Brazil's biggest MU Online portal — since 2003

How to Configure Advanced Firewall for MU Online Server

Complete technical guide to configure Windows Firewall rules and protect your private MU Online server against attacks, unauthorized access, and connection floods.

ViciadosMU Team · Updated on 3 Jul 2026 · 12 min read

Why Firewall Configuration is Critical for MU Online Servers

Private MU Online servers are frequent targets of DDoS attacks, unauthorized connection attempts, and port scans. Misconfiguration can expose SQL Server to the internet, allow unauthenticated access to the admin panel, or bring the server down with packet floods. This guide covers Windows Firewall with Advanced Security configuration on Windows Server 2012/2016/2019 — the most common hosting environments for MuServer Season 6 through Season 13.

Note: This guide assumes your MuServer is already installed and working. Apply all rules in a test environment before production. Always have KVM console access to your VPS before modifying firewall rules.

Step 1: Map All MuServer Ports

Before creating any rules, document every port your server uses. The standard MuServer layout is:

| Component | Port | Protocol | Exposure |
|---|---|---|---|
| ConnectServer | 44405 | TCP | Public (players) |
| GameServer 1 | 55901 | TCP | Public (players) |
| GameServer 2 | 55902 | TCP | Public (players) |
| GameServer N | 5590N | TCP | Public (players) |
| DataServer | 55980 | TCP | Internal only |
| EventServer | 55960 | TCP | Internal only |
| SQL Server | 1433 | TCP | Internal only |
| RDP/Admin | 3389 | TCP | Restricted IP |
| Web Panel | 80/443 | TCP | Public or restricted |

Verify the exact ports in your ConnectServer configuration file:

GameServer/Setup/ConnectServer.ini
[CONNECT_SERVER_INFO]
ServerPort=44405
ServerListenIP=0.0.0.0

[GAME_SERVER_GROUP]
ServerCount=2

And in GameServer/Setup/GameServerInfo.cfg:

[GameServer_1]
ServerPort=55901
InternalPort=55901

Step 2: Set Default Block Policy for All Inbound Traffic

The correct approach is: block everything by default, then allow only what is necessary. Run the following commands as Administrator in PowerShell or Command Prompt:

1. Set default deny policy for inbound traffic:

netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

2. Ensure the firewall is active on all profiles:

netsh advfirewall set allprofiles state on

Warning: Only run this step if you already have a rule allowing RDP (port 3389) from your IP (item 6 in Step 3). Otherwise you will lose remote access to the server immediately. If that happens, use your VPS provider's KVM console to recover.

Step 3: Create Inbound Rules for MuServer Components

3. Allow ConnectServer (port 44405 — public access):

netsh advfirewall firewall add rule name="MU - ConnectServer" dir=in action=allow protocol=TCP localport=44405 profile=any

4. Allow GameServers (ports 55901 and 55902):

netsh advfirewall firewall add rule name="MU - GameServer 1" dir=in action=allow protocol=TCP localport=55901 profile=any

netsh advfirewall firewall add rule name="MU - GameServer 2" dir=in action=allow protocol=TCP localport=55902 profile=any

For multiple GameServers, repeat for each port or use the range format:

netsh advfirewall firewall add rule name="MU - GameServers" dir=in action=allow protocol=TCP localport=55901-55910 profile=any

5. Allow HTTP/HTTPS for the web panel:

netsh advfirewall firewall add rule name="MU - Web HTTP" dir=in action=allow protocol=TCP localport=80 profile=any

netsh advfirewall firewall add rule name="MU - Web HTTPS" dir=in action=allow protocol=TCP localport=443 profile=any

6. Allow RDP only from your administration IP (replace 203.0.113.10 with your real IP):

netsh advfirewall firewall add rule name="Admin - RDP Restricted" dir=in action=allow protocol=TCP localport=3389 remoteip=203.0.113.10 profile=any
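
The rules from Steps 2 and 3 applied in a lockout-safe order, as an added PowerShell example that is not part of the original guide: the RDP rule is created and checked before the default inbound policy is switched to Block. The address is the guide's placeholder, and `Set-MuRule` is a hypothetical helper name.

```powershell
# Added example: create the guide's inbound rules idempotently, RDP first,
# and only then switch the default inbound policy to Block.
# Run from an elevated PowerShell session.
$AdminIp = '203.0.113.10'   # the guide's placeholder; use your real address

$rules = @(
    @{ Name = 'Admin - RDP Restricted'; Port = '3389';        Remote = $AdminIp }
    @{ Name = 'MU - ConnectServer';     Port = '44405';       Remote = 'Any' }
    @{ Name = 'MU - GameServers';       Port = '55901-55910'; Remote = 'Any' }
    @{ Name = 'MU - Web HTTP';          Port = '80';          Remote = 'Any' }
    @{ Name = 'MU - Web HTTPS';         Port = '443';         Remote = 'Any' }
)

function Set-MuRule {   # hypothetical helper name
    param([hashtable]$Rule)
    if (Get-NetFirewallRule -DisplayName $Rule.Name -ErrorAction SilentlyContinue) {
        # Update in place so an active RDP session never loses its allow rule.
        Set-NetFirewallRule -DisplayName $Rule.Name -Enabled True -Action Allow `
            -LocalPort $Rule.Port -RemoteAddress $Rule.Remote
    } else {
        New-NetFirewallRule -DisplayName $Rule.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $Rule.Port -RemoteAddress $Rule.Remote `
            -Profile Any | Out-Null
    }
}

foreach ($r in $rules) { Set-MuRule -Rule $r }

# Refuse to switch to default-deny unless the RDP rule exists, is enabled,
# and is scoped to the admin address.
$rdp   = Get-NetFirewallRule -DisplayName 'Admin - RDP Restricted' -ErrorAction Stop
$scope = ($rdp | Get-NetFirewallAddressFilter).RemoteAddress
if ($rdp.Enabled -ne 'True' -or -not (@($scope) -like "$AdminIp*")) {
    throw "RDP rule missing or not scoped to $AdminIp; default policy left unchanged."
}

Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```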

Step 4: Explicitly Block Internal Ports

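SQL Server and internal components must never be reachable from the internet. With the default block policy from Step 2 these ports are already closed to inbound traffic; the explicit block rules below add a safeguard, because in Windows Firewall a block rule takes precedence over any allow rule that is later added for the same port: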

7. Block SQL Server externally:

netsh advfirewall firewall add rule name="BLOCK - SQL Server External" dir=in action=block protocol=TCP localport=1433 profile=any

8. Block DataServer and EventServer externally:

netsh advfirewall firewall add rule name="BLOCK - DataServer External" dir=in action=block protocol=TCP localport=55980 profile=any

netsh advfirewall firewall add rule name="BLOCK - EventServer External" dir=in action=block protocol=TCP localport=55960 profile=any

Tip: In SQL Server Configuration Manager, also configure SQL Server to listen only on 127.0.0.1 rather than 0.0.0.0. Navigate to: SQL Server Configuration Manager → SQL Server Network Configuration → Protocols for MSSQLSERVER → TCP/IP → IP Addresses → disable all IP entries except the loopback (127.0.0.1).

Step 5: Anti-Flood Protection with Connection Limiting

The standard Windows Firewall does not offer native rate-limiting. Use PowerShell to create a monitoring script that blocks IPs with excessive simultaneous connections:

9. Create the anti-flood script at C:\MuServer\Scripts\AntiFlood.ps1:

# AntiFlood.ps1 - Monitors connections on port 44405 and blocks excessive IPs
$port = 44405
$connectionLimit = 15
$intervalSeconds = 30

while ($true) {
    $connections = Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue
    $groupedIPs = $connections | Group-Object -Property RemoteAddress | Where-Object { $_.Count -ge $connectionLimit }

    foreach ($group in $groupedIPs) {
        $ip = $group.Name
        $existingRule = Get-NetFirewallRule -DisplayName "AUTOBLOCK - $ip" -ErrorAction SilentlyContinue
        if (-not $existingRule) {
            New-NetFirewallRule -DisplayName "AUTOBLOCK - $ip" -Direction Inbound -Action Block -RemoteAddress $ip -Protocol TCP
            Write-Output "$(Get-Date) - Blocked IP: $ip ($($group.Count) connections)"
        }
    }

    Start-Sleep -Seconds $intervalSeconds
}

10. Register the script as a scheduled task that runs at system startup:

schtasks /create /tn "MU AntiFlood Monitor" /tr "powershell -ExecutionPolicy Bypass -File C:\MuServer\Scripts\AntiFlood.ps1" /sc onstart /ru SYSTEM /f

Step 6: Database-Level Security in SQL Server

Add a security layer inside SQL Server to log suspicious login attempts:

11. Enable failed login auditing in SQL Server Management Studio:

-- Make advanced configuration options visible
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Set the login audit level
-- (0 = none, 1 = successful logins only, 2 = failed logins only, 3 = both)
-- The new level takes effect after the SQL Server service is restarted.
EXEC xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    REG_DWORD,
    2;

12. Create a security log table in the MuOnline database:

USE MuOnline;
GO

CREATE TABLE dbo.SecurityLog (
    LogID       INT IDENTITY(1,1) PRIMARY KEY,
    LogDate     DATETIME DEFAULT GETDATE(),
    AccountID   VARCHAR(10),
    IPAddress   VARCHAR(15),
    EventType   VARCHAR(50),
    Details     VARCHAR(255)
);
GO

13. Create a trigger to log automatic account blocks on the MEMB_INFO table:

USE MuOnline;
GO

CREATE TRIGGER trg_LoginFailed
ON dbo.MEMB_INFO
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    IF UPDATE(block_code)
    BEGIN
        INSERT INTO dbo.SecurityLog (AccountID, EventType, Details)
        SELECT i.memb___id, 'ACCOUNT_BLOCKED', 
               'Account automatically blocked - excessive failed attempts'
        FROM inserted i
        INNER JOIN deleted d ON i.memb___id = d.memb___id
        WHERE i.block_code <> d.block_code AND i.block_code = 1;
    END
END;
GO

Step 7: Verify and Audit All Rules

14. List all firewall rules created for MU Online:

netsh advfirewall firewall show rule name=all dir=in | findstr /C:"MU - " /C:"BLOCK - " /C:"Admin - "

15. Check listening ports to confirm only expected ports are open:

netstat -ano | findstr "LISTENING" | findstr "44405 55901 55902 1433 3389"

16. Export current firewall configuration as a backup:

netsh advfirewall export "C:\MuServer\Backups\firewall-backup-%date:~-4,4%%date:~-10,2%%date:~-7,2%.wfw"

Tip: Schedule a weekly export of firewall rules using Windows Task Scheduler. If you need to roll back after a problematic change, simply run: netsh advfirewall import "C:\MuServer\Backups\firewall-backup-YYYYMMDD.wfw"
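
An audit that goes beyond listing the guide's own rules, as an added PowerShell example that is not part of the original guide: it reports every enabled inbound Allow rule, including rules that ship with Windows, that opens one of the restricted ports from Step 1 to any remote address. `Test-PortInSpec` is a hypothetical helper name.

```powershell
# Added example: report enabled inbound Allow rules that open a restricted
# port to any remote address. The port list comes from the table in Step 1.
$restricted = 1433, 3389, 55960, 55980

function Test-PortInSpec {   # hypothetical helper: does '80', '1-5' or 'Any' cover $Port?
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    # Keywords such as 'RPC' fail the digit test and are treated as no match.
    return ($Spec -match '^\d+$' -and [int]$Spec -eq $Port)
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }

    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if (@($remote) -notcontains 'Any') { continue }   # rule is already scoped

    foreach ($port in $restricted) {
        if (@($portFilter.LocalPort) | Where-Object { Test-PortInSpec $_ $port }) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Port = $port; Remote = 'Any' }
        }
    }
}

$findings | Sort-Object Port, Rule | Format-Table -AutoSize
```

A hit on 3389 means RDP is reachable from addresses other than the one in "Admin - RDP Restricted", since Step 4 adds no block rule for that port. Hits on 1433, 55960 or 55980 are overridden by the Step 4 block rules but still point to an allow rule worth disabling.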

Step 8: Alternative GUI Configuration via wf.msc

If you prefer the graphical interface, open wf.msc and:

  1. Go to Inbound Rules → New Rule
  2. Select Port → TCP → enter the specific port number
  3. Select Allow the connection
  4. Check all profiles (Domain, Private, Public)
  5. Name it MU - [ComponentName]

To restrict by IP in the GUI: after creating the rule, right-click → Properties → Scope tab → under "Remote IP address" select "These IP addresses" and add the permitted IPs.


Troubleshooting

Players cannot connect after applying rules: Verify the ConnectServer rule is correct with netsh advfirewall firewall show rule name="MU - ConnectServer". Confirm that Action=Allow and Direction=In.

RDP accidentally blocked: Use your VPS provider's KVM console. Run netsh advfirewall reset to restore defaults, then reapply rules in the correct order — always start with the RDP rule for your IP.

AntiFlood script blocking legitimate players: Increase $connectionLimit to a higher value (e.g. 30), or add a whitelist of trusted IPs at the top of the script before the blocking loop.
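
A variant of the Step 5 script with the allowlist suggested above, as an added PowerShell example that is not part of the original guide. It also expires old blocks and limits each block to the MU ports; `$allowlist`, `$blockHours` and the timestamp stored in the rule Description are assumptions of this example.

```powershell
# Added example: AntiFlood.ps1 variant with an allowlist and expiring blocks.
# $allowlist, $blockHours and the Description timestamp are assumptions.
$port            = 44405
$connectionLimit = 15
$intervalSeconds = 30
$blockHours      = 6
$allowlist       = @('127.0.0.1', '::1', '203.0.113.10')   # loopback + admin IP placeholder

while ($true) {
    $now = Get-Date

    # 1. Expire AUTOBLOCK rules whose creation time (stored in Description) is too old.
    #    Rules without a parsable timestamp are left in place.
    foreach ($rule in Get-NetFirewallRule -DisplayName 'AUTOBLOCK - *' -ErrorAction SilentlyContinue) {
        $created = [datetime]::MinValue
        $parsed  = [datetime]::TryParse($rule.Description, [ref]$created)
        if ($parsed -and ($now - $created).TotalHours -ge $blockHours) {
            $rule | Remove-NetFirewallRule
            Write-Output "$now - Unblocked IP: $($rule.DisplayName -replace '^AUTOBLOCK - ')"
        }
    }

    # 2. Block remote addresses at or above the limit, skipping allowlisted ones.
    Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue |
        Group-Object -Property RemoteAddress |
        Where-Object { $_.Count -ge $connectionLimit -and $_.Name -notin $allowlist } |
        ForEach-Object {
            $name = "AUTOBLOCK - $($_.Name)"
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                # Limit the block to the MU ports so an RDP session from the
                # same address is not cut off by this rule.
                New-NetFirewallRule -DisplayName $name -Description $now.ToString('o') `
                    -Direction Inbound -Action Block -Protocol TCP `
                    -LocalPort '44405', '55901-55910' -RemoteAddress $_.Name | Out-Null
                Write-Output "$now - Blocked IP: $($_.Name) ($($_.Count) connections)"
            }
        }

    Start-Sleep -Seconds $intervalSeconds
}
```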

Warning: Never run MuServer as the SYSTEM or Administrator account in production. Create a dedicated service account with minimum required permissions. The firewall is one security layer — combine it with antivirus, Windows updates, and log monitoring for effective server protection.

Frequently asked questions

Which ports does MU Online require open?

ConnectServer uses port 44405 (TCP). Each GameServer uses 55901-55910 (TCP, one port per server instance). DataServer uses 55980 (TCP, internal communication only). The web panel uses 80 and 443. Never expose SQL Server port 1433 directly to the internet.

How do I block brute-force login attacks?

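Combine firewall rules with rate-limiting: block IPs attempting more than 10 simultaneous connections on port 44405 using netsh advfirewall, and create a SQL Server trigger on the MEMB_INFO table to log failures and optionally call xp_cmdshell to ban the IP via netsh. Keep in mind that xp_cmdshell is disabled by default and runs operating-system commands under the SQL Server service account, so a scheduled script that reads dbo.SecurityLog and applies the block keeps command execution out of the database.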

What if the server becomes unreachable after applying rules?

Access your VPS via KVM/IPMI console (not RDP) so you retain access even if port 3389 gets blocked. Run 'netsh advfirewall reset' to restore defaults, then reapply rules one by one to identify the culprit.

How do I protect the web panel (webEngineNET/PHP) alongside the firewall?

Restrict /admin directory access by IP in IIS (via applicationHost.config or web.config with <ipSecurity>), enable HTTPS with a self-signed or Let's Encrypt certificate, and block port 80 on the external firewall leaving only port 443 open.

ViciadosMU Team

ViciadosMU editorial team, a MU Online portal online since 2003.