When you open the Firewall tab, you will see an interface with the following elements:
Firewall template – Offers a set of predefined rules for services such as SSH, Webserver, Mailserver and FTP.
Status – Determines the state of the Firewall. By default, it is set to "Active."
Hetzner Services – When you check this box, all Hetzner services are added to the Firewall exceptions, such as the Hetzner Rescue-System, DNS, Backup-Server/StorageBoxes and System Monitor (SysMon).
You can set a maximum of 10 rules for the Firewall.
When attempting to add a rule, you will see the following fields:
Name – The name of the rule (any name you like).
Source IP – The source IP address from which the connection to your server originates.
Destination IP – The target address (i.e., your server; the Firewall filters incoming traffic only).
Source Port – The source port on the Source IP side; you can specify multiple values separated by commas.
Destination Port – The ports on your dedicated server; you can also specify multiple ports separated by commas.
Protocol – The protocol the rule applies to. The available options are:
"*" – All protocols.
TCP – One of the main transport protocols. It establishes a connection before data is transferred, discards duplicate packets and retransmits packets that are lost or corrupted. Unlike UDP, it therefore provides a much higher guarantee of packet delivery.
UDP – A fast, connectionless protocol designed for transmitting large volumes of data at high speed. Its main advantage over TCP is speed, but it does not detect lost packets or retransmit them; if needed, this is handled at the application level.
GRE – A protocol used for tunneling packets.
ICMP – Used by network devices to report information about network conditions and errors.
IPIP – Encapsulates one IP packet inside another, adding an outer IP header with its own Source and Destination IP.
AH – The IPsec Authentication Header; it authenticates transmitted packets and protects against replayed (duplicate) packets.
ESP – The IPsec Encapsulating Security Payload; it secures traffic by encrypting packets and can also provide the authentication that AH provides.
Next, let's look at the available TCP flags: syn, fin, rst, psh and urg. You can specify a single flag or a logical combination of flags.
| – Logical "OR": at least one of the listed flags must be set in the packet.
& – Logical "AND": all of the listed flags must be set in the packet.
Examples of such combinations can include:
Action – What happens to a packet that matches the rule:
Accept – Allow the packet through.
Discard – Reject the packet.
Rules are evaluated in order, from top to bottom.
If Rule #1 does not match, Rule #2 is checked; if Rule #2 does not match either, Rule #3 is checked, and so on, until a rule matches and the packet is discarded or accepted according to that rule's action. Once a rule matches (for instance, the second one), the remaining rules are not checked. If no rule matches, the packet is discarded.
For example, let's block all SSH connections to the server (port 22). To do this, create a Discard rule for destination port 22 and place it above the rule that accepts all packets for all protocols, so that it takes precedence.
After applying the new rule set, try to connect to the server over SSH: the connection fails, because the rule you just created rejects it.
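To make the top-to-bottom evaluation, the "|"/"&" flag combinations and the SSH example above concrete, here is a small first-match simulator. It is an added example, not Hetzner code and not the Firewall's actual implementation: the `Rule` and `Packet` classes, their field names, the CIDR syntax for IP fields, the "a-b" port-range syntax, the "one operator per flag expression" restriction and the sample addresses (203.0.113.5, 198.51.100.10, from documentation address space) are this example's own assumptions; the fields, the flag semantics, the 10-rule limit and the "discard when nothing matches" default follow the text.

```python
# Added example: first-match firewall rule evaluation modelled on the fields
# described above. Not Hetzner code; field names, CIDR/port-range syntax and the
# sample addresses are assumptions made for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple

TCP_FLAGS = {"syn", "fin", "rst", "psh", "urg"}   # flags named on the page
ACTIONS = {"accept", "discard"}
MAX_RULES = 10


@dataclass
class Rule:
    name: str
    action: str                       # "accept" or "discard"
    src_ip: Optional[str] = None      # address or CIDR (assumed syntax); None = any
    dst_ip: Optional[str] = None
    src_port: Optional[str] = None    # "22", "80,443" or "1000-1002"; None = any
    dst_port: Optional[str] = None
    protocol: str = "*"               # "*", "tcp", "udp", "gre", "icmp", "ipip", "ah", "esp"
    tcp_flags: Optional[str] = None   # "syn", "syn|fin" or "syn&fin" (one operator per rule)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    flags: FrozenSet[str] = frozenset()


def parse_ports(spec: str) -> Set[int]:
    """'22' -> {22}; '80,443' -> {80, 443}; '1000-1002' -> {1000, 1001, 1002}."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def port_matches(spec: Optional[str], port: Optional[int]) -> bool:
    if spec is None:                  # field left empty: any port
        return True
    return port is not None and port in parse_ports(spec)


def ip_matches(spec: Optional[str], addr: str) -> bool:
    if spec is None:                  # field left empty: any address
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def flags_match(spec: Optional[str], flags: FrozenSet[str]) -> bool:
    """'|' = at least one listed flag set, '&' = all listed flags set, a bare name = that flag set."""
    if spec is None:
        return True
    if "|" in spec and "&" in spec:
        raise ValueError("mixing | and & in one expression is not supported in this example")
    op = "|" if "|" in spec else "&"
    wanted = {f.strip().lower() for f in spec.split(op)}
    unknown = wanted - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return any(f in flags for f in wanted) if op == "|" else all(f in flags for f in wanted)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "*" and rule.protocol.lower() != pkt.protocol.lower():
        return False
    if rule.tcp_flags is not None and pkt.protocol.lower() != "tcp":
        return False                  # flag conditions only apply to TCP packets
    return (ip_matches(rule.src_ip, pkt.src_ip)
            and ip_matches(rule.dst_ip, pkt.dst_ip)
            and port_matches(rule.src_port, pkt.src_port)
            and port_matches(rule.dst_port, pkt.dst_port)
            and flags_match(rule.tcp_flags, pkt.flags))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first matching rule decides. No match: discard."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"the Firewall allows at most {MAX_RULES} rules")
    for rule in rules:
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r} in rule {rule.name!r}")
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "discard", None


# The SSH example from the text. Addresses are constructed sample values.
ALLOW_ALL = Rule("Allow everything", "accept")   # protocol "*", all other fields empty
BLOCK_SSH = Rule("Block SSH", "discard", protocol="tcp", dst_port="22")
SSH_SYN = Packet("203.0.113.5", "198.51.100.10", "tcp", 51234, 22, frozenset({"syn"}))
HTTPS_SYN = Packet("203.0.113.5", "198.51.100.10", "tcp", 51235, 443, frozenset({"syn"}))


def demo() -> dict:
    return {
        "block_above_allow": evaluate([BLOCK_SSH, ALLOW_ALL], SSH_SYN),  # SSH discarded
        "block_below_allow": evaluate([ALLOW_ALL, BLOCK_SSH], SSH_SYN),  # rule never reached
        "https_unaffected": evaluate([BLOCK_SSH, ALLOW_ALL], HTTPS_SYN),
        "empty_rule_list": evaluate([], SSH_SYN),                        # default: discard
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18s} -> {result}")
```

The `block_below_allow` case is the one to keep in mind when editing rules in the interface: the same Discard rule placed below the accept-all rule is never consulted, so the order in the list, not the rule's existence, decides whether port 22 is reachable. The flag expressions behave exactly as the text describes: `syn&fin` only matches a packet carrying both flags, while `syn|fin` matches either one.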
To revert changes, simply delete the new rule and save the list.
You can experiment with rules and even build a small DDoS-protection setup; it will not be extremely effective, but it can provide some level of defence.