Objective
To protect its global infrastructure and its customers’ servers, OVHcloud offers a firewall that can be configured and integrated into the Anti-DDoS (VAC) solution: the Network Firewall. This is an option that will enable you to limit how much your service is exposed to attacks from the public network.
This guide will take you through the steps for its configuration.
VAC: For more information on VAC, please check out this page about our protection system against DDoS attacks: https://us.ovhcloud.com/security/anti-ddos/
Note: By default, OVHcloud does not block any ports on the Network Firewall.
Requirements
- You must have an OVHcloud service with a Network Firewall (Dedicated Server, VPS, Public Cloud instance, Private Cloud, Additional IP, etc.)
- You must have access to your OVHcloud Control Panel
- You must have basic networking skills
Instructions
Enable the Network Firewall
The Network Firewall protects the IPs that are associated with a machine. You must therefore configure each IP separately; it is not possible to configure the server as a whole.
In this section, we will be creating a VMAC (virtual MAC address) to be used by the NIC (Network Interface Card) which ESXi assigns to a VM. To begin, log in to the OVHcloud Control Panel. On the left-hand sidebar click the Network option.
Next, click Public IP Addresses.
Navigate to the IP address on which you wish to configure the firewall. Then, click the ... to the right of the IP address and select Create Firewall from the drop-down menu.
- You will then be asked for confirmation:
- You can then
Enable the firewallandConfigure the Firewallby clicking once more on the gear icon next to the IPv4:
You can set up to 20 rules per IP.
The firewall is enabled automatically upon each DDoS attack, and cannot be disabled before the attack ends. This is why it is important to keep the firewall rules up to date. As a default setting you do not have any configured rules, so all connections can be set up. If you do have any, remember to check your firewall rules regularly, even if you disable it.
- The UDP fragmentation is blocked (DROP) as a default setting. When you enable the Firewall Network, if you use a VPN, remember to correctly configure your maximum transmission unit (MTU). For example, on OpenVPN, you can tick
MTU test. - The Network Firewall is not taken into account within the OVH network, so the rules set up do not affect the connections in this internal network.
Configuring the Network Firewall
To add a rule, right-click on Add a rule:
For each rule you must choose:
- a priority (from 0 to 19, 0 being the first rule to be applied, followed by the others);
- an action (
AuthorizeorRefuse); - the protocol;
- an IP (optional);
- the source port (TCP only)
- the destination port (TCP only)
- the TCP options (TCP only)
- Priority 0: we advise that you authorize the TCP protocol on all the IPs with an
establishedoption. Theestablishedoption enables you to verify that the packet is part of a session that has previously been opened (already started). If you do not authorize it, the server will not receive the TCP protocol feedback from the SYN/ACK requests. - Priority 19: refuses all of the IPv4 protocol if any rules before 19th (the last possible) are not filled in.
Configuration example
To make sure that only the SSH (22), HTTP (80), HTTPS (443), and UDP (on port 10000) ports are left open when authorizing the ICMP, you need to follow the rules below:
The rules are sorted chronologically from 0 (the first rule read) to 19 (the last). The chain stops being scanned as soon as a rule is applied to the packet.
For example, a packet for TCP port 80 will be captured by rule 2 and the rules that come after will not be tested. A packet for TCP port 25 will only be captured at the last rule (19) which will block it, because OVHcloud does not authorize communication on port 25 in the previous rules.
If anti-DDoS mitigation is enabled, your Network Firewall rules will be applied, even if you have disabled them. If you wish to disable it, remember to delete your rules.