This guide shows you how to turn on the LifeinCloud firewall for a VPS, add allow/deny rules, and verify that everything works without locking yourself out.
Step 1 — Open the Firewall for your VPS
- Go to your LifeinCloud client area.
 - Open Services → Your VPS and select the server you want to protect.
 - Navigate to the Firewall section.
 
Step 2 — Add a Safe Access Rule before Enabling
To avoid lockouts, first create an allow rule for your admin access:
Linux VPS (SSH)
- Direction: Inbound
 - Protocol: TCP
 - Port: 22 (or your custom SSH port)
 - Source: YOUR.PUBLIC.IP/32
Replace YOUR.PUBLIC.IP with your real IP (e.g., 203.0.113.10). If your IP changes often, temporarily use 0.0.0.0/0 during setup and tighten later.
Windows VPS (RDP)
- Direction: Inbound
 - Protocol: TCP
 - Port: 3389
 - Source: YOUR.PUBLIC.IP/32
For extra safety, allow RDP only from your office/home IPs.
Now enable the firewall. Your admin port stays reachable.
Step 3 — Understand Rule Fields
- Direction: Inbound or Outbound (most users only need inbound rules).
 - Action: Allow or Deny.
 - Protocol: TCP, UDP, or Both (for services using both, like some games).
 - Port(s): Single (e.g., 443), list (e.g., 80,443), or range (e.g., 30000–30100).
 - Source (Inbound): IP/CIDR allowed to reach your VPS (e.g., 0.0.0.0/0, 203.0.113.0/24).
 - Destination (Outbound): Where your VPS can connect (leave as any unless you need egress control).
 - IPv4 / IPv6: Add rules for both stacks if your VPS has IPv6 enabled.
 - Priority / Order: Rules are processed top-to-bottom; first match wins. Keep “allow admin” near the top.
 
Step 4 — Add Common Service Rules
Web Server (HTTP/HTTPS)
- Allow TCP 80 from 0.0.0.0/0
 - Allow TCP 443 from 0.0.0.0/0
If hosting only HTTPS, you can skip port 80 after forcing HTTPS.
Mail Server (example)
- Allow TCP 25,465,587 (SMTP)
 - Allow TCP 110,995 (POP3/POP3S)
 - Allow TCP 143,993 (IMAP/IMAPS)
 
Open only what you use. Many providers block outbound 25 by policy.
Databases (private access only)
- Allow TCP 3306 (MySQL/MariaDB) from YOUR.PRIVATE.RANGE/24 or a specific app server IP
Avoid exposing databases to the internet. Prefer private networking.
Game Server (example: Minecraft)
- Allow TCP/UDP 25565 from 0.0.0.0/0
 - Keep SSH/RDP rules for administration
 
Some games need multiple ports or ranges—check the game’s docs.
Step 5 — Add IPv6 Rules (If Your VPS Has IPv6)
If your VPS has an IPv6 address, create equivalent IPv6 rules. For example:
- Allow TCP 22 from YOUR:IPV6:ADDR::/128
 - Allow TCP 80 and 443 from ::/0
IPv6 is a separate stack—opening IPv4 does not automatically open IPv6.
Step 6 — Apply & Test Your Rules
- Apply/Save your firewall changes.
 - Keep your current SSH/RDP session open. From another terminal/computer, test access:
```bash
# From your computer (replace IP)
# Check open web ports
curl -I http://YOUR.SERVER.IP
curl -I https://YOUR.SERVER.IP -k

# Probe a port (Linux/macOS)
nc -vz YOUR.SERVER.IP 22
nc -vz YOUR.SERVER.IP 443
```
 - If something fails, review rules and ordering. Ensure your source IP matches what the rule expects.
 
Tip: Add a temporary “Allow SSH/RDP from anywhere” rule while testing, then tighten it to your IP.
Recommended Rule Order
- Allow SSH/RDP from your IP(s)
 - Allow critical services (HTTP/HTTPS, etc.)
 - Allow private-only services from specific IPs/subnets
 - Optional outbound controls (egress)
 - Implicit/explicit deny (block everything else)
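
The first-match ordering from Step 3 and the separate IPv6 stack from Step 5 can be checked offline before you enable the firewall. The following is an added example, not LifeinCloud code or its API: a small Python model of top-to-bottom, first-match evaluation with an assumed default deny, run over a constructed rule set. The tuple layout, function names and sample addresses are assumptions.

```python
import ipaddress

# Constructed rule set in the recommended order. The tuple layout
# (action, protocol, ports, source CIDR) is an assumption for this model,
# not the panel's export format. ports=None means "all ports".
RULES = [
    ("allow", "tcp", {22}, "203.0.113.10/32"),            # admin SSH, IPv4 only
    ("allow", "tcp", {80, 443}, "0.0.0.0/0"),             # web, IPv4
    ("allow", "tcp", {80, 443}, "::/0"),                  # web, IPv6
    ("allow", "tcp", {3306}, "10.0.0.0/24"),              # database, private range
    ("allow", "both", range(30000, 30101), "0.0.0.0/0"),  # port range 30000-30100
    ("deny", "both", None, "0.0.0.0/0"),                  # explicit deny, IPv4
    ("deny", "both", None, "::/0"),                       # explicit deny, IPv6
]

def evaluate(rules, src, proto, port, default="deny"):
    """Return (action, rule_index) for the first rule that matches.

    Falls back to (default, None) when nothing matches; default deny is
    an assumption about how an enabled firewall treats unmatched traffic.
    """
    addr = ipaddress.ip_address(src)
    for index, (action, rule_proto, ports, cidr) in enumerate(rules):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != addr.version:
            continue  # an IPv4 rule never matches IPv6 traffic, and vice versa
        if rule_proto not in ("both", proto):
            continue
        if ports is not None and port not in ports:
            continue
        if addr in net:
            return action, index  # first match wins; later rules are ignored
    return default, None

def lockout_check(rules, admin_ips, admin_port=22):
    """Return the admin source IPs that would NOT reach the admin port."""
    return [ip for ip in admin_ips
            if evaluate(rules, ip, "tcp", admin_port)[0] != "allow"]

if __name__ == "__main__":
    admins = ["203.0.113.10", "2001:db8::10"]  # constructed admin addresses
    print("locked out:", lockout_check(RULES, admins))
    # Same rules with the IPv4 deny moved to the top: the allow is shadowed.
    shadowed = [RULES[5]] + RULES[:5]
    print("locked out after reorder:", lockout_check(shadowed, admins[:1]))
```

Here the IPv6 admin address is reported as locked out because only an IPv4 SSH rule exists, and moving the deny rule above the admin allow locks out the IPv4 address as well.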
 
Maintenance & Best Practices
- Review rules periodically; remove ports you no longer need.
 - Prefer allowlists (specific IPs) for admin ports over open internet access.
 - Mirror rules for both IPv4 and IPv6 if applicable.
 - Document why each rule exists (helpful for teams and audits).
 
