How to Configure Advanced Firewall for MU Online Server
Complete technical guide to configure Windows Firewall rules and protect your private MU Online server against attacks, unauthorized access, and connection floods.
Why Firewall Configuration is Critical for MU Online Servers
Private MU Online servers are frequent targets of DDoS attacks, unauthorized connection attempts, and port scans. Misconfiguration can expose SQL Server to the internet, allow unauthenticated access to the admin panel, or bring the server down with packet floods. This guide covers Windows Firewall with Advanced Security configuration on Windows Server 2012/2016/2019 — the most common hosting environments for MuServer Season 6 through Season 13.
Step 1: Map All MuServer Ports
Before creating any rules, document every port your server uses. The standard MuServer layout is:
| Component | Port | Protocol | Exposure |
|---|---|---|---|
| ConnectServer | 44405 | TCP | Public (players) |
| GameServer 1 | 55901 | TCP | Public (players) |
| GameServer 2 | 55902 | TCP | Public (players) |
| GameServer N | 5590N | TCP | Public (players) |
| DataServer | 55980 | TCP | Internal only |
| EventServer | 55960 | TCP | Internal only |
| SQL Server | 1433 | TCP | Internal only |
| RDP/Admin | 3389 | TCP | Restricted IP |
| Web Panel | 80/443 | TCP | Public or restricted |
Verify the exact ports in your ConnectServer configuration file:
GameServer/Setup/ConnectServer.ini
[CONNECT_SERVER_INFO]
ServerPort=44405
ServerListenIP=0.0.0.0
[GAME_SERVER_GROUP]
ServerCount=2
And in GameServer/Setup/GameServerInfo.cfg:
[GameServer_1]
ServerPort=55901
InternalPort=55901
Step 2: Set Default Block Policy for All Inbound Traffic
The correct approach is: block everything by default, then allow only what is necessary. Run the following commands as Administrator in PowerShell or Command Prompt:
1. Set default deny policy for inbound traffic:
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
2. Ensure the firewall is active on all profiles:
netsh advfirewall set allprofiles state on
Step 3: Create Inbound Rules for MuServer Components
3. Allow ConnectServer (port 44405 — public access):
netsh advfirewall firewall add rule name="MU - ConnectServer" dir=in action=allow protocol=TCP localport=44405 profile=any
4. Allow GameServers (ports 55901 and 55902):
netsh advfirewall firewall add rule name="MU - GameServer 1" dir=in action=allow protocol=TCP localport=55901 profile=any
netsh advfirewall firewall add rule name="MU - GameServer 2" dir=in action=allow protocol=TCP localport=55902 profile=any
For multiple GameServers, repeat for each port or use the range format:
netsh advfirewall firewall add rule name="MU - GameServers" dir=in action=allow protocol=TCP localport=55901-55910 profile=any
5. Allow HTTP/HTTPS for the web panel:
netsh advfirewall firewall add rule name="MU - Web HTTP" dir=in action=allow protocol=TCP localport=80 profile=any
netsh advfirewall firewall add rule name="MU - Web HTTPS" dir=in action=allow protocol=TCP localport=443 profile=any
6. Allow RDP only from your administration IP (replace 203.0.113.10 with your real IP):
netsh advfirewall firewall add rule name="Admin - RDP Restricted" dir=in action=allow protocol=TCP localport=3389 remoteip=203.0.113.10 profile=any
Step 4: Explicitly Block Internal Ports
SQL Server and internal components must never be reachable from the internet:
7. Block SQL Server externally:
netsh advfirewall firewall add rule name="BLOCK - SQL Server External" dir=in action=block protocol=TCP localport=1433 profile=any
8. Block DataServer and EventServer externally:
netsh advfirewall firewall add rule name="BLOCK - DataServer External" dir=in action=block protocol=TCP localport=55980 profile=any
netsh advfirewall firewall add rule name="BLOCK - EventServer External" dir=in action=block protocol=TCP localport=55960 profile=any
127.0.0.1 rather than 0.0.0.0. Navigate to: SQL Server Configuration Manager → SQL Server Network Configuration → Protocols for MSSQLSERVER → TCP/IP → IP Addresses → disable all IP entries except the loopback (127.0.0.1).
Step 5: Anti-Flood Protection with Connection Limiting
The standard Windows Firewall does not offer native rate-limiting. Use PowerShell to create a monitoring script that blocks IPs with excessive simultaneous connections:
9. Create the anti-flood script at C:\MuServer\Scripts\AntiFlood.ps1:
# AntiFlood.ps1 - Monitors connections on port 44405 and blocks excessive IPs
$port = 44405
$connectionLimit = 15
$intervalSeconds = 30
while ($true) {
    $connections = Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue
    $groupedIPs = $connections | Group-Object -Property RemoteAddress | Where-Object { $_.Count -ge $connectionLimit }
    foreach ($group in $groupedIPs) {
        $ip = $group.Name
        $existingRule = Get-NetFirewallRule -DisplayName "AUTOBLOCK - $ip" -ErrorAction SilentlyContinue
        if (-not $existingRule) {
            New-NetFirewallRule -DisplayName "AUTOBLOCK - $ip" -Direction Inbound -Action Block -RemoteAddress $ip -Protocol TCP
            Write-Output "$(Get-Date) - Blocked IP: $ip ($($group.Count) connections)"
        }
    }
    Start-Sleep -Seconds $intervalSeconds
}
10. Register the script as a scheduled task that runs at system startup:
schtasks /create /tn "MU AntiFlood Monitor" /tr "powershell -ExecutionPolicy Bypass -File C:\MuServer\Scripts\AntiFlood.ps1" /sc onstart /ru SYSTEM /f
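A variant of the monitoring loop, added here as an example and not part of the original guide: it watches all public ports from Step 1, skips an allowlist, and removes its own blocks after a fixed time so that AUTOBLOCK rules do not accumulate. `$Allowlist`, `$BlockHours`, the function names and storing the creation time in the rule's Description are assumptions of this example.

```powershell
# Added example, not the guide's script. $Allowlist, $BlockHours and the use of
# the rule Description as a timestamp are assumptions made for illustration.
$Ports           = 44405, 55901, 55902   # public ports from the Step 1 table
$ConnectionLimit = 15                    # same threshold as AntiFlood.ps1
$BlockHours      = 6                     # hypothetical lifetime of a block
$Allowlist       = @('203.0.113.10')     # placeholder admin IP from Step 3

function Get-FloodSource {
    param([object[]]$Connections, [int]$Limit, [string[]]$Allow)
    if (-not $Connections) { return }
    # Count per remote address across all monitored ports; allowlisted and
    # loopback peers are never returned.
    $skip = @('127.0.0.1', '::1') + $Allow
    $Connections |
        Where-Object { $_.RemoteAddress -notin $skip } |
        Group-Object -Property RemoteAddress |
        Where-Object { $_.Count -ge $Limit } |
        ForEach-Object { [pscustomobject]@{ IP = $_.Name; Count = $_.Count } }
}

function Invoke-AntiFloodPass {
    $now = Get-Date
    # Remove AUTOBLOCK rules whose stored creation time is older than $BlockHours.
    # Rules without a parsable Description (e.g. created by hand) are left alone.
    foreach ($rule in Get-NetFirewallRule -DisplayName 'AUTOBLOCK - *' -ErrorAction SilentlyContinue) {
        $created = [datetime]::MinValue
        if ([datetime]::TryParse($rule.Description, [ref]$created) -and
            ($now - $created).TotalHours -ge $BlockHours) {
            $rule | Remove-NetFirewallRule
            Write-Output "$now - Expired: $($rule.DisplayName)"
        }
    }
    # Block new sources that reached the limit during this pass.
    $conns = Get-NetTCPConnection -LocalPort $Ports -State Established -ErrorAction SilentlyContinue
    foreach ($src in Get-FloodSource -Connections $conns -Limit $ConnectionLimit -Allow $Allowlist) {
        $name = "AUTOBLOCK - $($src.IP)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        $params = @{
            DisplayName   = $name;     Description = $now.ToString('o')
            Direction     = 'Inbound'; Action      = 'Block'
            RemoteAddress = $src.IP;   Protocol    = 'TCP'
        }
        New-NetFirewallRule @params | Out-Null
        Write-Output "$now - Blocked: $($src.IP) ($($src.Count) connections)"
    }
}

while ($true) { Invoke-AntiFloodPass; Start-Sleep -Seconds 30 }
```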
Step 6: Database-Level Security in SQL Server
Add a security layer inside SQL Server to log suspicious login attempts:
11. Enable failed login auditing in SQL Server Management Studio:
-- Show advanced configuration options
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- Set the login audit level
-- (0 = none, 1 = successful logins only, 2 = failed logins only, 3 = both)
-- The new level takes effect after the SQL Server service is restarted
EXEC xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    REG_DWORD,
    2;
12. Create a security log table in the MuOnline database:
USE MuOnline;
GO
CREATE TABLE dbo.SecurityLog (
    LogID INT IDENTITY(1,1) PRIMARY KEY,
    LogDate DATETIME DEFAULT GETDATE(),
    AccountID VARCHAR(10),
    IPAddress VARCHAR(15),
    EventType VARCHAR(50),
    Details VARCHAR(255)
);
GO
13. Create a trigger to log automatic account blocks on the MEMB_INFO table:
USE MuOnline;
GO
CREATE TRIGGER trg_LoginFailed
ON dbo.MEMB_INFO
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    IF UPDATE(block_code)
    BEGIN
        INSERT INTO dbo.SecurityLog (AccountID, EventType, Details)
        SELECT i.memb___id, 'ACCOUNT_BLOCKED',
               'Account automatically blocked - excessive failed attempts'
        FROM inserted i
        INNER JOIN deleted d ON i.memb___id = d.memb___id
        WHERE i.block_code <> d.block_code AND i.block_code = 1;
    END
END;
GO
Step 7: Verify and Audit All Rules
14. List all firewall rules created for MU Online:
netsh advfirewall firewall show rule name=all dir=in | findstr /C:"MU - " /C:"BLOCK - " /C:"AUTOBLOCK - " /C:"Admin - "
15. Check listening ports to confirm only expected ports are open:
netstat -ano | findstr "LISTENING" | findstr ":44405 :55901 :55902 :1433 :3389"
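The checks in steps 14 and 15 only show rules that follow the guide's naming scheme. The following added example (not part of the original guide; the function names and `$Watch` are hypothetical) walks every enabled inbound Allow rule and reports any that open an internal-only port or RDP to any remote address without a BLOCK rule covering the same port.

```powershell
# Added example: audit enabled inbound rules against the Step 1 port map.
# Function names and $Watch are hypothetical; ports are the guide's defaults.
$Watch = @{ 1433 = 'SQL Server'; 55980 = 'DataServer'; 55960 = 'EventServer'; 3389 = 'RDP' }

function Expand-PortSpec {
    param([string[]]$Spec)
    # '55901-55910' -> 55901..55910, '80' -> 80; 'Any', 'RPC' etc. yield nothing,
    # so program-scoped rules without explicit ports are not evaluated here.
    foreach ($item in $Spec) {
        if     ($item -match '^(\d+)-(\d+)$') { ([int]$Matches[1])..([int]$Matches[2]) }
        elseif ($item -match '^\d+$')         { [int]$item }
    }
}

function Get-OpenTcpPort {
    param($Rule)
    # Ports the rule covers for TCP from any remote address (nothing if scoped by IP).
    $pf = $Rule | Get-NetFirewallPortFilter
    $af = $Rule | Get-NetFirewallAddressFilter
    if ($pf.Protocol -in 'TCP', 'Any' -and $af.RemoteAddress -contains 'Any') {
        Expand-PortSpec $pf.LocalPort
    }
}

function Get-MuFirewallFinding {
    # Block rules take precedence over Allow rules, so collect blocked ports first.
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        ForEach-Object { Get-OpenTcpPort $_ }
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        foreach ($port in Get-OpenTcpPort $rule) {
            if ($Watch.ContainsKey($port) -and $port -notin $blocked) {
                [pscustomobject]@{
                    Rule  = $rule.DisplayName
                    Port  = $port
                    Issue = "$($Watch[$port]) allowed from any remote address"
                }
            }
        }
    }
}

Get-MuFirewallFinding | Format-Table -AutoSize
```

An empty result means no enabled Allow rule with explicit ports contradicts the port map; rules that allow all ports for a program are outside what this check evaluates.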
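16. Export current firewall configuration as a backup (run this from Command Prompt: the %date% substring expansion is cmd.exe syntax and depends on the system date format):
netsh advfirewall export "C:\MuServer\Backups\firewall-backup-%date:~-4,4%%date:~-10,2%%date:~-7,2%.wfw"
To restore from a backup:
netsh advfirewall import "C:\MuServer\Backups\firewall-backup-YYYYMMDD.wfw"
Step 8: Alternative GUI Configuration via wf.msc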
If you prefer the graphical interface, open wf.msc and:
- Go to Inbound Rules → New Rule
- Select Port → TCP → enter the specific port number
- Select Allow the connection
- Check all profiles (Domain, Private, Public)
- Name it MU - [ComponentName]
To restrict by IP in the GUI: after creating the rule, right-click → Properties → Scope tab → under "Remote IP address" select "These IP addresses" and add the permitted IPs.
Troubleshooting
Players cannot connect after applying rules: Verify the ConnectServer rule is correct with netsh advfirewall firewall show rule name="MU - ConnectServer". Confirm that Action=Allow and Direction=In.
RDP accidentally blocked: Use your VPS provider's KVM console. Run netsh advfirewall reset to restore defaults, then reapply rules in the correct order — always start with the RDP rule for your IP.
AntiFlood script blocking legitimate players: Increase $connectionLimit to a higher value (e.g. 30), or add a whitelist of trusted IPs at the top of the script before the blocking loop.
Frequently Asked Questions
Which ports does MU Online require open?
ConnectServer uses port 44405 (TCP). Each GameServer uses 55901-55910 (TCP, one port per server instance). DataServer uses 55980 (TCP, internal communication only). The web panel uses 80 and 443. Never expose SQL Server port 1433 directly to the internet.
How do I block brute-force login attacks?
Combine firewall rules with rate-limiting: block IPs attempting more than 10 simultaneous connections on port 44405 using netsh advfirewall, and create a SQL Server trigger on the MEMB_INFO table to log failures and optionally call xp_cmdshell to ban the IP via netsh.
What if the server becomes unreachable after applying rules?
Access your VPS via KVM/IPMI console (not RDP) so you retain access even if port 3389 gets blocked. Run 'netsh advfirewall reset' to restore defaults, then reapply rules one by one to identify the culprit.
How do I protect the web panel (webEngineNET/PHP) alongside the firewall?
Restrict /admin directory access by IP in IIS (via applicationHost.config or web.config with <ipSecurity>), enable HTTPS with a self-signed or Let's Encrypt certificate, and block port 80 on the external firewall leaving only port 443 open.