Opterius Panel provides a firewall interface that works with whichever firewall is present on the server: UFW on Debian and Ubuntu, and firewalld on RHEL-family systems including AlmaLinux and Rocky Linux. The agent abstracts the underlying tool, so the panel UI works the same regardless of OS.
Accessing the firewall
Server Mode → Security → Firewall.
The page lists all current rules: protocol, port or port range, direction, source IP or CIDR, and action (allow/deny).
Adding a rule
- Click Add Rule.
- Fill in the fields:
| Field | Options |
|---|---|
| Action | Allow, Deny |
| Protocol | TCP, UDP, TCP+UDP |
| Port | Single port (e.g. 443) or range (e.g. 8000:9000) |
| Source IP / CIDR | Leave blank for any, or enter 203.0.113.0/24 to restrict |
| Direction | Inbound (default), Outbound |
- Click Save Rule. The agent applies the change immediately.
Common operations
Block a single IP
Select Deny, leave the port blank, and enter the IP in the source field. This drops all traffic from that address.
```bash
# Equivalent UFW command (for reference)
ufw deny from 198.51.100.42

# Equivalent firewalld command
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="198.51.100.42" drop'
firewall-cmd --reload
```
For single-IP brute-force blocking, consider using Fail2ban instead — it handles bans and unbans automatically.
Allow a port
Select Allow, enter the port number, and choose TCP or UDP. For web servers: 80 and 443 TCP. For mail: 25, 465, 587, 993, 995.
Restrict SSH to a specific IP
This is the highest-impact change you can make to reduce attack surface on SSH.
- Add a Deny TCP port 22 rule with no source IP (blocks all).
- Add an Allow TCP port 22 rule with your specific IP as source.
[!WARNING] Apply the Allow rule for your IP before applying the Deny all rule. Applying deny first will immediately lock you out of SSH. Rules are evaluated in order — if you are unsure of the order, do this via the VPS console rather than an active SSH session.
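The ordering concern in the warning above can be checked on a UFW host before the deny rule goes in. The following is an added example, not part of Opterius or its agent: the function name `ssh_verdict` and both rule listings are constructed for illustration, and it assumes the `ufw status numbered` layout shown, IPv4 only, and rules written against port 22 or all ports.

```bash
#!/usr/bin/env bash
# Added example (not Opterius code). ssh_verdict IP reads `ufw status numbered`
# text on stdin and prints the action of the FIRST IPv4 rule that matches
# inbound TCP/22 from IP, or DEFAULT when no rule matches (default policy applies).
ssh_verdict() {
  awk -v ip="$1" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function covers(src, addr,  p, size) {        # src: Anywhere, single IP, or CIDR
      if (src == "Anywhere") return 1
      split(src, p, "/")
      size = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))  # number of addresses in the block
      return int(ip2int(p[1]) / size) == int(ip2int(addr) / size)
    }
    /^\[/ && !/\(v6\)/ {                          # numbered IPv4 rule lines only
      sub(/^\[ *[0-9]+\] */, "")                  # drop the "[ 1]" index
      if ($3 == "OUT") next                       # outbound rules do not affect SSH in
      if ($1 != "22" && $1 != "22/tcp" && $1 != "Anywhere") next
      if (covers($4, ip)) { print $2; found = 1; exit }
    }
    END { if (!found) print "DEFAULT" }
  '
}

# Constructed sample listings: same two SSH rules, opposite order.
ALLOW_FIRST='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    203.0.113.0/24
[ 2] 22/tcp                     DENY IN     Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere'

DENY_FIRST='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     Anywhere
[ 2] 22/tcp                     ALLOW IN    203.0.113.0/24
[ 3] 443/tcp                    ALLOW IN    Anywhere'

# An admin at 203.0.113.10 keeps SSH only when the allow rule comes first.
printf 'allow-first: %s\n' "$(printf '%s\n' "$ALLOW_FIRST" | ssh_verdict 203.0.113.10)"
printf 'deny-first:  %s\n' "$(printf '%s\n' "$DENY_FIRST" | ssh_verdict 203.0.113.10)"
```

On a live host, run `ufw status numbered | ssh_verdict <your IP>` from the VPS console after saving the rules; anything other than `ALLOW` means your address would not reach SSH.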
Ports Opterius opens automatically during install
The installer configures the following rules so you do not need to add them manually:
| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP | SSH |
| 80 | TCP | HTTP |
| 443 | TCP | HTTPS |
| 8443 | TCP | Opterius Panel UI |
| 25 | TCP | SMTP |
| 465 | TCP | SMTPS |
| 587 | TCP | SMTP submission |
| 993 | TCP | IMAPS |
| 995 | TCP | POP3S |
| 53 | TCP+UDP | DNS (PowerDNS) |
Recovering from a lockout
If you block port 22 or 8443 accidentally:
- Log in to your VPS provider's web console (Linode Lish, DigitalOcean console, Hetzner console, etc.).
- Log in as root from the console — no network needed.
- Remove the blocking rule:
```bash
# UFW (Debian/Ubuntu)
ufw status numbered
ufw delete <rule number>

# firewalld (AlmaLinux/Rocky)
firewall-cmd --list-all
firewall-cmd --permanent --remove-rich-rule='...'
firewall-cmd --reload
```
- Confirm SSH is reachable again before closing the console session.
[!TIP] Always keep a VPS console session open in a separate browser tab when making firewall changes. This gives you a recovery path if a rule blocks your SSH connection.