The OVH Network Firewall is an excellent additional security layer on top of your server’s internal firewall (such as iptables, ufw, or firewalld). It blocks unwanted traffic before it even reaches your server’s network interface, saving CPU resources and bandwidth.
Here’s a step-by-step guide to configuring the OVH Network Firewall, focused on avoiding common mistakes (such as blocking your own access).
1. Understanding the Logic (Before You Begin)
The OVH Firewall works with numbered Priority rules (0 to 19).
Rule 0: This is the first to be read.
Rule 19: This is the last to be read.
As soon as a data packet matches a rule, the action (Allow or Reject) is taken and the reading stops.
2. Accessing the Dashboard
- Log in to OVH Manager.
- In the top menu, go to Bare Metal Cloud.
- In the left-hand menu, click on Network and then on IP.
- Locate your server’s IP address in the list.
- Click on the … (three dots) next to the IP address and select Create Firewall (if it doesn’t already exist) or Configure Firewall.
3. Enabling the Firewall
Before creating rules, you must enable mitigation mode:
On the IP address’s firewall page, click Enable Firewall.
The shield icon will turn green or the status will show “Enabled”.
4. Creating the Rules (Step by Step)
To add rules, click the IP address (…) and select Configure Firewall. You will see an empty table. Click Add a rule.
Rule A: Allow SSH (CRUCIAL)
Do this first to avoid locking yourself out.
Priority: 0
Action: Authorize
Protocol: TCP
Source IP: Leave blank (to allow access to everyone) or enter only your static internet IP address (for maximum security).
Source Port: Leave blank.
Destination Port: 22 (or your custom SSH port).
Status: New or leave blank.
Rule B: Allow Web (HTTP/HTTPS) and Control Panels
If you host websites or use cPanel/DirectAdmin/Plesk.
Priority: 1
Action: Allow
Protocol: TCP
Destination Port: 80 (HTTP)
Priority: 2
Action: Allow
Protocol: TCP
Destination Port: 443 (HTTPS)
(Repeat the process for other ports or control panel ports such as 2222, 2083, 2087, 8080, if necessary).
Rule C: Allow established connections (TCP Established)
This is vital. If your server attempts to download an update (apt/yum) or respond to a ping, it needs to receive the response back.
Priority: 10
Action: Allow
Protocol: TCP
TCP Options: Select Established.
Rule D: Block everything else (The “Wall”)
This should always be your last rule.
Priority: 19
Action: Reject
Protocol: IPv4 (This selects all protocols: TCP, UDP, ICMP, etc.)
Source/Destination IP: Leave blank.
5. Example of a Final Table
Your table in the OVH dashboard should look something like this for a basic web server:
| Priority | Action | Protocol | Destination Port | Notes |
|---|---|---|---|---|
| 0 | Authorize | TCP | 22 | SSH access |
| 1 | Authorize | TCP | 80 | Web HTTP |
| 2 | Authorize | TCP | 443 | Web HTTPS |
| 3 | Authorize | UDP | 53 | DNS (if it’s a DNS server) |
| 10 | Authorize | TCP | – | Option: Established (answers) |
| 11 | Authorize | ICMP | – | Allow ping (optional) |
| 19 | Refuse | IPv4 | – | Block everything else |
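To check the order of a rule set before typing it into the dashboard, here is an added example (not part of the original guide or of OVH’s tooling) that replays the first-match logic from section 1 over the table above: rules are evaluated from priority 0 to 19, the first match decides, “IPv4” matches every protocol, and, as the guide’s need for rule 19 implies, traffic matching no rule is assumed to pass. The `check_ruleset` helper and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int                    # 0 is read first, 19 last
    action: str                      # "Authorize" or "Refuse"
    protocol: str                    # "TCP", "UDP", "ICMP" or "IPv4" (any)
    dst_port: Optional[int] = None   # None = any destination port
    source_ip: Optional[str] = None  # None = any source address
    established: bool = False        # TCP option "Established"

@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int]
    source_ip: str
    established: bool = False        # reply to a connection the server opened

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "IPv4" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.source_ip is not None and rule.source_ip != pkt.source_ip:
        return False
    return pkt.established or not rule.established

def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Verdict of the first rule (lowest priority number) that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action
    return "Authorize"  # assumption: unmatched traffic passes (hence rule 19)

# The final table from section 5, transcribed as rules.
WEB_SERVER_RULES = [
    Rule(0, "Authorize", "TCP", dst_port=22),
    Rule(1, "Authorize", "TCP", dst_port=80),
    Rule(2, "Authorize", "TCP", dst_port=443),
    Rule(3, "Authorize", "UDP", dst_port=53),
    Rule(10, "Authorize", "TCP", established=True),
    Rule(11, "Authorize", "ICMP"),
    Rule(19, "Refuse", "IPv4"),
]

def check_ruleset(rules: list[Rule]) -> list[str]:
    """Flag the two mistakes the guide warns about (constructed helper)."""
    problems = []
    if evaluate(rules, Packet("TCP", 22, "203.0.113.10")) != "Authorize":
        problems.append("SSH (TCP/22) would be refused: you would lock yourself out")
    if evaluate(rules, Packet("UDP", 1194, "198.51.100.7")) != "Refuse":
        problems.append("no catch-all Refuse rule: unlisted traffic still reaches the server")
    return problems
```

Run `check_ruleset` on your own transcription: an empty list means SSH is reachable and the final “wall” is in place.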
Important Tips and Warnings
- UDP: If you use games or VPNs (OpenVPN/WireGuard) that use UDP, remember to create Authorize rules with the UDP protocol on the specific ports before rule 19.
- Application Delay: Rules on OVH can take 30 seconds to 2 minutes to propagate.
- Local Firewall: Never disable your local firewall (iptables/ufw). The OVH firewall is edge protection; the local one is your last line of defense and allows for finer controls (such as blocking login attempts).
- Permanent Mitigation: By default, OVH only activates these rules if it detects an attack. For these rules to always work, go to the IP settings and change the mitigation mode from “Automatic” to “Permanent Mitigation”.
