Firewall rules reference

Modified: 17 Sep 2019 20:31 UTC

Firewall rules apply to all instances in the same data center that have Triton's firewall feature enabled. This document covers the following firewall rule topics:

The default rules

By default, when an instance is provisioned, the firewall is disabled. It must be enabled explicitly, either at provision-time or after an instance has been provisioned. If it is not enabled, all traffic is permitted, both inbound and outbound.

When firewall rules are enabled, the default rules apply. These rules block all incoming traffic and allow all outgoing traffic as follows:

Traffic to ICMP type 8 code 0 (ping) is always allowed.

Since the default behavior is to block all inbound connections and to allow all outbound connections, rules must be added to specify which inbound and outbound network connections are permitted or blocked.

Firewall rule commands

The following table lists firewall commands and their corresponding actions:

Command Function
triton fwrule create <RULE> Adds a new firewall rule for the specified account. New rules have a unique rule ID and are in an enabled state.
triton fwrule enable <FWRULE-ID> Enables the given firewall rule if it is disabled.
triton fwrule disable <FWRULE-ID> Disables the given firewall rule if it is enabled.
triton fwrule update <FWRULE-ID> <FIELD=VALUE ...> Updates the given rule record by adding/removing/updating the rule on all the required instances.
triton fwrule delete <FWRULE-ID> Removes the given firewall rule from all specified instances.
triton fwrule list Lists all firewall rules for the current account.
triton fwrule get <FWRULE-ID> Retrieves an individual firewall rule.
triton fwrule instances <FWRULE-ID> Lists all instances a firewall rule is applied to.
triton instance fwrules <instance> Lists all firewall rules applied to a specified instance.

Rule components

Rules are created with several different components:

There is also a global property on predefined rules which apply to all VMs in the data center. (You can use priorities to override the effects of these rules.)

Basic rule syntax

Triton firewall rules have the following syntax:

FROM <target a> TO <target b> <action> <protocol> <port>

Valid values

This table describes the valid values for each parameter:

Parameter  Description                            Argument
target     A list of sources and destinations     any, ip, subnet, tag, all vms, or instance
action     Describes the rule behavior            allow or block
protocol   Specifies what ports or types to use   TCP, UDP, ICMP, ESP, AH
port       Specifies the port number              a valid port number

Parameter limits

The limits for the parameters are:

Targets

Targets are FROM sources and TO destinations that use the following syntax:

chart of target list syntax

Target types

FROM targets and TO targets can be any of the following types:

Target Description
ANY Any machine anywhere on the Internet
ALL VMS All instances in a data center that have Triton's firewall feature enabled.
IP ADDRESS An IPv4 or IPv6 address: nnn.nnn.nnn.nnn
SUBNET CIDR A specified IPv4 or IPv6 subnet range
tag_string Any instance in a data center that has Triton's firewall feature enabled and that has the tag tag_string
tag_string = tag_value Any instance in a data center that has Triton's firewall feature enabled and that has the tag tag_string with the value tag_value
UUID An instance with the specified UUID. The instance must be in the specified data center and have Triton's firewall feature enabled.

Target type examples

To allow HTTP traffic (port 80) from any machine on the Internet to all instances in a data center:

FROM any TO all vms ALLOW tcp port 80

To allow SSH traffic between all instances in a data center:

FROM all vms TO all vms ALLOW tcp port 22

To allow HTTP traffic from any host to a specific VM:

FROM any to vm 04128191-d2cb-43fc-a970-e4deefe970d8 ALLOW tcp port 80

To block SMTP traffic to a specific IPv4 or IPv6 address:

FROM all vms to (ip 10.2.0.1 OR ip fd22::1234) BLOCK tcp port 25

To allow HTTPS traffic from a specific IPv4 subnet to a specific VM:

FROM subnet 10.8.0.0/16 TO vm 0f570678-c007-4610-a2c0-bbfcaab9f4e6 ALLOW tcp port 443

And to allow HTTPS traffic from a specific IPv6 subnet to the same VM, you can do:

FROM subnet fd22::/64 TO vm 0f570678-c007-4610-a2c0-bbfcaab9f4e6 ALLOW tcp port 443

Target lists

The vm, ip, subnet, and tag target types can be combined into a list surrounded by parentheses and joined by OR, such as:

( <target> OR <target> OR ... )

Target list examples

To block HTTPS traffic to an internal subnet and IP:

FROM (vm 163dcedb-828d-43c9-b076-625423250ee2 OR tag db) TO (subnet 10.2.2.0/24 OR ip 10.3.0.1) BLOCK tcp port 443

Action

Actions can ALLOW or BLOCK network traffic.

Term Meaning
ALLOW Allow traffic
BLOCK Do not allow traffic

Note that certain combinations of actions and directions have no effect.

Since the default policy blocks all incoming ports, this rule example has no effect on any instance:

FROM any TO all vms BLOCK tcp port 143

Since the default policy allows all outbound traffic, this rule example has no effect on any instance:

FROM all vms TO any ALLOW tcp port 25

Protocol

The protocol can be one of tcp, udp, icmp(6), ah, or esp. The protocol dictates whether ports or types can be used.

protocol ::= 'TCP' port_list
           | 'UDP' port_list
           | 'ICMP' type_list

Term            Meaning
TCP port_list   Rule applies to TCP traffic for the given ports.
UDP port_list   Rule applies to UDP traffic for the given ports.
ICMP type_list  Rule applies to ICMP traffic for the given types and codes.

For TCP and UDP, this specifies the port numbers that the rule applies to. Port numbers must be between 1 and 65535, inclusive.

For ICMP, this specifies the ICMP type and optional code that the rule applies to. Types and codes must be between 0 and 255, inclusive.

Ports

For TCP and UDP, port specifies the port numbers that the rule applies to.

Port examples

To allow HTTP and HTTPS traffic from any IP to all web servers:

FROM any TO tag www ALLOW TCP (port 80 AND port 443)

To allow pinging all instances in a data center (this is a default rule):

FROM any TO all vms ALLOW icmp TYPE 8 CODE 0

To block outgoing ping replies from all instances in a data center:

FROM all vms TO any BLOCK icmp TYPE 0

To allow UDP traffic from any IP to all tagged mosh servers:

FROM any TO tag mosh ALLOW udp PORTS 60000 - 61000

To allow TCP traffic from any web server to all tagged API servers:

FROM tag www TO tag api ALLOW tcp PORTS 10000 - 50000

ICMP types

ICMP specifies the ICMP type and optional code that the rule applies to. Types and codes must be between 0 and 255, inclusive.

ICMP type list

To allow pinging all VMs:

FROM any TO all vms ALLOW icmp TYPE 8 CODE 0

The IPv6 equivalent of this rule is:

FROM any TO all vms ALLOW icmp6 TYPE 128 CODE 0

To block outgoing replies:

FROM all vms TO any BLOCK icmp TYPE 0
FROM all vms TO any BLOCK icmp6 TYPE 129

Priority

Specifying a priority for a rule allows defining its relation with other rules. By default, a rule has a priority level of 0, the lowest priority. Rules with a higher priority will be used before ones with a lower priority. The highest level that can be specified is 100.

The syntax for priority level is:

priority <level>

Priority examples:

To allow traffic from anyone but 10.20.30.0/24 to access an MTA:

FROM any TO tag mta ALLOW tcp PORT 25
FROM subnet 10.20.30.0/24 TO tag mta BLOCK tcp PORT 25 PRIORITY 1

To block all outbound traffic, overriding the default outbound policy, except for SSH:

FROM all vms TO any BLOCK tcp PORT all
FROM all vms TO any ALLOW tcp PORT 22 PRIORITY 1

Rule examples

If you are using the triton command line tools, use the triton fwrule create command:

$ triton fwrule create "FROM any TO tag www ALLOW tcp (port 80 and port 443)"
Created firewall rule 28cabe50-73c8-4443-b499-46ac4de3dc0d

New rules are immediately enabled. The command triton fwrule enable enables the given firewall rule if it is disabled. Use triton fwrule disable to disable a rule.

$ triton fwrule enable 28cabe50-73c8-4443-b499-46ac4de3dc0d
Enabled firewall rule 28cabe50-73c8-4443-b499-46ac4de3dc0d

Rule example syntax

To block SMTP (port 25) traffic to an instance with the IP 10.2.0.1 from any of the instances in the same data center that have Triton's firewall feature enabled:

FROM all vms TO ip 10.2.0.1 BLOCK tcp port 25

To allow HTTPS (port 443) from a private subnet to a specific instance:

FROM subnet 10.8.0.0/16 TO vm 0f570678-c007-4610-a2c0-bbfcaab9f4e6 ALLOW tcp port 443

To allow syslog (port 514) traffic from any instance in this data center to any instance in this data center that has the tag syslog:

FROM all vms TO tag syslog ALLOW udp port 514

To allow database traffic from databases to web servers. Any other instances with different role tags, such as role = staging, are not affected by this rule:

FROM tag role = db TO tag role = www ALLOW tcp port 5432

To allow LDAP (port 389) traffic from any instance in this data center to instances with tag VM type set to LDAP server:

FROM all vms TO tag "VM type" = "LDAP server" ALLOW tcp PORT 389

To allow only HTTP traffic from any machine on the Internet to a specific instance:

FROM any TO vm 04128191-d2cb-43fc-a970-e4deefe970d8 ALLOW tcp port 80

Rules which result in errors

Some rules cannot be created because they would not affect any instances in a data center. The following rules would result in a "rule does not affect VMs" error message:

$ triton fwrule create "FROM any TO any ALLOW tcp port 22"
$ triton fwrule create "FROM ip 192.168.1.3 TO subnet 192.168.1.0/24 ALLOW tcp port 22"
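To tie together the rule grammar, the numeric limits, the action/default-policy interaction described under "Action", and the "rule does not affect VMs" error above, here is an added Python checker. It is not Triton's code or its real parser but a simplified reading of this page's grammar; it assumes uppercase OR in target lists and treats a rule as "not affecting VMs" when neither target names an instance (vm, tag or all vms).

```python
import re
# Added validator for the rule syntax on this page: a simplified reading of the grammar, not Triton's own parser.
VM_SIDE = {"vm", "tag", "all vms"}  # target types that name instances in the data center
RULE_RE = re.compile(r"^FROM\s+(.+?)\s+TO\s+(.+?)\s+(ALLOW|BLOCK)\s+(TCP|UDP|ICMP6?|AH|ESP)\s*(.*?)"
                     r"(?:\s+PRIORITY\s+(\d+))?$", re.I)
TARGET_RE = re.compile(r"^(any|all vms|ip|subnet|tag|vm)\s*(.*)$", re.I)

def parse_target(text):  # one target, or a parenthesised OR-list, -> [(type, value), ...]
    text = text.strip()
    items = text[1:-1].split(" OR ") if text.startswith("(") else [text]
    pairs = []
    for item in items:
        m = TARGET_RE.match(item.strip())
        if not m:
            raise ValueError("bad target: " + item)
        pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def parse_rule(rule):  # parse one rule and enforce the numeric limits the page states
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: " + rule)
    src, dst, action, proto, rest, prio = m.groups()
    prio = int(prio or 0)
    if not 0 <= prio <= 100:
        raise ValueError("priority must be 0-100")
    proto = proto.lower()
    if proto in ("tcp", "udp"):   # port N, (port N AND port M), ports N - M, port all
        ports = [int(p) for p in re.findall(r"(?:\bports?\s+|-\s*)(\d+)", rest, re.I)]
        if any(not 1 <= p <= 65535 for p in ports):
            raise ValueError("ports must be 1-65535")
    elif proto.startswith("icmp"):  # TYPE N [CODE M]
        vals = [int(v) for v in re.findall(r"\b(?:TYPE|CODE)\s+(\d+)", rest, re.I)]
        if any(not 0 <= v <= 255 for v in vals):
            raise ValueError("ICMP types and codes must be 0-255")
    return {"src": parse_target(src), "dst": parse_target(dst),
            "action": action.upper(), "proto": proto, "priority": prio}

def check_rule(rule):  # 'ok', 'no effect' or 'does not affect VMs'
    r = parse_rule(rule)
    src_vm = any(t in VM_SIDE for t, _ in r["src"])
    dst_vm = any(t in VM_SIDE for t, _ in r["dst"])
    if not (src_vm or dst_vm):  # neither side names an instance, so creation fails
        return "does not affect VMs"
    direction = "in" if dst_vm and not src_vm else "out" if src_vm and not dst_vm else "both"
    # At priority 0 an inbound BLOCK or outbound ALLOW only restates the default policy; a higher priority overrides.
    if r["priority"] == 0 and (direction, r["action"]) in (("in", "BLOCK"), ("out", "ALLOW")):
        return "no effect"
    return "ok"
```

Running check_rule over the page's own examples reproduces its verdicts: the two rules above come back as "does not affect VMs", the two examples under "Action" as "no effect", and the priority examples as "ok".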