Vultr offers a web-based firewall solution that can be enabled to protect one or more compute instances. Having a firewall ruleset in place for your servers is an important security measure as it prevents unnecessary exposure of application services to the internet.
No. Established connections are left intact. When you change a rule in a firewall group, changes will only be applied to new connections.
Vultr Firewall is comparable to most firewall programs bundled in with server operating systems. However, Vultr Firewall has several key differences.
Vultr Firewall can be used on both new and existing servers.
First, you'll need to log into the members area and create a firewall group. After creating the group, you may add any desired rules to it.
To apply a firewall group to a new server, choose the firewall group you've created on the deploy form.
To apply a firewall group to an existing server, click on the server in the members area. Then access the sub menu "Settings", "Firewall". You will see a list of your firewall groups on the tab shown. Choose the desired firewall group, then click "Update Firewall Group".
Yes, you can use the same firewall group on any number of servers.
Changes to a Vultr Firewall group will take place in 2 minutes or less.
Vultr Firewall groups require at least one rule to become active. An empty ruleset will not block all traffic when applied to a server.
After an inbound rule has been added to the ruleset, all other packets are dropped by default. To allow inbound traffic to additional ports, you must create additional firewall rules. This is also known as a white list.
The Vultr Firewall is stateful - if you initiate a connection from your instance, response traffic is accepted without requiring an explicit inbound rule. You do not have to setup separate rules for ephemeral ports.
Yes, you can use Vultr Firewall to filter both IPv4 and IPv6 traffic.
The Vultr Firewall is designed to enhance the security of your instance. It's not designed to block the large volumes of traffic that can happen during a DDOS attack.
A firewall can help in certain smaller attacks, but your server may still be null routed if you are hit with a large attack. We would suggest purchasing DDOS protection if attacks are a problem for you.
Yes. The Vultr API offers several endpoints to manage the Vultr Firewall.
Vultr Firewall will drop all traffic on ICMP, TCP, UDP, and GRE protocols, except for traffic that matches rules that have been added to it. If this is acceptable, then Vultr Firewall is enough. OS firewalls allow finer rule customization, such as ICMP message handling. If your use case requires this type of customization, you would still need to use the OS firewall in addition to Vultr Firewall.
No. Only traffic from public interfaces gets filtered through Vultr Firewall.
Yes. Vultr firewall will filter all traffic related to your instance, including IP space announced using the BGP feature.