Vultr offers a web-based firewall solution that can be enabled to protect one or more compute instances. Having a firewall ruleset in place for your servers is an important security measure as it prevents unnecessary exposure of application services to the internet.
Will changes to my Vultr Firewall interrupt existing traffic?
No. Established connections are left intact. When you change a rule in a firewall group, the change is applied only to new connections.
How does Vultr Firewall differ from my operating system's firewall?
Vultr Firewall is comparable to most firewall programs bundled in with server operating systems. However, Vultr Firewall has several key differences.
- Packet filtering takes place at a higher level on the network, which reduces resource usage on your server.
- The firewall is managed through the Vultr control panel.
- Updating the firewall policy for multiple servers is quick and convenient because Vultr Firewall groups can be applied to multiple servers.
How do I use Vultr Firewall on my server?
Vultr Firewall can be used on both new and existing servers.
First, you'll need to log into the members area and create a firewall group. After creating the group, you may add any desired rules to it.
To apply a firewall group to a new server, choose the firewall group you've created on the deploy form.
To apply a firewall group to an existing server, click on the server in the members area. Then open the "Settings" submenu and select "Firewall". The tab shows a list of your firewall groups. Choose the desired firewall group, then click "Update Firewall Group".
Can I apply the same firewall group to more than one server?
Yes, you can use the same firewall group on any number of servers.
How quickly do firewall changes take effect?
Changes to a Vultr Firewall group take effect in 2 minutes or less.
What is the default policy of Vultr Firewall?
Vultr Firewall groups require at least one rule to become active. An empty ruleset is not active, so applying it to a server will not block all traffic.
After an inbound rule has been added to the ruleset, all other packets are dropped by default. To allow inbound traffic to additional ports, you must create additional firewall rules. This approach is also known as a whitelist.
Is the Vultr Firewall stateful or stateless?
The Vultr Firewall is stateful: if you initiate a connection from your instance, response traffic is accepted without requiring an explicit inbound rule. You do not have to set up separate rules for ephemeral ports.
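The default-policy and stateful behavior described in the two answers above can be modeled in a few lines. This is an added example, not Vultr's code or API: the `Rule` and `Packet` shapes, the flow table and all addresses are constructed for illustration, and it assumes that an inactive (empty) group filters nothing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical shape, not the Vultr API schema
    protocol: str                # "tcp", "udp", "icmp" or "gre"
    port: Optional[int]          # None = no port restriction
    source: str                  # CIDR allowed to connect

@dataclass(frozen=True)
class Packet:                    # inbound packet on the public interface
    protocol: str
    src: str
    src_port: Optional[int]
    dst_port: Optional[int]

def inbound_decision(rules, packet, outbound_flows=frozenset()):
    """Return "accept" or "drop" under the policy described above."""
    if not rules:                # assumption: an empty group is inactive, nothing is filtered
        return "accept"
    flow = (packet.protocol, packet.src, packet.src_port, packet.dst_port)
    if flow in outbound_flows:   # stateful: reply to a connection the instance opened
        return "accept"
    src = ipaddress.ip_address(packet.src)
    for rule in rules:
        net = ipaddress.ip_network(rule.source)
        if (rule.protocol == packet.protocol
                and rule.port in (None, packet.dst_port)
                and src.version == net.version and src in net):
            return "accept"
    return "drop"                # default once at least one rule exists

def demo():
    # Constructed sample data (documentation address ranges).
    ssh_only = [Rule("tcp", 22, "198.51.100.0/24")]
    admin_ssh = Packet("tcp", "198.51.100.7", 40000, 22)
    stranger_db = Packet("tcp", "203.0.113.9", 40001, 3306)
    https_reply = Packet("tcp", "203.0.113.10", 443, 50000)
    flows = {("tcp", "203.0.113.10", 443, 50000)}  # instance connected out to :443
    return {
        "empty group, db port": inbound_decision([], stranger_db),
        "one rule, db port": inbound_decision(ssh_only, stranger_db),
        "one rule, allowed ssh": inbound_decision(ssh_only, admin_ssh),
        "reply, tracked": inbound_decision(ssh_only, https_reply, flows),
        "reply, untracked": inbound_decision(ssh_only, https_reply),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The first two cases show the practical consequence: a group applied with no rules leaves the database port reachable, while adding a single SSH rule is enough to switch every other inbound port to drop.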
Is IPv6 supported?
Yes, you can use Vultr Firewall to filter both IPv4 and IPv6 traffic.
Is the Vultr Firewall a replacement for DDoS protection?
The Vultr Firewall is designed to enhance the security of your instance. It's not designed to block the large volumes of traffic that can happen during a DDoS attack.
Will Vultr Firewall protect me from a DDoS attack?
A firewall can help in certain smaller attacks, but your server may still be null routed if you are hit with a large attack. We would suggest purchasing DDoS protection if attacks are a problem for you.
Can I manage Vultr Firewall with the Vultr API?
Yes. Please refer to the Vultr API Documentation.
Can the firewall on my instance be disabled? Is Vultr Firewall enough?
Vultr Firewall will drop all traffic on ICMP, TCP, UDP, and GRE protocols, except for traffic that matches rules that have been added to it. If this is acceptable, then Vultr Firewall is enough. OS firewalls allow finer rule customization, such as ICMP message handling. If your use case requires this type of customization, you would still need to use the OS firewall in addition to Vultr Firewall.
Does Vultr Firewall affect private networking?
No. Only traffic from public interfaces gets filtered through Vultr Firewall.