Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

OVH Network Firewall 19 Rules [Support]
New on LowEndTalk? Please Register and read our Community Rules.

OVH Network Firewall 19 Rules [Support]

amsaalamsaal Member

As most of you know , in OVH Network firewall only you can add 19 rules. There is no way to add port range or multiple IP's in single rule to white list. Now i have issue with FTP passive ports and it needs like 20 ports range to be able to have 3-4 users connected but now i am short of rules unable to add them. I even dont want to white list single IP Range as the users have dyanamic ip so cant add again and again.

How can i solve the issue with FTP Passive ports adding single range example 4110-4120 TCP instead of adding rule 1 by 1 . ?

OVH does not support port ranges or multiple IP's adding in single rule.

Comments

  • stefemanstefeman Member

    Teach them to use SFTP instead. Its better and works via SSH port with linux username and password. Problem solved.

    FTP/FTPS is for old shit or specific applications. You dont need it with a gameserver.

  • amsaalamsaal Member

    @stefeman said:
    Teach them to use SFTP instead. Its better and works via SSH port with linux username and password. Problem solved.

    FTP/FTPS is for old shit or specific applications. You dont need it with a gameserver.

    yes that is the problem , i dont want SSH to be enabled . And they have dyanamic ip so that is why i just want just ftp for them so i can monitor the logs in and out easily of pure-ftpd.

  • amsaalamsaal Member

    @OVH_APAC any help would be appreciated.

  • OVH_APACOVH_APAC Member, Provider

    Hello @amsaal ,
    I suggest you open a ticket with our tech support for further advice about the functionalities of the OVH Network firewall and its limitations.
    If there are too many limitations for your usecase, I guess you could use your server firewall instead, or an external firewall solutions (this last one will involve additional cost though). Hope this helps.

    Thanked by 1amsaal
  • amsaalamsaal Member
    edited May 5

    @OVH_APAC said:
    Hello @amsaal ,
    I suggest you open a ticket with our tech support for further advice about the functionalities of the OVH Network firewall and its limitations.
    If there are too many limitations for your usecase, I guess you could use your server firewall instead, or an external firewall solutions (this last one will involve additional cost though). Hope this helps.

    The external one is not only expensive but not reliable due to addtional latency added or whatever it may be. i dont want that happen. OVH network firewall prevents attack before it reaches my server. They said me to use FO IP for main IP for management . but just for 1 port i dont want to use FO IP .

    And if i use server firewall , it means the attack reaches my server without check points.

    The thing is i dont have issue with attacks now since few days , but the ftp passive port issue. Not just me but its most people have same issue like me.

    In this case i will open a new ticket with asking about adding this port range for FTP. May be there will be better solution to my situation.

  • pierrepierre Member

    @OVH_APAC said:
    Hello @amsaal ,
    I suggest you open a ticket with our tech support for further advice about the functionalities of the OVH Network firewall and its limitations.
    If there are too many limitations for your usecase, I guess you could use your server firewall instead, or an external firewall solutions (this last one will involve additional cost though). Hope this helps.

    Probably already did, sad that SYS and Kimsufi have faster support than OVH.

  • Tim_kwakmanTim_kwakman Member
    edited May 5

    The OVH firewall only works for connections outside of OVH. So any server within the OVH network (regardless of datacenter) will not get filtered by it. This means two things;

    • You cannot 100% rely on it to block off ports, you should also use something else (e.g. iptables) behind it to make sure that someone cannot just connect to things they should not from within OVH's network. But it does work great for outside (non-internal) attacks tho.

    • You can use this to your advantage. I'm not sure how expensive your server is and what your budget is, but you could order a small VPS with OVH (or some OVH reseller, I'm sure there are ones with very low prices because you don't really need great specs, it is just forwarding, not even TLS offloading), set up something like HaProxy on it, and forward those TCP FTP ports to your OVH server IP (never tested it, but if it is all TCP, then HaProxy's TCP mode should just work). It will pass your firewall rules (so no port range rule needed as it is internal traffic within OVH). And if an attack would overwhelm it (should not, the only thing that may happen is that those FTP ports are attacked and that HaProxy forwards the attack. But OVH should filter this just fine), then only the small proxy VPS would have issues, and if it causes issues on the main server itself then you can just stop the HaProxy (or another load balancer/forwarder) service or shut down the proxy VPS to prevent it from causing issues during those attacks. You can also IP limit access using iptables on that proxy VPS. So attacks that are not filtered may take it down, but your main server will be fine because HaProxy won't do anything.

    (SFTP is preferred, but if that is not possible for you, this could be a work-around.)

    -Tim

    Thanked by 1amsaal
  • @amsaal said:

    @stefeman said:
    FTP/FTPS is for old shit or specific applications. You dont need it with a gameserver.

    yes that is the problem , i dont want SSH to be enabled

    You can configure OpenSSH (the default SSH server on most (all?) Linux & similar) to only allow pure SSH connections for specific users (or nobody) and force the rest to use SFTP only.

    There are also entirely SFTP-only servers that you can run instead.

    Use of FTP should be discouraged where possible as it is completely insecure by today's standards, and as you are discovering a pain for some firewall arrangements. If SFTP can not be avoided (it is needed by an application that your clients are forced to use) then I would suggest running it over a VPN instead, then you only need to open for the VPN at your firewall and it gives better security. Though with the VPN option you are then responsible for setting up any firewall or other filtering needed between you and said clients, as the VPN will bypass OVH's.

    Thanked by 1amsaal
Sign In or Register to comment.