Firewall & Security Settings
The firewall management features described on this page may still be under development or only available for certain servers. Refer to the Dashboard interface for the actual available settings.
Zeabur provides server-level firewall management, allowing you to configure inbound rules directly from the Dashboard without SSH-ing into the server to manage iptables manually.
Overview
Each dedicated server has its own firewall configuration. By default, Zeabur opens the ports required for services to operate (such as 80 and 443) and blocks all other unauthorized inbound connections.
Firewall rules only control inbound traffic. Outbound connections from your services are not restricted by the firewall.
Configuring Firewall Rules
- Go to the Zeabur Servers page and select your dedicated server.
- Click the “Firewall” tab in the left navigation.
- Click the “Add Rule” button to create an inbound rule.
Each rule requires the following fields:
| Field | Description |
|---|---|
| Protocol | TCP or UDP |
| Port Range | A single port (e.g., 8080) or a range (e.g., 3000-3100) |
| Source IP | Allowed source IP address or CIDR block (e.g., 203.0.113.0/24); leave empty to allow all sources |
Click “Save” when done. Rules take effect within seconds.
IP Allowlisting and Blocklisting
- Allowlist mode: To restrict access to specific IPs for a given port, simply specify the source IP when creating a rule.
- Blocklist mode: Zeabur’s firewall uses an allowlist strategy (default-deny). Ports and sources not explicitly opened in a rule are blocked, so no separate blocklist configuration is needed.
Common Scenarios
Allow only office IP to access admin panel
| Protocol | Port | Source IP |
|---|---|---|
| TCP | 8443 | 203.0.113.10 |
Open database port for a specific subnet
| Protocol | Port | Source IP |
|---|---|---|
| TCP | 5432 | 10.0.0.0/16 |
Required Ports
The following ports are required for Zeabur to operate properly. Do not block them:
| Port | Purpose |
|---|---|
| 22 | SSH management |
| 80 | HTTP traffic |
| 443 | HTTPS traffic |
| 4222 | NATS internal communication |
| 6443 | K3s API Server |
| 30000–32767 | Kubernetes NodePort range |
Blocking any of these ports may prevent Zeabur from managing your server or cause services to become unreachable.
Security Best Practices
- Principle of least privilege — Only open the ports and source IPs you actually need. Avoid using 0.0.0.0/0 (allow all) for sensitive services.
- Audit rules regularly — Periodically review your firewall rules and remove ports that are no longer needed.
- Use private networking — For inter-service communication, use private networking to avoid transmitting sensitive data over the public internet.
- Keep SSH secure — Use SSH key authentication instead of passwords, and consider restricting SSH access to specific IPs.
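
The following is an added example, not Zeabur code: a small Python audit that evaluates rules under the default-deny model described above and flags rules open to all sources on ports other than 80 and 443. The rule dictionary layout, the sample rules, and the function names are assumptions made for illustration; only user-defined rules are modeled.

```python
import ipaddress

# Constructed sample rules using the page's fields (protocol, port range, source IP).
# The dict layout is an assumption; it is not a Zeabur export format.
RULES = [
    {"protocol": "TCP", "ports": "8443", "source": "203.0.113.10"},
    {"protocol": "TCP", "ports": "5432", "source": "10.0.0.0/16"},
    {"protocol": "TCP", "ports": "3000-3100", "source": ""},  # empty = all sources
    {"protocol": "TCP", "ports": "22", "source": "0.0.0.0/0"},
]
PUBLIC_PORTS = {80, 443}  # ports expected to be reachable from anywhere


def port_range(spec):
    """Parse '8080' or '3000-3100' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not (0 < low <= high <= 65535):
        raise ValueError(f"invalid port range: {spec!r}")
    return low, high


def source_net(source):
    """An empty source means all sources, per the Source IP field description."""
    return ipaddress.ip_network(source or "0.0.0.0/0", strict=False)


def is_allowed(rules, protocol, port, src_ip):
    """Default-deny: a connection passes only if some rule matches it."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        low, high = port_range(r["ports"])
        if (r["protocol"].upper() == protocol.upper() and low <= port <= high
                and addr in source_net(r["source"])):
            return True
    return False


def audit(rules):
    """Return rules open to every source on ports outside PUBLIC_PORTS."""
    findings = []
    for r in rules:
        low, high = port_range(r["ports"])
        wide_open = source_net(r["source"]).prefixlen == 0
        if wide_open and not set(range(low, high + 1)) <= PUBLIC_PORTS:
            findings.append(r)
    return findings


if __name__ == "__main__":
    for r in audit(RULES):
        print("review:", r["protocol"], r["ports"], r["source"] or "(all sources)")
```

A flagged rule is a prompt for review, not necessarily an error: port 22 must stay open for Zeabur to manage the server, but its source can be narrowed to specific IPs.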