A basic firewall setup is one of the first steps to securing a VPS.
The goal is simple: allow only the traffic you actually need and block everything else.
Below are practical examples of common firewall rules used on most VPS setups, including VPN servers and general-purpose servers.
Allow your own IP for SSH, RDP, or VPN
The most important rule is limiting administrative access to your own public IP. This protects SSH, RDP, or management VPN ports from brute-force attacks.
Inbound rule example for SSH or RDP
Direction: Inbound
Action: Accept
Protocol: TCP
Port: 22 for SSH or 3389 for RDP
Source IP: your public IP
Comment: Allow admin IP
If your IP changes often, update this rule before reconnecting. Locking yourself out is easy if this rule is missing or incorrect.
Allow ICMP (ping)
ICMP allows basic network diagnostics like ping. It helps confirm that the server is reachable and responding.
Inbound rule example for ICMP
Direction: Inbound
Action: Accept
Protocol: ICMP
Port: leave empty
Source IP: leave empty
Comment: Allow ping
Blocking ICMP does not make a server more secure in most cases and can make troubleshooting harder.
Allow VPN ports
If the VPS runs a VPN server, you must explicitly allow the VPN ports. These rules are usually UDP-based.
OpenVPN rule example
Direction: Inbound
Action: Accept
Protocol: UDP
Port: 1194
Source IP: Any
Comment: Allow OpenVPN
WireGuard rule example
Direction: Inbound
Action: Accept
Protocol: UDP
Port: 51820
Source IP: Any
Comment: Allow WireGuard
Only open the VPN protocol you actually use. Leaving unused ports open increases attack surface.
Allow outbound traffic
Most servers need outbound connectivity for updates, package downloads, backups, or API calls. Many firewalls allow outbound traffic by default, but it’s good to be explicit.
Outbound rule example
Direction: Outbound
Action: Accept
Protocol: Any
Port: Any
Destination: Any
Comment: Allow all outbound
If you need tighter control later, you can restrict outbound traffic by protocol or destination.
Drop all remaining inbound traffic
This is the final safety net. Any inbound traffic not explicitly allowed by previous rules will be blocked.
Final inbound rule example
Direction: Inbound
Action: Drop
Protocol: Any
Port: Any
Source: Any
Comment: Drop all other traffic
This rule must always be placed last. Firewall rules are evaluated in order, and an early drop rule will override everything below it.
Example rule set for a VPN server
A simple and effective rule order for a VPN-focused VPS looks like this:
Inbound Accept TCP 22 from your IP for SSH access
Inbound Accept UDP 1194 from any for OpenVPN
Inbound Accept ICMP from any for ping
Outbound Accept any protocol to allow all outbound traffic
Inbound Drop any remaining traffic as the final rule
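The rule order above can be checked offline before it is applied in the panel. The following Python sketch is an added example, not LumaDock's code: it models the first-match evaluation this page describes, replays a few constructed packets against the VPN rule set, and shows what happens when the drop rule is moved to the top. The names Rule, evaluate and admin_locked_out are hypothetical, 203.0.113.10 is a placeholder for your public IP, and dropping unmatched traffic is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ADMIN_IP = "203.0.113.10"  # constructed placeholder standing in for "your public IP"

@dataclass(frozen=True)
class Rule:
    direction: str               # "in" or "out"
    action: str                  # "accept" or "drop"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None   # None means any port (or no port, as with ICMP)
    peer: str = "0.0.0.0/0"      # source (inbound) or destination (outbound), as CIDR
    comment: str = ""

# The example rule set for a VPN server, in the order given on this page.
VPN_RULES = [
    Rule("in", "accept", "tcp", 22, ADMIN_IP + "/32", "Allow admin IP"),
    Rule("in", "accept", "udp", 1194, comment="Allow OpenVPN"),
    Rule("in", "accept", "icmp", comment="Allow ping"),
    Rule("out", "accept", comment="Allow all outbound"),
    Rule("in", "drop", comment="Drop all other traffic"),
]
# Same rules with the final drop moved to the top: it shadows every inbound accept.
MISORDERED = [VPN_RULES[-1]] + VPN_RULES[:-1]

def evaluate(rules, direction, proto, port, peer_ip, default="drop"):
    """Return (action, comment) of the first matching rule.
    The default for unmatched traffic is an assumption, not documented behaviour."""
    addr = ipaddress.ip_address(peer_ip)
    for r in rules:
        if (r.direction == direction
                and r.proto in ("any", proto)
                and r.port in (None, port)
                and addr in ipaddress.ip_network(r.peer)):
            return r.action, r.comment
    return default, "no rule matched"

def admin_locked_out(rules, admin_ip=ADMIN_IP, port=22):
    """True if the ordered rule set would stop the admin IP from reaching SSH."""
    return evaluate(rules, "in", "tcp", port, admin_ip)[0] != "accept"

if __name__ == "__main__":
    # Constructed sample packets: (direction, protocol, port, peer address)
    for pkt in [("in", "tcp", 22, ADMIN_IP), ("in", "tcp", 22, "198.51.100.7"),
                ("in", "udp", 1194, "198.51.100.7"), ("in", "udp", 51820, "198.51.100.7")]:
        print(pkt, "->", evaluate(VPN_RULES, *pkt))
    print("locked out (correct order):", admin_locked_out(VPN_RULES))
    print("locked out (drop first):", admin_locked_out(MISORDERED))
```

Running the lockout check against a planned rule list, with your real address in place of the placeholder, catches a missing or misordered admin rule before the change reaches the server.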
Tips for safe firewall configuration
A few practical habits reduce mistakes and downtime:
Always whitelist your IP before adding restrictive rules
Use CIDR ranges if you want to allow a full subnet
Add clear comments so rules are easy to understand later
Apply rules one by one and test after each change
If you lose access or feel unsure, contact LumaDock support
A clean rule set makes firewall behavior predictable and keeps your VPS both secure and accessible.
For a more in-depth walkthrough, see our "Enable the firewall for your VPS" documentation.
