
Configure Firewall Rules

Create and manage LightYear firewall groups to control inbound and outbound traffic to your servers.

LightYear Docs Team
Updated April 24, 2026

LightYear firewall groups let you define inbound and outbound traffic rules that are applied at the network level, before traffic reaches your server. This guide explains how to create and manage firewall groups.

Understanding Firewall Groups

A firewall group is a named set of rules that can be attached to one or more servers. Changes to a group apply to all attached servers immediately.

Default behaviour: All inbound traffic is denied unless explicitly allowed. All outbound traffic is allowed by default.

Step 1 — Create a Firewall Group

  1. Navigate to Networking → Firewall Groups.
  2. Click Create Firewall Group.
  3. Enter a descriptive name (e.g., web-servers).

Step 2 — Add Inbound Rules

Click Add Rule and configure each rule:

Essential Rules for a Web Server

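| Protocol | Port | Source   | Description      |
|----------|------|----------|------------------|
| TCP      | 22   | Your IP  | SSH access       |
| TCP      | 80   | Anywhere | HTTP traffic     |
| TCP      | 443  | Anywhere | HTTPS traffic    |
| ICMP     |      | Anywhere | Ping/diagnostics |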

[!WARNING] Never open port 22 (SSH) to 0.0.0.0/0 (anywhere) in production. Restrict SSH access to your office or home IP address to prevent brute-force attacks.

Restrict SSH to a Specific IP

| Protocol | Port | Source          | Description     |
|----------|------|-----------------|-----------------|
| TCP      | 22   | 203.0.113.10/32 | SSH from office |

Step 3 — Attach the Firewall Group to a Server

  1. Navigate to Servers → Your Server → Settings.
  2. Under Firewall Group, select the group you created.
  3. Click Save.

The rules take effect within 30 seconds.

Manage Rules via API

List Firewall Groups

```bash
curl https://api.lightyear.host/v1/firewalls \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Add a Rule

```bash
curl -X POST https://api.lightyear.host/v1/firewalls/FIREWALL_ID/rules \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ip_type": "v4",
    "action": "accept",
    "protocol": "tcp",
    "port": "443",
    "subnet": "0.0.0.0",
    "subnet_size": 0,
    "notes": "Allow HTTPS from anywhere"
  }'
```

Common Rule Configurations

Database Server (MySQL/PostgreSQL)

Only allow database connections from your application servers:

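| Protocol | Port | Source      | Description                |
|----------|------|-------------|----------------------------|
| TCP      | 22   | Your IP     | SSH                        |
| TCP      | 3306 | 10.0.0.0/24 | MySQL from private network |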

Game Server (Minecraft)

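| Protocol | Port  | Source   | Description               |
|----------|-------|----------|---------------------------|
| TCP      | 22    | Your IP  | SSH                       |
| TCP      | 25565 | Anywhere | Minecraft Java Edition    |
| UDP      | 19132 | Anywhere | Minecraft Bedrock Edition |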

[!NOTE] LightYear firewall rules are stateful — you do not need to add explicit outbound rules for established connections.
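
The SSH warning in Step 2 and the database-server guidance above can be checked mechanically before rules are submitted. The following is an added example, not LightYear's own code: it audits rule dicts shaped like the Add a Rule request body. The function names, the sample rules, and the use of the RFC 1918 ranges as the definition of "private" are assumptions.

```python
import ipaddress

# Ports the guide treats as sensitive: SSH (22), MySQL (3306), PostgreSQL (5432).
SSH_PORT = "22"
DB_PORTS = {"3306": "MySQL", "5432": "PostgreSQL"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_rule(rule):
    """Return findings for one rule dict shaped like the Add a Rule request body."""
    if rule.get("action") != "accept" or rule.get("protocol") != "tcp":
        return []
    # strict=False tolerates host bits set in "subnet" (e.g. 203.0.113.10 with size 24).
    source = ipaddress.ip_network(f'{rule["subnet"]}/{rule["subnet_size"]}', strict=False)
    port = str(rule.get("port", ""))
    findings = []
    if port == SSH_PORT and source.prefixlen == 0:
        findings.append(f"SSH open to anywhere ({source})")
    # Assumption: database ports should only be reachable from RFC 1918 IPv4 ranges.
    private = source.version == 4 and any(source.subnet_of(n) for n in RFC1918)
    if port in DB_PORTS and not private:
        findings.append(f"{DB_PORTS[port]} reachable from non-RFC 1918 source {source}")
    return findings

def audit_rules(rules):
    """Map the notes field of each offending rule to its findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.get("notes", "<no notes>")] = findings
    return report

def make_rule(port, subnet, size, notes):
    """Hypothetical helper: build a rule dict with the fields used on this page."""
    return {"ip_type": "v4", "action": "accept", "protocol": "tcp",
            "port": port, "subnet": subnet, "subnet_size": size, "notes": notes}

# Constructed sample rules (not real API output).
SAMPLE_RULES = [
    make_rule("443", "0.0.0.0", 0, "Allow HTTPS from anywhere"),
    make_rule("22", "0.0.0.0", 0, "SSH from anywhere"),
    make_rule("22", "203.0.113.10", 32, "SSH from office"),
    make_rule("3306", "10.0.0.0", 24, "MySQL from private network"),
    make_rule("5432", "0.0.0.0", 0, "PostgreSQL from anywhere"),
]

if __name__ == "__main__":
    for notes, findings in audit_rules(SAMPLE_RULES).items():
        print(f"{notes}: {'; '.join(findings)}")
```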
