With recent updates, customers can now remove the requirement of software firewalls like CSF on the Firs2Host VPS network. The default cPanel firewall is a software firewall like CSF and this operates at the server level. That means it performs its function inside the server. So the traffic flows through the network port and a software firewall like CSF will analyze the traffic and apply any firewall rules. A software firewall is the most basic type of protection; because of this, they also have limitations. For example, DDoS attack traffic can form a bottleneck as it flows through the network card and is analyzed by the firewall. But at best this means slow page loading speeds for end users and at worse, outages on websites.
Local Network Firewall
The local network firewall (LNF) operates one level above customer’s virtual servers directly on the hypervisor. We now use the LNF as the default firewall on all servers. Including cPanel servers. By using the LNF you can block malicious traffic and apply firewall rules to traffic before it reaches your server. As it’s operating on the hypervisor, above the virtual server the throughput capacity is equal to the node’s physical connection which is 10 GBPS. The LNF is able to deal with a larger amount of traffic compared to a software firewall.
Configure LNF Rules
The LNF firewall is managed directly from your First2Host client area. Under the Virtual Server > Firewall section you can apply rules to the LNF.
- For public connections, rules are applied to the net0 interface.
- For private connections, rules are applied to the net1 interface.
Common rules like to allow HTTP, HTTPS, IMAP, and POP3 are available in the MACRO section. It’s important to note that when using a MACRO, that rule is applied to incoming and outgoing connections. However, we advise the firewall is configured to block all incoming connections by default and rules are applied to open the ports that are required.
LNF Security Groups – cPanel Firewall
LNF Security Groups are a predefined set of rules for specific applications. We now use the cPanel firewall security group as the default firewall on all cPanel VPS Servers. The cPanel firewall group is configured with all of the recommended ports open as listed in the cPanel documentation. By default, the LNF blocks IMCP requests. You cannot ping a server behind the LNF unless you allow IMCP requests in the control panel.
To apply a security group to a virtual server, click the three dots next to the firewall rules button and select “Add Security Group.” But to ensure the rules are applied to your server, make sure the slider is to the right.
Managed Edge Firewall
The edge firewall sits on the boundary of the network, known as the PoP. The Point-of-presence. And this is where traffic from the internet enters our network in the data centre. Enterprise customers can take advantage of our hardware firewall. Firewall rules can be applied by the support team to the edge firewall to block and analyze traffic before it enters the network. So, please contact your support team for details of our managed firewall solutions for enterprise customers.
