How to Configure Firewall Rules for Your VPS

When you set up a new VPS (Virtual Private Server), one of the most important tasks you should not overlook is configuring your firewall. A firewall acts as the first line of defense, filtering incoming and outgoing traffic based on rules you define. This ensures that only legitimate traffic can access your server while blocking malicious attempts. In this guide, we will walk through the process of configuring firewall rules for your VPS, why it is essential, and best practices to follow.

Why Firewall Configuration Matters

A VPS usually comes with root access, which means you have full control of the server environment. However, this also makes your server a potential target for hackers, bots, and malware. Without a firewall:

  • Hackers could attempt brute-force logins against your SSH service.

  • Malware might try to exploit open ports.

  • Your server could become part of a botnet if unsecured.

By configuring firewall rules, you restrict access only to the services you intend to run. For example, if you only need SSH, HTTP, and HTTPS, then all other ports should be blocked.

Step 1: Check Your VPS Firewall Options

Most hosting providers give you two options for firewall configuration:

  1. Provider-level firewall – Managed from your hosting control panel (safer because traffic is filtered before reaching your VPS).

  2. VPS-level firewall – Configured inside your operating system, such as using ufw (Uncomplicated Firewall) on Ubuntu or firewalld on CentOS.

If possible, use both for layered protection.

Step 2: Install and Enable a Firewall

If your VPS is running on Linux, here are common tools:

  • Ubuntu/Debian: ufw

    sudo apt update
    sudo apt install ufw
    # ufw's default policy denies new inbound connections once enabled; if you are
    # logged in over SSH, add the SSH allow rule from Step 3 before running this.
    sudo ufw enable

  • CentOS/RHEL: firewalld

    sudo yum install firewalld
    sudo systemctl enable firewalld
    sudo systemctl start firewalld

This activates your firewall service and prepares it for rules.

Step 3: Allow Only Essential Ports

Most servers only require a few ports to function:

  • 22: SSH (secure shell for remote access)

  • 80: HTTP (web traffic)

  • 443: HTTPS (secure web traffic)

To allow these in ufw:

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443

For firewalld:

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Step 4: Deny All Other Traffic

The golden rule is: deny by default, allow by exception.
In ufw, set default deny policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

This means no one can connect unless explicitly allowed.

Step 5: Add Custom Rules (If Needed)

Depending on your VPS use case:

  • If you run a database server (e.g., MySQL), restrict it to local connections only.

  • If you need FTP, allow ports 20 and 21 but secure them with TLS.

  • For mail servers, you may need ports like 25, 465, and 587.

Always limit access by source IP whenever possible. For example, to allow SSH only from your office IP:

sudo ufw allow from 203.0.113.15 to any port 22

Step 6: Test and Monitor

Once rules are in place:

  1. Check firewall status: sudo ufw status or sudo firewall-cmd --list-all.

  2. Test access from another computer. Make sure your website loads and SSH works.

  3. Monitor logs (/var/log/ufw.log or /var/log/firewalld) for blocked attempts.

If something breaks, review your rules and adjust accordingly.
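Step 6 tells you to check the firewall status by hand. The following Python script, an added example that is not from the original article, parses a `sudo ufw status numbered` listing (a constructed sample is embedded) against the ports you intend to expose and reports anything extra, including the case where the broad `ufw allow 22` rule from Step 3 is still present beside the IP-restricted rule from Step 5, so the restriction is not actually in effect.

```python
import re
# Constructed sample of `sudo ufw status numbered` output from a VPS where
# the broad "ufw allow 22" rule from Step 3 still exists alongside the
# IP-restricted SSH rule from Step 5, and MySQL was opened to the world.
SAMPLE_STATUS = """\
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 3306                       ALLOW IN    Anywhere
[ 5] 22                         ALLOW IN    203.0.113.15
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)
"""
# Ports this VPS should expose, and from where (the article's Steps 3 and 5).
INTENDED = {"22": "203.0.113.15", "80": "Anywhere", "443": "Anywhere"}

# One rule line: "[ n] <port>[/proto][ (v6)]  ACTION [IN|OUT]  <source>[ (v6)]"
RULE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(\S+)(?: \(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)"
    r"(?: IN| OUT)?\s+(.+?)(?: \(v6\))?\s*$"
)

def parse_status(text):
    """Return (rule_number, port, action, source) for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, port, action, source = m.groups()
            rules.append((int(num), port.split("/")[0], action, source))
    return rules

def audit(rules, intended):
    """Flag ALLOW rules for ports outside the allowlist, and IP-restricted
    ports that still have a rule open to Anywhere (which lets everyone in)."""
    findings = []
    for num, port, action, source in rules:
        if action != "ALLOW":
            continue
        if port not in intended:
            findings.append(f"rule {num}: port {port} is open but not in the allowlist")
        elif intended[port] != "Anywhere" and source == "Anywhere":
            findings.append(f"rule {num}: port {port} is open to Anywhere, "
                            f"intended only from {intended[port]}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_status(SAMPLE_STATUS), INTENDED):
        print(finding)
```

On a real server, replace SAMPLE_STATUS with the captured output of `sudo ufw status numbered` and adjust INTENDED to your own allowlist; a flagged broad rule is removed with `sudo ufw delete <number>`.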

Best Practices

  • Change the default SSH port to reduce brute-force attempts.

  • Use fail2ban alongside your firewall for dynamic blocking.

  • Regularly audit open ports with the netstat or ss commands.

  • Back up your rules before making major changes.

Conclusion

Configuring firewall rules for your VPS is a critical step to protect your server from unauthorized access and cyber threats. By following the principle of least privilege—allowing only what’s necessary and blocking everything else—you significantly reduce your server’s attack surface. Combine firewall rules with other security practices like strong passwords, two-factor authentication, and regular updates, and your VPS will be far more secure.