17.08.2020

Firewall: configuring a server firewall

Configuring a virtual server firewall in the control panel.

What is this?

You can use a firewall to manage server access and network data packets directly from the control panel. This option is included in the server cost and is not billed separately.

Currently, the limit is 50 rules; if you need more, please submit a request to technical support.

Network architecture

To avoid firewall rule conflicts and configure a firewall correctly, you need to understand the order in which the existing firewalls operate. First, you can configure a firewall for a private network. Second, you can configure a firewall for a server via the control panel. Third, you can configure an internal firewall via iptables in Linux or use the built-in Windows firewall.

Incoming packets first reach the network-level firewall (if one exists). If packets pass it, the server-level firewall comes into play, and finally the internal software firewall is applied. For outgoing packets, the reverse sequence applies.

Avoid using a server-level firewall and an internal software firewall simultaneously.

Rule creation

To configure a firewall for any VPS, go to the Firewall section in the server settings.

Important notice:

— Rule order is essential: the lower a rule's sequence number, the higher its priority. You can reorder rules by dragging and dropping them in the list.
— By default, all incoming and outgoing data packets are allowed.

To create a rule, click Add:

The Add Rule window will open. Fill in the following fields:

  • Name: a meaningful (mnemonic) name (max. 50 characters) usually describing the rule purpose;
  • Direction: direction of packets governed by the rule; can be either Incoming or Outgoing. Incoming means that the rule is applied to incoming data packets, and Outgoing means that it is applied to outgoing data packets;
  • Source/Destination: depending on the direction, contains either server IP address or one of the following values: IP address, CIDR, IP address range, or any;
  • SourcePort/DestinationPort: when TCP, UDP, or TCP and UDP is selected, you may specify a port, port range, or Any;
  • Action: action to be performed; it can be either Allow or Deny. Allow permits data packet transmission, while Deny prohibits it;
  • Protocol: protocol type (ANY, TCP, UDP, TCP and UDP, and ICMP).

To create a rule, click Save.

In our example, the rule blocks all packets coming to a server:

To apply the rule, click Save. You can create several rules and save them all at once:

The page will then look as follows:

Rule priority

The lower a rule's sequence number, the higher its priority. For example, after you have created a rule to deny all incoming traffic, create a rule to allow incoming TCP packets on port 80. After you save the configuration changes, this port will remain inaccessible, since the denying rule has higher priority than the allowing one:

To change rule priority, drag the allowing rule to the first place and save the changes:

After saving, the rules' sequence numbers will change, as well as their priorities:

In this configuration, the firewall will allow TCP packets on port 80 and block all other packets.