And yeah, you should. But the good news is that Contabo recently rolled out a free, built-in firewall with a GUI right in the control panel. No iptables commands, no memorizing syntax, no accidentally locking yourself out and crying. Just point, click, and your server is protected.

This is how I set mine up, and how you can too.

What Even Is a Firewall?

Quick explanation: your server is connected to the internet. Without a firewall, any traffic can knock on any port, and your server will answer. That's not great. That is nightmarish there are lots of smart people with bad intentions.

A firewall sits in front of all that and says, "Only these specific things are allowed in. Everything else? Thank you, next."

Contabo's firewall works at the network level, meaning traffic gets filtered before it even touches your server. Your VPS doesn't even see the blocked stuff. That's cleaner and safer than a software firewall you install on the OS itself.

And it's free. Included with every VPS and VDS. No excuses to not set it up and not have nightmares about ports being hammered while you sleep!

Before You Touch the Firewall: Do This First

Here's something that tripped me up mentally at first: how do you know what to allow if you don't know what's running?

SSH into your server and run:

ss -tlnp

This lists every service that's currently listening for connections and the port it's listening on. Here's what mine looked like:

State   Port    Process
LISTEN  53      systemd-resolve   (127.0.0.1 only)
LISTEN  8096    jellyfin
LISTEN  2019    caddy             (127.0.0.1 only)
LISTEN  22      sshd
LISTEN  443     caddy
LISTEN  80      caddy

Now you read it like this:

• If the Local Address shows 127.0.0.1 or 127.0.0.53, it's an internal-only address. The internet can't reach it anyway. You don't need a firewall rule for it.

• If it shows 0.0.0.0 or *, it's publicly reachable. You need to decide: should it be?

In my case, the services that actually needed to be reachable from the outside were:

What about Jellyfin on port 8096?

Good question. I access Jellyfin through a subdomain (jellyfin.mydomain.com), which Caddy proxies. So traffic comes in on port 443, Caddy handles it, and forwards it internally to port 8096. Port 8096 never needs to be public. I leave it closed.

If you're accessing Jellyfin directly via yourip:8096 in the browser, then you'd need to open 8096. But I'd recommend setting up a reverse proxy instead, it's cleaner and more secure. (That's a separate article, though.)

Setting Up the Contabo Firewall

Step 1: Log In to the Firewall Section

Log in to your Contabo Customer Control Panel. In the navigation, go to:

Network Services → Firewall

You'll land on a page where you can create and manage firewall rule sets.

Step 2: Understand the Default

When you first enable the firewall, Contabo creates one rule:

This is your safety net. It means: if nothing else matches, drop the packet. You want this rule to exist. You want it to stay at the bottom. Every rule you add will be an exception to this. Do not worry too much about this caveat Contabo knows this and every new rule you add, is added above your default DROP all rule, but if you mess with one just be mindful of this.

Step 3: Add Your Allow Rules

Now add a rule for each port you identified earlier. For each one, you'll specify:

• Action: ACCEPT

• Protocol: TCP

• Port: the port number

• Source: Any (or a specific IP if you want to lock SSH down to just your home IP, more on that below)

Add these three rules:

Rule 1: SSH

• Display Name: Allow SSH

• Action: ACCEPT

• Protocol: TCP

• Port: 22

• Source: Any

Rule 2: HTTP

• Display Name: Allow HTTP

• Action: ACCEPT

• Protocol: TCP

• Port: 80

• Source: Any

Rule 3: HTTPS

• Display Name: Allow HTTPS

• Action: ACCEPT

• Protocol: TCP

• Port: 443

• Source: Any

Step 4: Check Your Rule Order

Your final rule list should look something like this:

The DROP rule should always be last. Rules are evaluated top to bottom, first match wins. So ACCEPT rules go above, DROP catches everything that didn't match.

Step 5: Attach the Firewall to Your VPS

Creating rules isn't enough, you have to attach the rule set to your actual VPS instance. In the Contabo panel, go to the Active VPS/VDS tab and assign your firewall there.

Once attached, it's live immediately. No restart is needed.

Optional, but Recommended: Lock Down SSH

Allowing SSH from any source works, but if you have a static home IP or office IP, you can restrict SSH to just that address. This means even if someone finds port 22, they can't connect unless they're you.

In your SSH rule, instead of Source: Any, put your IP address (you can find it by Googling "what is my IP").

Just make sure you remember to update this if your IP changes, or you'll lock yourself out. If that happens, Contabo has a VNC console in the control panel you can use as a backup.

Testing It

After your rules are active, test from your local machine:

# Test HTTP
curl http://your-server-ip

# Test SSH
ssh root@your-server-ip

If HTTP returns a response and SSH connects, you're good. Everything else is blocked.

Want to be thorough? You can use nmap to scan your server from outside and see exactly what's visible:

nmap -Pn your-server-ip

Only ports 22, 80, and 443 should show as open.

Quick Reference

Condensed version of everything for quick reference.

1. ss -tlnp on your server to see what's running and on which port

2. Identify which ports need to be public (ignore 127.0.0.1 entries, this just means local.)

3. Contabo Panel → Network Services → Firewall

4. Add ACCEPT rules for your ports (22, 80, 443 at minimum)

5. Keep the Block all traffic DROP rule at the bottom

6. Attach the firewall to your VPS instance

7. Test with curl and ssh

Wrapping Up

Contabo's built-in firewall is one of the nicer things they've added recently. No need to mess with a command line and worry about iptables-persistent, no scary moments thinking to yourself "did I save that rule before rebooting?". Its all sorted very cleanly from the site.

The key habit to build here is: always check what's running before you build your rules. Don't just copy someone else's firewall setup, your server is yours, and your services are different. Running ss -tlnp takes two seconds and tells you exactly what you're working with.

If you're running a Jellyfin + Caddy setup like me, the three rules above are all you need. Keep 8096 closed, let Caddy handle the routing, and you're good to go.

Have questions, or something didn't work the way you expected? Drop a comment. I'm learning too, and we can figure it out together.