
Network Isolation

To secure a VPS during an incident, “walling off” traffic at the network level (via the cloud provider’s control panel) is the safest method, because it prevents malicious traffic from reaching your server’s operating system.

This guide covers the steps for DigitalOcean, Hetzner, and Vultr, with links to each provider’s documentation.

DigitalOcean Cloud Firewalls are the most straightforward: with no rules configured, they apply a deny-all policy to both inbound and outbound traffic.

  1. Go to the Networking tab and select Firewalls.
  2. Create a new firewall (e.g. named QUARANTINE).
  3. Delete all default rules (both Inbound and Outbound).
  4. Apply this firewall to your affected Droplet.

Result: All incoming and outgoing traffic is dropped at the network level.

Documentation: How to Configure Firewall Rules


Hetzner Cloud Firewalls treat inbound and outbound differently: they block all inbound traffic by default, but allow all outbound traffic until you add at least one outbound rule.

  1. Open the Cloud Console, select your project, and go to Firewalls.
  2. Create a new firewall.
  3. Inbound: Leave this section empty (implicit “deny all”).
  4. Outbound: Add a single rule to a dummy or non-routed destination (e.g. Protocol: TCP, Destination IP: 127.0.0.1).
    Adding any outbound rule triggers an implicit “deny all” for everything else that doesn’t match.
  5. Apply the firewall to your server.

Documentation: Cloud Firewall Overview


Vultr Firewall Groups mainly affect inbound traffic. Outbound behaviour varies by region; some regions now support outbound filtering.

  1. In the Vultr Customer Portal, go to Firewalls.
  2. Create a new Firewall Group.
  3. Leave the rules empty (default is Drop for all ports).
  4. Link your Instance to this group.

If the network firewall doesn’t support outbound blocking in your region, use the Vultr Console (out-of-band web terminal) and run one of these on the server’s OS firewall:

# Firewalld (CentOS / Alma)
sudo firewall-cmd --panic-on

# UFW (Ubuntu / Debian)
sudo ufw default deny outgoing

Documentation: Vultr Firewall Quickstart Guide


| Provider | Method | Default inbound | Default outbound |
|---|---|---|---|
| DigitalOcean | Cloud Firewall | Block all (if no rules) | Block all (if no rules) |
| Hetzner | Cloud Firewall | Block all (if no rules) | Allow all (until 1 rule added) |
| Vultr | Firewall Group | Block all (if no rules) | Usually allow (check region) |
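
The default-policy differences summarised above decide whether an "empty" quarantine firewall actually isolates a server. The following Python model is an added example, not part of the original guide or any provider's tooling; it checks a planned rule set against constructed sample traffic. The rule dictionary format, the function names and the probe addresses are assumptions made for illustration, and Vultr is left out because its outbound behaviour varies by region.

```python
import ipaddress

# Behaviour when a direction has NO rules, as described in this guide.
# Vultr is left out: its outbound filtering varies by region.
EMPTY_POLICY = {
    "digitalocean": {"in": False, "out": False},
    "hetzner": {"in": False, "out": True},  # outbound open until a rule exists
}

def allowed(provider, rules, direction, proto, remote_ip, port):
    """True if the modelled cloud firewall lets this packet through."""
    scoped = [r for r in rules if r["direction"] == direction]
    if not scoped:
        return EMPTY_POLICY[provider][direction]
    ip = ipaddress.ip_address(remote_ip)
    # Once any rule exists for a direction, only matching traffic passes.
    return any(
        r["proto"] == proto
        and ip in ipaddress.ip_network(r["cidr"])
        and r["port"] in (None, port)  # None = any port (model simplification)
        for r in scoped
    )

def quarantine_gaps(provider, rules, probes):
    """Return the probes that would still pass, i.e. isolation failures."""
    return [p for p in probes if allowed(provider, rules, *p)]

# Constructed sample traffic (documentation address ranges).
PROBES = [
    ("in", "tcp", "198.51.100.7", 22),
    ("out", "tcp", "203.0.113.10", 443),
    ("out", "udp", "203.0.113.53", 53),
]
# The dummy outbound rule from the Hetzner steps.
HETZNER_DUMMY = [{"direction": "out", "proto": "tcp", "cidr": "127.0.0.1/32", "port": None}]
# Constructed: a DigitalOcean firewall where one outbound rule was not deleted.
DO_LEFTOVER = [{"direction": "out", "proto": "tcp", "cidr": "0.0.0.0/0", "port": None}]

if __name__ == "__main__":
    for name, rules in [("digitalocean", []), ("hetzner", []),
                        ("hetzner", HETZNER_DUMMY), ("digitalocean", DO_LEFTOVER)]:
        print(name, rules, "->", quarantine_gaps(name, rules, PROBES) or "isolated")
```

An empty list from `quarantine_gaps` means the modelled firewall passes none of the probes; any returned probe is traffic the quarantine would still let through.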