Using Hetzner’s Free Firewall Instead of UFW

When you spin up a new server on Hetzner it has a public IP address. Anything on that IP is exposed to the entire internet. The first thing you should think about is a firewall.

Most tutorials will tell you to install and configure ufw, the Uncomplicated Firewall. It is a tool that runs on your server and filters incoming and outgoing connections. This is a reasonable default. But for servers hosted on Hetzner there is a better way that is simpler and more secure.

The Firewall on Your Server

A host-based firewall like ufw runs as software directly on your server. It uses a small amount of CPU and memory to inspect network packets and decide whether to allow or deny them based on a set of rules you define.

This is like putting a strong lock on the door to your apartment. It is effective. If someone tries to access a port you have blocked ufw will stop them.

But it has weaknesses. Because it runs on the server it can only act on traffic that has already reached the server’s network interface. And if an attacker gains root access to your machine they can simply disable the firewall. The lock on your apartment door is useless if the thief is already inside with you.

Managing ufw also requires you to SSH into each machine to make changes. This is fine for one server but it becomes tedious with five or ten.

The Firewall in the Cloud

Hetzner provides a free service called Cloud Firewall. This is a network-level firewall. It does not run on your server. It runs on Hetzner’s infrastructure in front of your server.

This is like having a security guard at the main entrance to your apartment building. Unwanted visitors are stopped before they even get into the building, let alone reach your floor. This is a fundamentally more secure position.

Traffic that you block with the Cloud Firewall never even reaches your server. It does not consume any of your server’s CPU or memory. An attacker who compromises your machine cannot disable it from inside the server; the rules can only be changed by someone with access to your Hetzner account or an API token that is allowed to edit firewalls, so keep those credentials off the server itself. And you can apply a single firewall policy to dozens of servers at once from a central web interface.

For most applications this is a better starting point. It is simpler to manage, more efficient and arguably more secure.

A Simple Practical Setup

Setting up a basic firewall for a web server takes about two minutes. You want to deny all incoming traffic by default and then specifically allow only what you need.

A standard web server needs to allow three things: SSH for you to manage it, HTTP for web traffic and HTTPS for secure web traffic.

Here is how to configure that in the Hetzner Cloud console:

  1. Navigate to the Firewall section in the sidebar.
  2. Click 'Add firewall'. Give it a descriptive name like web-server-default.
  3. You will see two tabs: 'Inbound' and 'Outbound'. We will focus on Inbound rules.
  4. Click 'Add rule'. For the first rule you must lock down SSH. Under 'Protocol' select TCP. For 'Port' enter 22. For 'Source IPs' you should add only your own IP address. If you do not know it you can find it by searching for “what is my ip”. This ensures only you can try to log in. If your connection has a dynamic IP address you will need to update this rule when it changes, otherwise you will lock yourself out; the rule is edited in the console, so you never need to reach the server to fix it.
  5. Add another rule for HTTP traffic. Select TCP as the protocol, enter 80 for the port and leave the 'Source IPs' as 'Any IPv4' and 'Any IPv6'.
  6. Add a final rule for HTTPS traffic. Select TCP, enter 443 for the port and again allow all source IPs.

Your inbound rules should look something like this:

# Inbound Rules
Protocol   Port   Source IPs
--------------------------------------
TCP        22     [Your IP Address]
TCP        80     Any IPv4, Any IPv6
TCP        443    Any IPv4, Any IPv6

The default outbound rules allow all traffic. This is generally fine as it lets your server download software updates or connect to external APIs.

Once you save the firewall go to the 'Applied To' tab inside the firewall’s settings. Select the servers you want to protect and apply the ruleset. The change is instant.
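The same ruleset can be expressed as the JSON body that the Hetzner Cloud API's create-firewall endpoint accepts, which is handy once you manage more than a couple of servers. The block below is an added example, not code from the original post or from Hetzner; the admin address 203.0.113.10 and the server id 42 are constructed placeholders. It builds the web-server-default definition and runs the one check a reviewer wants before applying it: that no inbound rule opens an admin port such as SSH to the whole internet.

```python
"""Build and sanity-check a Hetzner Cloud Firewall definition (added example)."""
import ipaddress
import json

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def cidr(value: str) -> str:
    """Normalise an address or prefix to CIDR form.

    A bare address becomes a /32 (or /128). Host bits must be zero, so a
    typo such as "203.0.113.10/24" raises ValueError instead of silently
    widening the allowed source range.
    """
    return str(ipaddress.ip_network(value, strict=True))


def rule(direction: str, protocol: str, port, source_ips, description: str = "") -> dict:
    """One rule in the shape the API uses; port is a string and may be a range like "8000-8010"."""
    return {
        "direction": direction,
        "protocol": protocol,
        "port": str(port),
        "source_ips": [cidr(ip) for ip in source_ips],
        "description": description,
    }


def web_server_firewall(admin_ip: str, server_id: int) -> dict:
    """The three inbound rules from the post: SSH from the admin IP only,
    HTTP and HTTPS from anywhere. No outbound rules are given, so outbound
    traffic keeps the default of being allowed."""
    return {
        "name": "web-server-default",
        "rules": [
            rule("in", "tcp", 22, [admin_ip], "SSH, admin only"),
            rule("in", "tcp", 80, [ANY_V4, ANY_V6], "HTTP"),
            rule("in", "tcp", 443, [ANY_V4, ANY_V6], "HTTPS"),
        ],
        "apply_to": [{"type": "server", "server": {"id": server_id}}],
    }


def port_covers(spec: str, port: int) -> bool:
    """True if a rule's port field ("22" or a range such as "20-30") includes port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exposed_admin_ports(firewall: dict, admin_ports=(22,)) -> list:
    """Admin ports that some inbound TCP/UDP rule opens to Any IPv4 or Any IPv6.

    An empty list is what you want to see before applying the firewall.
    """
    bad = []
    for r in firewall["rules"]:
        if r["direction"] != "in" or r["protocol"] not in ("tcp", "udp"):
            continue  # outbound and ICMP rules carry no port to check
        world = {ANY_V4, ANY_V6} & set(r["source_ips"])
        for p in admin_ports:
            if world and port_covers(r["port"], p) and p not in bad:
                bad.append(p)
    return bad


if __name__ == "__main__":
    fw = web_server_firewall("203.0.113.10", 42)
    assert exposed_admin_ports(fw) == []
    print(json.dumps(fw, indent=2))
```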

When to Use Both

The Cloud Firewall and ufw are not mutually exclusive. You can use both. This is called defense in depth.

The Cloud Firewall acts as your coarse outer perimeter. It blocks the vast majority of malicious scans and probes. ufw can then be used for more specific rules inside your network.

For example you could use the Cloud Firewall to allow traffic between two of your servers on a private network. Then you could use ufw on the database server to ensure it only accepts connections on the database port from the web server’s private IP. This adds another layer of protection if one of your machines is compromised.

But for a single server running a web application the Hetzner Cloud Firewall alone is often sufficient. It is simpler to reason about and provides excellent protection.

It is a free, powerful tool that you get with the platform. Using it should be your default choice for securing your instances. It saves you time and reduces the attack surface of your servers.



— Rishi Banerjee
September 2025