You're viewing documentation for the legacy version of Firezone, now End-of-Life. View the latest docs here.

Security considerations

Disclaimer: Firezone is still beta software. The codebase has not yet received a formal security audit. For highly sensitive and mission-critical production deployments, we recommend disabling local authentication as detailed below.

List of services and ports

Shown below is a table of default ports used by Firezone services.

ServicePortListen addressDescription
Caddy443/tcpallPublic HTTPS port for administering Firezone and facilitating authentication.
Caddy80/tcpallPublic HTTP port used for ACME. Disabled when ACME is disabled.
WireGuard51820/udpallPublic WireGuard port used for VPN sessions.
Postgresql5432/tcp-Containerized port used for bundled Postgresql server.
Phoenix13000/tcp-Containerized port used by upstream elixir app server.

Production deployments

For production deployments of Firezone, we recommend you disable local authentication altogether by setting default['firezone']['authentication']['local']['enabled'] = false (Omnibus-based deployments) or LOCAL_AUTH_ENABLED=false (Docker-based deployments). Local authentication can also be disabled on the /settings/security page.

Ensure you've set up a working OIDC or SAML-based authentication provider before disabling the local authentication method.

Reporting security issues

To report any security-related bugs, see our security bug reporting policy .