How-To

Writing Firewall Rules with CIDR Notation

How to express network access rules using CIDR blocks: allowing a range, blocking a subnet, AWS security groups, iptables, and cloud firewall examples.

CIDR in firewall rules

A CIDR block in a firewall rule means "match any IP address within this range." The cases you will meet most often:

| CIDR in rule | Meaning |
|---|---|
| 0.0.0.0/0 | All IPv4 addresses (the entire internet, private ranges included) |
| 10.0.0.0/8 | All traffic from any 10.x.x.x address |
| 192.168.1.0/24 | All traffic from 192.168.1.1 – 192.168.1.254 (the usable hosts; the rule itself matches all 256 addresses, .0 through .255) |
| 203.0.113.5/32 | Exactly one IP address: 203.0.113.5 (host route) |

AWS Security Group examples

# Allow HTTPS from anywhere
Inbound  TCP 443   0.0.0.0/0     ALLOW

# Allow SSH only from your office IP range
Inbound  TCP 22    203.0.113.0/24  ALLOW

# Allow PostgreSQL only from the app subnet
Inbound  TCP 5432  10.0.10.0/24  ALLOW

# Allow all traffic within the VPC
Inbound  ALL  ALL  10.0.0.0/16   ALLOW

# Allow all outbound (default)
Outbound ALL  ALL  0.0.0.0/0     ALLOW

iptables / nftables examples

# Allow HTTP and HTTPS from anywhere
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH from a specific subnet only
# Order matters: -A appends, so the ACCEPT must be added before the DROP,
# otherwise the DROP matches first and nobody gets in
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

# Block a specific CIDR range
# Appended with -A, this lands after the ACCEPT rules above and so does not
# stop HTTP/HTTPS from this range; use -I INPUT to insert it at the top if it must
iptables -A INPUT -s 198.51.100.0/24 -j DROP

# Allow MySQL from private network only (same ordering: ACCEPT first, then DROP)
iptables -A INPUT -p tcp --dport 3306 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

Common CIDR rule patterns

| Goal | CIDR to use | Notes |
|---|---|---|
| Allow all internet | 0.0.0.0/0 | Use with caution — open to all IPs |
| Allow only RFC 1918 (private) | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | Requires three separate rules |
| Allow only your VPC | 10.0.0.0/16 | Scope to your VPC CIDR exactly |
| Allow a single server | 203.0.113.5/32 | /32 = exactly one IP |
| Allow a /24 office range | 203.0.113.0/24 | Covers .1 through .254 (the rule also matches .0 and .255) |
| Block everything else | 0.0.0.0/0 (DENY) | Default-deny after allow rules; it must come last, since the first matching rule wins. AWS security groups have no deny rules and implicitly deny whatever is not allowed |
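The iptables block and the patterns table above are first-match lists, so rule order decides what actually happens. This added example (not from the page) evaluates a rule list in that order with Python's ipaddress module and flags sensitive ports opened to 0.0.0.0/0; the Rule class, the RULES list and the sample addresses are constructed for illustration.

```python
# Added example (not from the page): first-match evaluation of CIDR firewall rules with
# Python's ipaddress module, plus an audit for sensitive ports opened to 0.0.0.0/0.
# The rule list mirrors the page's iptables block; all addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SENSITIVE_PORTS = {22, 3306, 5432}  # SSH, MySQL, PostgreSQL, as in the page's examples

@dataclass(frozen=True)
class Rule:
    proto: str           # "tcp", "udp" or "all"
    port: Optional[int]  # None matches any port
    source: str          # source CIDR block, e.g. "10.0.0.0/8"
    action: str          # "ACCEPT" or "DROP"

    def matches(self, proto: str, port: int, src: str) -> bool:
        if self.proto != "all" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        # strict=False tolerates host bits set in the prefix, as iptables does
        return ip_address(src) in ip_network(self.source, strict=False)

# Same order as the page's iptables -A commands: ACCEPT before DROP for 22 and 3306.
RULES = [
    Rule("tcp", 80, "0.0.0.0/0", "ACCEPT"),
    Rule("tcp", 443, "0.0.0.0/0", "ACCEPT"),
    Rule("tcp", 22, "10.0.0.0/8", "ACCEPT"),
    Rule("tcp", 22, "0.0.0.0/0", "DROP"),
    Rule("all", None, "198.51.100.0/24", "DROP"),
    Rule("tcp", 3306, "192.168.0.0/16", "ACCEPT"),
    Rule("tcp", 3306, "0.0.0.0/0", "DROP"),
]

def evaluate(rules, proto: str, port: int, src: str, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(proto, port, src):
            return rule.action
    return policy

def world_exposed(rules) -> list:
    """Sorted SENSITIVE_PORTS that some ACCEPT rule opens to the whole internet (0.0.0.0/0)."""
    return sorted({r.port for r in rules if r.action == "ACCEPT" and r.port in SENSITIVE_PORTS
                   and ip_network(r.source, strict=False).prefixlen == 0})

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", 22, "10.20.30.40"))   # ACCEPT: inside 10.0.0.0/8
    print(evaluate(RULES, "tcp", 80, "198.51.100.7"))  # ACCEPT: the block rule is appended too late
```

Swapping the two SSH rules makes the DROP shadow the ACCEPT, which is the ordering mistake the iptables comments warn about.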