Cloud Firewall Rules Reference

Modified: 05 Jan 2015 18:04 UTC
Beta
Cloud Firewall is in beta at this time.

The Cloud Firewall rules apply to all instances in the same datacenter that have the Cloud Firewall feature enabled. Additions, updates and deletions of rules take effect immediately on all such instances.

The Default Rules

The default Cloud Firewall rules block all incoming traffic and allow all outgoing traffic. ICMP type 8 code 0 (echo request, i.e. ping) traffic is always allowed.

Specifying Rules

If you are using the CloudAPI command line tools, use the sdc-createfirewallrule command:

$ sdc-createfirewallrule --rule "from any to tag www allow tcp (port 80 and port 443)"
{
  "id": "28cabe50-73c8-4443-b499-46ac4de3dc0d",
  "rule": "FROM any TO tag www ALLOW tcp (PORT 80 AND PORT 443)",
  "enabled": false
}

Note that every rule has a unique id. Use this id to work with the rule later.

Use the --enabled option to create the rule and enable it immediately. You can also use sdc-enablefirewallrule. Use sdc-disablefirewallrule to disable a rule.

$ sdc-enablefirewallrule 28cabe50-73c8-4443-b499-46ac4de3dc0d
{
  "id": "28cabe50-73c8-4443-b499-46ac4de3dc0d",
  "rule": "FROM any TO tag www ALLOW tcp (PORT 80 AND PORT 443)",
  "enabled": true
}

If you are using CloudAPI directly, you specify the rule using a JSON payload like this:

{
    "rule": "FROM any TO all vms ALLOW tcp port 22",
    "enabled": true
}

The properties of this payload are:

Property Description
rule The rule, written according to the rule syntax described below.
enabled Whether the rule is enabled (true) or disabled (false).

Cloud Firewall Rule Syntax

The following sections provide syntax diagrams and examples for Cloud Firewall Rules.

rule

rule     ::= 'FROM' target_list 'TO' target_list action protocol

Block or allow traffic (action) from target_list to target_list on the given protocol

target_list

target_list
         ::= 'ANY'
           | 'ALL VMS'
           | '(' target ( 'OR' target )* ')'
           | target

Term Meaning
ANY Any machine anywhere on the Internet
ALL VMS All instances on this datacenter that have the Cloud Firewall feature enabled.

Examples

Note that all vms means every instance in the datacenter in which the rule is defined that has the Cloud Firewall feature enabled.

target

target   ::= 'IP ADDRESS'
           | 'SUBNET'
           | 'TAG' tag_string
           | 'TAG' tag_string '=' tag_value
           | 'VM' uuid

Term Meaning
IP ADDRESS An IPv4 address: nnn.nnn.nnn.nnn
SUBNET An IPv4 CIDR subnet nnn.nnn.nnn.nnn/mm
TAG tag_string Any instance in this datacenter that has the Cloud Firewall feature enabled and that has the tag tag_string
TAG tag_string = tag_value Any instance in this datacenter that has the Cloud Firewall feature enabled and that has the tag tag_string with the value tag_value
VM uuid The instance whose ID is uuid. The instance must be in this datacenter and have the Cloud Firewall feature enabled.

Examples

action

action   ::= 'BLOCK'
           | 'ALLOW'

Term Meaning
BLOCK Do not allow traffic.
ALLOW Allow traffic.

Actions can be one of ALLOW or BLOCK. Note that certain combinations of
actions and directions have no effect:

protocol

protocol ::= 'TCP' port_list
           | 'UDP' port_list
           | 'ICMP' type_list

Term Meaning
TCP port_list Rule applies to TCP traffic for the given ports.
UDP port_list Rule applies to UDP traffic for the given ports.
ICMP type_list Rule applies to ICMP traffic for the given types and codes.

For TCP and UDP, this specifies the port numbers that the rule applies to.
Port numbers must be between 1 and 65535, inclusive.

For ICMP, this specifies the ICMP type and optional code that the rule
applies to. Types and codes must be between 0 and 255, inclusive.

Examples:

port_list

port_list
         ::= '(' port ( 'AND' port )* ')'
           | port
           | '(' 'PORT ALL' ')'
           | 'PORT ALL'

Term Meaning
PORT ALL All TCP or UDP ports: 1 - 65535
port A single TCP or UDP port: 1 - 65535

port

port     ::= 'PORT' 1 - 65535

Term Meaning
PORT nnn A TCP or UDP port number in the range 1 - 65535.

type_list

type_list
         ::= '(' type ( 'AND' type )* ')'
           | type

type

type     ::= 'TYPE' 0 - 255 'CODE' 0 - 255
           | 'TYPE' 0 - 255

Term Meaning
TYPE nnn CODE mmm ICMP traffic of type nnn and code mmm
TYPE nnn ICMP traffic of type nnn and any code

TYPE and CODE both range from 0 to 255.

Error Messages

Some rules cannot be created because they would not affect any instances in the datacenter. The following rules would result in a "rule does not affect VMs" error message.

FROM any TO any ALLOW tcp port 22

FROM ip 192.168.1.3 TO subnet 192.168.1.0/24 ALLOW tcp port 22
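
The grammar in the syntax sections above, together with the range checks and the "rule does not affect VMs" error, can be captured in a small parser. The following is an added example, not code from Cloud Firewall, CloudAPI or the sdc-* tools: it implements the published EBNF (case-insensitive keywords, as the CLI output shows), rejects ports outside 1-65535 and ICMP types or codes outside 0-255, and rejects subnets whose host bits are set. The "affects VMs" test is inferred from the two error examples above (assumption: a rule must name at least one VM, TAG or ALL VMS target); the real service may apply additional checks.

```python
"""Parser and validator for the Cloud Firewall rule grammar (added example, not
product code). Keywords are case-insensitive; the affects-VMs check is inferred."""
import ipaddress
import re
import uuid

TOKEN_RE = re.compile(r"\(|\)|=|[^\s()=]+")  # words, parentheses and '=' are tokens


class RuleError(ValueError):
    """Raised for any rule the grammar, range or affects-VMs checks reject."""


class _Parser:
    def __init__(self, text):
        self.toks = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos].upper() if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise RuleError("unexpected end of rule")
        self.pos += 1
        return self.toks[self.pos - 1]

    def expect(self, kw):
        tok = self.take()
        if tok.upper() != kw:
            raise RuleError(f"expected {kw}, got {tok!r}")

    def number(self, lo, hi, what):
        tok = self.take()
        if not tok.isdigit() or not lo <= int(tok) <= hi:
            raise RuleError(f"{what} must be between {lo} and {hi}, got {tok!r}")
        return int(tok)

    def rule(self):  # rule ::= 'FROM' target_list 'TO' target_list action protocol
        self.expect("FROM")
        src = self.target_list()
        self.expect("TO")
        dst = self.target_list()
        action = self.take().upper()
        if action not in ("ALLOW", "BLOCK"):
            raise RuleError(f"action must be ALLOW or BLOCK, got {action!r}")
        proto = self.take().upper()
        if proto in ("TCP", "UDP"):
            detail = {"ports": self.port_list()}
        elif proto == "ICMP":
            detail = {"types": self.and_list(self.icmp_type)}
        else:
            raise RuleError(f"protocol must be TCP, UDP or ICMP, got {proto!r}")
        if self.pos != len(self.toks):
            raise RuleError(f"trailing input: {' '.join(self.toks[self.pos:])!r}")
        return {"from": src, "to": dst, "action": action, "protocol": proto, **detail}

    def target_list(self):  # 'ANY' | 'ALL VMS' | '(' target ('OR' target)* ')' | target
        if self.peek() == "ANY":
            self.take()
            return [("any",)]
        if self.peek() == "ALL":
            self.take()
            self.expect("VMS")
            return [("all vms",)]
        if self.peek() == "(":
            self.take()
            targets = [self.target()]
            while self.peek() == "OR":
                self.take()
                targets.append(self.target())
            self.expect(")")
            return targets
        return [self.target()]

    def target(self):  # 'IP' addr | 'SUBNET' cidr | 'TAG' key ['=' value] | 'VM' uuid
        kind = self.take().upper()
        try:
            if kind == "IP":
                return ("ip", str(ipaddress.IPv4Address(self.take())))
            if kind == "SUBNET":  # strict=True rejects a CIDR with host bits set
                return ("subnet", str(ipaddress.IPv4Network(self.take(), strict=True)))
            if kind == "VM":
                return ("vm", str(uuid.UUID(self.take())))
        except ValueError as exc:
            raise RuleError(f"bad {kind} target: {exc}") from None
        if kind == "TAG":
            key = self.take()
            if self.peek() == "=":
                self.take()
                return ("tag", key, self.take())
            return ("tag", key)
        raise RuleError(f"unknown target type {kind!r}")

    def port_list(self):  # PORT ALL may only stand alone, per the grammar
        ports = self.and_list(self.port)
        if "all" in ports and len(ports) > 1:
            raise RuleError("PORT ALL cannot be combined with other ports")
        return ports

    def port(self):  # port ::= 'PORT' 1-65535, or the special 'PORT ALL'
        self.expect("PORT")
        if self.peek() == "ALL":
            self.take()
            return "all"
        return self.number(1, 65535, "port")

    def icmp_type(self):  # type ::= 'TYPE' 0-255 ['CODE' 0-255]
        self.expect("TYPE")
        t = self.number(0, 255, "ICMP type")
        code = None
        if self.peek() == "CODE":
            self.take()
            code = self.number(0, 255, "ICMP code")
        return (t, code)

    def and_list(self, item):  # '(' item ('AND' item)* ')' | item
        paren = self.peek() == "("
        if paren:
            self.take()
        items = [item()]
        while self.peek() == "AND":
            self.take()
            items.append(item())
        if paren:
            self.expect(")")
        return items


def parse_rule(text):
    """Parse a rule string into a dict; raises RuleError on syntax or range errors."""
    return _Parser(text).rule()


def affects_vms(rule):
    """Inferred check: some side must name an instance (VM, TAG or ALL VMS)."""
    return any(t[0] in ("all vms", "tag", "vm") for t in rule["from"] + rule["to"])


def validate_rule(text):
    """Parse, then apply the 'rule does not affect VMs' check from Error Messages."""
    rule = parse_rule(text)
    if not affects_vms(rule):
        raise RuleError("rule does not affect VMs")
    return rule
```

Running validate_rule on the two rules listed under Error Messages raises RuleError("rule does not affect VMs"), while the rule from the sdc-createfirewallrule example parses to from=[("any",)], to=[("tag", "www")], ports=[80, 443]. Checking rules locally before submitting them is useful in review tooling: a typo such as a subnet with host bits set or an out-of-range port is caught before it reaches the API.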