This guide will walk you through configuring DDoS protection for your infrastructure using Edge Rules and Application Filters. We’ll cover best practices and step-by-step instructions for securing your services.

Edge Rules Configuration

Edge Rules allow you to control traffic flows based on various criteria like IP addresses, protocols, and packet characteristics.

Edge Rules management interface showing existing rules and their priorities

Best Practice: Default Deny Rule

We strongly recommend starting with a “deny all” rule and then explicitly allowing only necessary traffic. Here’s how to set this up:

Edge Rules use a dynamic priority system and follow a first-match principle. Rules are evaluated from highest priority (lowest number) to lowest priority, and processing stops at the first matching rule. For example, if a packet matches a rule with priority 1, rules with priority 2 and higher will not be evaluated. This makes rule priority crucial for proper traffic filtering.

When creating a new rule, you can only assign a priority up to (highest existing priority + 1). If you insert a rule between existing rules (e.g., adding a rule with priority 4), all subsequent rules will automatically shift down (the existing priority 4 becomes 5, 5 becomes 6, and so on). This helps maintain organized rule management while preventing priority gaps.

1

Create Default Deny Rule

  1. Click “Create New Edge Rule”
  2. Select “ANY” for protocol
  3. Set Destination to your protected IP
  4. Set Source IP to “0.0.0.0/0” (all IPs)
  5. Set Priority to “1” (highest priority)
  6. Set Action to “Drop”
  7. Add description: “Drop All Traffic”
2

Allow Specific Services

Create subsequent rules with higher priority numbers to allow specific services:

  • Priority 1: Allow SSH (TCP port 22)
  • Priority 2: Allow HTTP/HTTPS (TCP ports 80/443)
  • Priority 3: Allow other required services

Application Filters

Application Filters ensure only legitimate traffic of specific applications gets through and reach your server.

Application Filter configuration showing FiveM game server protection

Setting Up Application Filters

1

Access Port Automation

Navigate to the Port Automation section in the dashboard

2

Create New Application Shield

Click “Create New Application Shield” button

3

Configure Application Settings

  1. Enter your Destination IP
  2. Specify the Application Port
  3. Select the Application Type (e.g., FiveM, Wireguard, OpenVPN, Source Engine)

Advanced Configuration Tips

Rate Limiting

When creating Edge Rules, consider setting appropriate rate limits, two types or rate limits are available:

  • Ratelimit: This defines the maximum number of packets allowed per second (1-2500000 packets) per source IP. If the source IP exceeds this limit, the packet will be dropped.

  • Ratelimit Burst: This setting allows for short bursts of traffic (1-250000 packets). It uses a token bucket algorithm, where tokens are added to a “bucket” at a fixed rate. Each packet sent removes a token. If the bucket is empty, additional packets are dropped. Each source IP has it’s own “bucket”.

Feature Matching

Use Feature Matching to fine-tune your protection:

  • State Type: Configure connection state matching

    • NEW: Match packets that start a new connection
    • ESTABLISHED: Match packets belonging to an existing connection
    • RELATED: Match packets related to, but not part of, an existing connection
    • INVALID: Match packets that don’t belong to any known connection

  • Packet Length: Set valid packet size ranges (1-65535 bytes)

    • Helps identify and filter abnormal packet sizes
    • Common legitimate packet sizes:
      • TCP packets: typically 40-1500 bytes
      • UDP gaming traffic: often 100-300 bytes
      • HTTP/HTTPS: variable, but usually under 1500 bytes