
Best Practices

Recommendations for designing and rolling out firewall rules safely.

  • Start with Fall through. Don't change the default policy until you've added the rules you need. Once the firewall is doing what you want, then tighten to Drop or loosen to Accept.
  • Order specific rules above general ones. Rules are matched top to bottom and the first match wins, so a rule that allows one IP must sit above a rule that drops a CIDR range containing it; otherwise the broader drop matches first and the allow rule is never reached.
  • Prefer Drop over Accept as the default for security-sensitive services. Explicit allow-lists are easier to reason about than block-lists, and harder for attackers to bypass.
  • Use stateful rules (NEW + ESTABLISHED + RELATED) for TCP services where return traffic matters. With stateless rules you have to write a second rule for the reply direction, and that rule can only match on addresses and ports, so it also admits unsolicited packets that merely look like replies (for example, anything sent from source port 443).
  • Apply sweeping changes during a maintenance window, especially a switch of the default policy to Drop, and make sure you have an out-of-band way to reach the host in case a rule locks you out.
  • Document your intent — keep a note alongside your firewall describing why each rule exists. The UI doesn't have a notes field per rule, so an external doc or runbook helps.
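The ordering and stateful-versus-stateless points above are easiest to see by running packets through a rule list. The following is an added example, not the firewall product's own code: a toy first-match evaluator with a connection-tracking table. The rule fields, the state names NEW/ESTABLISHED, the Accept/Drop default policies and the sample addresses are assumptions chosen to mirror the vocabulary on this page; RELATED (helper-parsed flows such as FTP data) and the Fall through policy are not modelled.

```python
"""Added example: toy first-match firewall with connection tracking.
Not the product's engine; rule syntax and semantics are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"
NEW_EST = frozenset({"NEW", "ESTABLISHED"})
EST = frozenset({"ESTABLISHED"})

# Constructed sample addresses (documentation ranges), not real hosts.
HOST, CLIENT = "192.0.2.10", "198.51.100.7"
WEB, ATTACKER = "203.0.113.50", "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "accept" or "drop"
    src: str = ANY                      # source CIDR
    dst: str = ANY                      # destination CIDR
    proto: Optional[str] = None         # None matches any protocol
    sport: Optional[int] = None         # None matches any source port
    dport: Optional[int] = None         # None matches any destination port
    states: Optional[frozenset] = None  # None = stateless (ignores conntrack)

    def matches(self, pkt: Packet, state: str) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport)
                and (self.states is None or state in self.states))


class Firewall:
    """First match wins; unmatched packets get the default policy."""

    def __init__(self, rules, default="drop"):
        self.rules = list(rules)
        self.default = default
        self.flows = set()  # conntrack table of accepted 5-tuples

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state_of(self, p: Packet) -> str:
        seen = self._flow(p) in self.flows or self._reverse(p) in self.flows
        return "ESTABLISHED" if seen else "NEW"

    def evaluate(self, p: Packet) -> str:
        state = self.state_of(p)
        verdict = next((r.action for r in self.rules if r.matches(p, state)),
                       self.default)
        if verdict == "accept" and state == "NEW":
            self.flows.add(self._flow(p))  # start tracking the new flow
        return verdict


def ordering_demo():
    """Broad drop above the specific allow: the allow never fires."""
    pkt = Packet("10.0.0.5", HOST, "tcp", 40000, 22)
    allow_host = Rule("accept", src="10.0.0.5", dst=HOST, proto="tcp", dport=22)
    drop_net = Rule("drop", src="10.0.0.0/8")
    broad_first = Firewall([drop_net, allow_host], "accept").evaluate(pkt)
    specific_first = Firewall([allow_host, drop_net], "accept").evaluate(pkt)
    return broad_first, specific_first


def stateful_demo():
    """Default Drop plus stateful allows: replies pass, forged replies do not."""
    fw = Firewall([
        Rule("accept", dst=HOST, proto="tcp", dport=22, states=NEW_EST),  # inbound SSH
        Rule("accept", src=HOST, states=NEW_EST),                         # host-initiated
        Rule("accept", states=EST),                                       # replies to tracked flows
    ])
    return [fw.evaluate(p) for p in (
        Packet(CLIENT, HOST, "tcp", 40000, 22),     # SSH opener: NEW, rule 1
        Packet(HOST, CLIENT, "tcp", 22, 40000),     # SSH reply: ESTABLISHED
        Packet(HOST, WEB, "tcp", 40001, 443),       # outbound HTTPS: NEW, rule 2
        Packet(WEB, HOST, "tcp", 443, 40001),       # HTTPS reply: ESTABLISHED, rule 3
        Packet(ATTACKER, HOST, "tcp", 443, 40001),  # unsolicited, forged sport 443: NEW
    )]


def stateless_demo():
    """Without conntrack, HTTPS replies need a 'source port 443' rule,
    and that rule cannot tell a real reply from an unsolicited packet."""
    base = [Rule("accept", dst=HOST, proto="tcp", dport=22), Rule("accept", src=HOST)]
    reply_rule = Rule("accept", dst=HOST, proto="tcp", sport=443)
    bare, patched = Firewall(base), Firewall(base + [reply_rule])
    reply = Packet(WEB, HOST, "tcp", 443, 40001)
    forged = Packet(ATTACKER, HOST, "tcp", 443, 40001)
    return bare.evaluate(reply), patched.evaluate(reply), patched.evaluate(forged)
```

Run the three demos before touching a live policy: `ordering_demo()` shows the broad drop shadowing the host allow until the order is swapped, `stateful_demo()` shows a Drop default with stateful allows passing legitimate replies while dropping a packet that merely claims to come from port 443, and `stateless_demo()` shows the extra reply rule a stateless policy forces you to add and the forged packet it lets through.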
