How To Set Up the Firewall
Why Use a Firewall?
Your server is exposed to the internet the moment it goes online, and that means it can be a target. Connection floods, port scanners, and DDoS attacks are all common threats that can slow your server to a crawl or knock it offline entirely. A firewall gives you the tools to fight back.
With the firewall enabled, you can:
- Block malicious IPs before they ever reach your server
- Control which ports accept traffic and which stay closed
- Rate limit connections so a single source can’t overwhelm you with requests
- Enable DDoS protection to automatically filter out flood attacks
Think of it as a bouncer for your server – it decides who gets in and who gets turned away.
The firewall is a premium feature. Free plan users will need to upgrade to use it.
Enabling the Firewall
Getting started is straightforward:
- Navigate to your server’s Firewall page.
- Toggle the Firewall Enabled switch.
- Set the Default Action for unmatched traffic. This determines what happens to any traffic that doesn’t match a specific rule:
  - Allow – traffic that doesn’t match any rule passes through. This is the default and a good starting point while you build out your rules.
  - Drop – traffic that doesn’t match any rule is silently blocked. Use this once you have your Allow rules dialed in.
- Click Sync Firewall to apply.
Setting the default action to Drop will block all traffic that doesn’t match an Allow rule. Make sure you have your Allow rules in place first, otherwise you could lock yourself out of your own server.
Rule Types
The firewall supports four types of rules, each on its own tab. You can have up to 50 rules total per server, so plan accordingly.
IP Rules
IP rules let you block or allow traffic from specific IP addresses or ranges. This is your go-to for banning a troublesome IP or whitelisting a trusted one.
To set up an IP rule, you’ll fill in these fields:
- Source IP / CIDR – A single IP address (e.g. 192.168.1.100) or a CIDR range (e.g. 10.0.0.0/24) to target.
- Direction – Whether the rule applies to Inbound or Outbound traffic.
- Action – What to do when traffic matches: Allow it through, Drop it silently, or Reject it with a response sent back to the sender.
- Description – An optional note for yourself so you remember why you created this rule (max 255 characters).
A few things to keep in mind:
- CIDR ranges must be /8 or more specific (e.g. /8, /16, /24, /32).
- You can’t use loopback addresses (127.x.x.x, ::1) or null addresses (0.0.0.0).
- The IP address or CIDR notation must be valid, or the rule won’t save.
If someone specific is causing problems, grab their IP and create a Drop rule for it. Quick, clean, and effective.
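A pre-flight check for the constraints above, as an added example (not the provider's code): it validates each Source IP / CIDR entry against the stated limits and merges overlapping ranges so a blocklist uses fewer of the 50 rule slots. It assumes every entry shares one Direction and Action, that the /8 limit also applies to IPv6, and that `::` counts as a null address; `check_source`, `plan_rules` and the sample list are constructed for illustration.

```python
import ipaddress

MIN_PREFIX = 8    # page: CIDR ranges must be /8 or more specific
RULE_BUDGET = 50  # page: up to 50 rules total per server


def check_source(value):
    """Return (network, None) if the entry is acceptable, else (None, reason)."""
    try:
        # strict=False normalises host bits (10.0.0.5/24 -> 10.0.0.0/24);
        # whether the panel accepts that form is an assumption.
        net = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None, "invalid IP or CIDR"
    if net.prefixlen < MIN_PREFIX:
        return None, f"/{net.prefixlen} is broader than /{MIN_PREFIX}"
    if net.network_address.is_loopback:
        return None, "loopback address"
    if net.network_address.is_unspecified:
        return None, "null address"
    return net, None


def plan_rules(entries, budget=RULE_BUDGET):
    """Validate entries, merge overlapping or adjacent ranges, check the budget."""
    valid, rejected = [], []
    for entry in entries:
        net, reason = check_source(entry)
        if net is None:
            rejected.append((entry, reason))
        else:
            valid.append(net)
    rules = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in valid if n.version == version]
        for net in ipaddress.collapse_addresses(same):
            if net.prefixlen < MIN_PREFIX:  # two adjacent /8s merged into a /7
                rules.extend(net.subnets(new_prefix=MIN_PREFIX))
            else:
                rules.append(net)
    return [str(r) for r in rules], rejected, len(rules) <= budget


# Constructed sample list (not real indicators).
SAMPLE = ["192.168.1.100", "10.0.0.0/24", "10.0.1.0/24", "10.0.0.17",
          "127.0.0.1", "0.0.0.0", "10.0.0.0/7", "192.168.1.300", "::1"]

if __name__ == "__main__":
    rules, rejected, fits = plan_rules(SAMPLE)
    print(rules, rejected, fits, sep="\n")
```

Merging is only safe within one Direction and Action; run the check separately for each group of rules.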
Port Rules
Port rules let you control access to the specific ports allocated to your server. This is useful if you want to lock down a port to a specific protocol or block it entirely.
Here’s what you’ll configure:
- Port – Pick from your allocated ports using the dropdown.
- Protocol – Choose TCP only, UDP only, or Both.
- Direction – Inbound or Outbound.
- Action – Allow, Drop, or Reject.
- Description – Optional note for your reference (max 255 characters).
You can only create port rules for ports that are allocated to your server. Your allocated ports are listed right on the page, so you’ll always know what’s available.
Rate Limiting
Rate limiting caps how many connections a single IP address can make per second. This is one of the best defenses against connection flooding, where an attacker tries to overwhelm your server by opening tons of connections at once.
You’ll configure two main values:
| Setting | Description | Range | Default |
|---|---|---|---|
| Connections per Second | Maximum new connections allowed per second | 1–10,000 | 50 |
| Burst Size | Temporary spike allowance above the rate limit | 1–1,000 | 100 |
You can also add an optional Description to remind yourself what the rule is for.
Don’t want to do the math yourself? Use one of the quick presets:
| Preset | Connections/sec | Burst |
|---|---|---|
| Light | 100 | 150 |
| Medium | 50 | 100 |
| Strict | 25 | 50 |
Rate limiting rules are always inbound and automatically drop any excess connections beyond your threshold.
If you’re getting hit by connection floods, start with the Medium rate limiting preset. It’s a solid middle ground that stops most flood attacks without accidentally blocking legitimate players during peak times. You can always tighten it to Strict later if needed.
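How rate and burst interact, as an added example (not the provider's implementation): it assumes the limiter is a per-source token bucket whose capacity equals Burst Size and which refills at Connections per Second, and replays two constructed traffic patterns through the three presets.

```python
# Preset values copied from the page: name -> (connections/sec, burst).
PRESETS = {"Light": (100, 150), "Medium": (50, 100), "Strict": (25, 50)}


def simulate(rate, burst, arrivals_ms):
    """Run one source IP's new-connection timestamps (ms, sorted) through a
    token bucket. Integer milli-tokens keep the arithmetic exact.
    Returns (accepted, dropped)."""
    capacity = burst * 1000
    tokens, last = capacity, 0          # assumption: bucket starts full
    accepted = dropped = 0
    for t in arrivals_ms:
        # Refill: `rate` tokens per second equals `rate` milli-tokens per ms.
        tokens = min(capacity, tokens + (t - last) * rate)
        last = t
        if tokens >= 1000:              # one whole token per new connection
            tokens -= 1000
            accepted += 1
        else:
            dropped += 1                # page: excess connections are dropped
    return accepted, dropped


def compare(arrivals_ms):
    """Replay the same traffic through every preset."""
    return {name: simulate(r, b, arrivals_ms) for name, (r, b) in PRESETS.items()}


# Constructed traffic, not measurements:
FLOOD = list(range(5000))                        # 1,000 conn/s for 5 s
SPIKE = [0] * 60 + list(range(200, 10001, 200))  # 60 at once, then 5 conn/s

if __name__ == "__main__":
    for label, traffic in (("flood", FLOOD), ("spike", SPIKE)):
        for name, (ok, drop) in compare(traffic).items():
            print(f"{label:5} {name:6} accepted={ok:4} dropped={drop}")
```

Under these assumptions every preset sheds most of the flood, while only Strict drops part of the 60-connection spike, which is the trade-off to weigh before tightening.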
DDoS Protection
DDoS protection gives you multi-layered defense against common distributed denial-of-service attacks. Unlike the other rule types, this isn’t about creating individual rules – it’s a single configuration panel with toggles and thresholds that you tune to your needs.
General Options
| Option | Description | Default |
|---|---|---|
| Preserve Connections | Allow already-established connections through | On |
| Invalid Packets | Drop malformed packets | Off |
| Fragment Protection | Drop fragmented packets | Off |
| Per-Source Tracking | Track limits per individual IP address | Off |
Flood Protection
Each flood type can be individually enabled with its own thresholds. Expand each one to fine-tune the settings.
SYN Flood Protection
| Setting | Range | Default |
|---|---|---|
| Rate limit | 1–1,000 pps | 50 |
| Burst size | 1–500 | 100 |
ACK Flood Protection
| Setting | Range | Default |
|---|---|---|
| Rate limit | 1–5,000 pps | 200 |
| Burst size | 1–1,000 | 400 |
UDP Flood Protection
| Setting | Range | Default |
|---|---|---|
| Packets/sec | 1–100,000 | 5,000 |
| Bytes/sec | 0–1,000,000 (0 = off) | 0 |
| Burst size | 1–5,000 | 1,000 |
ICMP Flood Protection
| Setting | Range | Default |
|---|---|---|
| Rate limit | 1–100 pps | 10 |
| Burst size | 1–200 | 20 |
A status bar at the top of the page shows which protections are currently active (e.g. “SYN, ACK, Fragments protection active”), so you can always see your coverage at a glance.
If you’re running a game server, be careful with UDP flood thresholds. Many games rely heavily on UDP traffic, so setting the limits too low could impact legitimate gameplay. Start with the defaults and lower them gradually while monitoring performance.
Creating a Rule
- Navigate to your server’s Firewall page.
- Select the appropriate tab (IP Rules, Port Rules, or Rate Limiting).
- Click Add Rule.
- Fill in the fields for that rule type.
- Click Add Rule to save.
- Click Sync Firewall to apply the changes to your server.
DDoS protection works a bit differently – instead of adding individual rules, you configure a single protection profile.
- Navigate to your server’s Firewall page.
- Select the DDoS Protection tab.
- Toggle the general options and flood protections you want.
- Configure thresholds for each enabled flood type (click to expand).
- Click Save.
- Click Sync Firewall to apply the changes.
Disabling all DDoS protections removes the DDoS rule entirely. Re-enabling any protection creates a new one with fresh defaults.
Rules are not applied until you click Sync Firewall. Always sync after making changes, or your updates won’t actually take effect.
Editing Rules
You can edit existing IP, port, and rate limiting rules directly:
- Click the edit button on the rule you want to change.
- Update the fields as needed.
- Save the changes.
- Click Sync Firewall to apply.
Deleting Rules
To delete a rule:
- Click the delete button (trash icon) on the rule you want to remove.
- Confirm the deletion in the modal.
- Click Sync Firewall to apply the changes.
Syncing Your Firewall
The Sync Firewall button pushes all your current rules to the server. You should sync after:
- Adding, editing, or deleting rules
- Enabling or disabling the firewall
- Changing the default action
- Updating DDoS protection settings
The page shows a Last Synced timestamp so you always know whether your latest changes have been applied.
Understanding Action Types
When you create a rule, you choose what happens to matching traffic. Here’s what each action does:
- Allow – Traffic is permitted through. Use this when you want to explicitly let certain IPs or ports through, especially if your default action is set to Drop.
- Drop – Traffic is silently blocked. The sender gets no response at all, which means they can’t even tell a firewall is there. This is the recommended choice for most blocking rules.
- Reject – Traffic is blocked, but the sender receives a rejection response. This is useful when you want the other side to know their connection was actively refused, but it does reveal that a firewall exists.
Drop is usually better than Reject for security. When you Drop traffic, attackers get no information about your server’s defenses. Reject tells them something is there, which can invite further probing. Stick with Drop unless you have a specific reason to use Reject.
Wrapping Up
The firewall gives you real control over who and what can reach your server. Whether you’re dealing with a targeted attack or just want to tighten things up as a precaution, the combination of IP rules, port rules, rate limiting, and DDoS protection has you covered. Start simple, sync often, and adjust as you go.