Description 

For your virtual server LeaseWeb offers free Basic Firewall functionality which you can enable to restrict and control access to your virtual server.

By default turning the Firewall On will block all traffic to your virtual server. You will need to create rules to grant access to each and every service and port that you want to make available.

Turning the Firewall Off will allow all traffic to reach your virtual server. By default the Firewall is turned Off when a new virtual server gets delivered.


Turning on/off firewall for a virtual server

You enable the firewall to secure your system from several types of attacks and to restrict access to ports that you don't want to remain open to external traffic.

Turning the firewall On blocks all traffic for the TCP, UDP and ICMP protocols, so by default no traffic can reach your instance. By creating new firewall rules you can grant restricted or public access to specific ports and services.

Turning the firewall Off allows all traffic to reach your virtual server through all available ports.

To ensure that only filtered traffic, from the specified IP addresses and over the specified protocols and ports, is allowed to reach your instance, you need to create firewall rules.

Perform the following steps to turn on/off firewall for a virtual server:

  1. In the menu bar, under Cloud, select "Virtual Server".
    The Virtual Servers Overview page displays. 

     
     
  2. Click the Manage button for the virtual server for which you want to turn on/off the firewall.
    The Server Management page displays.

     

  3. Click the Firewall tab to turn on/off the firewall for the instance.



  4. Click the "Turn On" button.
    You will receive a warning message. Click the "OK" button.



  5. You will receive a message stating that the firewall is successfully turned on, encouraging you to create a firewall rule.



  6. Once your firewall is turned on, you get the option to turn it off (allowing all traffic to reach your virtual machine).
     
  7. Click the "Turn Off" button to turn off the firewall for the virtual machine. 
    You will receive a warning message. Click the "OK" button.



  8. You will receive a message stating that the firewall is successfully turned off.


     


 

Creating firewall rule

Turning the firewall On blocks all traffic for the TCP, UDP and ICMP protocols, so by default no traffic can reach your instance.

To selectively allow traffic from certain IP addresses to reach a few selected ports of your virtual machine, you need to create firewall rules. Based on these rules, traffic from the specified IP address range is allowed to reach your virtual machine using the specified protocol and on the specified ports.

 

Note: you can create firewall rules before turning the firewall on. Those rules will be applied immediately when you do turn On the firewall, which should prevent unnecessary downtime for your services.

 

Perform the following steps to create firewall rules for a Virtual Server:

  1. In the menu bar, under Cloud, select "Virtual Server".
    The Virtual Servers Overview page displays. 

     
     
  2. Click the Manage button for the Virtual Server for which you want to create a firewall rule.
    The Server Management page displays.

     

  3. Click the Firewall tab to create a firewall rule for an instance.

    Note: You can create firewal
     
     

  4. Click the "Create Rule" button. 
    The "Create Firewall Rule" popup window displays.  Enter the following values and click the "Confirm" button.

    Field Name / Description

    Protocol
    You can allow external traffic to reach your virtual machine over one of these three protocols (by bypassing the firewall):
    • TCP
    • UDP
    • ICMP

    Source IP Address
    Enter an IP address or a range of IP addresses (in CIDR notation) from which traffic is allowed to reach certain ports of your virtual machine (by bypassing the firewall).

    To allow public access to a service use the ip-address range 0.0.0.0/0 which will match all IPv4 ip-addresses and network ranges.

    A single IP-address in CIDR notation is the IP-address followed by the /32 prefix e.g. 192.0.2.17/32

    Startport
    Enter the port number of the virtual machine through which you allow external traffic to reach the virtual machine (by bypassing the firewall). For example, Port 80. However, if there are multiple ports through which you want external traffic to reach the virtual machine, you can enter the start (first) port number here. In the "Endport" field name, you can enter the end (last) port number. For example, if you want port numbers 50-60 to allow traffic into the virtual machine, you need to enter 50 here.

    Endport (optional)
    If there are multiple ports through which you want external traffic to reach the virtual machine, you can enter the end (last) port number here. For example, if you want port numbers 50-60 to allow traffic into the virtual machine, you need to enter 60 here.

    Name (optional)
    Enter a name for this firewall rule. It will help you to identify the type of rule you have created when applying it to a virtual machine.



  5. Click the "Confirm" button.
    The rule you created will display under the "Firewall" tab and is immediately applied to the virtual machine.

 

FAQs about Virtual Server Firewall

How do I allow the whole internet to connect to my service?
The network range "0.0.0.0/0" denotes the whole internet and will allow every network range and IP address access to the port (range) you select.

My firewall settings block all traffic, but I still see incoming traffic in the data traffic graphs. What is going on there?
Even though the traffic gets blocked from reaching your server, it is still coming into the LeaseWeb network. Blocked traffic is still calculated as part of the data traffic for your server and therefore displayed in the data traffic graphs.

Does LeaseWeb block any ports?
Please check https://www.leaseweb.com/legal for the most recent policies, terms and conditions on what connectivity is blocked and when LeaseWeb is entitled to block more. 
At the time of writing this FAQ, §7.3 of the policy states that, for our whole network, LeaseWeb shall in any event actively block the following ports:

    1. UDP/137 – NetBIOS
    2. UDP/139 – NetBIOS
    3. TCP/135-139 – NetBIOS
    4. TCP/445 – SMB

Does the firewall block outgoing traffic?
No. With the exception of the ports mentioned above, all outgoing traffic is allowed by default, even when the firewall is turned On.
It is also not possible to block specific outgoing traffic with custom firewall rules.

Does the firewall automatically allow related traffic, for instance to the DATA port in passive FTP?
No, the firewall does not automatically allow related traffic.
If you want to allow FTP in combination with the basic firewall, it is recommended that you configure your FTP server to use only a restricted range of ports for passive FTP and then open that range with a specific rule, in addition to the default TCP port 21 used for the FTP command channel.
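
The rule fields from "Creating firewall rule" and the passive FTP answer above can be checked together with a small local model of the firewall. This is an added example, not LeaseWeb code: the names Rule, allowed and public_rules, the passive range 50000-50100 and all addresses are constructed assumptions used to simulate the default-deny behaviour described on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str                  # "TCP", "UDP" or "ICMP"
    source: str                    # CIDR, e.g. "192.0.2.17/32" or "0.0.0.0/0"
    startport: Optional[int] = None
    endport: Optional[int] = None  # optional; a single port when omitted
    name: str = ""

    def matches(self, protocol, src_ip, port=None):
        if protocol.upper() != self.protocol.upper():
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.protocol.upper() == "ICMP":
            return True            # ICMP has no ports
        if port is None or self.startport is None:
            return False
        last = self.endport if self.endport is not None else self.startport
        return self.startport <= port <= last

def allowed(rules, firewall_on, protocol, src_ip, port=None):
    """Firewall Off passes everything; On is default-deny plus allow rules."""
    if not firewall_on:
        return True
    return any(r.matches(protocol, src_ip, port) for r in rules)

def public_rules(rules):
    """Names of rules open to every IPv4 source (prefix length 0)."""
    return [r.name for r in rules if ipaddress.ip_network(r.source).prefixlen == 0]

# Constructed rule set: SSH from one admin host, public web, FTP command channel.
RULES = [
    Rule("TCP", "192.0.2.17/32", 22, name="ssh-admin"),
    Rule("TCP", "0.0.0.0/0", 80, name="http"),
    Rule("TCP", "0.0.0.0/0", 21, name="ftp-command"),
]
# Assumed passive range; the FTP server must be configured to use the same one.
PASSIVE_FTP = Rule("TCP", "0.0.0.0/0", 50000, 50100, name="ftp-passive")

if __name__ == "__main__":
    client = "198.51.100.9"        # constructed client address
    print("ssh from stranger:", allowed(RULES, True, "TCP", client, 22))
    print("ftp data, no range rule:", allowed(RULES, True, "TCP", client, 50042))
    print("ftp data, range opened:",
          allowed(RULES + [PASSIVE_FTP], True, "TCP", client, 50042))
    print("rules open to 0.0.0.0/0:", public_rules(RULES))
```

Running the audit function over a planned rule list before turning the firewall On shows which services would be reachable from any address and which connections, such as the passive FTP data channel, would be dropped.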

 

