Skip to main content

Enabling and Configuring the Edge Network Firewall

Stephanie R.
Updated

Learn how to configure the Edge Network Firewall for your services.

To protect customer services exposed on public IP addresses, OVHcloud offers a stateless firewall that is configured and integrated into the Anti-DDoS infrastructure: the Edge Network Firewall. It allows to limit service exposure to DDoS attacks, by dropping specified network flows coming from outside of the OVHcloud network.

You can find more information on our Anti-DDoS solution on our website.

DS_network_EdgeFirewall01.png

OVHcloud Anti-DDoS infrastructure and game protection services diagram.

 

Requirements

NOTE: This feature might be unavailable or limited on servers of the Eco product line. Please visit our comparison page for more information.
NOTE: The Edge Network Firewall does not support QUIC protocol.

 

Instructions

The Edge Network Firewall reduces exposure to network DDoS attacks by allowing users to copy some of the server's firewall rules to the edge of the OVHcloud network. This blocks incoming attacks as close to their source as possible, reducing the risk of saturating server resources or rack connections in the event of major attacks.

 

Enabling Edge Network Firewall

To date, this feature is only available for IPv4 addresses.
The Edge Network Firewall protects a specific IP associated with a server (or service). Therefore, if you have a server with multiple IP addresses, you must configure each IP separately.

From the OVHcloud Control Panel:

  1. Click on Bare Metal Cloud.
  2. In the left-hand menu, under Network, click IP.
  3. You can use the drop-down menu underneath "My public IP addresses and associated services" to filter your services according to category.
  4. Next, click the more options ... button to the right of the relevant IPv4 and first select Enable Edge Network Firewall.

DS_network_EdgeFirewall02***.png

 

Click Confirm in the pop-up window.

DS_network_EdgeFirewall03*.png

 

Once the firewall is created, reopen the more options ... menu. Here you will see a few options that will be useful moving forward in this guide:

  1. Click here to enable/disable the firewall.
  2. Add rules to customize your firewall. You can set up to 20 rules per IP.

DS_network_EdgeFirewall04**.png

 

Click Edge Network Firewall configuration to begin.

NOTE: The Edge Network Firewall is automatically enabled when a DDoS attack is detected and cannot be disabled until the attack has ended. As a result, all the rules configured in the firewall are applied during the duration of the attack. This logic allows our customers to offload the firewall rules of the server to the edge of the OVHcloud network for the duration of the attack.

Please note that you should configure your own local firewalls even if the Edge Network Firewall has been configured, as its main role is to handle traffic from outside of the OVHcloud network.

If you have configured some rules, we recommend that you check them regularly or when changing how your services are working. As previously mentioned, the Edge Network Firewall will be automatically enabled in case of a DDoS attack even when disabled in your IP settings.
  • UDP fragmentation is blocked (DROP) by default. When enabling the Edge Network Firewall, if you are using a VPN, remember to configure your Maximum Transmission Unit (MTU) correctly. For example, with OpenVPN, you can check MTU test.
  • The Edge Network Firewall (ENF) integrated into the scrubbing centers (VAC) only handles network traffic coming from outside the OVHcloud network.

 

Configure the Edge Network Firewall

NOTE: Please note that the OVHcloud Edge Network Firewall cannot be used to open ports on a server. To open ports on a server, you must go through the firewall of the operating system installed on the server.

For more information, please refer to the following guide: Configuring the Firewall on Windows.

To add a rule:

Click + Add a rule.

DS_network_EdgeFirewall05*.png

For each rule (excluding TCP), you must choose:

  • A priority (from 0 to 19, 0 being the first rule to be applied, followed by the others)
  • A more (Refuse or Authorise)
  • The protocol
  • Source IP (optional)

DS_network_EdgeFirewall06.png

For each TCP rule, you must choose:

  • A priority (from 0 to 19, 0 being the first rule to be applied, followed by the others)
  • A mode (Refuse or Authorise)
  • The protocol
  • Source IP (optional)
  • The source port (optional)
  • The destination port (optional)
  • The TCP state (optional)
  • Fragments (optional)

DS_network_EdgeFirewall07.png

We advise authorizing TCP protocol with an established option (for packets that are part of a previously opened/started session), ICMP packets (for ping and traceroute), and optionally UDP DNS responses from external servers (if you use external DNS servers).

Configuration example:
  • Priority 0: Authorise TCP established
  • Priority 1: Authorize UDP source port 53.
  • Priority 2: Authorize ICMP
  • Priority 19: Refuse IPv4
NOTE: Firewall setups with only "Authorise" mode rules are not effective at all. There must be an instruction as to which traffic should be dropped by the firewall. You will see a warning unless such a "Refuse" rule is created.

Once you have your rules in place, you can enable/disable your firewall from the IP screen or the configuration screen (shown below).

DS_network_EdgeFirewall08*.png

 

Configuration example

To make sure that only the standard ports for SSH (22), HTTP (80), HTTPS (443), and UDP (53) are left open when authorizing the ICMP, follow the rules below:

The rules are sorted from 0 (the first rule read) to 19 (the last). The rule chain stops as soon as a rule is applied to the packet.

For example, a packet for TCP port 80 will be intercepted by rule 2 and the rules that follow will not be applied. A packet for TCP port 25 will only be captured by the last rule (19), which will block it because the firewall does not allow communication on port 25 in the previous rules.

DS_network_EdgeFirewall08.png

NOTE: The above configuration is only an example and should only be used as a reference if the rules do not apply to the services hosted on your server. You must configure the rules in your firewall to match the services hosted on your server. Incorrect configuration of your firewall rules can result in legitimate traffic being blocked and server services being inaccessible.

 

Attack mitigation - scrubbing center activity

Our Anti-DDoS infrastructure (VAC) has two modes of operation: automatic and permanent. The mitigation process is done via the automated scrubbing center. This is where our advanced technology takes a deep look at the packets and attempts to remove DDoS traffic while allowing legitimate traffic to pass through.

  • Automatic mitigation is the default: All OVHcloud IPs are under automatic mitigation. Usually, this is the best choice for your services. In case any malicious traffic is detected, the scrubbing center activates. This state is indicated by the "Forced" status for a given IP address. At this time the Edge Network Firewall is also active. The situation comes back to normal when the attack is mitigated and no more suspicious activity is observed.

  • Permanent mitigation mode can be enabled or disabled via the OVHcloud Control Panel. With permanent mitigation, you permanently apply the first level of filtering so all traffic will always pass through the mitigation system before reaching the server. We do not recommend enabling this for longer periods unless you are experiencing latency jitter due to the scrubbing center redirecting the traffic too frequently.

Please note that compared to automatic mode, there is no increase in the level of protection when this mode is enabled.

To enable it, follow these steps:

  1. Click on the Bare Metal Cloud menu.
  2. In the left-hand sidebar, under Network, click IP.
  3. Next, click the more options ... button to the right of the relevant IPv4 and select Scrubbing Centre: permanent.

DS_network_EdgeFirewall09***.png

Tip: You can create attack-only firewall rules that only apply after an attack has been detected.
To do this, Edge Network Firewall rules must be created but disabled.
NOTE: If our Anti-DDoS infrastructure mitigates an attack, your Edge Network Firewall rules will eventually be applied, even if you have disabled the firewall. If you have disabled your firewall, remember to delete your rules as well.

Please note that our Anti-DDoS infrastructure cannot be disabled on a service. All OVHcloud products are delivered within the scope of protection and this cannot be changed.

 

Network Security Dashboard

For a detailed insight into detected attacks and the results of scrubbing center activities, we encourage you to explore our Network Security Dashboard.

 

Conclusion

After reading this tutorial, you should be able to configure the Edge Network Firewall to improve the security of your OVHcloud services.

 

Go further

See our Protecting a Game Server with the Application Firewall guide.

For more information and tutorials, please see our other Dedicated Servers support guides or explore the guides for other OVHcloud products and services.

Related articles