Managing VPS firewall

Description

For your VPS, Leaseweb offers free Basic Firewall functionality, which you can enable to restrict and control access to the VPS.

By default turning the Firewall On will block all traffic to your VPS. You will need to create rules to grant access to each and every service and port that you want to make available.

Turning the Firewall Off will allow all traffic to reach your VPS. By default the Firewall is turned Off when a new virtual server gets delivered.


Turning on/off firewall for a VPS

You enable the firewall to protect your system from different types of attacks and to restrict access to ports that you don't want to keep open for external traffic.

Turning the firewall On blocks all TCP, UDP and ICMP traffic, so by default no traffic can reach your instance. By creating firewall rules you can grant restricted or public access to specific ports and services.

Turning the firewall Off allows all traffic to reach your virtual server through all available ports.

To ensure that only filtered traffic through specified protocols, IP addresses, and ports is allowed to reach your VPS, you need to create firewall rules.

Perform the following steps to turn the firewall on or off for a VPS:

  1. In the menu bar, under Compute, select Virtual Private Server.
  2. Click on the ID of the VPS for which you want to manage the firewall.
  3. Click the Firewall tab.

  4. Click the Turn On button.
    You will receive a warning message. Click OK.


  5. You will receive a message stating that the firewall is successfully turned on, encouraging you to create a firewall rule.


  6. Once your firewall is turned on, you get the option to turn it off (allowing all traffic to reach your VPS).

Creating firewall rules

In order to selectively grant access for traffic from certain IP addresses to reach a few selected ports of your VPS, you will need to create firewall rules. Based on these rules, traffic from specified IP address ranges is allowed to reach your VPS using the specified protocol and to the specified ports. 

Note: you can create firewall rules before turning the firewall on. Those rules are applied immediately when you turn the firewall On, which should prevent unnecessary downtime for your services.

Perform the following steps to create firewall rules for a VPS: 

  1. Click the Create Rule button on the Firewall tab of your VPS. 
    The Create firewall rule pop-up window displays. Enter the following values:


    Field Name: Description

    Protocol: You can allow external traffic to reach your virtual machine through the firewall over one of these three protocols:
    • TCP
    • UDP
    • ICMP

    Source IP Address: Enter an IP address or a range of IP addresses (in CIDR notation) from which traffic is allowed to reach certain ports of your VPS through the firewall.
    To allow public access to a service, use the IP address range 0.0.0.0/0, which matches all IPv4 addresses and network ranges.
    A single IP address in CIDR notation is the IP address followed by the /32 prefix, e.g. 192.0.2.17/32

    Startport: Enter the port number of the VPS on which you allow external traffic to reach the VPS through the firewall. For example, port 80. If there are multiple ports on which you want external traffic to reach the server, enter the start (first) port number here and the end (last) port number in the "Endport" field. For example, if you want port numbers 50-60 to allow traffic into the virtual machine, you need to enter 50 here.

    Endport (optional): If there are multiple ports on which you want external traffic to reach the VPS, enter the end (last) port number here. For example, if you want port numbers 50-60 to allow traffic into the server, you need to enter 60 here.

    Name (optional): Enter a name for this firewall rule. It will help you to identify the type of rule you have created when applying it to a VPS.
  2. Click Submit
    The rule you created will display under the Firewall tab and is immediately applied to the VPS.
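
The rule fields above can be modelled offline to check what a rule set will admit before the firewall is turned on. The following Python sketch is an added example, not Leaseweb code or a Leaseweb API: the Rule class, the function names, the sample rules, the list of "sensitive" ports and the treatment of ICMP as port-less are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str                      # "TCP", "UDP" or "ICMP"
    source: str                        # CIDR, e.g. "192.0.2.17/32" or "0.0.0.0/0"
    start_port: Optional[int] = None   # assumption: ICMP rules carry no ports
    end_port: Optional[int] = None     # optional; defaults to start_port
    name: str = ""

    def covers_port(self, port):
        if self.protocol.upper() == "ICMP":
            return True
        last = self.start_port if self.end_port is None else self.end_port
        return port is not None and self.start_port <= port <= last

    def matches(self, protocol, src_ip, port=None):
        # ip_network() is strict by default: "192.0.2.17/24" raises ValueError.
        net = ipaddress.ip_network(self.source)
        return (protocol.upper() == self.protocol.upper()
                and ipaddress.ip_address(src_ip) in net
                and self.covers_port(port))

def is_allowed(rules, firewall_on, protocol, src_ip, port=None):
    """Off: all traffic passes. On: default deny; a packet needs one matching rule."""
    if not firewall_on:
        return True
    return any(r.matches(protocol, src_ip, port) for r in rules)

def audit(rules, sensitive_ports=(22, 3389)):
    """Names of rules that open a sensitive port (hypothetical list) to 0.0.0.0/0."""
    return [r.name for r in rules
            if r.protocol.upper() != "ICMP"
            and ipaddress.ip_network(r.source).prefixlen == 0
            and any(r.covers_port(p) for p in sensitive_ports)]

# Constructed sample rules; addresses come from documentation ranges.
RULES = [
    Rule("TCP", "0.0.0.0/0", 80, name="public-http"),
    Rule("TCP", "192.0.2.17/32", 22, name="ssh-admin"),
    Rule("TCP", "0.0.0.0/0", 21, name="ftp-control"),
    Rule("TCP", "0.0.0.0/0", 50000, 50100, name="ftp-passive"),
    Rule("TCP", "0.0.0.0/0", 1, 1024, name="too-wide"),
]
```

Because rules only ever add access, the "too-wide" rule lets any address reach port 22 even though "ssh-admin" limits SSH to a single /32; audit(RULES) reports it, and removing it restores the intended restriction.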

FAQs about VPS Firewall

How do I allow the whole internet to connect to my service?
The network range "0.0.0.0/0" denotes the whole internet and will allow every network range and IP address access to the port (range) you select.

My firewall settings block all traffic, but I still see incoming traffic in the data traffic graphs. What is going on there?
Even though the traffic gets blocked from reaching your server, it is still coming into the Leaseweb network. Blocked traffic is still counted as part of the data traffic for your server and is therefore displayed in the data traffic graphs.

Does Leaseweb block any ports?
Please check https://www.leaseweb.com/legal for the most recent policies, terms and conditions on what connectivity is blocked and when Leaseweb is entitled to block more.
At the time of writing the FAQ, §7.3 of the policy states that for our whole Network Leaseweb shall in any event actively block the following ports:

    1. UDP/137 – NetBIOS
    2. UDP/139 – NetBIOS
    3. TCP/135-139 – NetBIOS
    4. TCP/445 – SMB

Does the firewall block outgoing traffic?
No. With the exception of the ports mentioned above, all outgoing traffic is allowed by default, even when the firewall is turned On.
It is also not possible to block specific outgoing traffic with custom firewall rules.

Does the firewall automatically allow related traffic, for instance to the DATA port in passive FTP?
No, the firewall does not automatically allow related traffic.
If you want to allow FTP in combination with the basic firewall, it is recommended that you configure your FTP server to use only a restricted range of ports for passive FTP and then open that range with a specific rule, in addition to the default TCP port 21 used for the FTP command channel.
