FAQ

Last change on 2023-11-16 • Created on 2020-03-08 • ID: CL-19613

What are Hetzner Cloud Firewalls?

Hetzner Cloud Firewalls allow you to easily secure your servers by specifying the network traffic that's allowed to reach your server and what traffic your server is allowed to send out.

Are Cloud Firewalls stateful?

Yes, our Cloud Firewalls are stateful and track individual network connections and their states to and from your server. If your server sends out a request to the internet, the response traffic to that request is automatically allowed through the Firewall, and you don't need a separate inbound rule. Please note that some older protocols (e.g. FTP, TFTP, SIP, PPTP) might use additional ports besides the ones you have already allowed. This traffic is not considered response traffic and will be blocked if the Firewall does not include a rule that allows those additional ports. Whether additional ports are actually needed, and which ports exactly, depends on the configuration and use of the protocols. To avoid any connection issues, you should check if your use case requires you to allow any additional port ranges in the Firewall.

How do the Firewalls work?

The Firewalls allow you to define a set of rules for incoming and outgoing network traffic of your cloud server.

For the inbound direction (network traffic to your server): Your rules define all traffic that is allowed to reach the server. The inbound direction has an implicit "deny" at the end. All traffic that doesn't match any of your rules will be dropped and will not reach your server. If you don't define any rules here, all inbound traffic will be dropped.

For the outbound direction (network traffic from your server to the internet): If you don't define any rules for the outbound direction, all traffic is allowed. If you define one or more outbound rules, the outbound direction also changes to implicit "deny", and all traffic that doesn't match your rules is dropped.

What are the limitations of Firewalls?

  • Assign up to 5 active Firewalls per server
  • Create up to 50 Firewalls total across your projects
  • Have up to 500 (effective) rules per Firewall
  • Have up to 80000 active, concurrent connections per server (10000 new connections per second)

Is there traffic that's always allowed?

Yes, our Firewall will always allow traffic from certain Hetzner services to reach your server. This currently includes DNS resolver traffic, traffic from the Hetzner rescue system, and the cloud metadata server.

What is an effective rule?

The number of your Firewall's effective rules depends on how many different sources or destinations you have specified for each rule. An inbound rule that allows traffic to port 80 for 8 different sources counts as 8 effective rules.

Can I specify traffic that should get dropped?

No, you only define what traffic is allowed to and from your server. All other traffic will be dropped.

Can I assign multiple Firewalls to a single server?

Yes. In that case all rules from the assigned Firewalls will be combined and enforced on the server.

Does the order of my rules matter?

No, the order of your Firewall rules does not matter, since our Firewalls define what traffic is allowed.
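The following added example (not Hetzner's code) models the rule semantics described in the answers above: combined allow-only rules from several Firewalls, the implicit "deny" per direction, and effective-rule counting. The rule dictionary layout, function names and sample addresses are assumptions made for this sketch. It covers only new TCP/UDP connections and leaves out stateful response traffic and the always-allowed Hetzner services.

```python
import ipaddress

# Constructed sample Firewalls; the dict layout is an assumption for this example.
WEB = [
    {"direction": "in", "protocol": "tcp", "port": "80",
     "ips": ["0.0.0.0/0", "::/0"]},
    {"direction": "in", "protocol": "tcp", "port": "22",
     "ips": ["203.0.113.0/24"]},
]
EGRESS = [
    {"direction": "out", "protocol": "tcp", "port": "443",
     "ips": ["0.0.0.0/0", "::/0"]},
]

def effective_rules(firewall):
    """Each source/destination entry of a rule counts as one effective rule."""
    return sum(len(rule["ips"]) for rule in firewall)

def port_matches(spec, port):
    """spec is a single port ("80") or a range ("1024-2048")."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def is_allowed(firewalls, direction, protocol, port, remote_ip):
    """Check one new connection against the Firewalls assigned to a server
    (at least one Firewall is assumed to be assigned)."""
    # Rules of all assigned Firewalls are combined; order is irrelevant
    # because every rule is an allow rule.
    rules = [r for fw in firewalls for r in fw if r["direction"] == direction]
    if not rules:
        # No rules: inbound drops everything, outbound allows everything.
        return direction == "out"
    addr = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if rule["protocol"] != protocol or not port_matches(rule["port"], port):
            continue
        # An IPv4 address never matches an IPv6 network and vice versa.
        if any(addr in ipaddress.ip_network(net) for net in rule["ips"]):
            return True
    return False  # implicit "deny" once the direction has any rule
```

Note the side effect visible when `EGRESS` is assigned next to `WEB`: a single outbound rule on any assigned Firewall switches the server's whole outbound direction to implicit "deny".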

What protocols do Firewalls support?

You can filter TCP, UDP, ICMP, ESP and GRE traffic. All other protocols (like IPIP) will be dropped if you attach a Firewall. GRE is supported over IPv4 only; GRE traffic over IPv6 will be dropped.

Can Firewalls be applied to my Hetzner Cloud Load Balancers?

Not yet, but we plan to offer this functionality in the future.

Can Firewalls secure traffic to my private Hetzner Cloud Networks?

Not yet, because we consider the private networks to be "secure". We might later add the ability to secure private Cloud Networks.

Will you add more features in the future?

Yes, we plan to extend Hetzner Cloud Firewalls with more features and options in the future.
