Skip to main content

Configure Instance Firewalls

DewaVPS Cloud Firewalls provide a crucial layer of security by acting as a virtual barrier controlling network traffic to and from your Instances before it reaches the operating system. Properly configured firewalls are essential for protecting your services from unauthorized access and potential attacks.

Benefits of Using DewaVPS Cloud Firewalls:

  • Enhanced Security: Block unwanted traffic at the network edge, significantly reducing the attack surface of your Instance's OS.
  • Improved Performance: Your Instance doesn't waste CPU cycles processing and rejecting traffic that the firewall already blocks.
  • Centralized Management: Manage network rules for your Instances through the user-friendly DewaVPS control panel instead of complex command-line configurations on each server.
  • Stateful Inspection: DewaVPS Firewalls are stateful. This means if you allow an outgoing connection, the return traffic for that specific connection is automatically permitted without needing a separate inbound rule. Likewise, if you allow an inbound connection (e.g., to your web server), the firewall automatically permits the outgoing responses for that session.

Key Firewall Concepts

  • Inbound Rules: These rules control traffic coming into your Instance from the internet or other network sources. The DewaVPS Firewall management within the Instance tab focuses primarily on these inbound rules.
  • Default Incoming Policy: This is the baseline behavior for traffic that doesn't match any specific rule you define.
    • Accept: Allows all incoming traffic by default. You then add specific DROP rules to block unwanted traffic. (Less Secure)
    • Drop: Blocks all incoming traffic by default. You must explicitly add ACCEPT rules for only the traffic you need. (More Secure - Recommended)
  • Rule Components: Each firewall rule consists of several parts:
    • Source IP: The IP address or range (using CIDR notation like 192.0.2.10/32 for a single IP or 10.0.0.0/16 for a range) or an IP List from which the traffic originates.
    • Type: Predefined common services (like SSH, HTTP, HTTPS) which automatically fill the protocol and port, or Custom which allows you to specify them manually.
    • Protocol: The network protocol (usually TCP for connection-oriented services like SSH/HTTP/Databases, or UDP for connectionless services like DNS/some games/streaming).
    • Destination Port: The specific port number (e.g., 22, 80, 443) or range (e.g., 10000-10010) on your Instance the rule applies to.
    • Action: ACCEPT (allow the traffic) or DROP (silently discard the traffic).
    • Description: A human-readable note explaining the purpose of the rule (highly recommended).
  • IP Lists: Reusable, named groups of IP addresses or CIDR ranges. Using IP Lists simplifies managing rules that apply to multiple sources (e.g., office IPs, monitoring service IPs).

Managing Firewalls on an Instance

You can manage firewall rules directly from the specific Instance's management page within the DewaVPS control panel.

1. Accessing the Firewall Tab:

  • Log in to your DewaVPS account.
  • Navigate to the Instances section in the sidebar.
  • Click on the name of the Instance you want to manage.
  • Select the Firewall tab on the Instance's management page.

2. Setting the Default Incoming Policy:

  • Within the Firewall tab, locate the setting for the default policy for incoming traffic.
  • Choose either Accept (allow by default) or Drop (deny by default).
  • Recommendation: Set this to Drop for a more secure posture (principle of least privilege).

3. Managing IP Lists:

  • Creating an IP List:
    • Click the "Create" button on the IP List section.
    • A modal will appear prompting for:
      • Name: A descriptive name for the list (e.g., Office_IPs, Monitoring_Services).
      • Description: An optional explanation of the list's purpose.
    • Click Submit. A new empty IP List card/section will appear.
  • Adding IPs to a List:
    • On the IP List card you just created (or an existing one), click the + (Add IP) button.
    • Enter the IP address or CIDR range (e.g., 203.0.113.5/32, 192.168.1.0/24).
    • Add an optional description for this specific entry.
    • Click Submit. Repeat for all IPs/ranges needed in this list.
  • Deleting an IP List:
    • On the IP List card, click the Delete (trash bin) icon.
    • Confirm the deletion.

4. Adding Firewall Rules:

  • Click the button to Create button on the Firewall section.
  • A modal window will appear. Fill in the details:
    • Source IP: Enter a specific IP (1.2.3.4/32), a CIDR range (10.0.0.0/8), 0.0.0.0/0 for All IPv4, ::/0 for All IPv6, or the exact Name of a pre-configured IP List.
    • Type: Select a preset like SSH, HTTP, HTTPS if applicable. Otherwise, choose Custom TCP or Custom UDP.
    • Protocol: (Enabled if Type is Custom) Select TCP or UDP.
    • Destination Port: Enter the specific port number (e.g., 22) or a port range (e.g., 3306).
    • Action: Choose ACCEPT or DROP.
    • Description: Write a clear explanation (e.g., "Allow SSH access from Office", "Allow public web traffic").
  • Click Submit. The rule will be added to the list.

5. Editing, Disabling, and Removing Rules:

  • Existing rules will be listed in the Firewall tab.
  • Edit: Edit icon (pencil) next to a rule to modify its parameters.
  • Enable/Disable: Toggle on/off switch to temporarily disable a rule without deleting it.
  • Remove: Delete icon (trash bin) next to a rule to permanently remove it.