
Firewall

cPguard firewall is built on nftables, offering greater flexibility and performance compared to legacy iptables. Since it works at the system level, it operates independently of any control panel (including RunCloud). This ensures your server remains protected at all times. You can manage rules and settings directly through our firewall module.

The cPguard firewall includes features such as IP- and country-based whitelisting/blacklisting, extended rule imports from source files, temporary bans with expiry, port filtering, DoS and SYN-flood protection, real-time IPDB integration, AI bot protection, and Fail2Ban support for service-level brute-force defense. Together these give proactive protection and control over both inbound and outbound traffic. Every function can be managed either through the UI or through the CLI.

You can access the firewall from the app portal under Protection → Firewall.

Firewall settings, the IP blacklist/whitelist, and temporary bans can be managed directly from the UI.

All tasks can also be performed via the CLI, and you can view the available options using the following commands:

cpgcli fw --help
cpgcli ip --help

The firewall can be easily enabled or disabled using the toggle option, and restarts can also be initiated directly from the UI.

You can check the status of, enable, disable or restart the firewall module using the following commands:

cpgcli fw --enable
Enable Firewall on the server
cpgcli fw --disable
Disable Firewall on the server
cpgcli fw --restart
Restart Firewall on the server
cpgcli fw --debug
Start firewall with extended logging (recommended for debugging only)

1. IP block management

a. Check IP

To check whether an IP is in any firewall list, enter the IP in the box provided.

cpgcli ip --check IP

b. Whitelist/Blacklist IP or CIDR:

You can manage whitelist and blacklist IPs or CIDRs through the UI by entering the IP in the provided box, adding a reason in the comment section, and removing entries when needed.

To view all whitelisted and blacklisted IPs, there are options like “View Whitelist” and “View Blacklist.” By clicking these, you can see all the IPs added along with their reasons, and you also have the option to add new entries directly from this view.

The CLI commands for managing whitelist and blacklist IPs are as follows:

cpgcli ip --allow IP --reason 'reason to add'
Add IP/CIDRs to whitelist (comma or space-separated).
cpgcli ip --allow --remove IP1 IP2..
Remove IP/CIDRs from whitelist (comma or space-separated).
cpgcli ip --allow --list
List whitelisted IP/CIDRs.
cpgcli ip --deny IP1 --reason 'reason to add'
Add IP/CIDRs to blacklist (comma or space-separated).
cpgcli ip --deny --remove IP1 IP2..
Remove IP(s) from blacklist.
cpgcli ip --deny --list
List blacklisted IP/CIDRs.
--reason 'reason or comment'
Add an optional reason/comment for --allow and --deny.

c. Temporary ban

IPs may be temporarily blocked by DoS protection, Fail2Ban, SYN-Flood, etc. If you notice an IP is blocked, you can unblock it by entering the IP in the provided box and clicking Unblock. Default expiry is 24 hours.

If you want to temporarily block an IP, this can also be done from the Block IP section. Enter the IP, set the expiry time, and click Block. You can choose to block the IP for minutes, hours, or days as needed.

cpgcli ip --temp-ban IP <options>
Temporarily ban IP(s) from accessing the server.
options:
  --expiry value, where the unit is m (minute), h (hour) or d (day)
  --reason 'reason or comment'

cpgcli ip --temp-ban --remove IP
Remove IP(s) from temporary ban list.

cpgcli ip --temp-ban --list
List all temporarily banned IPs.

2. IPDB distributed firewall

The IPDB firewall can be managed from this section. You can turn it on or off using the toggle, and you can also enable or disable IPDB logging through the same toggle.

cpgcli fw --ipdb enable|disable

Enable, disable or check IPDB integration.

cpgcli fw --ipdb-log enable|disable

Enable, disable or check IPDB logging.

3. DoS Protection

To configure DoS protection, enable it using the toggle and enter the maximum requests allowed per minute in the provided box.

cpgcli fw --dos enable|disable|status
Enable, disable or check DoS protection status
cpgcli fw --dos-threshold value
Set/view maximum requests allowed per minute before blocking (integer)

4. Configure AI bots and Fail2ban

AI bot protection and Fail2Ban are configured here; each is enabled by switching its toggle to On.

cpgcli fw --block-ai-bots enable|disable
Enable, disable or check AI bot blocking status
cpgcli fw --block-meta-bots enable|disable
Enable, disable or check Meta bot blocking status
cpgcli fw --fail2ban enable|disable|status
Enable, disable or check Fail2Ban status

5. Country filtering

You can whitelist or blacklist entire countries using their ISO codes (e.g., US, CN), with options to add, remove, or view the list of allowed or blocked countries.

cpgcli fw --allow-country CODE

Whitelist entire country by ISO code (e.g., US, CN).

cpgcli fw --allow-country --remove CODE

Remove country from allowed list

cpgcli fw --allow-country --list

List whitelisted countries

cpgcli fw --deny-country CODE

Blacklist entire country by ISO code (e.g., US, CN).

cpgcli fw --deny-country --remove CODE

Remove country from denied list

cpgcli fw --deny-country --list

List blacklisted countries

6. SYNFLOOD

A SYN flood is a type of Denial-of-Service (DoS) attack where an attacker sends a large number of TCP connection requests (SYN packets) but never completes the handshake, exhausting server resources and making it unavailable to legitimate users.

Note: It is not recommended to enable SYN protection unless you notice a SYN flood attack.

The SYN flood rate configuration sets a limit on how many SYN requests are allowed within a specific time interval (e.g., 10/minute). This helps the firewall differentiate between normal traffic spikes and malicious floods, blocking excessive SYN packets before they overwhelm the server.

Enable SYN Flood Protection configures the firewall to defend against TCP SYN packet DoS attempts. It is important to set the rate carefully to minimize false positives, otherwise visitors may experience connection issues. You can monitor for blocked attempts in /var/log/messages under SYNFLOOD Blocked.

The SYN flood burst value defines how many SYN packets are allowed to pass through in a short burst before the rate limiting kicks in.

  • Burst allows a temporary spike in connections (e.g., when many users connect at once).

  • After the burst limit is reached, the firewall enforces the rate limit (e.g., 10/minute).

Example: If you set --synflood-burst 20 and --synflood-rate 10/minute, the firewall will allow up to 20 SYN packets immediately, but then only permit 10 new SYN packets per minute after that.

cpgcli fw --synflood enable|disable|status

Enable, disable or check SYN flood protection status

cpgcli fw --synflood-burst value

Set the burst limit for SYN flood protection

cpgcli fw --synflood-rate count/interval

Set the rate limit for SYN flood protection
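A token-bucket model of the burst/rate semantics described above, added here as an example and not cPguard's implementation (the function name synflood_sim and the arrival-time input are assumptions; the exact kernel accounting in nftables may differ in detail, but the observable behaviour is the same):

```shell
#!/bin/sh
# Added example (not cPguard's implementation): a token-bucket model of the
# burst/rate semantics of --synflood-burst and --synflood-rate.

# synflood_sim RATE_PER_MINUTE BURST "t1 t2 t3 ..." -> echoes "accepted dropped"
# Each t is a SYN arrival time in whole seconds since start, non-decreasing.
# Tokens are scaled by 60 so that one packet costs 60 units and a rate of
# N/minute refills N units per second, keeping the arithmetic integer-only.
synflood_sim() {
  rate=$1; burst=$2
  cap=$((burst * 60)); tokens=$cap; last=0; accepted=0; dropped=0
  for t in $3; do
    tokens=$((tokens + (t - last) * rate))   # refill for elapsed time
    [ "$tokens" -gt "$cap" ] && tokens=$cap   # bucket never exceeds the burst
    last=$t
    if [ "$tokens" -ge 60 ]; then
      tokens=$((tokens - 60)); accepted=$((accepted + 1))
    else
      dropped=$((dropped + 1))                # would appear as SYNFLOOD Blocked
    fi
  done
  echo "$accepted $dropped"
}

# Constructed flood: 30 SYNs at t=0, then single SYNs at t=6, 7 and 12 s,
# with the page's settings --synflood-burst 20 --synflood-rate 10/minute.
flood="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 7 12"
synflood_sim 10 20 "$flood"   # prints "22 11": 20 pass in the burst, 10 are
                              # dropped, then one more passes every 6 seconds
```

Feeding it a trace of your own peak connection rate shows whether a given rate/burst pair would drop legitimate visitors before you enable the protection.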

 

7. Port filter configuration

Port Filtering allows you to control inbound and outbound traffic by defining which TCP and UDP ports are permitted. When enabled, all ports are blocked by default except those explicitly allowed. You can manage input and output ports separately for both TCP and UDP, with options to add, remove, or list the allowed ports. This ensures only required services are accessible while closing all unnecessary ports for better security.

You can enter a range of ports in the input box. To define a range, use a dash (-) between the starting and ending port numbers. For example, 30000-35000 will cover every port from 30000 up to 35000. You can also mix single ports and ranges, like 22,80,443,30000-35000, to allow or block multiple specific ports together.

cpgcli fw --port-filter enable|disable|status

Enable, disable or check Port Filtering status

WARNING: blocks all TCP/UDP ports except allowed ones. Add the port you administer the server over (for example your SSH port) to the allowed TCP input ports before enabling, or you will lock yourself out.

cpgcli fw --port tcp-in action
Add/remove or list allowed TCP input ports
cpgcli fw --port tcp-out action
Add/remove or list allowed TCP output ports
cpgcli fw --port udp-in action
Add/remove or list allowed UDP input ports
cpgcli fw --port udp-out action
Add/remove or list allowed UDP output ports

Available actions: --list, --add <port>, --remove <port>
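A pre-flight check for the port list syntax described above, added as an example that is not cPguard's own code (the function names and the admin-port check are assumptions; it only validates the list, it does not call cpgcli):

```shell
#!/bin/sh
# Added example (not cPguard code): validates a port list in the format the
# port filter accepts ("22,80,443,30000-35000": single ports and dash ranges)
# before it is handed to cpgcli fw --port tcp-in --add, and checks that the
# port you administer the server over stays in the allowed list.

# port_ok PORT -> 0 if PORT is an integer in 1..65535
port_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_spec_valid SPEC -> 0 if every comma-separated item is a port or an
# ascending range lo-hi; 70000, 35000-30000, 22- and an empty list all fail
port_spec_valid() {
  [ -n "$1" ] || return 1
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    case $item in
      *-*) lo=${item%-*}; hi=${item#*-}
           port_ok "$lo" && port_ok "$hi" && [ "$lo" -le "$hi" ] || return 1 ;;
      *)   port_ok "$item" || return 1 ;;
    esac
  done
  return 0
}

# port_spec_contains SPEC PORT -> 0 if PORT is listed singly or inside a range
port_spec_contains() {
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    case $item in
      *-*) [ "$2" -ge "${item%-*}" ] && [ "$2" -le "${item#*-}" ] && return 0 ;;
      *)   [ "$item" -eq "$2" ] && return 0 ;;
    esac
  done
  return 1
}

# portfilter_preflight SPEC ADMIN_PORT -> 0 only if SPEC is valid and keeps
# ADMIN_PORT (e.g. your SSH port) open, so enabling the filter cannot lock you out
portfilter_preflight() {
  port_spec_valid "$1" || { echo "invalid port list: $1" >&2; return 1; }
  port_spec_contains "$1" "$2" || { echo "admin port $2 not in list" >&2; return 2; }
  return 0
}

# Constructed sample: the list from the text, checked against SSH on port 22
portfilter_preflight "22,80,443,30000-35000" 22 && echo "safe to enable port filter"
```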

8. Whitelist/Blacklist Source File

You can manage extended whitelist and blacklist sources by importing IPs directly from files. This allows you to add, remove, or list source files containing multiple IP addresses, making it easier to handle large or frequently updated blocklists and whitelists in a centralized way. The available CLI options are:

cpgcli ip --allow-source path_to_file
Add IPs from source file to whitelist.
cpgcli ip --allow-source --remove path_to_file
Remove source file from whitelist.
cpgcli ip --allow-source --list
List all whitelisted source files.
cpgcli ip --deny-source path_to_file
Add IPs from source file to blacklist.
cpgcli ip --deny-source --remove path_to_file
Remove source file from blacklist.
cpgcli ip --deny-source --list
List all blacklisted source files.
