
Bulk Firewall Rules

Apply multiple firewall rules at once by submitting a JSON array. Each entry in the array is a single rule. This is faster than clicking through the UI rule-by-rule when you're provisioning a new VM or rebuilding a ruleset.

Rule Format

Each rule is a JSON object with the following fields:

Field    Required  Values          Description
type     yes       in, out         Direction of traffic
action   yes       ACCEPT, DROP    What to do with matching traffic
proto    yes       tcp, udp, icmp  Protocol
dport    yes       port number     Destination port
source   no        IP / CIDR       Restrict rule to a specific source address
comment  no        string          Human-readable label, shown in the panel

Example

Paste this into the bulk-import field:

[
    {
        "type": "in",
        "action": "ACCEPT",
        "proto": "tcp",
        "dport": "80",
        "comment": "Allow HTTP"
    },
    {
        "type": "in",
        "action": "ACCEPT",
        "proto": "tcp",
        "dport": "443",
        "comment": "Allow HTTPS"
    },
    {
        "type": "in",
        "action": "ACCEPT",
        "proto": "tcp",
        "dport": "22",
        "source": "1.2.3.4",
        "comment": "Allow SSH from office"
    },
    {
        "type": "in",
        "action": "DROP",
        "proto": "tcp",
        "dport": "3306",
        "comment": "Block MySQL"
    },
    {
        "type": "out",
        "action": "ACCEPT",
        "proto": "tcp",
        "dport": "53",
        "comment": "Allow DNS out"
    }
]

What This Example Does

  • HTTP (80) and HTTPS (443) — open to the world, so the VM can serve web traffic.
  • SSH (22) — restricted to a single source IP (1.2.3.4). Anyone else hitting port 22 will not match this rule.
  • MySQL (3306) — explicitly dropped. Useful when MySQL is bound to 0.0.0.0 by mistake and you want a hard guarantee it isn't reachable from outside.
  • DNS out (53) — outbound DNS allowed. Required if your egress policy is otherwise restrictive.

Notes

Rules are evaluated in order

The first matching rule wins. Put narrow rules (those with a source) before broad rules covering the same port, whether the narrow rule is an ACCEPT placed ahead of a broad DROP or a DROP placed ahead of a broad ACCEPT; a broad rule listed first will shadow the narrow one.

Use source to scope sensitive ports

Management ports like SSH (22), RDP (3389), database ports, and admin panels should always carry a source field. Leaving them open to 0.0.0.0/0 is the most common cause of compromised VMs.

Outbound rules are optional

By default, outbound traffic is allowed. You only need type: out rules if you've switched the VM to a deny-by-default egress policy.


See also: VPS/VM Security for the broader security model.