OVH US manages its own Anti-DDoS solution, called VAC (short for vacuum), that is made up of four components: Pre-Firewall, Network Firewall, Shield, and Armor. VAC serves to protect the OVH US network from DDoS attacks.
In this guide, we will cover the two portions a customer can interact with; the Network Firewall for all customers and Armor for Game Dedicated Server customers. The remainder of VAC is controlled at a network-wide level to ensure the safety of the entire OVH network.
Enabling Firewall Protection
First, log in to the OVH US Manager and click the IP option in the left-hand sidebar. Click the ellipses (...) button to the right of the IP address for which you would like to create a firewall. Then, click the Create Firewall option from the drop-down menu.
Click the Confirm button on the following pop-up. To enable the firewall, click the ellipses (...) button again and select the Enable the firewall option from the drop-down menu.
Once the firewall is enabled, you will be able to configure up to 20 rules. By default, you do not have any configured rules, so all connections can be established.
Note: The firewall automatically turns on in the event of a DDoS attack. When this occurs, the firewall cannot be disabled until the attack is fully mitigated. Therefore, it is important to keep your firewall rules up to date.
Additionally, please keep the following in mind:
- UDP fragmentation is blocked (DROP) by default. When activating the network firewall, if you are using a VPN, ensure that your MTU is correctly configured. For example, on OpenVPN you can check " MTU test."
- The network firewall is not taken into account in the OVH US network, so the rules implemented do not affect the connections inside the OVH US network.
Configuring Firewall Rules
The configuration of the network firewall is also done in the "IP" section. Click on the ellipses (...) to the right of the IP for which you would like to configure firewall rules, and select the Configure the firewall option. Click the Add a Rule button and the following screen will pop up:
When configuring a rule using the TCP protocol, the window will give you options for three flags as you can see in the image below:
The "SYN" option allows outbound connections. The server sends a SYN packet to the external IP (which does not pass through the network firewall), the external IP responds with a SYN/ACK (which passes through the network firewall). The "ESTABLISHED" option allows communication to be authorized from the moment the connection is established.
To leave open only the SSH, HTTP, HTTPS, and UDP/10000 ports, as well as allowing ICMP, create the following rules:
The rules range from 0 to 19, and they stop being processed the moment a rule applies to an appropriate packet. For example, a packet for port 80/TCP will be caught by rule 1, and any rules after will not be tested. A packet destined for port 25/TCP will only be caught by the last rule (19) which will block it because we did not allow any communication on port 25 in the previous rules.
By default, Armor is pre-configured with certain rules that OVH has determined work with the most common games. However, for customers with a Game Dedicated Server, we allow you to go a step further and configure rules for ports as well.
In order to configure rules for your ports in Armor, you will first need to log in to the OVH US Manager. Next, click the IP option on the left-hand sidebar. Click the ellipses (...) button next to the IP address of your Game Server and select the Configure the GAME firewall option.
On the following screen, click the Add a Rule button to add a rule to Armor.
Enable the ports as needed on the following screen and click the Confirm button when you are finished adding your rules. You have now successfully configured Armor.
Having read this tutorial, you should now be able to configure the Network Firewall as well as Armor to enhance the security of your OVH US services.