remove --port 22 --force

# Remove ICMP rule (no --port needed)
lift firewall remove --protocol icmp --from 10.0.0.0/8

lift firewall status

Show ban status, active jails, and currently banned IPs.

lift firewall status
lift firewall status --output jsonl

Example output:

Fail2ban Status
  Jails: 2 (sshd, traefik-auth)

  [sshd]
    Currently failed: 2  |  Total failed: 15
    Currently banned: 1  |  Total banned: 5
    Banned IPs: 203.0.113.5

  [traefik-auth]
    Currently failed: 0  |  Total failed: 3
    Currently banned: 0  |  Total banned: 1
    Banned IPs: none

lift firewall unban <ip>

Unban an IP address from a jail.

| Flag | Description | Default |
| --- | --- | --- |
| --jail | Specific jail to unban from | sshd |

# Unban from sshd (default)
lift firewall unban 203.0.113.5

# Unban from a specific jail
lift firewall unban 203.0.113.5 --jail traefik-auth

lift firewall whitelist <domain>

Manage the Traefik ipAllowList middleware for a specific domain. Creates/updates a dynamic config file at /etc/lift/traefik/dynamic/<domain>-whitelist.yml.

| Flag | Description |
| --- | --- |
| --list | List current whitelist entries |
| --add <ip\|my-ip> | Add IP to whitelist (my-ip auto-detects) |
| --remove <ip> | Remove IP from whitelist |
| --comment | Comment for the --add operation |

# List whitelist for a domain
lift firewall whitelist myapp.example.com --list

# Add your current IP
lift firewall whitelist myapp.example.com --add my-ip --comment "deploy server"

# Add a specific IP
lift firewall whitelist myapp.example.com --add 10.0.0.1

# Remove an IP
lift firewall whitelist myapp.example.com --remove 203.0.113.5
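The page names the file the whitelist command maintains but not its contents. The script below is an added example, not lift's own code: it renders a Traefik v3 dynamic-config file for an ipAllowList middleware of the kind that path suggests, so you can compare what the command wrote against the expected shape. The middleware name (`<domain>-whitelist` with dots replaced), the one-entry-per-address layout, and writing a bare address as a /32 host route are this example's assumptions; the path itself is the one given on this page.

```shell
#!/bin/sh
# Added example (not lift's own code): renders a Traefik v3 ipAllowList middleware
# definition. Middleware name and layout are this example's assumptions.

# render_whitelist DOMAIN IP... -> YAML for an ipAllowList middleware on stdout.
# Returns 1 when no IPs are given: Traefik rejects an ipAllowList whose sourceRange
# is empty and the router that references it goes into an error state, so removing
# the last entry is not a safe way to "allow everyone" again.
render_whitelist() {
    domain=$1; shift
    [ $# -gt 0 ] || {
        echo "render_whitelist: refusing to write an empty sourceRange for $domain" >&2
        return 1
    }
    name=$(printf '%s' "$domain" | tr '.' '-')-whitelist
    printf 'http:\n  middlewares:\n    %s:\n      ipAllowList:\n        sourceRange:\n' "$name"
    for ip in "$@"; do
        case "$ip" in
            */*) cidr=$ip ;;          # already a CIDR, keep as given
            *)   cidr="$ip/32" ;;     # single address: explicit host route
        esac
        printf '          - "%s"\n' "$cidr"
    done
}

# whitelist_path DOMAIN -> the dynamic config path named on this page
whitelist_path() {
    printf '/etc/lift/traefik/dynamic/%s-whitelist.yml\n' "$1"
}

# Example: print the rendering; on the server it would be redirected to
# "$(whitelist_path myapp.example.com)" and picked up by Traefik's file provider.
render_whitelist myapp.example.com 10.0.0.1 203.0.113.0/24
```

Two points worth checking on a live host: that the file lists only the sources you expect (`--list` should agree with `sourceRange`), and that it never ends up with an empty `sourceRange` after a `--remove`.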

Web Dashboard

Firewall management is also available in the web dashboard under Project > Firewall & Security:

| Tab | Features |
| --- | --- |
| Rules | Unified or separate view of provider + OS firewall, add/delete rules, auto-configure |
| Quick Actions | One-click presets: restrict SSH to your IP, web-only mode, add your IP to a port |
| Fail2ban | View jails, banned IPs, one-click unban, configure max retries / ban time / find time |
| Rate Limit | Traefik rate limiting: average rate, burst size, period |
| IP Whitelist | Per-tool IP access control via Traefik ipAllowList |

Testing

CLI Testing

# 1. List current rules (read-only, safe)
lift firewall list

# 2. Add a test rule
lift firewall add --port 9999 --comment "test rule"

# 3. Verify it appears
lift firewall list

# 4. Remove the test rule
lift firewall remove --port 9999

# 5. Check ban status
lift firewall status

# 6. Test whitelist (non-destructive)
lift firewall whitelist myapp.example.com --list
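Steps 3 and 4 of the CLI test verify the rule by eye, and step 5 reads the ban status the same way. The script below is an added example, not part of lift: it parses the `lift firewall list` and `lift firewall status` text shown earlier on this page (the two `SAMPLE_*` strings are constructed copies of those example outputs) and turns the sequence into checks a script can assert on. It also refuses to run the remove step while no ALLOW rule for 22/tcp is present, since losing that rule locks you out of the host. The parsing assumes that text layout; function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of lift): scripted checks for the CLI test sequence.
# SAMPLE_LIST and SAMPLE_STATUS are constructed copies of the example outputs on
# this page; the parsers below assume that layout.

SAMPLE_LIST='UFW Status: active

  NUM  TO          ACTION    FROM            COMMENT
  ---  --          ------    ----            -------
  [1]  22/tcp      ALLOW IN  Anywhere        SSH
  [2]  80/tcp      ALLOW IN  Anywhere        HTTP
  [3]  443/tcp     ALLOW IN  Anywhere        HTTPS
  [4]  5432/tcp    ALLOW IN  10.0.0.0/8      database'

SAMPLE_STATUS='Fail2ban Status
  Jails: 2 (sshd, traefik-auth)

  [sshd]
    Currently failed: 2  |  Total failed: 15
    Currently banned: 1  |  Total banned: 5
    Banned IPs: 203.0.113.5

  [traefik-auth]
    Currently failed: 0  |  Total failed: 3
    Currently banned: 0  |  Total banned: 1
    Banned IPs: none'

# rule_present LIST PORT/PROTO [FROM] -> 0 if an ALLOW rule for that target exists.
# With FROM omitted any source matches; pass Anywhere to check the --from any form.
rule_present() {
    printf '%s\n' "$1" | awk -v to="$2" -v from="${3:-}" '
        $1 ~ /^\[[0-9]+\]$/ && $2 == to && $3 == "ALLOW" && (from == "" || $5 == from) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# rule_count LIST -> number of numbered rules in the listing
rule_count() {
    printf '%s\n' "$1" | grep -c '^ *\[[0-9][0-9]*\]'
}

# ssh_still_allowed LIST -> 0 if some ALLOW rule for 22/tcp remains. Check this
# before every remove step: a cleanup that drops the SSH rule locks you out.
ssh_still_allowed() {
    rule_present "$1" 22/tcp
}

# banned_ips STATUS -> one "jail ip" line per banned address; empty output when none
banned_ips() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\[.*\]$/ { jail = substr($1, 2, length($1) - 2) }
        $1 == "Banned" && $2 == "IPs:" {
            for (i = 3; i <= NF; i++) { gsub(/,/, "", $i); if ($i != "none") print jail, $i }
        }'
}

# test_rule_cycle PORT -> steps 2-4 of the CLI test, verified against the listing
# after each step. Only meaningful on a host where lift is configured.
test_rule_cycle() {
    before=$(lift firewall list)
    ssh_still_allowed "$before" || { echo "refusing: no ALLOW rule for 22/tcp" >&2; return 1; }
    lift firewall add --port "$1" --comment "test rule"
    rule_present "$(lift firewall list)" "$1/tcp" Anywhere || { echo "rule did not appear" >&2; return 1; }
    lift firewall remove --port "$1"
    after=$(lift firewall list)
    ssh_still_allowed "$after" || { echo "SSH rule missing after remove" >&2; return 1; }
    ! rule_present "$after" "$1/tcp" Anywhere || { echo "rule still present" >&2; return 1; }
}

# Live run only when asked for explicitly; everything above is side-effect free.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    test_rule_cycle 9999
fi
```

Run it as `RUN_LIVE=1 sh check.sh` on a host where lift is configured; without that variable the file only defines the helpers, which is how the parsers can be exercised against the sample strings.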

Web Dashboard Testing

  1. Navigate to Project > Firewall & Security
  2. Rules tab: Toggle between Unified/Separate mode, add a test rule, delete it
  3. Quick Actions: Verify your IP is detected, test "Add My IP" with a custom port
  4. Fail2ban: Check jail status, test unban if there are banned IPs
  5. Rate Limit: Toggle on, set values, save, refresh to verify persistence
  6. IP Whitelist: Select a tool, add your IP, remove it