Hetzner Cloud Firewalls allow you to easily secure your servers by specifying the network traffic that's allowed to reach your server and what traffic your server is allowed to send out.
Yes, our Cloud Firewalls are stateful and track individual network connections and their states to and from your server. If your server sends out a request to the internet, the response traffic to that request is automatically allowed through the Firewall, and you don't need a separate inbound rule. For protocols like SIP, the Firewall will also track "related" connections.
The Firewalls allow you to define a set of rules for incoming and outgoing network traffic of your cloud server. For the inbound direction (network traffic to your server): your rules define all traffic that is allowed to reach the server. The inbound direction has an implicit "deny" at the end: all traffic that doesn't match any of your rules is dropped and never reaches your server. If you don't define any rules here, all inbound traffic is dropped.
For the outbound direction (network traffic from your server to the internet): If you don't define any rules for the outbound direction, all traffic is allowed. If you define one or more outbound rules, the outbound direction also changes to implicit "deny", and all traffic that doesn't match your rules is dropped.
- Assign up to 5 active Firewalls per server
- Create up to 50 Firewalls total across your projects
- Have up to 500 (effective) rules per Firewall
- Have up to 80000 active, concurrent connections per server (10000 new connections per second)
Yes, our Firewall will always allow traffic from certain Hetzner services to reach your server. This currently includes DNS resolver traffic, traffic from the Hetzner rescue system, and the cloud metadata server.
The number of your Firewall's effective rules depends on how many different sources or destinations you have specified for each rule. An inbound rule that allows traffic to port 80 for 8 different sources counts as 8 effective rules.
No, you only define what traffic is allowed to and from your server. All other traffic will be dropped.
Yes. In that case all rules from the assigned Firewalls will be combined and enforced on the server.
No, the order of your Firewall rules does not matter, since our Firewalls define what traffic is allowed.
You can filter TCP, UDP, ICMP, ESP and GRE traffic. All other protocols (like IPIP) will be dropped if you attach a Firewall. GRE is supported for IPv4 only; GRE traffic over IPv6 will be dropped.
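To make the evaluation semantics described above concrete (stateful replies, inbound implicit deny, outbound allow-all until the first outbound rule, effective-rule counting, combined Firewalls, order independence, the protocol allow-list and the GRE-over-IPv6 drop), here is a small Python model. It is an added illustration, not Hetzner's code or API; the rule and packet shapes, the `established` set and the sample Firewalls are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Protocols the FAQ says a Cloud Firewall filters; anything else (e.g. IPIP) is dropped.
SUPPORTED = {"tcp", "udp", "icmp", "esp", "gre"}

@dataclass(frozen=True)
class Rule:
    direction: str           # "in" or "out"
    protocol: str
    ips: tuple               # source CIDRs for "in", destination CIDRs for "out"
    port: int | None = None  # TCP/UDP port; None for icmp/esp/gre

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str           # source for inbound, destination for outbound
    port: int | None = None  # server port for inbound, remote port for outbound

def effective_rules(firewalls):
    """A rule with N sources/destinations counts N times towards the 500 limit."""
    return sum(len(r.ips) for fw in firewalls for r in fw)

def is_allowed(firewalls, pkt, established=frozenset()):
    """Decide one packet against every Firewall attached to the server.
    `established` holds (protocol, peer_ip) pairs of connections the server opened;
    their replies pass without an inbound rule (simplified: real tracking keys on ports too)."""
    proto = pkt.protocol.lower()
    peer = ip_address(pkt.remote_ip)
    if proto not in SUPPORTED or (proto == "gre" and peer.version == 6):
        return False
    if pkt.direction == "in" and (proto, str(peer)) in established:
        return True
    rules = [r for fw in firewalls for r in fw if r.direction == pkt.direction]
    if pkt.direction == "out" and not rules:
        return True  # no outbound rules at all: everything out is allowed
    for r in rules:  # order is irrelevant: any matching rule allows
        if r.protocol != proto or (r.port is not None and r.port != pkt.port):
            continue
        if any(peer in ip_network(c, strict=False) for c in r.ips):
            return True
    return False  # implicit deny once the direction has any rule

# Constructed sample: two Firewalls attached to one server; their rules combine.
WEB_FW = (Rule("in", "tcp", ("0.0.0.0/0", "::/0"), 80),
          Rule("in", "tcp", ("0.0.0.0/0", "::/0"), 443))
ADMIN_FW = (Rule("in", "tcp", ("203.0.113.10/32",), 22),)
FIREWALLS = (WEB_FW, ADMIN_FW)
```

Adding a single outbound rule to `FIREWALLS` flips the outbound direction from allow-all to implicit deny, which is the behaviour to keep in mind before locking down egress.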
Not yet, but we plan to offer this functionality in the future.
Not yet, because we consider the private networks to be "secure". We might later add the ability to secure private Cloud Networks.
Yes, we plan to extend Hetzner Cloud Firewalls with more features and options in the future.