A LumaDock VPS uses two possible layers of filtering: the cloud firewall in your control panel and the OS firewall inside the VPS.
To understand why a port is open or blocked, you need to test both layers and check whether a service is actually listening.
By default, the VPS firewall is enabled but has no rules, so all ports are open until you add restrictions.
How to check port status
When looking at ports, three outcomes help describe what is happening:
Open — a service is listening and the firewall allows traffic
Closed — no service is listening but the server responds to probes
Filtered — a firewall drops packets and the scan receives no reply
Step 1 — Check the cloud firewall in your control panel
Go to Service Management → Firewall for your VPS.
If no rules are listed, the VPS firewall is open and no port is closed at this layer.
Step 2 — Check services listening inside the VPS
Use ss to see which applications are bound to which ports.
sudo ss -tulpen
If the port appears as 127.0.0.1:PORT, the service listens only on localhost and will not be reachable externally until reconfigured.
A service bound to 0.0.0.0 or :: is reachable on all IPv4 or IPv6 addresses.
Step 3 — Inspect your OS firewall rules
Your VPS may use UFW, firewalld, or raw iptables/nftables depending on the OS.
Ubuntu and Debian (UFW)
sudo ufw status verbose
sudo ufw allow 22/tcp
sudo ufw allow 80,443/tcp
sudo ufw allow 25565/tcp
sudo ufw reload
CentOS, AlmaLinux, Rocky Linux (firewalld)
sudo firewall-cmd --state
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --add-port=25565/tcp --permanent
sudo firewall-cmd --reload
iptables or nftables (if used directly)
sudo iptables -L -n -v
sudo nft list ruleset
Step 4 — Test from outside your VPS
This shows what the internet sees when probing your ports.
nmap -Pn -p 22,80,443 YOUR_VPS_IP
For quick TCP checks:
nc -vz YOUR_VPS_IP 22
nc -vz YOUR_VPS_IP 443
If outside scans show filtered, a firewall is dropping packets.
If they show closed, traffic is reaching the VPS but nothing is listening.
Step 5 — Test locally inside the VPS
Use loopback tests to confirm an application is responding to requests.
curl -I http://127.0.0.1:80
nc -vz 127.0.0.1 80
If loopback works but the public IP fails, the service may be bound to localhost only or a firewall is blocking external traffic.
How to interpret results
If the service is listening and outside scans show filtered, check the cloud firewall and OS firewall.
If the service is listening but scans show closed, the application is not accepting connections on that interface.
If nothing is listening, start or reconfigure the application.
If localhost works but the public IP fails, adjust the bind address or firewall rules.
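The interpretation rules above, written as a small shell script. This is an added example, not LumaDock tooling: the function names bind_scope, scan_state and diagnose are hypothetical, the sample data is constructed, and the input is assumed to be `ss -Htln` output from inside the VPS plus normal nmap output from outside.

```sh
#!/bin/sh
# Constructed sample of `ss -Htln` output (not from a real host).
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 244  127.0.0.1:5432   0.0.0.0:*
LISTEN 0 511  [::]:80          [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'
# Constructed sample of nmap port-table lines as seen from outside.
SAMPLE_NMAP='PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
5432/tcp closed   postgresql
8080/tcp closed   http-proxy'

# bind_scope PORT < ss-output: prints external, loopback or none.
bind_scope() {
    awk -v port="$1" '
        {
            n = split($4, parts, ":")          # $4 = Local Address:Port
            if (parts[n] != port) next         # exact match, so 22 != 2222
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*/, "", host)               # drop %iface, e.g. 127.0.0.53%lo
            if (host ~ /^127\./ || host == "[::1]") {
                if (scope == "") scope = "loopback"
            } else scope = "external"          # 0.0.0.0, [::], * or a real address
        }
        END { print (scope == "" ? "none" : scope) }'
}

# scan_state PORT < nmap-output: prints open, closed or filtered.
scan_state() { awk -v p="$1/tcp" '$1 == p { print $2 }'; }

# diagnose SCOPE STATE: next step, following the interpretation rules.
diagnose() {
    case "$1:$2" in
        none:*)            echo "start or reconfigure the application" ;;
        loopback:*)        echo "adjust the bind address" ;;
        external:filtered) echo "check the cloud firewall and OS firewall" ;;
        external:closed)   echo "application not accepting on that interface" ;;
        external:open)     echo "reachable" ;;
        *)                 echo "unrecognised input"; return 1 ;;
    esac
}

for p in 22 80 5432 8080; do
    scope=$(printf '%s\n' "$SAMPLE_SS" | bind_scope "$p")
    state=$(printf '%s\n' "$SAMPLE_NMAP" | scan_state "$p")
    echo "port $p: bound=$scope outside=$state -> $(diagnose "$scope" "$state")"
done
```

On a real host, replace the sample variables with `sudo ss -Htln` run inside the VPS and `nmap -Pn -p PORTS YOUR_VPS_IP` run from another machine.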
Common port checks
SSH (22)
sudo ss -tulpen | grep ':22'
sudo ufw allow 22/tcp
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
Web (80, 443)
sudo ss -tulpen | grep -E ':80|:443'
sudo ufw allow 80,443/tcp
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
PostgreSQL (5432)
sudo ss -tulpen | grep ':5432'
sudo ufw allow 5432/tcp
sudo firewall-cmd --add-port=5432/tcp --permanent
sudo firewall-cmd --reload
MySQL/MariaDB (3306)
sudo ss -tulpen | grep ':3306'
sudo ufw allow 3306/tcp
sudo firewall-cmd --add-port=3306/tcp --permanent
sudo firewall-cmd --reload
Minecraft Java (25565)
sudo ss -tulpen | grep ':25565'
sudo ufw allow 25565/tcp
sudo firewall-cmd --add-port=25565/tcp --permanent
sudo firewall-cmd --reload
Notes on UDP
UDP scans are less reliable because UDP has no connection handshake. You can still test specific ports:
nmap -sU -Pn -p 53,123,1194 YOUR_VPS_IP
Security best practices
Only expose the ports your applications truly need.
Enable the cloud firewall if you want to restrict access by IP.
Avoid exposing databases to the public internet.
Use SSH keys, keep services updated, and disable unneeded ports.
Useful commands
Install diagnostic tools on Ubuntu or Debian:
sudo apt update && sudo apt install -y nmap netcat-openbsd
List processes using a port:
sudo lsof -iTCP:PORT -sTCP:LISTEN -n -P
sudo ss -lptn | grep ":PORT"
Show listening sockets only:
sudo ss -tuln | sed -n '1p; /LISTEN/p'
This process helps identify whether a port issue is caused by the cloud firewall, the OS firewall, or an application that is not actually listening.
