Skip to main content
A firewall is a network security device used to protect servers from network threats. The firewall monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. You can set rules for all connections except port 25 for outbound traffic as it is blocked by default. If you use a Load Balancer and your Virtual Machine is in a pool, configure its firewall by opening ports for receiving and transmitting data to the Load Balancer. For more information, refer to our guide “Create and configure a Load Balancer”.

Create a firewall

If you don’t create a custom firewall, the default firewall will be used. 1. Open a window to create a firewall. You can do this in two ways:
  • In the Cloud menu, go to Networking > Firewalls > Create firewall.
  • When you’re creating a Virtual Machine, navigate to Firewall settings and select Add a Firewall.
Firewalls
2. Give your firewall a name. 3. Set Inbound rules to define the allowed incoming traffic.
Click Add rule and select one of the template rules, or choose Custom to apply custom settings.
  • Template rules (All TCP/All UDP/SSH/HTTP/HTTPS/MySQL/DNS TCP/DNS UDP/PostgreSQL/RDP): template rules come with pre-configured protocols and ports for typical connections
  • Custom rule: if you select a custom rule, specify the protocol and port manually.
The RDP template only adds a rule for port 3389/TCP. To enable RDP over UDP, create a Custom rule for port 3389/UDP.
Add rule dropdown showing template options and Custom rule
For Sources, configure the allowed traffic origin using one or both options:
  • IP with mask: Specify an IP address range in CIDR format (for example, 192.168.1.0/24). If left empty with “All IPv4” selected, the rule applies to all IP addresses.
  • Select security groups: Choose one or more existing security groups. Traffic from instances associated with the selected security groups is allowed. This option enables dynamic rules that automatically update when security group membership changes.
Both options can be combined using “and/or” logic. If neither is specified, the rule applies to all IP addresses. You can attach multiple firewalls to a single Virtual Machine, and each port (interface) can have its own dedicated firewall. 4. Set Outbound rules to define the allowed outgoing traffic.
By default, outbound traffic over port 25 (TCP/UDP) is restricted, while all other outbound ports are open.
Click Add rule and select one of the template rules or choose Custom to apply custom settings.
  • Template rules (All TCP/All UDP/SSH/HTTP/HTTPS/MySQL/DNS TCP/DNS UDP/PostgreSQL/RDP): template rules come with pre-configured protocols and ports for typical connections
  • Custom rule: If you select a custom rule, specify the protocol and port manually.
Add firewall rule dialog showing protocol, port, and sources configuration
For Sources, specify the allowed destinations for outbound traffic:
  • IP with mask: Specify an IP address range in CIDR format.
  • Select security groups: Choose existing security groups to allow traffic to instances associated with those groups.
To open port 25 (SMTP), contact the support team. 5. (Optional) Apply a firewall to a Virtual Machine by selecting it in the Apply to Instance drop-down list. 6. (Optional) Add tags by switching on the Add tags toggle in the Additional options section and specifying headers and tags. 7. Click Create firewall.

Use the default firewall

If you don’t specify which firewall to apply to your Virtual Machine, the default firewall will be applied. The default firewall contains inbound rules that allow the following traffic for both IPv6 and IPv4 addresses:
  • SSH connections over TCP protocol on port 22
  • Remote Desktop Protocol (RDP) connections over TCP and UDP protocols on port 3389.
  • Internet Control Message Protocol (ICMP) is allowed.
All outgoing connections are allowed. Some operating systems also have an internal firewall that adds an additional layer of protection. However, to prevent misconfiguration, it’s best to configure either the cloud firewall or the OS firewall, but not both at the same time. When you activate the service, the system automatically creates a default firewall in the default project. If you don’t specify a custom firewall, this default firewall will be applied to your Virtual Machine.

Manage a firewall

Firewalls protect your cloud infrastructure by filtering network traffic based on defined rules. Use the steps below to configure firewall rules, assign them to Virtual Machines, or delete a firewall if needed.

Add, change, and delete rules

1. Go to the Networking tab > Firewalls. 2. Find the required firewall, click the ⋯ menu on the right and select Rules.
Firewalls

Assign to a Virtual Machine and detach from it

1. Go to the Networking tab > Firewalls. 2. Find the required firewall, click the ⋯ menu on the right and select Instances.
Firewalls

Delete a firewall

The default firewall cannot be deleted.
1. Go to the Networking tab > Firewalls. 2. Find the required firewall, click the ⋯ menu on the right and select Delete.
Delete a firewall

Restore a default firewall

To restore the default security group settings, you can either use the API or click Restore Default in the Firewall Rules section. This will restore any custom changes made to the firewall settings to their default configuration.
Restore Default option for resetting firewall settings

Firewall feature not supported for Bare Metal servers

The Firewall feature is not supported for Bare Metal servers. Unlike Virtual Machines or other cloud services that integrate with cloud-native firewalls, Bare Metal servers operate directly on physical hardware and are not subject to the same level of firewall management.
For network security, Bare Metal servers can use the following alternatives:
  • You can manually configure network security using solutions like iptables or nftables (recommended) to protect your server at the network level. Other similar solutions can also be used to set up necessary firewall rules based on your security needs.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -P INPUT DROP
  • For an additional layer of protection, opt for Gcore DDoS Protection to keep your server available during attacks. DDoS Protection redirects traffic to the Threat Mitigation System (TMS), which performs filtering and threat detection, preventing service disruptions with its always-on mode.
For more information, contact the support team for tailored DDoS Protection plans.