TallDwarf Hosting
Minecraft

Proxy Firewall (Backend Protection)

Lock your backend Minecraft server so only your proxy can connect.

Protecting Backend Servers Behind a Proxy

If you run a proxy setup (such as Velocity or BungeeCord), your backend server (Paper, Spigot, Purpur, etc.) should only accept connections from your proxy.

Without firewall protection, players can bypass your proxy and connect directly to the backend server IP. This can break your security model and expose offline-mode risks.

For a full explanation of the firewall UI and fields, see the Firewall guide.

Goal

Create rules so that:

  • Your proxy IP is allowed to connect to the backend port.
  • Everyone else is blocked from that same backend port.

For backend port 25566 (example):

  1. Allow rule for your proxy IP/CIDR with a higher priority (lower number).
  2. Block rule for 0.0.0.0/0 on the same port with a lower priority (higher number).

This ensures your proxy is matched first, and all other traffic is denied.

Step-by-Step

Open your backend Minecraft server in the game panel and go to Firewall.

Create an Allow rule:

  • Remote IP: your proxy IP (example: 203.0.113.50/32)
  • Server Port: backend port (example: 25566)
  • Priority: 1
  • Type: Allow

Create a Block rule for the same backend port:

  • Remote IP: 0.0.0.0/0
  • Server Port: backend port (example: 25566)
  • Priority: 2
  • Type: Block

Save both rules and test by joining through your proxy.

Confirm that direct connections to the backend IP:port fail.

Important Notes

Important

If your proxy IP changes, update your Allow rule immediately or your network may stop working.

  • If you run multiple proxies, add one Allow rule per proxy IP (or use the correct CIDR range).
  • Apply these rules to backend ports only. Do not block your public proxy port unless intentionally restricting access.
  • Keep priorities clean and predictable: all required Allow rules first, broad Block rules after.

Security Reminder

Firewall rules are a core part of proxy security, but not the only part. Keep your proxy/backend forwarding settings and authentication setup correct for your stack.

Having trouble?

  • Double-check your proxy IP and backend port.
  • Make sure the Allow rule has a higher priority than the Block rule.
  • Check your proxy configuration to ensure it's forwarding to the correct backend port.

If you are still having issues, feel free to reach out to support with your rule setup and proxy/backend details.

Install Dynmap

Learn to install and configure Dynmap on your Minecraft server.

On this page

Protecting Backend Servers Behind a ProxyGoalRecommended Rule SetupStep-by-StepImportant NotesSecurity Reminder