OVH US offers four main products within our Anti-DDoS offerings: the Pre Firewall, Network Firewall, Shield, and Armor. All of these products serve to protect your OVH US products from attacks over the public internet. In this guide, we will be covering the two portions of Anti-DDoS our customers can control (the Network Firewall for all customers and Armor for Anti-DDoS Game customers). The remainder of our Anti-DDoS product is controlled at a network-wide level to ensure the safety of the OVH network.
Requirements
- Basic networking skills
Enabling Firewall Protection
First, log in to the OVH US Manager and click IP on the left-hand sidebar. Click the ellipsis (...) to the right of the IP address for which you would like to create a firewall, then click Create a firewall in the drop-down menu.
Click Confirm in the popup that follows. To enable the firewall, click the ellipsis (...) again and select Enable the firewall from the drop-down menu.
Once the firewall is enabled, you will be able to configure up to 20 rules. Note that the firewall is switched on automatically when a DDoS attack against your server is detected, and while the attack is being mitigated it cannot be disabled. Whatever rules are stored at that moment take effect, so keep your rule set up to date and review it regularly even if you normally leave the firewall disabled. By default no rules are configured, so an enabled firewall with no rules still lets all connections through.
- UDP fragments are blocked (DROP) by default. If you use a VPN over the protected IP, make sure the MTU is configured correctly before activating the network firewall so that tunnel packets are not fragmented. For example, OpenVPN provides the "--mtu-test" option to determine the usable MTU.
- The network firewall only filters traffic arriving from the public internet. Connections that originate inside the OVH US network are not evaluated against your rules, so the rules have no effect on them.
Configuring Firewall Rules
The configuration of the network firewall is also done in the "IP" section. Click on the cog wheel to the right of the IP for which you would like to configure the firewall rules, and select Configure the firewall. Click the Add a Rule button and the following screen will pop up:
When configuring a rule using the TCP protocol, the window will give you options for three flags as you can see in the image below:
The "SYN" option is what allows outbound connections to complete. The server sends a SYN packet to the external IP (this outgoing packet does not pass through the network firewall), and the external IP answers with a SYN/ACK (this incoming packet does pass through the network firewall and must be permitted). The "ESTABLISHED" option authorizes traffic belonging to a connection from the moment that connection is established.
To leave open only the SSH, HTTP, HTTPS, and UDP/10000 ports, as well as allowing ICMP, create the following rules:
The rules are numbered from 0 to 19 and are evaluated in that order; evaluation stops at the first rule that matches the packet. For example, a packet for port 80/TCP is caught by rule 1, and none of the rules after it are tested. A packet destined for port 25/TCP matches none of the permit rules and is only caught by the last rule (19), which blocks it because no earlier rule allowed communication on port 25.
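The first-match behaviour above is easy to get wrong when rules are added over time, so here is a small model of it as an added example (this is illustrative code written for this guide, not OVH's own software or API). The rule table reconstructs the SSH/HTTP/HTTPS/UDP 10000/ICMP scenario from the text; the exact sequence numbers, the "established" rule at position 5, and the way the SYN and ESTABLISHED options are matched against TCP flags are assumptions made for the example. It also shows the consequence of omitting the final deny rule: unmatched traffic is permitted.

```python
"""Model of ordered, first-match evaluation of OVH US Network Firewall rules.

Constructed example for this guide, not OVH code. Rule numbers, the flag
matching for the SYN/ESTABLISHED options and the sample table are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 20  # sequence numbers 0..19, as stated in the guide


@dataclass(frozen=True)
class Rule:
    sequence: int                      # 0..19; lower numbers are evaluated first
    action: str                        # "permit" or "deny"
    protocol: str                      # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None     # None means any destination port
    tcp_option: Optional[str] = None   # "syn", "established" or None


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int] = None
    flags: frozenset = frozenset()     # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


def validate(rules: List[Rule]) -> None:
    """Reject rule sets the firewall could not hold: too many rules, out-of-range
    or duplicate sequence numbers."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most %d rules are allowed" % MAX_RULES)
    seqs = [r.sequence for r in rules]
    if any(s < 0 or s >= MAX_RULES for s in seqs):
        raise ValueError("sequence numbers must be between 0 and %d" % (MAX_RULES - 1))
    if len(set(seqs)) != len(seqs):
        raise ValueError("duplicate sequence number")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    # Assumed semantics: "syn" matches packets carrying the SYN flag (such as the
    # SYN/ACK reply to the server's own outbound SYN); "established" matches
    # packets carrying ACK, i.e. traffic of an already established connection.
    if rule.tcp_option == "syn" and "SYN" not in pkt.flags:
        return False
    if rule.tcp_option == "established" and "ACK" not in pkt.flags:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (sequence, action) of the first matching rule in sequence order.

    If no rule matches, the packet is permitted (the guide's default when no
    rules are configured), which is why a rule set that is meant to block
    everything else must end with an explicit deny rule.
    """
    validate(rules)
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule_matches(rule, pkt):
            return rule.sequence, rule.action
    return None, "permit"


# Reconstructed rule table for the scenario in the guide (assumed numbering).
EXAMPLE_RULES = [
    Rule(0, "permit", "tcp", 22),                         # SSH
    Rule(1, "permit", "tcp", 80),                         # HTTP
    Rule(2, "permit", "tcp", 443),                        # HTTPS
    Rule(3, "permit", "udp", 10000),                      # UDP/10000
    Rule(4, "permit", "icmp"),                            # ping
    Rule(5, "permit", "tcp", tcp_option="established"),   # replies to outbound connections
    Rule(19, "deny", "any"),                              # everything else
]


if __name__ == "__main__":
    for pkt in (Packet("tcp", 80, frozenset({"SYN"})),
                Packet("tcp", 25, frozenset({"SYN"})),
                Packet("tcp", 40000, frozenset({"SYN", "ACK"}))):
        print(pkt, "->", evaluate(EXAMPLE_RULES, pkt))
```

Running the script shows that an inbound SYN to port 80 stops at rule 1, an inbound SYN to port 25 falls through to rule 19 and is denied, and a SYN/ACK to a high port (the reply to a connection the server opened) is accepted by the established rule. Drop rule 19 from the list and the port 25 packet is permitted, because an unmatched packet is not blocked.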
Configuring Armor
By default, Armor is pre-configured with rules that OVH has determined work with the most common games. Customers with access to Anti-DDoS Game can go a step further and configure for themselves which ports to allow and which to block.
To configure rules for your ports in Armor, first log in to the OVH US Manager. Next, click IP on the left-hand sidebar. Click the ellipsis (...) next to the IP address of your game server and select Configure the GAME firewall.
On the following screen, click the Add a Rule button to add a rule to Armor.
Enable or block the ports as needed on the following screen and click Confirm when you are finished adding your rules. You have now successfully configured Armor.
The OVH US Network Firewall is an important tool for protecting your OVH US products, but it does not remove the need for your other firewalls, such as the host firewall on the server itself. It is an additional layer that OVH US provides to enhance your security.