Game servers · 9 min read · Updated May 2026 · by Hostini Team

How to Open Port 30120 on the FiveM Firewall (Linux and Windows)

Technical guide to open port 30120 (TCP+UDP) on the FiveM firewall for Ubuntu, Debian, AlmaLinux and Windows Server. Includes verification and troubleshooting.

Your FiveM server is running, the FXServer console shows Server started, sv_licenseKey was validated, but players report a timeout when trying to connect. In 9 out of 10 new cases, the problem is port 30120 blocked at the operating system firewall or at the provider’s security group — not at FiveM itself.

This guide covers how to open port 30120 (TCP and UDP) on Ubuntu/Debian with UFW, AlmaLinux/Rocky with firewalld, direct iptables rules, and Windows Server with the Windows Defender Firewall. It also shows how to verify the port is actually reachable from outside and what to do when the problem persists.

Estimated execution time: 5 to 10 minutes, depending on the operating system and whether you already have administrative access.

Prerequisites

Before opening the port, confirm that FXServer is running and listening on 30120. Without that, opening the firewall solves nothing.

Prerequisites

Root or sudo access on the server. FXServer installed and running with server.cfg configured. The server’s public IP address (curl ifconfig.me returns it). On cloud hosts (AWS, GCP, Hetzner, Hostini), access to the network panel to adjust security groups if needed.

Default FiveM port 30120
Protocol TCP + UDP
txAdmin panel (optional) 40120/TCP
Direction Inbound

Quickly confirm that FXServer is listening on the port before touching the firewall:

sudo ss -tulnp | grep 30120

If it returns two lines (one tcp and one udp) with FXServer next to them, the service is ready. If it returns nothing, start the server first — there is no point in opening a port for something that is not running.

Ubuntu and Debian with UFW

UFW is the most common firewall frontend on Ubuntu 22.04/24.04 and Debian 12. The commands below open 30120 TCP+UDP and persist the rule across reboots.

01

Check the current UFW status:

sudo ufw status verbose

If the output is Status: inactive, UFW is off and iptables is probably empty too. Confirm the port is not already blocked by another layer before enabling UFW — activating it without proper rules can lock you out of SSH.

02

First, make sure SSH stays open:

sudo ufw allow 22/tcp

If you changed the SSH port (e.g. 2222), use the correct number. This step is defensive — skip it if you know SSH is already covered.

03

Open port 30120 on both protocols:

sudo ufw allow 30120/tcp
sudo ufw allow 30120/udp

Each command adds an inbound rule allowing any source. To restrict to a specific IP range (rare on a public game server), use sudo ufw allow from 1.2.3.0/24 to any port 30120.

04

If UFW is inactive, enable it now:

sudo ufw enable

Confirm with y when prompted. The rules added in the previous step are already in place — you will not lock yourself out if SSH was allowed in step 02.

05

Confirm the rules were applied:

sudo ufw status numbered

Expected output should include two lines referencing port 30120 — one 30120/tcp ALLOW and another 30120/udp ALLOW.

AlmaLinux, Rocky and CentOS with firewalld

Red Hat-based distributions use firewalld as the default firewall manager. The syntax is different from UFW but the result is equivalent.

01

Check if firewalld is active:

sudo systemctl status firewalld

If it is inactive, enable it with sudo systemctl enable --now firewalld before continuing.

02

Add permanent rules to the public zone (the default zone on most installations):

sudo firewall-cmd --permanent --zone=public --add-port=30120/tcp
sudo firewall-cmd --permanent --zone=public --add-port=30120/udp

The --permanent flag writes the rule to the configuration file; without it, the rule disappears on the next firewalld restart.

03

Reload firewalld to apply the saved rules:

sudo firewall-cmd --reload

This command is safe — it does not drop existing connections.

04

Confirm the active rules:

sudo firewall-cmd --list-ports

The output should list 30120/tcp 30120/udp together with any other ports previously opened (e.g. 22/tcp).

Direct iptables rules

If you manage the firewall manually via iptables (without UFW or firewalld), the rules need to be inserted explicitly and persisted with the iptables-persistent package (Debian/Ubuntu) or iptables-services (Red Hat).

sudo iptables -A INPUT -p tcp --dport 30120 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 30120 -j ACCEPT
Manual iptables persistence

Rules added with iptables -A disappear on the next reboot. On Debian/Ubuntu, install iptables-persistent and run sudo netfilter-persistent save. On Red Hat, use sudo service iptables save. Without that, the server comes back without the rule after any restart.

Windows Server with Defender Firewall

On Windows Server 2019, 2022 and Windows 10/11 used as a FiveM host, Defender Firewall blocks inbound traffic by default. Create the rule via PowerShell to avoid clicking around the GUI.

01

Open PowerShell as Administrator (right-click the icon, “Run as administrator”).

02

Create the inbound rule for TCP/30120:

New-NetFirewallRule -DisplayName "FiveM TCP 30120" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 30120 `
  -Action Allow `
  -Profile Any

The -Profile Any flag applies to Public, Private and Domain networks — needed because cloud servers show up as Public on Windows.

03

Repeat for UDP/30120:

New-NetFirewallRule -DisplayName "FiveM UDP 30120" `
  -Direction Inbound `
  -Protocol UDP `
  -LocalPort 30120 `
  -Action Allow `
  -Profile Any
04

Confirm both rules exist:

Get-NetFirewallRule -DisplayName "FiveM*" | Format-Table DisplayName, Enabled, Direction, Action

Expected output: two lines with Enabled True, Direction Inbound and Action Allow.

External verification

Opening the port on the operating system does not guarantee it is reachable from outside — cloud providers (AWS, GCP, Hetzner) add a security group layer that must be adjusted separately.

From an external machine (your local computer, another VPS, or via a public service), test with:

nmap -p 30120 -sU -sT YOUR_PUBLIC_IP

The -sU flag tests UDP, -sT tests TCP. Expected output:

PORT      STATE         SERVICE
30120/tcp open          unknown
30120/udp open|filtered unknown

UDP frequently appears as open|filtered because it is stateless — nmap cannot tell apart “open port with no response” from “port filtered by firewall”. This is normal and does not indicate a problem if TCP returned open.

Quick test without nmap

If you don’t have nmap installed, use the site canyouseeme.org or run nc -zv YOUR_IP 30120 from another Linux machine. For UDP, nc -zuv YOUR_IP 30120. The results are less reliable than nmap but enough for a quick check.

Troubleshooting

nmap returns filtered on both protocols

It means some layer is blocking the packets before they reach your operating system. Usually it is:

  1. The cloud provider’s security group (AWS, GCP, Azure, Hetzner Cloud)
  2. The datacenter network firewall
  3. A NAT router between you and the internet (if it is a home server)

Open the provider’s panel and add an inbound TCP+UDP/30120 rule to the security group associated with the instance. On Hostini dedicated servers or VPS, there is no external security group — the operating system firewall is the only layer, so filtered usually points to a wrong rule in UFW/firewalld.

nmap returns closed on TCP

Firewall is fine but FXServer is not listening. Check:

sudo ss -tulnp | grep 30120

If empty, start FXServer and check the logs in ~/server-data/logs/. Common errors: endpoint_add_tcp pointing to the wrong IP in server.cfg, missing sv_licenseKey, or a conflict with another process already using the port.

Players connect but drop within seconds

Classic symptom of UDP blocked with TCP open. The initial handshake works (TCP), but the game traffic (UDP) does not pass through. Review whether the UDP rule was applied on every layer (operating system + security group).

txAdmin does not open in the browser

Port 30120 is only for the game. The txAdmin panel listens on 40120/TCP by default. Open that port separately, but restricted to your home IP (security):

sudo ufw allow from YOUR_HOME_IP to any port 40120 proto tcp

Next steps

With the port open and the server reachable, consider:

  • Configuring fail2ban to block brute-force attacks on SSH, since the server now has a public-facing port exposed
  • Enabling detailed connection logs in FXServer (con_miniconChannels in server.cfg) to investigate individual connectivity issues
  • Implementing automatic backups of server-data/resources/ and the MySQL database before promoting the server publicly
  • Evaluating dedicated DDoS protection if you expect more than 32 simultaneous slots — attacks against FiveM servers are common and cheap

If you are putting a FiveM server into production and need low latency for Brazilian players, a Hostini VPS already ships with in-kernel packet filtering against L3/L4 DDoS and direct routing to IXBR — no bandwidth charges and no need to configure an external security group.

Frequently asked questions

Why does port 30120 need TCP and UDP at the same time?

FXServer uses UDP/30120 for the main game traffic (movement, state sync, voice) because it has low latency and tolerates packet loss. It uses TCP/30120 for the initial handshake, authentication against the master server, and the HTTP endpoint of the server browser. Opening only one of the protocols makes the server disappear from the list or connect and drop within seconds.

Can I use a port other than 30120?

Yes. Change `endpoint_add_tcp` and `endpoint_add_udp` in `server.cfg` to another port (e.g. 30125) and open the new port on the firewall instead of 30120. Players have to connect using `connect IP:PORT` with the new port, since the FiveM client assumes 30120 by default.

I opened the port but the server does not show up on the server browser. What's missing?

Check if `sv_master1` is enabled in `server.cfg` (the default usually covers it), if the server has a valid `sv_licenseKey` from Keymaster, and if port 30120/TCP is also open for outbound. FXServer makes an outbound call to the master server to announce itself — blocking outbound TCP also causes the same symptom.

Do I need to open any other port besides 30120?

For a basic FiveM server, only 30120 (TCP+UDP). If you run txAdmin, the web panel opens on port 40120/TCP by default — open that only to your IP, never to the whole internet. If you use external MySQL/MariaDB, consider 3306 but restricted by IP.

How do I know if the problem is the server firewall or the datacenter/provider firewall?

Run `nmap -p 30120 YOUR_IP` from an external machine. If it returns `filtered`, some layer is silently blocking — probably a security group or network firewall at the provider. If it returns `closed`, the operating system firewall accepted the packet but nothing is listening on the port (FXServer is not running). If it returns `open`, the path is clear and the problem is somewhere else (e.g. licenseKey).

Can I just disable the firewall instead of opening the port?

Technically yes, but don't. Disabling ufw/firewalld/iptables exposes SSH, admin panels and any local service to the entire internet. On game servers this is a vector for intrusion and DDoS amplification. Always prefer opening only the ports you actually need.

Topics:
fivem firewall
Next steps VPS, dedicated or managed panel for FiveM, SAMP, MTA, Tibia and more.Host your game server with Hostini →
Was this tutorial helpful?
Chat on WhatsApp