Configuring the Panel Firewall
You can use the built-in firewall in the Panel to secure traffic to your services. Here’s a quick guide on how to set up the rules correctly.
::: danger Important: Make sure you’ve saved the rules :::
1. How Rules Are Processed
- Order Matters: The firewall checks the rules from top to bottom (in ascending ID order).
- First Match Wins: As soon as a rule matches the traffic, its action is applied and no subsequent rules are checked.
- Change the order: You can easily reorder the rules using drag-and-drop to adjust their priority.
- Default action: If none of your rules match, the “default action” is applied. It determines whether the remaining traffic is allowed or blocked.
2. Leave fields blank (No filter)
If you leave a field blank, no filtering is applied for that criterion, so the rule matches any value for that field.
- Example: If you leave the Destination IP field blank, the rule applies to all destination addresses.
3. Entering Ports Correctly (Source/Destination Ports)
You can filter ports flexibly. Use the following formats:
- Individual ports (list): Separate ports with a comma, e.g., 80,443
- Port ranges: Use a hyphen, e.g., 8000-8080
- Combination: You can mix both, e.g., 80,443,8000-8080
Important note regarding protocols: Ports are only available for the TCP and UDP protocols. When you enter ports, you must also select one of these two protocols. Other protocols (such as ICMP for pings or GRE) do not use ports—in those cases, the field must remain empty.
4. IP Addresses and Subnets (Source/Destination Addresses)
You can filter based on where the traffic is coming from (Source) or where it is going (Destination):
- Single IP address: Enter the IP address directly (e.g., 1.0.0.1 or f00d::c0ff:ee). Only this exact address will then be filtered.
- Entire ranges (subnets): Use the CIDR notation with a slash (e.g., 1.1.1.0/24 or f00d::/64) to cover an entire network.
::: info
Prefix Lists for Multiple IPs
If you want to apply a rule to many different IPs or networks at the same time, you don't need to create a separate rule for each IP. Instead, create a prefix list, add all the IPs/subnets to it, and simply enter the name of the prefix list in the address field of the firewall rule. :::
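The processing model from sections 1 to 4, as an added example (not the Panel's own code): a Python model of ascending-ID, first-match-wins evaluation with blank fields as wildcards, the port-list syntax, and the TCP/UDP-only port check. The dictionary field names, the allow/block action strings and the sample rules are assumptions made for illustration; prefix lists are not modelled.

```python
import ipaddress

def parse_ports(spec):
    """'80,443,8000-8080' -> [(80, 80), (443, 443), (8000, 8080)]; blank -> None."""
    if not spec.strip():
        return None
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((low, high))
    return ranges

def validate(rule):
    """Ports are only valid together with TCP or UDP."""
    if (rule.get("sport") or rule.get("dport")) and rule.get("proto") not in ("tcp", "udp"):
        raise ValueError(f"rule {rule['id']}: ports require tcp or udp")

def matches(rule, pkt):
    """A blank (missing) field is no filter; every filled field must match."""
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if rule.get(key) and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    for key in ("sport", "dport"):
        ranges = parse_ports(rule.get(key, ""))
        if ranges and not any(lo <= pkt[key] <= hi for lo, hi in ranges):
            return False
    return True

def evaluate(rules, pkt, default_action):
    """Ascending ID order, first match wins, otherwise the default action."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        validate(rule)
        if matches(rule, pkt):
            return rule["action"], rule["id"]
    return default_action, None

# Constructed sample rule set (field names and actions are assumptions).
RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "src": "1.1.1.0/24", "dport": "22"},
    {"id": 20, "action": "block", "proto": "tcp", "dport": "22"},
    {"id": 30, "action": "allow", "proto": "tcp", "dport": "80,443,8000-8080"},
    {"id": 40, "action": "allow", "proto": "icmp"},
]
```

Giving rule 20 a lower ID than rule 10 (the effect of dragging it above) makes the broad block rule shadow the narrower allow rule, so SSH from 1.1.1.0/24 is blocked as well.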