Product Description Basic Firewall

A basic firewall is a free stateless firewall (a firewall without state tracking). It analyzes and filters all incoming and outgoing IPv4 traffic according to the filtering rules you add.

You can create a basic firewall only for a public dedicated subnet (VLAN) of a dedicated server or colocated equipment. You can view all created firewalls in the control panel: in the top menu, click Products → Dedicated Servers → the Basic Firewall section.

Basic firewall does not protect the network from DDoS attacks. For this purpose, Selectel has some TCP/UDP ports blocked by default, and Selectel Protection is enabled.

If you need a stateful firewall (firewall with state tracking), order a firewall with advanced features.

How it works

A basic firewall is deployed on the access layer router and is not configured by default.

To restrict traffic flow, add rules and activate the rule list. Rules are executed sequentially, in the order they appear in the list. When the first rule is added, a basic rule is automatically applied: all traffic not permitted by the rules is denied. You cannot delete the basic rule.

The firewall analyzes incoming and outgoing traffic based on the parameter values in the rules:

  • protocol — supported protocols are TCP, UDP, ICMP, IPIP, GRE, ESP, AH;
  • the port or range of ports of the traffic source (source port);
  • the port or range of ports of the traffic destination (destination port);
  • IP address or subnet of the traffic source (source address);
  • IP address or subnet of the traffic destination (destination address).

A basic firewall processes each packet in isolation — it does not remember established connections and does not track the state of TCP sessions. When analyzing traffic, the firewall checks only the header of each packet for compliance with the rules:

  • outgoing packets are checked only against outgoing rules;
  • incoming packets are checked only against incoming rules, even if an incoming packet is a response to an allowed outgoing request.

For example, suppose a rule is added to the basic firewall that allows incoming SSH connections on port 22. For the server to send responses to SSH requests, you must also add a rule for outgoing traffic: either allow all outgoing traffic, or allow outgoing packets only from port 22. Learn more about basic firewall rule settings in the Basic firewall rule usage examples subsection of the Manage basic firewall rules guide.
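The following toy model, added here as an illustration and not Selectel's implementation or control-panel API, shows why the stateless behaviour described above requires a separate outgoing rule. Rules carry the parameters the page lists (protocol, source and destination port ranges, source and destination addresses or subnets), are evaluated in order with first match winning, and fall through to the automatic "deny everything else" rule once any rule exists. The rule and address limits are the ones stated under Limitations; the IP addresses, port numbers and the `ssh_scenario` helper are constructed for the example.

```python
"""Toy stateless (per-packet, no connection tracking) firewall model.

Added illustration only; not Selectel's code. Treats the automatic
"deny everything not permitted" rule as applying to both directions as
soon as any rule exists (assumption), and as absent while no rules exist
(the page says the firewall is not configured by default).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTOCOLS = {"TCP", "UDP", "ICMP", "IPIP", "GRE", "ESP", "AH"}
MAX_RULES_PER_DIRECTION = 15   # limit stated on the page
MAX_ADDRESSES_PER_RULE = 30    # limit stated on the page


@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    protocol: Optional[str] = None                # None matches any protocol
    src_ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any
    dst_ports: Optional[Tuple[int, int]] = None
    src_addrs: List[str] = field(default_factory=list)  # CIDR strings; [] = any
    dst_addrs: List[str] = field(default_factory=list)

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        if self.protocol is not None and self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol}")
        if max(len(self.src_addrs), len(self.dst_addrs)) > MAX_ADDRESSES_PER_RULE:
            raise ValueError("too many addresses in one rule")


@dataclass
class Packet:
    direction: str           # "in" or "out"
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for port-less protocols such as ICMP
    dst_port: Optional[int] = None


def _port_ok(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def _addr_ok(nets, ip):
    return not nets or any(ip_address(ip) in ip_network(n, strict=False) for n in nets)


def matches(rule, pkt):
    """True if every field set on the rule matches the packet header."""
    return (
        (rule.protocol is None or rule.protocol == pkt.protocol)
        and _port_ok(rule.src_ports, pkt.src_port)
        and _port_ok(rule.dst_ports, pkt.dst_port)
        and _addr_ok(rule.src_addrs, pkt.src_ip)
        and _addr_ok(rule.dst_addrs, pkt.dst_ip)
    )


class StatelessFirewall:
    def __init__(self):
        self.rules = {"in": [], "out": []}

    def add_rule(self, direction, rule):
        lst = self.rules[direction]
        if len(lst) >= MAX_RULES_PER_DIRECTION:
            raise ValueError("rule limit for this direction reached")
        lst.append(rule)

    def decide(self, pkt):
        # Only the list for the packet's own direction is consulted; an incoming
        # reply to an allowed outgoing request gets no special treatment.
        for rule in self.rules[pkt.direction]:
            if matches(rule, pkt):
                return rule.action
        if not self.rules["in"] and not self.rules["out"]:
            return "allow"   # nothing configured yet: no filtering
        return "deny"        # automatic basic rule


def ssh_scenario(with_outgoing_rule):
    """Incoming SSH allowed on port 22; optionally allow replies from port 22.

    Returns (verdict for the client's request, verdict for the server's reply).
    Addresses and ports below are constructed sample values.
    """
    fw = StatelessFirewall()
    fw.add_rule("in", Rule("allow", "TCP", dst_ports=(22, 22)))
    if with_outgoing_rule:
        fw.add_rule("out", Rule("allow", "TCP", src_ports=(22, 22)))
    request = Packet("in", "TCP", "203.0.113.10", "198.51.100.5", 51234, 22)
    reply = Packet("out", "TCP", "198.51.100.5", "203.0.113.10", 22, 51234)
    return fw.decide(request), fw.decide(reply)


if __name__ == "__main__":
    print("incoming-only rule:", ssh_scenario(False))   # reply is denied
    print("with outgoing rule:", ssh_scenario(True))    # reply is allowed
```

Running the script shows the request accepted in both cases, but the server's reply dropped until a matching outgoing rule exists, which is exactly the behaviour a stateful firewall would handle automatically.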

Cost

A basic firewall is provided free of charge.

Limitations

You can set up to 15 rules for each traffic direction.

For each rule, you can add up to 30 IP addresses or subnets for the traffic source (source address) and traffic destination (destination address).

You can create only one firewall for a single VLAN.