Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced). As the AppliedTo tuples of the firewall rules can refer to dynamically modifiable constructs, the application of the AppliedTo firewall rules (i.e., rules that are specified to include an AppliedTo tuple) can be dynamically adjusted for different locations within a network by dynamically adjusting the membership of these modifiable constructs.