Firewall
A firewall inspects network packets and allows or blocks traffic according to a preset set of rules.
Warning
Firewall service is currently in beta. To improve the service, please provide feedback by creating a technical support ticket (select Support in the Control Panel).
Firewall Management
Our service uses a stateful firewall—a network firewall that monitors the state of network connections and makes decisions about allowing or blocking packets based not only on static rules (e.g., IP addresses and ports), but also on the context of outgoing connections:
The client initiates a connection (e.g., sends a TCP SYN).
The firewall checks the rules and, if the connection is allowed, updates the state table accordingly.
When the server responds (SYN-ACK), the firewall recognizes this as a response to an existing request and allows the packet through.
If a packet arrives that belongs to no existing connection and matches no rule, it is blocked. This stops unsolicited packets, for example a forged SYN-ACK for a connection the client never opened, which helps protect against certain attacks such as spoofing.
To enable the firewall in the Control Panel, go to the Infrastructure section, Firewalls tab, set traffic rules, and then turn on the Enable Firewall toggle.
If the Enable Firewall toggle is off, all traffic is passed through without any processing, regardless of whether rules exist.
By default, if no rules are created, all incoming traffic is blocked. We recommend adding rules that allow ICMP and ICMPv6; otherwise ping and path MTU discovery towards your servers stop working.
Firewall Rules
Each region must have its own firewall rules to allow incoming traffic. Network traffic passing through the firewall is compared against the configured rules to determine whether to allow it.
Note that outgoing traffic is not filtered: the rules apply only to incoming traffic.
To add the rule:
In the Control Panel, go to the Infrastructure section, Firewalls tab.
Click the Add rule button.
The Family field is mandatory, and every other field you leave empty matches anything. For example, a rule with Family set to IPv6 and no protocol, CIDR or ports allows all IPv6 traffic.
Specify the protocol and, where the protocol uses them, the ports. Ports can be given as a comma-separated list or as a range, for example 21-23 or 80,443. If no ports are specified, all ports of the selected protocol are opened.
Fill in the remaining fields of the rules table as needed. The ICMP type and ICMP code fields apply only to the ICMP/ICMPv6 protocols.
Click the Add rule button. The rule will be created.
Existing rules cannot be edited. To change a rule, create the new rule first and then delete the old one, so that the traffic it allows is not interrupted in between.
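The following is an added illustration, not the provider's own code: a toy model of the stateful, inbound-only firewall described above, covering both the state-table logic (outbound SYN seeds the table, the SYN-ACK reply is admitted, an unrelated SYN-ACK is dropped) and the rule semantics from the procedure (mandatory Family, port lists and ranges, empty ports meaning all ports, a family-only rule admitting everything in that family, the toggle being off bypassing the rules). The packets, addresses and the 5-tuple state key are constructed for the example; the field names are assumptions and do not mirror the Control Panel's internals.

```python
"""Toy model of the stateful, inbound-only firewall described on this page.
Added illustration with constructed packets; not the provider's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

ICMP, TCP, ICMPV6 = 1, 6, 58  # IP protocol numbers, see the table below


def parse_ports(spec: str) -> Optional[Set[int]]:
    """'80,443' or '21-23' -> set of ports; an empty field means all ports (None)."""
    if not spec.strip():
        return None
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: str = ""                   # informational, e.g. "SYN", "SYN-ACK"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    @property
    def family(self) -> int:          # 4 or 6
        return ipaddress.ip_address(self.src).version


@dataclass
class Rule:
    """One row of the rules table. Only family is mandatory; every field
    left unset matches anything, which is the pitfall the page warns about."""
    family: int
    protocol: Optional[int] = None
    cidr: Optional[str] = None        # remote (source) prefix
    ports: Optional[Set[int]] = None  # destination ports; None = all
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if p.family != self.family or self.protocol not in (None, p.proto):
            return False
        if self.cidr and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        if self.ports is not None and p.dport not in self.ports:
            return False
        return self.icmp_type in (None, p.icmp_type) and self.icmp_code in (None, p.icmp_code)


class StatefulFirewall:
    """State table keyed by (proto, local ip, local port, remote ip, remote port)."""

    def __init__(self, rules, enabled: bool = True):
        self.rules, self.enabled, self.state = list(rules), enabled, set()

    def outbound(self, p: Packet) -> str:
        # Outgoing traffic is never filtered; it only seeds the state table.
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "allow"

    def inbound(self, p: Packet) -> str:
        if not self.enabled:
            return "allow"                # toggle off: rules are ignored
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            return "allow"                # reply to a connection we opened
        if any(r.matches(p) for r in self.rules):
            self.state.add(key)           # new inbound flow admitted by a rule
            return "allow"
        return "drop"                     # unsolicited and no matching rule


def demo() -> dict:
    rules = [
        Rule(family=4, protocol=TCP, ports=parse_ports("80,443")),
        Rule(family=4, protocol=ICMP),    # the recommended ICMP rule
        Rule(family=6),                   # family only: allows ALL IPv6
    ]
    fw = StatefulFirewall(rules)
    local, peer, db = "10.0.0.10", "203.0.113.5", "198.51.100.7"
    r = {}
    r["https_in"] = fw.inbound(Packet(peer, local, TCP, 51000, 443, "SYN"))
    r["ssh_in"] = fw.inbound(Packet(peer, local, TCP, 51001, 22, "SYN"))
    r["ping_in"] = fw.inbound(Packet(peer, local, ICMP, icmp_type=8, icmp_code=0))
    fw.outbound(Packet(local, db, TCP, 40000, 5432, "SYN"))    # we open a connection
    r["db_reply"] = fw.inbound(Packet(db, local, TCP, 5432, 40000, "SYN-ACK"))
    r["forged_reply"] = fw.inbound(Packet(db, local, TCP, 5432, 40001, "SYN-ACK"))
    r["ssh_in_v6"] = fw.inbound(Packet("2001:db8::5", "2001:db8::10", TCP, 51002, 22, "SYN"))
    off = StatefulFirewall(rules, enabled=False)
    r["ssh_in_disabled"] = off.inbound(Packet(peer, local, TCP, 51003, 22, "SYN"))
    return r
```

Run demo() and note two verdicts in particular: the forged SYN-ACK to port 40001 is dropped even though the same peer's reply to port 40000 was admitted, because only the latter matches an entry seeded by an outbound packet; and SSH over IPv6 is admitted solely because of the family-only rule, which is exactly why a rule should never be saved with only the Family field filled in.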
Supported protocols
| IP protocol number | Protocol | Description |
|---|---|---|
| 1 | ICMP | Internet Control Message Protocol |
| 2 | IGMP | Internet Group Management Protocol |
| 4 | IP-in-IP | IP-in-IP encapsulation |
| 6 | TCP | Transmission Control Protocol |
| 8 | EGP | Exterior Gateway Protocol |
| 17 | UDP | User Datagram Protocol |
| 33 | DCCP | Datagram Congestion Control Protocol |
| 41 | IPv6 | IPv6 encapsulation (6in4) |
| 43 | IPv6-Route | Routing Header for IPv6 |
| 44 | IPv6-Frag | Fragment Header for IPv6 |
| 46 | RSVP | Resource Reservation Protocol |
| 50 | ESP | Encapsulating Security Payload (IPsec) |
| 51 | AH | Authentication Header (IPsec) |
| 57 | SKIP | Simple Key-Management for Internet Protocol |
| 58 | ICMPv6 | Internet Control Message Protocol for IPv6 |
| 59 | IPv6-NoNxt | No Next Header for IPv6 |
| 60 | IPv6-Opts | Destination Options for IPv6 |
| 89 | OSPF | Open Shortest Path First |
| 112 | VRRP | Virtual Router Redundancy Protocol |
| 113 | PGM | Pragmatic General Multicast |
| 132 | SCTP | Stream Control Transmission Protocol |
| 136 | UDPLite | Lightweight User Datagram Protocol |