Profiles
Open Network configuration > Profiles.
Profiles are ready-made protections for common server use cases, including game servers.
Table inputs and columns
Section titled “Table inputs and columns”| Column | Meaning |
|---|---|
| Profile | The protection name. |
| Value | A setting the profile needs, usually a port number. |
| About | What the profile does and when to use it. |
| Status | Whether the profile is enabled or disabled. |
Anti-spoofing
Section titled “Anti-spoofing”Drops packets that pretend to come from private, loopback, or link-local IPv4 ranges.
Use it when:
- The interface is public-facing.
- The server should not receive private-source internet traffic.
Avoid it when:
- The server is used inside a private LAN.
- Private networks must reach services on this interface.
Only Cloudflare proxy
Section titled “Only Cloudflare proxy”Allows website traffic on ports 80 and 443 only from Cloudflare IPv4 proxy ranges.
Use it when:
- Your website uses Cloudflare proxy mode.
- Visitors should connect through your domain, not directly to the server IP.
Avoid it when:
- You do not use Cloudflare proxy mode.
- Direct access to ports
80or443is required.
Website rate-limiting
Section titled “Website rate-limiting”Temporarily blocks clients that send unusually high-volume website traffic.
This profile protects HTTP, HTTPS, and HTTP/3-style QUIC traffic on your selected ports. It is useful when a small number of sources are sending too much traffic and you want LetSecure to slow them down before the web server has to handle the packets.
Input:
| Input | What to enter |
|---|---|
| HTTP port | The port used for plain HTTP. Default is 80. |
| HTTPS port | The port used for HTTPS and QUIC. Default is 443. |
Use it when:
- Your website is public and receives bursts from abusive clients.
- You want a simple rate-limiting profile for web ports.
Avoid it when:
- Your website legitimately receives very high traffic from a small number of IPs.
- You need application-level request rules, such as path-based or login-specific limits.
Website DDoS Protection
Section titled “Website DDoS Protection”Keeps your website reachable during sudden traffic floods.
When attack traffic spikes, LetSecure temporarily limits unknown new visitors on your web ports while allowing recently active visitors to keep browsing. This is native XDP protection, so it works before traffic reaches your web server.
Input:
| Input | What to enter |
|---|---|
| HTTP port | The port used for plain HTTP. Default is 80. |
| HTTPS port | The port used for HTTPS. Default is 443. |
| New connections | How many new web connections are allowed during the window. |
| Window seconds | The time window used for the connection threshold. |
| Lockdown seconds | How long unknown new visitors are limited after the threshold is crossed. |
| Trusted seconds | How long recently active visitors stay trusted. |
Use it when:
- Your website must stay available during traffic floods.
- You want established visitors to have a better chance of staying connected.
- You need host-level protection even before the web server or reverse proxy responds.
Avoid it when:
- You need full HTTP request inspection. HTTPS requests are encrypted before they reach XDP, so this profile tracks connection behavior, not page URLs.
- Your site frequently receives large legitimate bursts of new visitors and you have not tuned the threshold yet.
SSH Anti-brute-force
Section titled “SSH Anti-brute-force”Drops high-rate new SSH connection attempts and temporarily blocks abusive IPs.
Input:
| Input | What to enter |
|---|---|
| SSH port | The port your SSH server uses. Default is 22. |
If SSH uses another port, enter the correct port before enabling the profile.
SSH IP allowlist
Section titled “SSH IP allowlist”Allows SSH connections only from one selected IPv4 address or CIDR and drops other IPv4 TCP traffic to the selected SSH port.
Input:
| Input | What to enter |
|---|---|
| Allowed IPv4/CIDR | The source IP address or subnet that may open SSH. |
| SSH port | The port your SSH server uses. Default is 22. |
Keep a provider console or another access path available before enabling an SSH access rule.
How to change a profile value
Section titled “How to change a profile value”- Disable the profile.
- Change the value.
- Enable the profile again.
- Test the service.