Firewall

Learn how to configure the netcup firewall.

1. About the Firewall

Our firewall is a free security feature that filters your server's incoming and outgoing traffic.

This simple firewall offers basic protection and can, for example, prevent internal data from being unintentionally transferred to the public internet. However, you will need to implement your own firewall solution for advanced features.

The firewall is managed via policies. These are sets of rules for incoming and outgoing traffic. For newly ordered servers, the firewall is initially configured to allow all traffic. You then create your own policies and assign them to your server.

The firewall is stateful. This means that it remembers connections originating from your server and automatically accepts return traffic. However, this only applies to TCP traffic. To whitelist UDP traffic, you must create INGRESS and EGRESS rules in your policy:

Example, DNS server:

  • INGRESS, UDP, allow traffic TO port 53
  • EGRESS, UDP, allow traffic FROM port 53 (response traffic)

What is the difference between TCP and UDP traffic?

TCP (Transmission Control Protocol): Establishes a fixed connection that can be tracked by the firewall. This allows the firewall to automatically recognize responses to outgoing TCP connections.

UDP (User Datagram Protocol): There is no established session for the firewall to track. Therefore, both incoming and outgoing rules must be defined for UDP to allow requests and responses.

Availability

The firewall will be available for Generation 11 and 12 root servers and Generation 12 vServers from December 9, 2025.

When will the firewall be available for my root server or VPS?

Our VPS (vServer) and older root server generations will gradually be equipped with this feature. We are unable to provide an exact schedule at this time. We kindly ask for your patience in this matter.

2. Creating Policies

You can set and assign your own firewall rules (policies) to a server. If no policies are assigned to a server, the firewall automatically allows all traffic. Policies are defined across servers in the Server Control Panel (SCP) and can then be assigned to a server.

Default Policies

The standard firewall contains non-editable rules that allow mandatory traffic. For example, DNS traffic to the netcup DNS servers is always allowed. Additionally, rules are set by default to prevent email spamming. However, you can view these rules and remove them if necessary.

If you want to block outgoing traffic (EGRESS), make sure to whitelist, for example, NTP traffic to your server's configured NTP server. DHCP traffic must also be whitelisted; however, this is likely only necessary during the installation of your server. If you want to restore your default policies, click on Restore Default Policies and confirm by clicking on Save. This action will not affect your existing policies.

To enable emails via SMTP, the default firewall policy must be removed, as it blocks incoming and outgoing SMTP connections by default.

  1. Select your server in the SCP.
  2. Go to the menu item Firewall.
  3. Click on the Trash Can Icon next to the policy.

Limits

You can create up to 500 active rules per server and public network interface within policies using the Server Control Panel. The following applies:

  • Each combination of source IP address, destination IP address, and ports counts as a separate rule.
  • One rule can have up to 100 IP addresses as the source or destination, which corresponds to 100 separate rules.
  • One policy can contain up to 500 rules.

Creating Policies

  1. In the Server Control Panel (SCP), go to the Firewall Policies menu item.
  2. Click Add Policy.
  3. Enter a name.
  4. Enter a description (optional).

3. Creating Rules

  1. Click Add rule.

  2. Select Type: Select whether the rule should be applied to incoming or outgoing traffic.

  3. Select Action: Select what should happen to the traffic:

    • ACCEPT: Allow the traffic.
    • DROP: The traffic is discarded. In this case, no response is sent to the sender.

    As soon as a rule for INGRESS or EGRESS is defined and saved, the default rule for INGRESS/EGRESS is changed to DROP accordingly.

    Note that the REJECT action (discarding the traffic and sending a response to the sender) is not supported. Implement your own firewall solution for advanced features of this type.

  4. Select Source (Ports): The Source (Ports) parameter defines the range of source ports from which a network packet may originate. Each rule accepts only one port string.

    Example: a single port, “22”, or a port range, “1000-11000”

    To find out the ports for your services, check the documentation for your application or the configuration file for the service. The ports used are usually clearly specified there.

  5. Select Destinations (IP/S networks): The Destinations parameter describes which destination IP addresses or networks the firewall rule may address.

  6. Destination ports: The Destination ports parameter defines which destination ports may be addressed. This port usually determines the destination application or service.

  7. Confirm by clicking Add.

If a policy's rules are changed while it is being applied to a server, the new settings will take effect as soon as the change has been saved.

4. Assigning Policies to a Server

  1. Select your server.
  2. Go to the Firewall menu item.
  3. Click on Edit policies.
  4. On the left side, you will see all your previously defined policies. Move them to the right side to apply them to your server.
    • >>: Apply all rules
    • >: Apply selected rule
  5. Note that rules are handled according to priority. If the top rule applies, the rules below it are ignored. You can drag and drop a rule up or down to change its priority.
  6. Add the desired policies to your server and confirm by clicking on Edit.
  7. Then click on Save. Changes will be applied immediately.

5. Use Cases

Example 1: Allow SSH

INGRESS, TCP, destination port 22, accept

EGRESS, TCP, source port 22, accept (Only define EGRESS if you have also configured extra EGRESS rules for client traffic; otherwise this traffic will be blocked, see Example 5.)

Example 2: Allow Web Policy

INGRESS, TCP, destination ports 80,443, accept (2 rules)

EGRESS, TCP, source ports 80,443, accept (2 rules) (Only define EGRESS if you have also configured extra EGRESS rules for client traffic; otherwise this traffic will be blocked, see Example 5.)

Example 3: Allow all traffic to/from a specific IP prefix

INGRESS, TCP, source IP prefix = 198.51.100.0/24, accept

EGRESS, TCP, destination IP prefix = 198.51.100.0/24, accept (Only define EGRESS if you have also configured extra EGRESS rules for client traffic; otherwise this traffic will be blocked, see Example 5.)

Example 4: Whitelist a specific host for DB (MySQL) access

INGRESS, TCP, source IPs = 198.51.100.10/32, 2001:db8::cafe/128, destination port 3306, accept (2 rules)

EGRESS, TCP, destination IPs = 198.51.100.10/32, 2001:db8::cafe/128, source port 3306, accept (2 rules) (Only define EGRESS if you have also configured extra EGRESS rules for client traffic; otherwise this traffic will be blocked, see Example 5.)

Example 5: Whitelisting client traffic from the server, so all the EGRESS rules above can be applied as well

For TCP, the firewall connection tracking will automatically allow return traffic (responses), so there is no need for INGRESS rules.

EGRESS, TCP, destination ports 80,443 accept (2 rules) (allows connecting to HTTP/S servers)

EGRESS, TCP, destination ports 22 accept (allows connecting to SSH servers)

EGRESS, UDP, destination ports 123 accept (allows syncing time with NTP servers)

INGRESS, UDP, source ports 123 accept (accepts NTP answer traffic)

Please note that once an EGRESS rule exists, the default action is DROP and anything that is not defined will be discarded. To ensure that everything continues to function as usual, EGRESS rules must be created for typical traffic, such as website visits (HTTP/S).

Example: EGRESS, accept traffic TO destination ports 80,443

We recommend creating INGRESS rules only.
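The evaluation behaviour described in sections 1 to 5 (rules checked in priority order with the first match winning, ACCEPT and DROP only, a direction's default flipping to DROP once any rule exists for it, TCP connections opened by the server tracked so their replies pass, UDP never tracked) as an added Python model that reproduces the use cases above. This is not netcup's code: the Rule and Packet fields and the parse_ports helper are assumptions chosen to mirror the SCP form, and all addresses are constructed documentation-range examples.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Constructed model of the behaviour this page documents (not netcup's code):
# the first matching rule wins, only ACCEPT/DROP exist, a direction's default
# flips to DROP once any rule exists for it, TCP connections opened by the
# server are tracked so their replies pass, and UDP is never tracked.

def parse_ports(spec: str) -> range:
    """Port string as entered in the SCP: "22" or "1000-11000"."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

@dataclass(frozen=True)
class Rule:
    direction: str                   # "INGRESS" or "EGRESS"
    proto: str                       # "TCP" or "UDP"
    action: str = "ACCEPT"           # or "DROP"; REJECT is not supported
    src_ports: "range | None" = None # None matches any port
    dst_ports: "range | None" = None
    src_net: "str | None" = None     # CIDR prefix; None matches any address
    dst_net: "str | None" = None

# One packet as the firewall sees it; addresses are plain strings (assumed shape).
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

def _matches(r: Rule, p: Packet) -> bool:
    nets_ok = all(n is None or ipaddress.ip_address(ip) in ipaddress.ip_network(n)
                  for ip, n in ((p.src_ip, r.src_net), (p.dst_ip, r.dst_net)))
    return (nets_ok and r.direction == p.direction and r.proto == p.proto
            and (r.src_ports is None or p.src_port in r.src_ports)
            and (r.dst_ports is None or p.dst_port in r.dst_ports))

class Firewall:
    def __init__(self, rules: list):
        self.rules = list(rules)     # policy/rule order is the priority order
        self.tracked = set()         # (peer ip, peer port, local port) of TCP flows we opened

    def verdict(self, p: Packet) -> str:
        # Stateful part: a TCP reply to a connection the server opened is accepted.
        if (p.direction, p.proto) == ("INGRESS", "TCP") and \
                (p.src_ip, p.src_port, p.dst_port) in self.tracked:
            return "ACCEPT"
        action = next((r.action for r in self.rules if _matches(r, p)), None)
        if action is None:           # nothing matched: default depends on the direction
            action = "DROP" if any(r.direction == p.direction for r in self.rules) else "ACCEPT"
        if action == "ACCEPT" and (p.direction, p.proto) == ("EGRESS", "TCP"):
            self.tracked.add((p.dst_ip, p.dst_port, p.src_port))
        return action
```

Feeding it Example 1 plus Example 5 shows why the page recommends INGRESS-only policies: as soon as the EGRESS rules exist, the server's own SSH replies (source port 22) are dropped until Example 1's EGRESS rule is added as well.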

6. Frequently Asked Questions (FAQ)

Can I disable the firewall?

The firewall cannot be activated or deactivated directly. To temporarily allow all traffic, remove all policies from the server or create an “allow-all” policy. In this case, the allow policy must be placed above the other policies. Remember to remove this later.

Is there an alternative to the netcup firewall?

You can also use your own firewall solutions at the operating system level of your VPS or root server, for example ufw, iptables or firewalld. Also, make sure you protect your access with two-factor authentication/SSH keys and keep your system up to date.

Is the firewall sufficient to ensure the security of my server?

The firewall provides basic protection. It adds an upstream security layer to your network and blocks unwanted public services or system misconfigurations. However, it does not replace protection via local server firewalls. We recommend setting up your own internal firewall solutions, such as iptables or nftables, on the server itself. Also, make sure you protect your access with two-factor authentication/SSH keys and keep your system up to date.

Are VLANs supported by the firewall?

Since this is internal traffic and not external traffic, the firewall cannot be configured for VLANs. Use a solution at the operating system level for this purpose.

Last update: 09/12/2025