
Types of Server Firewall Rules

Each firewall rule consists of three parts:

  • Action: whether traffic should be allowed or denied
  • Destination port: the destination TCP or UDP port (or range of ports) the rule pertains to
  • Source address: the source IP address (or range of addresses) the rule pertains to


All traffic to your server that is not explicitly allowed by an allow rule is blocked. Therefore, most of the rules you create in HeatShield will be allow rules that permit necessary traffic to your servers, such as HTTP/HTTPS traffic to your web servers.

Occasionally, you might want to deny specific traffic that would have otherwise been allowed by an allow rule you created.

For example, you might have an allow rule that allows HTTP traffic (TCP port 80) from all IP addresses, but there's a particular IP address you still want blocked.

This is the purpose of a deny rule. Since deny rules are processed before allow rules, a specific deny rule to block a particular address will take precedence over a more general allow rule.

Destination Port

When services like web servers and database servers receive traffic, that traffic comes in to a specific port and protocol used by that service. For example, some common services and the ports and protocols they use are:

  • SSH: TCP port 22
  • HTTP: TCP port 80
  • HTTPS: TCP port 443
  • MySQL: TCP port 3306
  • DNS: UDP port 53

Each rule you create in HeatShield can apply to one of the following:

  • A single port on a specific protocol
  • A range of ports on a specific protocol
  • All ports of both protocols for a specific source

Port Ranges

You can specify a range of contiguous ports in a single rule by giving the start and end ports separated by a hyphen (-). For example, 60000-61000 represents ports 60000 through 61000, inclusive.

Any Port

You can also permit any port from a particular source by using the Any port selection.

A rule that permits Any port from Any source address is not allowed.

Source Address

When traffic comes in to your server, the source of the traffic always has an IP address. You can apply a firewall rule to traffic from a particular IP address by specifying that source IP address in the rule.

A rule's source IP address can be "Any" (meaning the rule applies to traffic from any address rather than a specific address), or it can be a specific IPv4 or IPv6 address.

You can also specify an address range for the source address by using CIDR notation. For example, is CIDR notation for the address range–
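The rule semantics described on this page (deny rules processed before allow rules, traffic blocked unless an allow rule matches, port ranges, "Any" port, and single-address or CIDR sources) can be checked against a rule set before you rely on it. The following is an added example, not HeatShield's own code: the Rule class, the function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
# Illustrative model of the documented rule semantics; not HeatShield's code.
import ipaddress
from dataclasses import dataclass

ANY = "Any"
def parse_ports(spec):
    """'80' -> (80, 80); '60000-61000' -> (60000, 61000); 'Any' -> None."""
    if spec == ANY:
        return None
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"; ignored when ports is "Any"
    ports: str    # single port, "start-end" range, or "Any"
    source: str   # "Any", one IPv4/IPv6 address, or a CIDR range

    def __post_init__(self):
        # The page states that permitting Any port from Any source is not allowed.
        if self.action == "allow" and self.ports == ANY and self.source == ANY:
            raise ValueError("allow Any port from Any source is not permitted")
        parse_ports(self.ports)  # reject malformed port specs early
        if self.source != ANY:
            ipaddress.ip_network(self.source, strict=False)

    def matches(self, proto, port, src):
        rng = parse_ports(self.ports)
        if rng and (proto != self.proto or not rng[0] <= port <= rng[1]):
            return False
        if self.source == ANY:
            return True
        return ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)

def decide(rules, proto, port, src):
    """Deny rules are checked first, then allow rules; anything else is blocked."""
    for action in ("deny", "allow"):
        if any(r.action == action and r.matches(proto, port, src) for r in rules):
            return action
    return "deny"  # default: traffic not explicitly allowed is blocked

# Constructed sample rule set (documentation address ranges, not real hosts).
RULES = [Rule("allow", "tcp", "80", ANY), Rule("deny", "tcp", "80", "198.51.100.7"),
         Rule("allow", "tcp", "22", "203.0.113.0/24"), Rule("allow", "udp", "60000-61000", ANY),
         Rule("allow", "any", ANY, "2001:db8::/32")]
```

Calling decide(RULES, "tcp", 80, "198.51.100.7") shows the specific deny rule overriding the general HTTP allow rule, while SSH from outside 203.0.113.0/24 falls through to the default block.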
