OVH US sets up a network firewall for its customers as part of our VAC (Anti-DDoS) offering. A network firewall is an option that limits exposure to attacks from the public network.
- Basic Networking Skills
Enabling Firewall Protection
First, log in to the OVH US Manager and click IP on the left-hand sidebar. Click on the ellipses (...) to the right of the IP address for which you would like to create a firewall. Click Create a firewall on the drop-down menu.
Click Confirm on the following popup. To enable the firewall, click on the ellipses (...) again and select Enable the firewall from the drop-down menu.
Once the firewall is enabled, you will be able to configure up to 20 rules. Note that the firewall will automatically turn on in the event of a DDoS attack on your server. If this occurs, the firewall cannot be disabled until the attack is fully mitigated. Therefore, it is important to keep your firewall rules up to date. By default, you do not have any configured rules, so all connections can be established. Remember to regularly check your firewall rules, if you have them, even if you disable the firewall.
- UDP fragmentation is blocked (DROP) by default. If you use a VPN, make sure your MTU is correctly configured before activating the network firewall. For example, on OpenVPN you can run the "MTU test" option to check it.
- The network firewall is not applied to traffic inside the OVH US network, so the rules you configure have no effect on connections that originate from within the OVH US network.
Configuring Firewall Rules
The configuration of the network firewall is also done in the "IP" section. Click on the cog wheel to the right of the IP for which you would like to configure the firewall rules, and select Configure the firewall. Click the Add a Rule button and the following screen will pop up:
When configuring a rule using the TCP protocol, the window will give you options for three flags as you can see in the image below:
The "SYN" option allows outbound connections: the server sends a SYN packet to the external IP (this outgoing packet does not pass through the network firewall), and the external IP responds with a SYN/ACK (which does pass through the network firewall). The "ESTABLISHED" option authorizes communication from the moment the connection is established.
To leave open only the SSH, HTTP, HTTPS, and UDP/10000 ports, as well as allowing ICMP, create the following rules:
The rules are numbered from 0 to 19 and are evaluated in that order for each packet received; processing stops at the first rule that applies. For example, a packet for port 80/TCP is caught by rule 1, and none of the rules after it are tested. A packet destined for port 25/TCP is only caught by the last rule (19), which blocks it because none of the previous rules allowed communication on port 25.
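The first-match behaviour described above, as an added example that is not OVH's code: a small model of an ordered rule table with slots 0 to 19, where the first matching rule decides the verdict and later rules are never tested. The rule set is constructed to match the guide's scenario (SSH, HTTP, HTTPS, UDP/10000 and ICMP permitted, everything else denied by rule 19), and the `Packet` and `Rule` field names, the `established` flag and the "no rules means everything is allowed" default are modelling assumptions, not the manager's actual data format.

```python
"""Model of the OVH US network firewall's ordered, first-match rule evaluation.

Added example, not OVH code. It reproduces the ordering behaviour the guide
describes: rules live in slots 0..19, a packet is checked against them in slot
order, and evaluation stops at the first rule that matches.  The Packet/Rule
shapes and the handling of the ESTABLISHED option are assumptions made here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 20  # the manager allows slots 0..19


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for icmp
    established: bool = False   # assumed: True for a packet belonging to an already-open TCP session


@dataclass(frozen=True)
class Rule:
    index: int                       # slot number 0..19
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    tcp_option: Optional[str] = None  # "established" restricts the rule to established TCP traffic

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.tcp_option == "established" and not (pkt.proto == "tcp" and pkt.established):
            return False
        return True


def validate(rules: List[Rule]) -> None:
    """Reject rule sets the manager would not accept: more than 20 rules,
    slots outside 0..19, or two rules in the same slot."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most %d rules are allowed" % MAX_RULES)
    seen = set()
    for r in rules:
        if not 0 <= r.index < MAX_RULES:
            raise ValueError("rule slot %d is outside 0..%d" % (r.index, MAX_RULES - 1))
        if r.index in seen:
            raise ValueError("slot %d is used twice" % r.index)
        seen.add(r.index)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, slot) of the first rule that matches, in slot order.

    With no matching rule the verdict is ("permit", None): the guide states that
    with no rules configured, all connections can be established.
    """
    validate(rules)
    for r in sorted(rules, key=lambda r: r.index):
        if r.matches(pkt):
            return r.action, r.index
    return "permit", None


# Constructed rule set mirroring the guide's example: open SSH, HTTP, HTTPS,
# UDP/10000 and ICMP, allow return traffic of established TCP sessions, and
# deny everything else in the last slot (19).
CONSTRUCTED_RULES = [
    Rule(0, "permit", "tcp", 22),
    Rule(1, "permit", "tcp", 80),
    Rule(2, "permit", "tcp", 443),
    Rule(3, "permit", "udp", 10000),
    Rule(4, "permit", "icmp"),
    Rule(5, "permit", "tcp", None, "established"),
    Rule(19, "deny"),
]


if __name__ == "__main__":
    # Constructed sample packets: HTTP is caught by rule 1, a fresh SMTP
    # connection falls through to the deny in slot 19.
    for pkt in (Packet("tcp", 80), Packet("tcp", 25), Packet("tcp", 25, established=True),
                Packet("udp", 10000), Packet("udp", 53), Packet("icmp")):
        action, slot = evaluate(CONSTRUCTED_RULES, pkt)
        print(pkt, "->", action, "by rule", slot)
```

Because the deny in slot 19 is the only thing that closes unlisted ports, the practical check after editing rules is to confirm that a packet for a port you did not list still reaches a deny rule rather than falling off the end of the table, where the default is to allow.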
The OVH US Network Firewall is an important tool for protecting the security of your OVH US products. However, it does not negate the importance of your other firewalls. It is another tool OVH US provides our customers to enhance their security.