Create a cloud firewall
A cloud firewall has a basic property: all incoming and outgoing traffic that is not explicitly allowed is denied. If you create a firewall without any rules and assign it to a cloud router port, all traffic in the router's subnet will be denied. Active sessions on the router will be interrupted after the firewall is created.
Control panel
OpenStack CLI
Terraform
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Firewalls section.
-
Click Create firewall.
-
Select the location where the firewall will be created.
-
Optional: select a private subnet with a cloud router for which you want to configure traffic filtering. The firewall is assigned to the cloud router port in this private subnet.
You can assign a firewall to a router port after the firewall has been created.
-
Select the traffic direction:
Incoming traffic
Outgoing traffic
-
If rules templates for incoming traffic work for you, click the rule. The protocol, source, source port, destination, and destination port fields will be filled in automatically. Proceed to step 15.
-
If no suitable template is available, add a custom rule for incoming traffic. Click Add incoming traffic rule.
-
Select an action:
- Allow — allow traffic;
- Deny — deny traffic.
-
Select a protocol: ICMP, TCP, UDP, or all protocols (Any).
-
Enter the traffic source (Source) — an IP address, a subnet, or all addresses (Any).
-
Enter the source port (Src. port) — one port, a range of ports, or all ports (Any).
-
Enter the traffic destination (Destination) — an IP address, a subnet, or all addresses (Any). If you specify a subnet, the rule will apply to all devices in the subnet.
-
Enter the destination port (Dst. port) — one port, a range of ports, or all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default will be denied, even if you specify this port in the rule.
-
Enter a name for the rule or leave the automatically generated name.
-
Optional: enter a comment for the rule.
-
Click Add. After the firewall is created, you can edit a rule.
- Check the order of the rules; they are processed in the order listed, from top to bottom. Change the order if necessary by dragging the rules. After the firewall is created, you can change the rule order.
- Optional: to add another rule to the firewall, proceed to step 6. You can add up to 100 rules for each traffic direction.
- Enter a name for the firewall or leave the automatically generated name.
- Optional: enter a comment for the firewall.
- Click Create firewall.