Last change on 2022-09-21 • Created on 2020-03-25


Hetzner Online's stateless firewall is a free security solution for your dedicated root server. On the customer administration interface Robot, you can use the firewall feature to define your own filtering settings for incoming traffic.

With our stateless firewall, or static firewall, data packets are not unpacked; rather, the head of each individual packet is inspected, and depending on the pre-defined settings, the firewall will decide whether to allow or reject these packets. In this way, the firewall prevents unpermitted access to your server.

However, with firewalls, it is important to remember that they do not actually recognize attempted attacks themselves. They only enforce a set of pre-defined rules for network communications. In addition to our stateless firewall feature, Hetzner Online offers DDoS protection; therefore, you have yet another security guard to protect your dedicated root servers from Internet dangers.

The firewall for Robot customers (who use dedicated root servers) is configured to the switch port and filters incoming IPv4 traffic.

How do I activate the firewall?

You can activate the firewall by going to Main functions -> Servers. Then choose the server you would like, go to Firewall, and activate it. If you activate the firewall before entering any firewall rules, you will block all incoming traffic.

The firewall will immediately become active and will be configured to the switch. The configuration takes approximately 20-30 seconds.

Firewall active

Firewall rules

You can use a maximum of 10 rules.


  • Name: You can choose any name you like. Only special characters are not permitted.
  • Destination IP and source IP: You can enter IP addresses either as single IPs or as a subnet in CIDR notation (for example, <> or <>). Since the firewall is configured on the switch port, the rule without specified destination IP will apply to all IP addresses for the server.
  • Destination port and source port: You can enter ports as single ports or port ranges (for example, 80 or 32768-65535).
  • Protocol: Selection of protocol (for example, TCP or UDP).
  • TCP flags: You can enter TCP flags (syn, fin, rst, psh, urg) individually or as a logical combination (| for logical OR = At least one of the flags must be set; & for logical AND = All flags must be set).
  • Action: The action defines what should happen with the packets when a rule applies, meaning it defines if the packets should be rejected (discard) or if they should be forwarded (accept).


Rules are applied in the same order as they are defined in Robot. They are executed from top to bottom. You can change the order of the rules after you enter them by using the green arrow icons at the end of each rule.

If rule #1 does not apply, then rule #2 will be checked. If rule #2 also does not apply, then rule #3 will be checked and so on until one rule applies and the packet is either discarded or accepted in accordance with the defined action. If the second rule applies, for example, then all rules after that will not be checked. If none of the rules apply, then the packet will be discarded.

Rule Prioritizing

Enabling Hetzner Services

By clicking on the checkbox Hetzner Services, you can activate all important infrastructural services from Hetzner Online without having to do any additional configuration. If you activate this option, services such as the Hetzner Rescue-System, DNS, Backup-Server/StorageBoxes, System Monitor (SysMon) will no longer be blocked, but will rather be enabled.

Out-going TCP connections

A static firewall only makes decisions about packets by inspecting individual packets. Therefore, the firewall doesn't "keep track of" whether or not an incoming packet belongs to an outgoing connection from the server. For this reason, unless you enter an additional rule, all outgoing connections from the server will not work. Server services (for example, enabling webservers for port 80) are not affected.

You can use the following rule to generally allow all responses to TCP connections:

 Source IP: No entry
 Destination IP: No entry
 Source port: No entry
 Destination port: 32768-65535 (Ephemeral Port Range)
 Protocol: tcp
 TCP flags: ack
 Action: accept

By entering IP addresses and TCP ports, you can, of course, make this rule more restrictive.


The server <> establishes a connection to the external webserver and sends the following TCP packet:

 Source IP:
 Destination IP:
 Source port: 44563 (random port from the ephemeral port range)
 Destination port: 80
 Protocol: tcp
 TCP flags: syn

In this example, the outgoing packet is not blocked by the firewall at all since only incoming connections are filtered.

The webserver <> responds with the following packet:

 Source IP:
 Destination IP:
 Source port: 80
 Destination port: 44563
 Protocol: tcp
 TCP flags: syn & ack

This packet is blocked without the additional rule. So a connection cannot be established.

Firewall templates

If you click on the Firewall templates button in the server overview (Main functions -> Servers), you can create your own rulesets. Then you can paste these rules via the drop-down menu for the servers' firewall configuration and configure them.

In addition, there are several pre-defined example templates for common server services by default.


You can also configure your firewall via the Robot web service (API).

Table of Contents