Firewall in OVH

Firewall for Dedicated Servers in OVH Cloud


Overview of default firewall setup in OVH

This is a guide on how to setup a Linux based firewall in OVH to protect your physical servers. By default OVH Dedicated Servers (Physical Servers) are only protected by Windows firewall and the OVH perimeter firewall. As of 2024 there is no option for either hardware firewalls or Linux based firewalls.

The OVH firewall allows you to protect your physical server by adding up to 20 firewall rules. However, this is a perimeter firewall for all servers within OVH. So anyone who takes control of a machine in OVH or simply pays £5 per month for a VPS is on the inside of this firewall and will bypass it.

This leaves the Windows firewall to protect your physical server. This is not ideal and with the issue of some software creating firewall rules when it’s being installed makes things worse.

 

What we are trying to achieve

This is a guide that sets up a Linux based firewall on a dedicated server.  This is done by disabling the Public facing network cards on the physical servers which you want to protect. All traffic to your other physical servers both incoming and outgoing is routed via the firewall

Linux based firewall in this instance is Netgate pfSense, although what are termed Cloud Based firewalls from other commercial vendors such as Fortigate and Cisco could potentially be used.

 

Preparation

There is no option to install from an ISO image file to a dedicated server for this. You need to make a pre-prepared image of a VM running pfSense and use this.

Why do we need to this? It simply takes the image that you present to it and copies it to the hard disks in the server. Therefore if you use the standard pfSense.iso that you would normally install with, it writes this to the hard disk. The first time you start the server it goes into the pfSense installation, then upon reboot it goes back into the pfSense installation again. This becomes a never ending loop.

To prepare the image we use a machine running Hyper-V and simply installed pfSense as per normal. But don’t do any configuration of network cards etc at this point as it’s not required.

You can do this a Generation 2 VM, but make sure that you turn off the Secure Boot or else it won’t start.

Once it’s created, there is a requirement to convert the .VHDX file to RAW format. This can be done by using a program called QEMU – https://www.qemu.org/

This is a command line tool that converts disks into different formats.

In the following command we have copied the .VHDX file into D:\Temp and this command converts the file to RAW format.

qemu-img.exe convert -f vhdx -O raw d:\temp\pfSense.vhdx d:\temp\pfSense.raw

Installation of pfSense in OVH

The above pfSense.raw image is used to do the installation with. Although this isn’t complicated it’s not as smooth as you would like. You need to put the file on to an HTTPS web site and then reference the web site URL and file name in the installer.

When you go into the installation, select Custom from the drop down list and then BYOI

BYOLINUX is slightly different as it lets you mirror the disks, but it requires the format of the image to be QCOW2. You can use QEMU to convert to QCOW2. Did try this and QEMU verified it as being QCOW2 format but the OVH installer failed as it said it was RAW format?

In the setup screen enter the URL to the disk image in the URL field.

Initial setup will need to be carried out in the IPMI remote control screen in OVH.

If you are struggling to see the bottom of the screen where the command line is, from the Options Menu > Zoom > Actual Size

In pfSense setup ixl0 is WAN and ixl1 is LAN (they are L’s not 1’s)

Then assign an interface for LAN that is on the same subnet as the Internal network of your physical servers.

Now add the physical server to the VRACK in which the existing physical servers exist.

Optionally reboot pfSense.

To configure the firewall from the pfSense web configurator you will need to connect to it on the LAN address from a physical server which is on the same VRACK. You won’t be able to connect via the WAN address.

The first time you connect go through the setup wizard and change the password etc and create a new user with Admin rights and disable the default Admin user.

Create alias for the IP’s that you are going to be using RDP to connect to the back end physical servers with. Optionally create aliases for the physical servers you are connecting to.

Create NAT rule that allows the alias you have just created. Each RDP connection will need its own incoming WAN port that is then mapped to the internal IP and port of the physical server you want to connect to.

On the physical server that you need to RDP to make sure the Internal network card has the pfSense LAN IP as it’s gateway address. Otherwise, nothing will connect out and incoming RDP connections will not work.

Test RDP connection via the firewall. Once working you can then disable the External network c

Considerations for VM’s with Public IP’s

If you are running VM’s on your physical servers it’s likely at least one of them will have a public facing IP. 

What OVH term “Floating IP’s” or “Additional IPs’ are Public IP addresses that are purchased individually and then you create a virtual mac address for them etc. These type of IP’s use the External network card on the physical server. So disabling it will also disable internet connectivity for the VM it’s assigned to.

The solution to this issue is to use “IP Blocks”. These come in blocks of 5 but in this instance a block of /30 will give you one working IP.

The IP block uses the Internal network card and for it to work will need adding to the VRACK that the physical servers are in.

If the IP block is for example 11.11.11.10 then the working IP would be 11.11.11.11 and the gateway would be 11.11.11.12. The subnet mask being 255.255.255.252

Simply put these details into the WAN configuration in pfSense.

Send Us A Message

More Posts

Reporting Cyber Incidents

The UK landscape for cyber incident reporting is complex, demanding vigilance from organisations of all sizes. This article looks into the key regulations and timeframes