In Hexabyte Cloud, each instance (also called VPS) has its own firewall that controls what traffic is allowed to and from the server. The firewall function can be either active or inactive:
- Active firewall: Traffic is filtered according to your specified rules.
- Inactive firewall: All traffic is allowed through – no rules are applied.
You can see whether the firewall is active directly in the instance's Firewall tab.
What is a firewall rule?
A firewall rule is an instruction that determines whether certain network traffic should be allowed or blocked, based on:
- Direction:
  - Ingress – incoming traffic to the server.
  - Egress – outgoing traffic from the server.
- Source – The IP address or network where the traffic comes from.
- Destination (goal) – The IP address or network the traffic is destined for.
- Source port / Destination port – which ports are used in communication (e.g. port 22 for SSH).
- Protocol – for example TCP, UDP, ICMP4/ICMP6 (for ping), or `any` for all protocols.
- Action – `allow` to allow or `reject` to block traffic.
- State – `enabled` or `disabled` to enable/disable the rule without deleting it.
How the interface works
In the Firewall tab for your instance, you can see all active rules. When you add or edit a rule, you'll fill in fields such as:
- Protocol, Source, Gate, Destination, Description etc.
- You can specify specific IP addresses, port numbers, or use `any` to allow/block everything.
Examples of common rules
Allow SSH (for login via terminal)
Direction | Protocol | Destination port | Description |
---|---|---|---|
Ingress | TCP | 22 | Allow SSH to server |
Allow HTTP and HTTPS (for web server)
Direction | Protocol | Destination port | Description |
---|---|---|---|
Ingress | TCP | 80, 443 | Allow HTTP/HTTPS |
Allow ping (ICMP)
Direction | Protocol | Description |
---|---|---|
Ingress | ICMP4 | Allow ping via IPv4 |
Ingress | ICMP6 | Allow ping via IPv6 |
Allow all outbound traffic
Direction | Protocol | Description |
---|---|---|
Egress | Any | Allow all outgoing traffic |
Restrict traffic to a specific IP address
You can use the Source field to only allow traffic from a specific IP address. This is especially useful when you want to:
- Protect SSH so that only you (or your office) can log in.
- Allow access to an API service only from trusted sources.
- Minimize the risk of intrusion by limiting unnecessary exposure.
Example: Allow only your IP for SSH
If your IP address is 203.0.113.45:
Direction | Protocol | Destination port | Source | Description |
---|---|---|---|---|
Ingress | TCP | 22 | 203.0.113.45 | Allow SSH from my IP |
You can also use CIDR format (e.g. 203.0.113.0/24) if you want to allow an entire network.
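One way to review a rule set for the exposure this section describes, as an added example (not Hexabyte's code): it flags enabled ingress `allow` rules that leave a management port open to any source. The dict field names, the comma-separated port format beyond what the tables show, and the list of management ports are assumptions, since the page describes no export format or API.

```python
import ipaddress

# Assumed list of ports where an unrestricted Source is usually unintended.
MANAGEMENT_PORTS = {22, 3389}

def parse_ports(spec):
    """Turn '22' or '80, 443' into a set of ints; empty/any means all ports (None)."""
    spec = str(spec or "").strip().lower()
    if spec in ("", "any"):
        return None
    return {int(p) for p in spec.split(",")}

def source_is_open(source):
    """True when the Source field does not narrow the traffic at all."""
    source = str(source or "").strip().lower()
    if source in ("", "any"):
        return True
    return ipaddress.ip_network(source, strict=False).prefixlen == 0

def audit(rules):
    """Return (description, exposed ports) for risky enabled ingress allow rules."""
    findings = []
    for r in rules:
        if r.get("state", "enabled") != "enabled":
            continue  # disabled rules are kept but not applied
        if r.get("direction") != "ingress" or r.get("action") != "allow":
            continue
        if str(r.get("protocol") or "any").lower() not in ("tcp", "any"):
            continue
        ports = parse_ports(r.get("dest_port"))
        exposed = MANAGEMENT_PORTS if ports is None else ports & MANAGEMENT_PORTS
        if exposed and source_is_open(r.get("source")):
            findings.append((r.get("description", ""), sorted(exposed)))
    return findings

# Constructed sample rules mirroring the tables on this page.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "dest_port": "22", "source": "", "action": "allow", "state": "enabled", "description": "Allow SSH to server"},
    {"direction": "ingress", "protocol": "tcp", "dest_port": "80, 443", "source": "", "action": "allow", "state": "enabled", "description": "Allow HTTP/HTTPS"},
    {"direction": "ingress", "protocol": "tcp", "dest_port": "22", "source": "203.0.113.45", "action": "allow", "state": "enabled", "description": "Allow SSH from my IP"},
    {"direction": "ingress", "protocol": "any", "dest_port": "", "source": "any", "action": "allow", "state": "disabled", "description": "Old test rule"},
    {"direction": "egress", "protocol": "any", "dest_port": "", "source": "", "action": "allow", "state": "enabled", "description": "Allow all outgoing traffic"},
]

if __name__ == "__main__":
    for description, ports in audit(SAMPLE_RULES):
        print(f"open to any source: {description} (ports {ports})")
```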
Tip
- Remember that the order of the rules does not matter; the system automatically sorts them when you press save.
- Leaving fields empty (any) means that anything in that field is allowed.
- There is an automatic default policy at the bottom: traffic that does not match any previous rule is rejected.
- Remember to click Save after you have added or changed rules.