Out new: Firewall for netcup vServer - additional security layer at no extra cost

What does the new firewall offer?

The stateful firewall allows you to granularly control the incoming and outgoing network traffic of your vServer. You can define your own rules both via the SCP and via the API to specifically allow or block certain protocols, ports or IP ranges. This ensures that only desired connections are allowed and that internal services are not unintentionally accessible to the public.

Key benefits:

• Additional layer of security at no extra cost
• Rule-based control over incoming and outgoing traffic
• Filtering directly at network level before requests reach the server itself
• Enabled by default for new root servers and VPS, existing VMs can now activate the feature in the SCP
• Simple management in the server control panel or automated via API

Why an additional firewall makes sense

The firewall gives you an additional, easy-to-understand yet flexible option to significantly reduce the attack surface of your vServer at netcup. However, we strongly recommend that you also set up your own internal firewall solutions such as iptables or nftables on the server itself, even if you use the firewall feature from netcup.

The firewall provides basic protection. It supplements your measures with an upstream security layer in the network, for example to counteract unwanted public services or misconfigurations in the system, but does not replace protection via local server firewalls.

Notes and limitations

The firewall is available for all netcup server products from Generation 12 onwards and can be configured per server with immediate effect. The firewall is already activated by default for new orders. For existing servers (ordered before December 9, 2025), the firewall must be activated once in the SCP.

You can define up to 500 active rules per server and per public network interface in the firewall. Please note, however, that some rules are already predefined by default, for example to prevent email spamming such as netcup Mail block (default policy). You can remove these at any time after activation. For example, outgoing traffic on port 25 (SMTP) is blocked by default. This measure serves as a protective mechanism against outgoing e-mail spam. If you want to operate your server as a mail server, you can remove this rule manually at any time. In this case, however, make sure that your email configuration is complete and correct to avoid blocking by third-party providers or blacklists.

If no policies are assigned to a server, the firewall generally allows all traffic.

You can find further tips on this topic in the netcup Help Center.

Management via SCP and API

The firewall can be activated and managed directly in the Server Control Panel (SCP). Policies can be created, edited and assigned to individual servers there. Alternatively, administration can be fully automated via the netcup API.

You can find additional technical details, policy examples, and a complete management guide here in the netcup Help Center.

Don't miss out: Grab a new deal every day in the advent calendar

The netcup Advent calendar has a new bargain for you every day from December 1 to 24.