The Virtualizor firewall lets you control which network traffic is allowed into and out of your VPS. Rules are grouped into named firewall plans, which can be applied to one or more VPS instances. By default, traffic not explicitly allowed is dropped.
What you will need
- Access to the Virtualizor Enduser Panel
- Knowledge of which ports your services use (e.g. port 22 for SSH, port 80 for HTTP, port 443 for HTTPS)
Step 1 — Create a firewall plan
- Log in to the Virtualizor Enduser Panel.
- In the left sidebar, click Firewall Plans (or navigate to Networking → Firewall Plans).
- Click Add Plan.
- Enter a descriptive name for the plan, such as Web Server or My VPS Firewall.
- Click Save. The plan is created and you are taken to the rule editor.
Step 2 — Add rules to the plan
Each rule defines what to do with a specific type of traffic. The fields for each rule are:
- Direction: IN (incoming traffic to the VPS) or OUT (outgoing traffic from the VPS)
- IP Type: IPv4 or IPv6
- Decision: ACCEPT (allow the traffic) or DROP (silently discard the traffic)
- Protocol: TCP, UDP, ICMP, or GRE
- Source Port: the originating port (leave blank to match any port)
- Destination Port: the port on the VPS to match (e.g. 22, 80, 443)
- Source IP: restrict the rule to a specific IP or subnet (leave blank to match any source)
Common rules to add for a typical web server:
- ACCEPT IN TCP port 22 — allows SSH access (fill in Source IP to limit it to your own address, or leave it blank to allow any IP)
- ACCEPT IN TCP port 80 — allows standard HTTP web traffic
- ACCEPT IN TCP port 443 — allows HTTPS web traffic
- ACCEPT IN TCP port 3306 — allows remote MySQL/MariaDB connections (only add this if you need remote database access; restrict to a specific source IP if possible)
- DROP IN all remaining — add a final DROP rule with no port specified to block everything else inbound
Step 3 — Apply the plan to your VPS
- Go to List VPS and click the gear icon for your VPS.
- On the VPS management page, click Networking in the sidebar, then choose Change Firewall Plan.
- Select the firewall plan you just created from the drop-down list.
- Click Save. The rules take effect immediately.
Warning: accidental SSH lockout
If you apply a firewall plan that does not include an ACCEPT rule for TCP port 22, you will lose SSH access to the VPS. To recover:
- Open the VNC console from the Virtualizor management page.
- Log in as root using the VNC terminal.
- Edit the firewall plan in Virtualizor to add the missing SSH rule, or temporarily remove the firewall plan from the VPS.
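The check below is an added example, not part of Virtualizor or of the original guide: it reviews a plan before you apply it, covering the SSH lockout described above and the rule advice in Step 2. The dict layout, the `rule` helper, and the sample plan are assumptions for illustration; the rules would be typed in by hand from the rule editor.

```python
import ipaddress

# Constructed sample plan using the rule fields from Step 2. The dict layout is
# an assumption for illustration, not a Virtualizor export format or API.
# 203.0.113.10 is a documentation address standing in for "your IP".
def rule(decision, dest_port="", source_ip="", protocol="TCP", direction="IN", ip_type="IPv4"):
    return dict(direction=direction, ip_type=ip_type, decision=decision, protocol=protocol,
                source_port="", dest_port=str(dest_port), source_ip=source_ip)

SAMPLE_PLAN = [
    rule("ACCEPT", 22, "203.0.113.10"),
    rule("ACCEPT", 80),
    rule("ACCEPT", 443),
    rule("ACCEPT", 3306),   # no Source IP: reachable from any host
    rule("DROP"),           # final catch-all, no port specified
]

def accepts_tcp_in(r, port):
    """True if the rule ACCEPTs inbound TCP to `port` (a blank port matches any)."""
    return (r["direction"] == "IN" and r["decision"] == "ACCEPT"
            and r["protocol"] == "TCP" and r["dest_port"] in ("", str(port)))

def is_catch_all_drop(r):
    """DROP IN with no ports and no source IP; the protocol field is not examined."""
    return (r["direction"] == "IN" and r["decision"] == "DROP"
            and not r["source_port"] and not r["dest_port"] and not r["source_ip"])

def review_plan(rules, ip_type="IPv4"):
    """Return a list of findings for the rules of one IP type."""
    rules = [r for r in rules if r["ip_type"] == ip_type]
    findings = []
    if not any(accepts_tcp_in(r, 22) for r in rules):
        findings.append("LOCKOUT: no ACCEPT IN TCP 22 rule; SSH will be unreachable")
    for r in rules:
        src = r["source_ip"]
        if src:
            try:
                ipaddress.ip_network(src, strict=False)  # accepts an IP or a subnet
            except ValueError:
                findings.append(f"INVALID: source IP {src!r} is not an IP or subnet")
        elif accepts_tcp_in(r, 3306):
            findings.append("EXPOSED: TCP 3306 accepted from any source; set Source IP")
    if rules and not is_catch_all_drop(rules[-1]):
        findings.append("OPEN: last rule is not a catch-all DROP IN")
    return findings

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN):
        print(finding)
```

An empty result means none of the three conditions were found; it does not confirm that the rule applies to the address you will actually connect from.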
Troubleshooting
- Rules do not seem to take effect: confirm that the plan has been applied to the correct VPS. Go to Networking → Change Firewall Plan and verify the active plan name.
- Cannot reach a service that was working before: check that you have an ACCEPT rule for the port that service uses. If the service was running and a new firewall plan was applied, the missing rule is the most likely cause.
- Need to remove all firewall restrictions: go to Networking → Change Firewall Plan and select None or a plan with no DROP rules to restore open access temporarily while you troubleshoot.