
General information about the Basic firewall product

Basic Firewall is a free stateless firewall. It analyzes and filters all incoming and outgoing IPv4 traffic according to the filtering rules you add.

A basic firewall can only be created for a public dedicated subnet (VLAN) of a dedicated server. You can view all created firewalls in the control panel: in the top menu, click Products → Dedicated Servers → the Basic firewall section.

The basic firewall does not protect the network from DDoS attacks. For this purpose, Servercore blocks some TCP/UDP ports by default and enables Servercore Protection.

Principle of operation

The basic firewall is deployed on the access layer router and is not configured by default.

To restrict traffic flow, add rules and activate the rule list. The rules are executed sequentially, in the order they appear in the list. When the first rule is added, the base rule is automatically activated: all traffic that is not allowed by the rules is prohibited. The base rule cannot be deleted.

The firewall analyzes incoming and outgoing traffic based on the values of the parameters in the rules:

  • protocol — TCP, UDP, ICMP, IPIP, GRE, ESP, NA protocols are supported;
  • port or range of ports of the traffic source (source port);
  • port or range of ports of the traffic destination (destination port);
  • IP address or subnet of the traffic source (source address);
  • IP address or subnet of the traffic destination (destination address).

The basic firewall processes each packet in isolation — it does not remember established connections and does not monitor the state of TCP sessions. When analyzing traffic, the firewall checks only the header of each packet for compliance with the rules:

  • outgoing packets are inspected by outgoing rules only;
  • incoming packets are checked only against incoming rules, even if the incoming packet is a response to an authorized outgoing request.

For example, suppose a rule that allows incoming SSH connections on port 22 has been added to the basic firewall. For the server to be able to send responses to SSH requests, you must also add a rule for outgoing traffic: either allow all outgoing traffic or allow outgoing packets only from port 22. For more information about configuring basic firewall rules, see the Basic Firewall Rules Configuration Examples subsection of the Manage Basic Firewall Rules tutorial.
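The SSH case above can be checked with a small model of stateless, first-match filtering. This is an added example, not Servercore's code: the Rule class, the evaluate function, the field names and the sample addresses are assumptions, as are the "deny" action and the reading that a firewall with no rules filters nothing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                      # "allow" or "deny" (assumed field, not from the page)
    proto: str
    src: str = "0.0.0.0/0"           # source address or subnet
    dst: str = "0.0.0.0/0"           # destination address or subnet
    sport: tuple = (0, 65535)        # source port range, inclusive
    dport: tuple = (0, 65535)        # destination port range, inclusive

    def matches(self, p):
        # Only header fields are compared; no connection state is consulted.
        return (p["proto"] == self.proto
                and ip_address(p["src"]) in ip_network(self.src)
                and ip_address(p["dst"]) in ip_network(self.dst)
                and self.sport[0] <= p["sport"] <= self.sport[1]
                and self.dport[0] <= p["dport"] <= self.dport[1])

def evaluate(rules, direction, packet):
    """Return "allow" or "deny" for one packet, judged in isolation."""
    if not rules["in"] and not rules["out"]:
        return "allow"               # assumed: an unconfigured firewall filters nothing
    for rule in rules[direction]:    # only the list for this direction is consulted
        if rule.matches(packet):
            return rule.action       # rules run in list order; first match decides
    return "deny"                    # base rule: anything not allowed is prohibited

# Constructed sample traffic (documentation address ranges, RFC 5737).
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
request = {"proto": "tcp", "src": CLIENT, "dst": SERVER, "sport": 50514, "dport": 22}
reply = {"proto": "tcp", "src": SERVER, "dst": CLIENT, "sport": 22, "dport": 50514}

def ssh_scenario(with_outgoing_rule):
    """Verdicts for (incoming SSH request, outgoing SSH reply)."""
    rules = {"in": [Rule("allow", "tcp", dst=SERVER + "/32", dport=(22, 22))], "out": []}
    if with_outgoing_rule:
        rules["out"].append(Rule("allow", "tcp", src=SERVER + "/32", sport=(22, 22)))
    return evaluate(rules, "in", request), evaluate(rules, "out", reply)

if __name__ == "__main__":
    print("incoming rule only:", ssh_scenario(False))
    print("with outgoing rule:", ssh_scenario(True))
```

With only the incoming rule, the request is accepted but the server's reply is dropped by the base rule, so the session never completes; adding the outgoing rule for source port 22 lets the reply through.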

Cost

A basic firewall is provided free of charge.

Limitations

Up to 15 rules can be configured per traffic direction.

Up to 30 IP addresses or subnets can be added to each rule for source address and destination address.

Only one firewall can be created per VLAN.