CIDR Blocks in Firewall & Security Group Rules
Learn how to use CIDR blocks in firewall rules, security groups, and NACLs. Covers allow/deny patterns, 0.0.0.0/0, and least-privilege IP access control.
Detailed Explanation
Using CIDR Blocks in Firewall Rules
CIDR notation is the standard way to specify IP address ranges in firewall rules, cloud security groups, and network ACLs. Understanding CIDR is essential for writing secure, precise access control rules.
Common CIDR Patterns in Rules
Allow from anywhere (dangerous)
0.0.0.0/0 -> All IPv4 addresses
::/0 -> All IPv6 addresses
Appropriate only for services that are intentionally public, such as HTTP/HTTPS on a web server or load balancer; administrative ports such as SSH should never be opened to these ranges.
Allow from a specific IP
203.0.113.42/32 -> Single IP address
Allow from your office network
198.51.100.0/24 -> 256 addresses (your office range)
Allow from a VPC / private network
10.0.0.0/16 -> Entire VPC
10.0.1.0/24 -> Specific subnet
AWS Security Group Examples
```json
{
  "IpPermissions": [
    {
      "IpProtocol": "tcp",
      "FromPort": 443,
      "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 22,
      "ToPort": 22,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}]
    }
  ]
}
```
Least-Privilege CIDR Selection
Always use the most specific CIDR possible:
| Instead of | Use | Why |
|---|---|---|
| 0.0.0.0/0 for SSH | Your office /24 or /32 | Limits attack surface |
| 10.0.0.0/8 | 10.0.1.0/24 (specific subnet) | Limits blast radius |
| /16 for a database | /24 of the app subnet only | Defense in depth |
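The audit the table describes can be automated against the `IpPermissions` structure shown above. The following script is an added example, not part of this page or of any AWS tooling: it uses Python's standard `ipaddress` module to flag `0.0.0.0/0` and `::/0` entries on ports that are not meant to be public, and to check that admin ports (SSH, RDP) are only reachable from an approved source list. The sample security group, the `PUBLIC_OK_PORTS`, `ADMIN_PORTS` and `APPROVED_ADMIN_SOURCES` values are constructed assumptions for this example (documentation ranges stand in for an office and a VPC); replace them with the policy of the environment being reviewed.

```python
import ipaddress
import json

# Constructed sample: the page's example security group with a third,
# over-permissive SSH entry added so the audit has something to flag.
SAMPLE_SG = json.loads("""
{
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]
}
""")

# Assumed policy for this example: only these ports may face the whole
# internet, and admin ports must come from one of these approved ranges.
PUBLIC_OK_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}
APPROVED_ADMIN_SOURCES = [ipaddress.ip_network("198.51.100.0/24"),  # "office"
                          ipaddress.ip_network("10.0.0.0/16")]      # "VPC"


def rule_cidrs(perm):
    """All IPv4 and IPv6 networks attached to one IpPermissions entry."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def rule_ports(perm):
    """Set of ports the entry opens; None means every port/protocol.

    Only tcp, udp and "-1" (AWS: all traffic) are treated as port-based;
    ICMP entries yield an empty set because they carry no ports.
    """
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return None
    if proto not in ("tcp", "udp", "6", "17"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or lo == -1:
        return None
    return set(range(lo, hi + 1))


def within_approved(net, approved=APPROVED_ADMIN_SOURCES):
    """True if the source range lies entirely inside one approved range."""
    if isinstance(net, str):
        net = ipaddress.ip_network(net, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in approved)


def audit_security_group(sg, public_ok_ports=PUBLIC_OK_PORTS,
                         admin_ports=ADMIN_PORTS, approved=APPROVED_ADMIN_SOURCES):
    """Return findings as (severity, cidr, ports, reason) tuples."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = rule_ports(perm)
        if ports is None:
            label = "all"
        else:
            label = f"{min(ports)}-{max(ports)}" if ports else "n/a"
        for net in rule_cidrs(perm):
            anywhere = net.prefixlen == 0  # 0.0.0.0/0 or ::/0
            if anywhere and ports is None:
                findings.append(("critical", str(net), label,
                                 "all traffic from anywhere"))
            elif anywhere and not ports <= public_ok_ports:
                findings.append(("high", str(net), label,
                                 "non-public port open to anywhere"))
            elif ports and ports & admin_ports and not within_approved(net, approved):
                findings.append(("medium", str(net), label,
                                 "admin port reachable from unapproved source"))
    return findings


if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_SG):
        print(*finding)
```

The same function can be fed the output of `aws ec2 describe-security-groups` (each group's `IpPermissions` list) to audit a whole account; the 443 rule from the page passes, the scoped SSH rule passes because `10.0.0.0/16` is itself an approved range, and the two added `0.0.0.0/0` and `::/0` SSH entries are reported.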
Checking Rule Overlaps
Enter all your firewall rule CIDRs in this calculator to identify:
- Rules that are redundant (one contains another)
- Rules that might conflict (overlapping allow and deny)
- Opportunities to merge rules via supernetting
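The three checks in the list above are each a containment or overlap test between networks. The following is an added example (not the calculator's own code) that implements them with Python's `ipaddress` module over a constructed rule set: redundancy is a same-action rule whose range is a subnet of another, a conflict is an allow and a deny whose ranges overlap, and merge candidates come from `ipaddress.collapse_addresses`, which only removes contained networks and joins exactly adjacent ones, so the merged list never covers an address the original rules did not. The sample rules are invented for the demonstration.

```python
import ipaddress
from itertools import combinations

# Constructed rule set (action, cidr) for the demonstration.
SAMPLE_RULES = [
    ("allow", "10.0.0.0/16"),
    ("allow", "10.0.1.0/24"),       # redundant: already inside 10.0.0.0/16
    ("deny",  "10.0.1.128/25"),     # conflicts with both allows above
    ("allow", "192.168.0.0/25"),
    ("allow", "192.168.0.128/25"),  # adjacent: merges into 192.168.0.0/24
]


def parse_rules(rules):
    """Turn (action, cidr) strings into (action, ip_network) pairs.

    strict=True rejects CIDRs with host bits set (e.g. 10.0.1.5/24), which
    usually indicates a typo in a firewall rule.
    """
    return [(action, ipaddress.ip_network(cidr, strict=True))
            for action, cidr in rules]


def find_redundant(parsed):
    """Pairs (contained, container) of same-action rules; the first is redundant."""
    out = []
    for i, (a1, n1) in enumerate(parsed):
        for j, (a2, n2) in enumerate(parsed):
            if i == j or a1 != a2 or n1.version != n2.version:
                continue
            if n1 == n2 and i < j:
                continue  # exact duplicate: report it once, from the later entry
            if n1.subnet_of(n2):
                out.append((str(n1), str(n2)))
    return out


def find_conflicts(parsed):
    """Pairs (allow, deny) whose ranges overlap; evaluation order decides the outcome."""
    out = []
    for (a1, n1), (a2, n2) in combinations(parsed, 2):
        if a1 != a2 and n1.version == n2.version and n1.overlaps(n2):
            allow, deny = (n1, n2) if a1 == "allow" else (n2, n1)
            out.append((str(allow), str(deny)))
    return out


def merge_candidates(parsed):
    """Per action, the minimal equivalent rule list after supernetting.

    collapse_addresses never widens coverage: it drops networks contained
    in others and joins only exactly adjacent, equal-sized networks.
    """
    out = {}
    for action in sorted({a for a, _ in parsed}):
        nets = [n for a, n in parsed if a == action]
        merged = []
        for version in (4, 6):
            same = [n for n in nets if n.version == version]
            merged.extend(ipaddress.collapse_addresses(same))
        out[action] = [str(n) for n in merged]
    return out


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("redundant:", find_redundant(parsed))
    print("conflicts:", find_conflicts(parsed))
    print("merged:   ", merge_candidates(parsed))
```

On the sample set this reports `10.0.1.0/24` as redundant within `10.0.0.0/16`, the deny on `10.0.1.128/25` as conflicting with both allow rules, and an allow list that collapses to `10.0.0.0/16` and `192.168.0.0/24`. A conflict is only a finding to review, not necessarily an error: on first-match firewalls and NACLs a narrower deny placed before a broader allow is a common and intentional pattern, so check rule order before changing anything.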
Use Case
Auditing AWS security group rules for overly permissive 0.0.0.0/0 entries, writing NACL rules with precise CIDR ranges, or reviewing firewall configurations to identify redundant or conflicting IP-based rules.