Managing VPS firewall

For your VPS, Leaseweb offers free Basic Firewall functionality, which you can enable to restrict and control access to the VPS.

By default, the Firewall is turned Off when a new VPS is delivered. You need to turn on the Firewall to block ingress traffic to your VPS. When you turn on the Firewall, make sure you have created firewall rules that allow the specific traffic your VPS needs.

Creating firewall rules

In order to selectively grant access for traffic from certain IP addresses to reach a few selected ports of your VPS, you will need to create firewall rules. Based on these rules, traffic from specified IP address ranges is allowed to reach your VPS using the specified protocol and to the specified ports. 

Note: you can create firewall rules before turning the firewall on. Those rules are applied immediately when you turn On the firewall, which should prevent unnecessary downtime for your services.

The firewall functionality works only with IPv4 addresses. 

  1. To create a new ingress firewall rule, log in to the Customer Portal and choose VPS.
  2. Click on a VPS and click on Manage VPS to go to the management page.
  3. On the Overview page, select the Networking tab and click Add rule.
  4. The Create firewall rule pop-up window displays. Enter the following values:

     • Name: Enter a name for this firewall rule. It will help you to identify the type of rule you have created when applying it to a VPS.
     • Protocol: You can allow ingress traffic for TCP, UDP and ICMP protocols.
     • Source: Enter a range of IP addresses (in CIDR notation) from which traffic is allowed to reach certain ports of your VPS.
       To allow public access to a service, use the IP address range 0.0.0.0/0, which matches all IPv4 addresses and network ranges.
       A single IP address in CIDR notation is the IP address followed by the /32 prefix, e.g. 192.0.2.17/32.
     • Startport: Enter the port number of the VPS through which you allow external traffic to reach the VPS (by passing through the firewall). For example, port 80.
       If there are multiple ports through which you want external traffic to reach the server, enter the start (first) port number here and the end (last) port number in the “Endport” field. For example, if you want port numbers 50-60 to allow traffic into the virtual machine, you need to enter 50 here.
     • Endport (optional): If there are multiple ports through which you want external traffic to reach the VPS, you can enter the end (last) port number here. For example, if you want port numbers 50-60 to allow traffic into the server, you need to enter 60 here.

  5. Click Submit to save the firewall rule.

Turning on Firewall for a VPS

  1. To turn on the Firewall, log in to the Customer Portal and choose VPS.
  2. Click on a VPS and click on Manage VPS to go to the management page.
  3. On the Overview page, select the Networking tab and click Turn on Firewall.
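
Because rules can be prepared before the firewall is turned on, a planned rule set can be checked offline first. The following Python is an added example, not Leaseweb code and not based on any Leaseweb API: it validates rules against the field constraints described above (IPv4 CIDR source, TCP/UDP/ICMP, start and end port) and reports connections that would be blocked once the firewall is on. Assumptions: a packet is admitted only if some rule matches it, ICMP rules carry no ports, and the names Rule, validate, allowed, audit and all sample rules and addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):           # same fields as the portal's rule form
    name: str
    protocol: str                 # "TCP", "UDP" or "ICMP"
    source: str                   # IPv4 range in CIDR notation
    startport: Optional[int] = None   # assumption: left empty for ICMP rules
    endport: Optional[int] = None     # optional: a single port when omitted
    def ports(self):
        return self.startport, self.endport or self.startport

def validate(r):
    """Problems with one rule; an empty list means it is well-formed."""
    problems = []
    if r.protocol not in ("TCP", "UDP", "ICMP"):
        problems.append(f"{r.name}: unsupported protocol {r.protocol}")
    try:
        ipaddress.IPv4Network(r.source)   # rejects IPv6 and set host bits
    except ValueError as exc:
        problems.append(f"{r.name}: bad IPv4 CIDR ({exc})")
    lo, hi = r.ports()
    if r.protocol != "ICMP" and (lo is None or not 1 <= lo <= hi <= 65535):
        problems.append(f"{r.name}: bad port range {lo}-{hi}")
    return problems

def allowed(rules, protocol, src_ip, port=None):
    """True if a rule admits the packet (assumed model: no match means blocked)."""
    src = ipaddress.IPv4Address(src_ip)
    return any(r.protocol == protocol and src in ipaddress.IPv4Network(r.source)
               and (protocol == "ICMP" or r.ports()[0] <= port <= r.ports()[1])
               for r in rules)

def audit(rules, must_reach):
    """Findings to resolve before turning the firewall on."""
    problems = [p for r in rules for p in validate(r)]
    return problems or [f"LOCKOUT: {proto}/{port} from {ip} would be blocked"
                        for proto, ip, port in must_reach
                        if not allowed(rules, proto, ip, port)]

# Constructed sample: planned rules, then connections that must keep working.
PLANNED = [Rule("https", "TCP", "0.0.0.0/0", 443),
           Rule("ssh-admin", "TCP", "192.0.2.17/32", 22),
           Rule("ftp-control", "TCP", "198.51.100.0/24", 21),
           Rule("ftp-passive", "TCP", "198.51.100.0/24", 50000, 50100)]
MUST_REACH = [("TCP", "192.0.2.17", 22), ("TCP", "203.0.113.9", 443),
              ("TCP", "198.51.100.5", 50050), ("TCP", "192.0.2.18", 22)]

print("\n".join(audit(PLANNED, MUST_REACH)) or "no findings")
```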

Managing VPS firewall - Frequently Asked Questions

  • How do I allow the whole internet to connect to my service?

    The network range “0.0.0.0/0” denotes the whole internet and allows every network range and IP address to access the port (range) you select.

  • My firewall settings block all traffic, but I still see incoming traffic in the data traffic graphs, what is going on there?

    Even though the traffic gets blocked from reaching your server, it is still coming into the Leaseweb network. Blocked traffic is still counted as part of the data traffic for your server and is therefore displayed in the data traffic graphs.

  • Does Leaseweb block any ports?

    Please check https://www.leaseweb.com/en/about-us/legal/sales-contract for the most recent policies, terms and conditions on what connectivity is blocked and when Leaseweb is entitled to block more.

    At the time of writing the following ports are blocked on the network level:

    • UDP/137 – NetBIOS
    • UDP/139 – NetBIOS
    • TCP/135 through 139 – NetBIOS
    • TCP/445 – SMB
    • UDP/11211 – Memcache

  • Does the firewall block outgoing traffic?

    No. All outgoing traffic is allowed, even when the firewall is turned On.
    It is also not possible to block specific outgoing traffic with custom firewall rules.

  • Does the firewall automatically allow related traffic, for instance traffic to the data port in passive FTP?

    No, the firewall does not automatically allow related traffic.
    If you want to allow FTP in combination with the basic firewall, it is recommended that you configure your FTP server to use only a restricted range of ports for passive FTP, and then open that range with a specific rule in addition to the default TCP port 21 used for the FTP command channel.