UpCloud Control Panel offers an L3 Firewall that is positioned just before the network interface connecting your cloud server to the internet, therefore all packets going to your server get checked. The firewall is configured per-server basis, sign in to your UpCloud Control Panel, click on the server description of the system you wish to configure, and open the firewall tab in your server settings.

Note that the UpCloud firewall is stateless and does not keep track of connections. Make sure to configure rules for both incoming and outgoing traffic.

When you first open your server’s Firewall settings the rules list will be empty and the firewall itself is disabled. If you already have active services running on the server such as a website or a database, keep the firewall disabled until you have created all the required rules to avoid blocking connections while making configurations. Select Enabled or Disabled in the drop-down menu, then click the Save button next to the selection box to turn the firewall on or off.

Enabling or disabling the firewall

Before configuring new rules, first, check the Default Rule settings for both incoming and outgoing traffic rules. These define the baseline rule for any traffic to each direction when no other rules match the data packet in question.

The most common approach for a firewall configuration is to use drop as the default rule and defining the rules list to accept connections you want to allow. Usually, there is no need to block outgoing traffic as anything on your cloud server should be installed and configured intentionally by you, but the option is there in case you need to be more restrictive.

Start by setting the incoming traffic option to Default rule: drop, and click the Save changes button to confirm.

Setting firewall default to drop

To allow connections on the incoming traffic rules, click the Add rules button, which will open a new firewall rule dialogue window.

Firewall create new rule

With the available rule options, you can precisely define which ports accept what kind of traffic and from where. But if your cloud server has more than just SSH and web services, creating all the rules manually would get tiresome. Instead, select Use a premade firewall rule profile from the Mode drop-down and then choose one of the profiles below.

By selecting a profile, you can read a short description of it to the right of the dialogue panel to get a better idea what those premade profiles are meant for. Do not worry if none of the profiles seem to match your cloud server’s use case perfectly, you can always edit or add more rules later, just pick the one that gets the closest to what you are aiming for.

Firewall use premade

Once you’ve made your selection, click the Accept -button to confirm the new rules.

This creates a group of inbound rules for allowing traffic based on the premade profile description. If you want to check out a different profile, just repeat the steps and select another group of rules to try.

Premade web server firewall configuration

The above example configuration is a standard web server listening at 80 and 443 for HTTP(S), 22 is for SSH, and port 53 for DNS. Each rule shows twice to allow both IPv4 and IPv6 traffic including ICMP that ping commands use. The default rule for all other incoming connections is drop so packets heading to any other ports will get denied access. All outgoing ports are allowed with Default rule: accept.

You can edit the rules created from the premade profiles just as any other manually added rules by clicking the pencil icon to the right of the rule row. It opens the dialogue panel to change an existing firewall rule with the current settings for that specific rule selected.

For example, you could disable IPv4 ping reply for your server by editing the ICMP/IPv4 rule and selecting Drop from the Action menu. This retains the rule so you can easily allow it again if you wish instead of simply deleting the rule by clicking the X -icon. Save any changes by clicking Accept, or return without changing the rule by clicking Cancel.

Firewall edit rule

Please note that the Default rule matches both IPv4 and IPv6 protocols. If you have IPv6 interface enabled on your server remember to add firewall rules for IPv6 traffic as well.

As with most firewall setups, the order of the rules also matters. All packets will be compared to the rules on a top-down basis, and the action is selected based on which rule matches the packet first. New rules you create are added to the bottom of the list, but you can change the order of the rules by simply dragging and dropping any rule on its list.

An example of using the rule order, for instance, if you wish to block all incoming IPv6 traffic, just create a new rule with Family: IPv6, Action: Drop and leave Protocol, Source, and Destination to “All“, then drag that new rule to the top of the list. This will supersede any other IPv6 rules below it on the list regardless of their Action selection.

When you are done adding new or editing the existing rules, click the Save changes button again to apply the current set of rules to your firewall, then turn it on by selecting Enabled at the top right of the page and click the Save button.

With the UpCloud Firewall configured and enabled your cloud server gets the extra protection it deserves. Thanks to the easy to use web control panel you don’t have to worry about locking yourself out of your server by accidentally blocking SSH connections. For more intricate connection policies, consider implementing a server-side software firewall, such as iptables, as well.