A firewall is a network security device used to protect servers from network threats. The firewall monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. You can set rules for all connections except port 25 for outbound traffic as it is blocked by default. If you use a Load Balancer and your Virtual Machine is in a pool, configure its firewall by opening ports for receiving and transmitting data to the Load Balancer. For more information, refer to our guide “Create and configure a Load Balancer”.

Create a firewall

If you don’t create your custom firewall, the default firewall will be used. 1. Open a window to create a firewall. You can do this in two ways:
  • In the Cloud menu, go to Networking > Firewalls > Create firewall.
  • When you’re creating a Virtual Machine, navigate to Firewall settings and select Add a Firewall.
Firewalls
2\. Give your firewall a name. 3. Set Inbound rules which would define the allowed incoming traffic.
Click New rule and select one of the template rules, or choose Custom to apply custom settings.
  • Template rules (All TCP/all UDP/SSH/HTTP/HTTPS/MySQL/DNS UPD/DNS TCP/PostgreSQL): template rules come with pre-configured protocols and ports for typical connections
  • Custom rule: if you select a custom rule, specify the protocol and port manually.
Inbound rule
For Sources, set a specific IP address range in the CIDR format. Otherwise, the rule will be applied to all IP addresses. You can attach multiple firewalls to a single Virtual Machine, and each port (interface) can have its own dedicated firewall. 4. Set the Outbound rules which would define the allowed outgoing traffic. Please note that by default, outbound traffic over port 25 (TCP/UDP) is restricted, while all other outbound ports are open. Click New rule and select one of the template rules or choose Custom to apply custom settings.
  • Template rules (All TCP/all UDP/SSH/HTTP/HTTPS/MySQL/DNS UPD/DNS TCP/PostgreSQL): template rules come with pre-configured protocols and ports for typical connections
  • Custom rule: If you select a custom rule, specify the protocol and port manually.
Custom rule
For Sources, set a specific IP address range in the CIDR format. Otherwise, the rule will be applied to all IP addresses. Outbound traffic on port 25 (SMTP) is closed by default to prevent abusive actions within our network. To open this port, please reach out to our support team. 5. (optional) Apply a firewall to a Virtual Machine by selecting it in the Apply to Instance drop-down list. 6. (optional) Add tags by switching on the Add tags toggle in the Additional options section and specifying headers and tags. 7. Click Create firewall.

Use the default firewall

If you don’t specify which firewall to apply to your Virtual Machine, the default firewall will be applied. The default firewall contains inbound rules, which allow the following traffic for IPv6 as for IPv4 addresses:
  • SSH connections over TCP protocol on port 22
  • Remote Desktop Protocol (RDP) connections over TCP and UDP protocols on port 3389.
  • Internet Control Message Protocol (ICMP) is allowed.
All outgoing connections are allowed. Some operating systems also have an internal firewall, providing an additional layer of protection. However, to prevent misconfiguration, it’s best to configure either the cloud firewall or the OS firewall, but not both at the same time. When you activate the service, the system automatically creates a default firewall in the default project. If you don’t specify a custom firewall, this default firewall will be applied to your Virtual Machine.

Manage a firewall

Firewalls protect your cloud infrastructure by filtering network traffic based on defined rules. Use the steps below to configure firewall rules, assign them to Virtual Machines, or delete a firewall if needed.

Add, change and delete rules

1. Go to the Networking tab > Firewalls. 2. Find the required firewall, click the ⋯ menu on the right and select Rules.
Firewalls
Please note that the RDF template is currently not included in the list of predefined template rules. If you require specific configurations not covered by the available templates, consider using the ‘Custom’ rule option and specifying the necessary ports and protocols.

Assign to a Virtual Machine and detach from it

1. Go to the Networking tab > Firewalls. 2. Find the required firewall, click the ⋯ menu on the right and select Instances.
Firewalls

Delete a firewall

WarningYou can’t delete a default firewall.
1. Go to the Networking tab > Firewalls. 2. Find the required firewall, click the ⋯ menu on the right and select Delete.
Delete a firewall

Restore a default firewall

To restore the default security group settings, you can either use the API or click Restore Default in the Firewall Rules section. This will restore any custom changes made to the firewall settings to their default configuration.
Restore Default option for resetting firewall settings

Firewall feature not supported for Bare Metal servers

Please note that the Firewall feature is not supported for Bare Metal servers. Unlike Virtual Machines or other cloud services that can easily integrate with cloud-native firewalls, Bare Metal servers operate directly on physical hardware and are not subject to the same level of firewall management. For network security, Bare Metal servers can use the following alternatives:
  • You can manually configure network security using solutions like iptables or nftables (recommended) to protect your server at the network level. Other similar solutions can also be used to set up necessary firewall rules based on your security needs.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -P INPUT DROP
  • For an additional layer of protection, opt for Gcore DDoS Protection to keep your server available during attacks. DDoS Protection redirects traffic to the Threat Mitigation System (TMS), which performs filtering and threat detection, preventing service disruptions with its always-on mode.
For more information, please reach out to our support team for tailored DDoS Protection plans.