# Firewalls Limits

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.

- You can have a maximum of **10 Droplets per firewall** and **5 tags per firewall**. If you have more than 10 Droplets that need the same firewall, [tag](https://docs.digitalocean.com/products/droplets/how-to/tag/index.html.md) the Droplets, then add that tag to the firewall.
- Each firewall can have up to 50 total incoming and outgoing rules.
- You cannot apply cloud firewalls to [load balancers](https://docs.digitalocean.com/products/networking/load-balancers/index.html.md).
- Firewalls affect both public and [VPC network](https://docs.digitalocean.com/products/networking/vpc/index.html.md) traffic. Rules specific to either must specify the public or private IP range.
- Firewalls only support ICMP, TCP, and UDP.
- Firewalls block traffic at the network layer before that traffic reaches your resources. Because of this, traffic logs are not available.
- Adding new rules to a firewall does not terminate existing connections.
- Firewall rules are limited to 1,000 entries in the **Sources** or **Destinations** field. To filter more than 1,000 IPs, use tags or network ranges instead of listing individual IPs. More information is available in [How to Configure Firewall Rules](https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/index.html.md).
- DigitalOcean uses DHCP on port `67` to configure networking for Droplets using custom images. If you put a Droplet created from a custom image behind a firewall, including a [DIgitalOcean Cloud Firewall](https://docs.digitalocean.com/products/networking/firewalls/index.html.md), you need to [create an outbound UDP rule](https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/index.html.md) that opens port `67`.