Configuring the Network Firewall

Last updated 20th December 2022

Objective

To protect its global infrastructure and its customers’ servers, OVHcloud offers a firewall that can be configured and integrated into the Anti-DDoS solution: the Network Firewall. This is an option you can use to limit your service's exposure to attacks from the public network.

This guide will show you how to configure your Network Firewall.

You can read more information on our Anti-DDoS solution here: https://www.ovhcloud.com/en-ie/security/anti-ddos/.

[Image: VAC in detail]

Requirements

This feature might be unavailable or limited on servers of the Eco product line.

Please visit our comparison page for more information.

Instructions

Enable the Network Firewall

The Network Firewall protects the IPs that are associated with a server. As a result, you need to configure each IP separately. You cannot configure the server as a whole.

In the OVHcloud Control Panel, click on the Bare Metal Cloud menu and open IP. You can use the drop-down menu underneath "My public IP addresses and associated services" to filter your services according to category.

[Screenshot: filtering the service list]

Next, click the ... button to the right of the relevant IPv4 and select Create Firewall.

[Screenshot: enabling the Network Firewall]

You will then be asked to confirm.

[Screenshot: confirmation]

Then click Enable the firewall (1), and click Configure the firewall (2) to start configuring it.

[Screenshot: enabling the configuration]

You can set up to 20 rules per IP.

The firewall is enabled automatically whenever a DDoS attack is detected, and cannot be disabled before the attack ends. This is why it is important to keep your firewall rules up to date. By default, no rules are configured, so all connections are allowed. If you have configured rules, we recommend reviewing them regularly, even while the firewall is disabled.

  • UDP fragmentation is blocked (DROP) by default. If you use a VPN, remember to configure your maximum transmission unit (MTU) correctly when you enable the Network Firewall. For example, on OpenVPN, you can tick MTU test.
  • The Network Firewall does not apply within the OVHcloud network, so the rules you set up do not affect connections on this internal network.

Configure the Network Firewall

Please note that the OVHcloud Network Firewall cannot be used to open ports on a server. To open ports on a server, you must go through the firewall of the operating system installed on the server. For more information, please refer to the following guides: Configuring the firewall on Windows and Configuring the firewall on Linux with iptables.

To add a rule, click on Add a rule:

[Screenshot: Add a rule]

For each rule you must choose:

  • A priority (from 0 to 19, 0 being the first rule to be applied, followed by the others)
  • An action (Authorise or Refuse)
  • The protocol
  • An IP (optional)
  • The source port (TCP only)
  • The destination port (TCP only)
  • The TCP options (TCP only)

Details on adding a rule

  • Priority 0: we advise authorising the TCP protocol on all IPs with the established option. The established option checks that the packet belongs to a session that has already been opened. If you do not authorise it, the server will not receive the TCP replies (SYN/ACK) to the connections it initiates.
  • Priority 19: we advise refusing all IPv4 traffic that has not been accepted by an earlier rule.

Configuration example

To make sure that only the SSH (22), HTTP (80), HTTPS (443) and UDP (10,000) ports are left open, while also authorising ICMP, use the rules below:

[Screenshot: example rule set]

The rules are sorted from 0 (the first rule read) to 19 (the last). The chain stops being scanned as soon as a rule is applied to the packet.

For example, a packet for TCP port 80 is caught by rule 2, and the rules that come after it are not evaluated. A packet for TCP port 25 is only caught by the last rule (19), which blocks it, because no earlier rule authorises communication on port 25.

As stated, the configuration above is only an example and should be used as a reference only; its rules may not apply to the services hosted on your server. It is absolutely necessary to configure your firewall rules according to the services hosted on your server. Improper firewall rules can block legitimate traffic and make your server's services inaccessible.
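To make the priority and first-match semantics described above concrete, here is an added Python simulation of the rule chain. It is an illustration written for this guide, not OVHcloud code and not the OVHcloud API. The rule table is a reconstruction of the screenshot: the text only states that rule 2 is TCP port 80 and rule 19 refuses everything, so the other priorities are assumed; a destination port on the UDP rule is also an assumption, based on the example's UDP port 10,000. The packets fed through it are constructed sample traffic.

```python
"""Rule-chain simulation of the Network Firewall behaviour described in this
guide (added illustration, not OVHcloud code): at most 20 rules per IP,
priorities 0..19, and the first matching rule decides."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 20  # the guide: up to 20 rules per IP


@dataclass(frozen=True)
class Rule:
    priority: int                          # 0 is evaluated first, 19 last
    action: str                            # "authorise" or "refuse"
    protocol: str                          # "tcp", "udp", "icmp" or "ipv4" (any IPv4 packet)
    source_ip: Optional[str] = None        # None = any source
    source_port: Optional[int] = None      # assumption: ports accepted on tcp and udp
    destination_port: Optional[int] = None
    established: bool = False              # TCP option: packet belongs to an open session


@dataclass(frozen=True)
class Packet:
    protocol: str
    source_ip: str
    source_port: Optional[int] = None
    destination_port: Optional[int] = None
    established: bool = False              # e.g. the SYN/ACK reply to a connection the server opened


def validate_rules(rules: List[Rule]) -> List[Rule]:
    """Enforce the constraints the guide states; return the chain sorted by priority."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules per IP")
    seen = set()
    for r in rules:
        if not 0 <= r.priority < MAX_RULES:
            raise ValueError(f"priority {r.priority} is outside 0..{MAX_RULES - 1}")
        if r.priority in seen:
            raise ValueError(f"duplicate priority {r.priority}")
        seen.add(r.priority)
        if r.action not in ("authorise", "refuse"):
            raise ValueError(f"rule {r.priority}: unknown action {r.action!r}")
        has_ports = r.source_port is not None or r.destination_port is not None
        if has_ports and r.protocol not in ("tcp", "udp"):
            raise ValueError(f"rule {r.priority}: ports only apply to tcp/udp")
        if r.established and r.protocol != "tcp":
            raise ValueError(f"rule {r.priority}: the established option is TCP only")
    return sorted(rules, key=lambda r: r.priority)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    if rule.protocol != "ipv4" and rule.protocol != pkt.protocol:
        return False
    if rule.source_ip is not None and rule.source_ip != pkt.source_ip:
        return False
    if rule.source_port is not None and rule.source_port != pkt.source_port:
        return False
    if rule.destination_port is not None and rule.destination_port != pkt.destination_port:
        return False
    if rule.established and not pkt.established:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, priority of the deciding rule). Scanning stops at the first
    match; with no rules, or no match, the packet is let through, since the guide
    says an IP without rules accepts all connections."""
    for r in validate_rules(rules):
        if matches(r, pkt):
            return r.action, r.priority
    return "authorise", None


def lint(rules: List[Rule]) -> List[str]:
    """Flag the two rules the guide recommends for every chain."""
    chain = validate_rules(rules)
    warnings = []
    if not any(r.priority == 0 and r.protocol == "tcp" and r.established
               and r.action == "authorise" for r in chain):
        warnings.append("no priority-0 'authorise TCP established' rule: replies to outbound TCP are dropped")
    if not any(r.priority == MAX_RULES - 1 and r.protocol == "ipv4"
               and r.action == "refuse" for r in chain):
        warnings.append("no priority-19 'refuse all IPv4' rule: unlisted ports stay reachable")
    return warnings


# Reconstruction of the guide's example chain: rule 2 (TCP 80) and rule 19 (refuse
# all) are stated in the text; priorities 1, 3, 4 and 5 are assumed here.
EXAMPLE_RULES = [
    Rule(0, "authorise", "tcp", established=True),
    Rule(1, "authorise", "tcp", destination_port=22),
    Rule(2, "authorise", "tcp", destination_port=80),
    Rule(3, "authorise", "tcp", destination_port=443),
    Rule(4, "authorise", "udp", destination_port=10000),
    Rule(5, "authorise", "icmp"),
    Rule(19, "refuse", "ipv4"),
]

if __name__ == "__main__":
    # Constructed sample traffic (documentation addresses), not captured data.
    for pkt in (Packet("tcp", "203.0.113.7", 40000, 80),
                Packet("tcp", "203.0.113.7", 40000, 25),
                Packet("tcp", "198.51.100.9", 443, 51000, established=True),
                Packet("udp", "203.0.113.7", 5000, 53)):
        print(pkt.protocol, pkt.destination_port, "->", evaluate(EXAMPLE_RULES, pkt))
    print("lint:", lint(EXAMPLE_RULES))
```

Running it shows the two cases from the text (TCP 80 decided by rule 2, TCP 25 refused by rule 19) and the reason the priority-0 established rule matters: the SYN/ACK reply to a connection the server opened arrives on an arbitrary high port and would otherwise fall through to rule 19. The `lint` function is the check to run before relying on a chain during an attack, when the firewall cannot be disabled.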

Mitigation

There are three mitigation modes: automatic, permanent or forced.

Automatic mitigation: With this mode, the traffic goes through the mitigation system only if it is detected as "unusual" compared to the normal traffic usually received by the server.

Permanent mitigation: By activating permanent mitigation, you apply a constant first level of filtering through our Shield hardware. All traffic passes through the mitigation system at all times before reaching the server. We recommend this mode for services that are attacked frequently.
Please note that the Network Firewall must not be created or enabled if you want to activate permanent mitigation on your IP.

To enable it, click on the Bare Metal Cloud menu and open IP. Next, click on the ... to the right of the relevant IPv4 and select Mitigation: permanent mode.

Forced mitigation: This mode is activated automatically once an attack on the server is detected, and cannot be disabled by you. In order to protect our infrastructure, it remains active for the duration of the attack, until it has been completely mitigated.

While anti-DDoS mitigation is active, your Network Firewall rules are applied even if you have disabled the firewall. If you do not want them to apply, you must delete the rules rather than only disabling the firewall.

Please note that the anti-DDoS mitigation cannot be disabled.

Configuring Armor

By default, Armor is pre-configured with certain rules that OVHcloud has determined work with the most common games. However, for customers with a Game Dedicated Server, we allow you to go a step further and configure rules for ports as well.

In order to configure rules for your ports in Armor, you will first need to log into the OVHcloud Control Panel.
Go to the Bare Metal Cloud menu and open IP. Next, click on the ... next to the IP address of your Game Server and click on Configure the GAME firewall.

[Screenshot: Configure the GAME firewall]

On the following screen, click the Add a rule button to add a rule to Armor.

You can set up to 30 rules per IP.

[Screenshot: configuring Armor]

On the following screen, enable the ports you need and click the Confirm button when you have finished adding your rules. Armor is now configured.

Conclusion

Having read this tutorial, you should now be able to configure the Network Firewall as well as Armor (for Game dedicated servers) to enhance the security of your OVHcloud services.

Go further

Join our community of users on https://community.ovh.com/en/.
