External Firewall

Follow

All Mammoth Cloud servers include access to a web-based IPv4 firewall configuration tool free of charge.

This firewall is external to the VPS and can be used to configure exactly what IPv4 traffic you allow into (and out of) your server.

Note: the mPanel firewall supports IPv4 only. It does not provide IPv6 support


We suggest using the mPanel firewall for "broad strokes" like allowing SSH, HTTP, and nothing else, and then using your VPS' firewall for blocking individual IPs and more complex things that cannot be expressed purely as a single list.

As a general rule of thumb we recommend limiting the mPanel firewall to a maximum of ten rules and using your server's firewall to blacklist individual IPs.

Through our management panel customers can configure a list of rules that determine what happens to VPS traffic. Each rule consists of:

  • One or more source addresses
  • One or more destination addresses
  • Optionally, one or more ports.
  • Protocol; All, TCP, UDP, or ICMP
  • The action to take for matching traffic: block or allow


Port ranges can be used by separating beginning and end ports with a colon, for example; '80,443,2070:2099,3306'

The firewall also accepts CIDR subnet notation, for example; 192.168.8.0/24

Once a suitable firewall configuration is in place, the "Save & Apply" button will immediately apply the chosen rules without requiring a server reboot.

If you make a mistake and block your remote access to the server, simply delete the rule and start over - as the web-based firewall operates outside the VPS, there is no possibility of permanently preventing your own access.

An import/export tool is also available, which provides the ability to manipulate the rules as a block of JSON-structured text. This allows rules to be created offline, or easily copied from one server to another.

 

Example

In this example we will allow HTTP and HTTPS connections from anyone on the internet, allow SSH connections from your own IP only, and block everything else. These are "incoming" rules, meaning we need to set the destination to the server's IP address.

 

First, add the rule to allow public HTTP+HTTPS as follows:

  • Source Address(es): Click the magnifying glass icon and select "Any addresses" , or type in: 0.0.0.0/0
  • Destination Address(es): Click the magnifying glass icon and select "Server Public Addresses"
  • Destination Port(s): Click the magnifying glass icon and select HTTP+HTTPS, or type in: 80,443
  • Protocol(optional): TCP
  • Action: Allow


Second, add the rule to allow SSH only from your own computer as follows:

  • Source Address(es): Click the magnifying glass icon and select "Current IP". If you have other addresses you know you need remote access from, you may enter additional addresses by separating them with commas.
  • Destination Address(es): Click the magnifying glass icon and select "Server Public Addresses"
  • Destination Port(s): Click the magnifying glass icon and select SSH, or type in: 22
  • Protocol(optional): TCP
  • Action: Allow


Finally, enter the following to block all other connections:

  • Source Address(es): Click the magnifying glass icon and select "Any addresses" , or type in: 0.0.0.0/0
  • Destination Address(es): Click the magnifying glass icon and select "Server Public Addresses"
  • Destination Port(s): Leave blank
  • Protocol(optional): Leave set to ALL
  • Action: Block

You will end up with a screen something like this:

mpanelfirewallexample.png


Click Save & Apply at the bottom of the page to apply the changes. If you need to access SSH from a different IP address, you can return to mPanel firewall in the future and update your IP address.

Remember that if you have any issues accessing your server you may return to mPanel firewall and delete the appropriate rule(s) to gain access.

 

Internal VPS Firewall

As the server administrator, you are able - and encouraged - to configure your server's own firewall in a suitable manner. Our VPS installs are pre-configured to respond to:

  • ICMP ECHO ("ping") requests
  • Listen for SSH connections (Linux only)
  • Listen for Remote Desktop connections (Windows only)


For many customers, this initial firewall configuration provided is perfectly suitable as is.

Have more questions? Submit a request

Comments

Powered by Zendesk