With all plans we offer our advanced, configurable firewall settings to help you improve the security of your server. This guide details how to configure the firewall.

Why do I need a firewall?

There are a few different reasons you may wish to use a firewall:

When running Bungeecord, to ensure the network stays secure you need to make it so that only the proxy server can connect to the backend servers. This is because the backend server has to run in offline mode, so if players can directly connect to it then they can join with any username. Therefore, you can set up a firewall that only allows Bungeecord to connect to it.
If there's somebody specifically malicious trying to connect to your server, or using exploits such as a null ping attack, or any other similar exploits, you can block their IP on the network so that the packets don't reach your server at all.
If you wish to have a more secure whitelist than just a username-based whitelist, you could make it so that only your own IP, or the IP of your friends, can connect to the server.
If you're using any sort of DDoS protection solution like TCPShield, it may be possible to block all connections that don't come from that service, to force all connections to go through that service.

How do the rules get applied?

The firewall rules are applied in order of priority. The node will read the rules from the highest priority number, to the lowest priority number, and check each rule in order. If the rule matches the IP trying to connect, and the connection is being made to the selected port, then the connection will be either allowed or blocked depending on which you choose. If no rules match the details of the connection, then the connection will be allowed by default.

The firewall rules are updated every time you reboot your server.

Common Configurations

Bungeecord

For Bungeecord there is actually an automatic configurator that will set it all up for you! This will only show up if you have no rules added. All you have to do is click your Bungeecord server in the dropdown and select Configure, and it will create the needed rules. You will need to do this on every backend server, for example on Survival and on Factions.



This will create two rules:



What these rules say is as follows:

If the connection is from 1.2.3.4 (which is our Bungeecord IP), then allow it, and stop checking any other rules.
If the connection is from any other IP (0.0.0.0/0 means any IP), then block it, and stop checking any other rules.

Then, just reboot the server. To test that this is set up correctly, simply put the IP of the backend server into your game, and click join. It should stay on "Connecting to server" and then time out. However, if you join through Bungeecord, it should work fine.

Blocking a malicious IP

To block a malicious IP, it's as simple as adding a "Block" rule for this user's IP. The priority must be higher than any other Allow rules you have, so that the block gets processed first.

Simply click "Add Rule" and fill out the IP with the malicious IP, the port with your server's port, and set the priority. Change the action to "Block" and then add the rule!



This will then mean that they are completely unable to make any network connections to that port on your server.
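
The evaluation order described in this guide (highest priority number first, first match wins, allow by default) can be modelled offline to check a rule set before you reboot. The Python sketch below is an added example, not the host's own code; the Rule class, the decide and shadowed helpers, port 25565, the priority numbers and the 203.0.113.x addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int  # higher number is checked first
    source: str    # single IP or CIDR range
    port: int
    action: str    # "allow" or "block"

def _net(rule):
    return ipaddress.ip_network(rule.source, strict=False)

def _ordered(rules):
    return sorted(rules, key=lambda r: r.priority, reverse=True)

def decide(rules, src_ip, port):
    """First matching rule wins; no match means allow (the guide's default)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in _ordered(rules):
        if rule.port == port and ip in _net(rule):
            return rule.action
    return "allow"

def shadowed(rules):
    """Rules that never fire: an earlier rule on the same port covers them."""
    ordered = _ordered(rules)
    return [r for i, r in enumerate(ordered)
            if any(e.port == r.port and _net(r).subnet_of(_net(e))
                   for e in ordered[:i])]

# Constructed sample values: port, priorities and the 203.0.113.x addresses.
PORT = 25565
BACKEND = [Rule(2, "1.2.3.4", PORT, "allow"),    # the guide's Bungeecord IP
           Rule(1, "0.0.0.0/0", PORT, "block")]  # everyone else
MISORDERED = [Rule(10, "203.0.113.0/24", PORT, "allow"),
              Rule(5, "203.0.113.7", PORT, "block")]  # below the Allow rule
FIXED = [Rule(10, "203.0.113.0/24", PORT, "allow"),
         Rule(20, "203.0.113.7", PORT, "block")]      # above the Allow rule

if __name__ == "__main__":
    print(decide(BACKEND, "198.51.100.9", PORT))      # direct join attempt
    print(decide(BACKEND, "198.51.100.9", PORT + 1))  # port with no rules
    print(decide(MISORDERED, "203.0.113.7", PORT), shadowed(MISORDERED))
    print(decide(FIXED, "203.0.113.7", PORT), shadowed(FIXED))
```

Because rules match on both IP and port, any other port on the server that has no rules of its own still falls through to the default allow.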