To protect its global infrastructure and its customers’ servers, OVHcloud offers a firewall that can be configured and integrated into the Anti-DDoS (VAC) solution: the Network Firewall. This is an option that will enable you to limit your service's exposure to attacks from the public network.
This guide will take you through the steps for its configuration.
NOTE: By default, OVHcloud does not block any ports on the Network Firewall.
Requirements
- You must have an OVHcloud service with a Network Firewall (Dedicated Server, VPS, Public Cloud instance, Private Cloud, Additional IP, etc.)
- You must have access to your OVHcloud Control Panel
- You must have basic networking skills
NOTE: This feature might be unavailable or limited on servers of the Eco product line. Please visit our comparison page for more information.
Instructions
Enable the Network Firewall
From the OVHcloud Control Panel:
- Select the Bare Metal Cloud tab at the top of the page.
- Under Network, select IP.
- Navigate to the IP address on which you wish to configure the firewall. You can use the My public IP addresses and associated services drop-down menu to filter the list.
- Click the more options ... button to the right of the IP address.
- Select Create Firewall.
Click Confirm to continue creating a firewall.
From the more options ... menu, click Enable the firewall and then Configure the Firewall to start configuring it.
You can set up to 20 rules per IP.
- UDP fragmentation is blocked (DROP) by default. If you use a VPN, remember to configure your maximum transmission unit (MTU) correctly when you enable the Network Firewall. For example, on OpenVPN you can tick MTU test.
- The Network Firewall is not applied within the OVH network, so the rules you set up do not affect connections inside this internal network.
Configuring the Network Firewall
NOTE: Please note that the OVHcloud Network Firewall cannot be used to open ports on a server. To open ports on a server, you must go through the firewall of the operating system installed on the server.
To add a rule, right-click on Add a rule:
For each rule you must choose:
- a priority (from 0 to 19, 0 being the first rule applied, followed by the others);
- an action (Authorize or Refuse);
- the protocol;
- an IP (optional);
- the source port (TCP only);
- the destination port (TCP only);
- the TCP options (TCP only).
- Priority 0: we advise that you authorize the TCP protocol on all IPs with the established option. The established option checks that the packet belongs to a session that has already been opened. If you do not authorize it, the server will not receive the TCP replies (SYN/ACK) to its own requests.
- Priority 19 (the last possible rule): refuses all IPv4 traffic that none of the preceding rules has matched.
Configuration example
To make sure that only the SSH (22), HTTP (80), HTTPS (443) and UDP (port 10000) ports are left open, while also authorizing ICMP, use the rules below:
The rules are read in order from 0 (the first rule) to 19 (the last). The chain stops being evaluated as soon as a rule matches the packet.
For example, a packet for TCP port 80 is matched by rule 2 and the rules that come after it are not tested. A packet for TCP port 25 is only matched by the last rule (19), which blocks it, because none of the previous rules authorizes communication on port 25.
If anti-DDoS mitigation is enabled, your Network Firewall rules will be applied even if you have disabled the firewall. If you do not want them applied, remember to delete your rules.
NOTE: The configuration above is only an example and should be used as a reference; its rules may not correspond to the services hosted on your server. You must configure your firewall rules according to the services actually hosted on your server. Improper firewall rules can cause legitimate traffic to be blocked and server services to become inaccessible.
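To make the first-match behaviour of the rule chain concrete, here is a small simulator added for this guide (example code, not OVHcloud's own). The rule table is constructed to follow the configuration example above; only "TCP port 80 is matched by rule 2" and "refuse all IPv4 at 19" come from the text, the priorities of the other rules are assumed.

```python
# Added example (not OVHcloud's code): simulate how the Network Firewall
# evaluates its chain. Rules are checked in priority order 0..19 and the
# first matching rule decides (Authorize or Refuse); later rules are skipped.
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Rule:
    priority: int
    action: str                      # "Authorize" or "Refuse"
    protocol: str                    # "tcp", "udp", "icmp" or "ipv4" (any protocol)
    dst_port: Optional[int] = None   # destination port, if the rule filters on one
    established: bool = False        # TCP option: packet belongs to an open session

@dataclass
class Packet:
    protocol: str
    dst_port: Optional[int] = None
    established: bool = False        # e.g. a SYN/ACK answering a connection the server opened

# Constructed rule table matching the guide's example; priorities 1, 3, 4, 5 are assumed.
RULES: List[Rule] = sorted([
    Rule(0, "Authorize", "tcp", established=True),  # keep replies to outbound TCP
    Rule(1, "Authorize", "tcp", dst_port=22),       # SSH
    Rule(2, "Authorize", "tcp", dst_port=80),       # HTTP (rule 2, as in the guide)
    Rule(3, "Authorize", "tcp", dst_port=443),      # HTTPS
    Rule(4, "Authorize", "udp", dst_port=10000),    # the UDP service on port 10000
    Rule(5, "Authorize", "icmp"),                   # ICMP
    Rule(19, "Refuse", "ipv4"),                     # catch-all: refuse anything unmatched
], key=lambda r: r.priority)

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies every criterion the rule specifies."""
    if rule.protocol != "ipv4" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.established and not pkt.established:
        return False
    return True

def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Optional[Tuple[int, str]]:
    """Return (priority, action) of the first matching rule, or None when no rule
    matches (OVHcloud blocks nothing by default, so such a packet passes)."""
    for rule in rules:                # rules are already in priority order
        if matches(rule, pkt):
            return rule.priority, rule.action
    return None
```

Running evaluate on a TCP port 25 packet shows why the catch-all matters: without rule 19 the chain would end with no match and the packet would pass.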
Mitigation
Our Anti-DDoS (VAC) solution includes three mitigation modes: automatic, permanent and forced.
Automatic mitigation: By default, all OVHcloud IPs are under automatic mitigation. Automatic mitigation will be enabled automatically only if the traffic is detected as "unusual" compared to the normal traffic usually received by the server.
Permanent mitigation: This mode can be enabled or disabled via the OVHcloud Control Panel. With permanent mitigation (if enabled), you apply a constant first level of filtering through our Shield hardware.
All traffic at all times gets through the mitigation system before reaching the server. We recommend enabling this mode for services under frequent attacks.
Please note that as permanent mitigation is part of our Anti-DDoS (VAC) solution, you can activate it on your IP without enabling the Network Firewall.
To enable it, click on the Bare Metal Cloud menu and open IP. Next, click on the ... to the right of the relevant IPv4 and select Mitigation: permanent mode.
Forced mitigation: This mode is automatically enabled once an attack is detected on the server. Once enabled on our Anti-DDoS infrastructure, it cannot be disabled. In order to protect our infrastructure, it will be enabled throughout the attack until it is completely mitigated.
Since the mitigation is part of our Anti-DDoS (VAC) solution, it cannot be disabled on a service. All OVHcloud products are delivered with Anti-DDoS protection.
Configuring Armor
In order to configure rules for your ports in Armor, you will first need to log into the OVHcloud Control Panel.
Go to the Bare Metal Cloud menu and open IP. Next, click on the ... next to the IP address of your Game Server and click on Configure the GAME firewall.
On the following screen, click the Add a rule button to add a rule to Armor.
You can set up to 30 rules per IP.
Enable the ports as needed on the following screen and click on the Confirm button when you are finished adding your rules. You have now successfully configured Armor.
Conclusion
Having read this tutorial, you should now be able to configure the Network Firewall as well as Armor (for Game dedicated servers) to enhance the security of your OVHcloud services.
Go further
For more information and tutorials, please see our other Networking and Security support guides or explore the guides for other OVHcloud products and services.