Skip to main content
Cloud firewall
Last update:

Cloud firewall

Cloud Firewall is a free stateful firewall. It allows you to configure network security for private subnets and public IP addresses in a cloud platform.

You can work with the cloud firewall in the control panel with the help of OpenStack CLI or Terraform.

Filterable traffic

With the firewall, you can configure IPv4 traffic filtering for a private subnet, open and close specific ports or their range, allow and deny access from specific IP addresses or subnets.

What kind of traffic is filtered

The cloud firewall filters all IPv4 traffic passing through the port cloud router to which he is assigned:

  • incoming traffic to a private subnet from another private subnet. Private subnets must belong to different private networks:
note

For example, a private subnet 192.168.0.0/24 is on a private network network_1and the private subnet 10.0.0.0/24 are on a private network network_2. Traffic between devices on these subnets will be filtered.

Read more about private networks and subnets in the instructions Cloud platform networks;

  • incoming traffic to the private subnet from the Internet, going to the public IP addresses of devices (cloud servers and balancers) that are associated with their private address via NAT 1:1;
  • outgoing traffic — traffic from a private subnet to the Internet or another private network.

What traffic is not filtered

  • traffic between devices within a private subnet;

  • traffic between devices from different private subnets within the same private network:

note

For example, a private subnet 192.168.0.0/24 and a private subnet 10.0.0.0/24 are on the same private network network_1. Traffic between devices on these subnets will not be filtered.

  • traffic for public subnets. Public addresses from these subnets are assigned directly to the devices, and traffic does not pass through the cloud router port.

To filter these types of traffic, use security teams or operating system utilities, such as iptables. Read more in the blog article Configuring iptables in Linux.

Principle of operation

The cloud firewall is not a separate device. It is assigned to the internal port of the cloud router on the private subnet that is connected to the router. The firewall can be reused and assigned to multiple router ports at the same time. You cannot assign more than one firewall to a single router port.

Firewall by added filtering rules analyzes and filters traffic: inbound traffic that goes to a private subnet through the cloud router, and traffic outbound from that subnet. Firewall rules do not act on the cloud server or load balancer, but on the IP address. If you connect a different public IP address to the device or recreate it with a different public IP, you must change the IP address in the rule for traffic to continue to be filtered.

The cloud firewall uses the OpenStack model:

  • Firewall Groups (firewalls) — contain policies. One firewall can contain only one ingress policy for incoming traffic and one egress policy for outgoing traffic;
  • Firewall Policies — Lists firewall rules in a specific order;
  • Firewall Rules — A set of parameters by which traffic is filtered: protocols, IP addresses, and ports. The rules are executed in the specified order. For more information about rules and parameters, see the subsection Rules.

Read more about the OpenStack model in FWaaS. OpenStack documentation.

Example of a network with a cloud firewall that filters traffic to a private subnet from the Internet and traffic from the subnet to the Internet

Example of a network with two cloud firewalls on one cloud router that filter traffic between two private subnets

When filtering traffic between private subnets connected to the same router, the rules of the firewall that is assigned to the router port on that subnet are applied to outgoing traffic. If the firewall on the other subnet has rules configured for incoming traffic from the first subnet, they are ignored.

note

For example, for firewall 1, an allow rule is created for outgoing traffic from the subnet 192.168.0.0/24 to any subnets. Even if the firewall has 2 per subnet 10.10.0.0/24 there is a deny rule for incoming traffic from the subnetwork 192.168.0.0/24it will be ignored. To access the subnet 10.10.0.0/24 on a subnet 192.168.0.0/24 is denied, you need to create a deny rule on firewall 1 for outgoing traffic to this subnet.

Rules

Two policies (two lists of rules in a specific order) are configured for the cloud firewall — for inbound and outbound traffic.

Rules are executed in order from top to bottom in the list. If the first rule allows traffic to pass through, traffic will be allowed even if the rules below are set to deny it.

The firewall analyzes traffic based on parameters in the rules:

  • traffic direction (policy) — inbound or outbound;
  • allow or deny traffic;
  • protocol — TCP, UDP, ICMP protocols are supported;
  • source — IP address or subnet of the traffic source;
  • source port — the port or range of ports of the traffic source;
  • destination — IP address or subnet of the traffic destination;
  • destination port — the port or range of ports of the traffic destination.

A cloud firewall has a basic property: all inbound and outbound traffic that is not allowed is denied. For example, you created a firewall with no rules and assigned it to a port on a cloud router. Until you add enabling rules, the following will be denied: traffic entering the private subnet that is connected to the router; traffic coming from that subnet.

Firewall policies and rules can be reused only when working through the OpenStack CLI and Terraform — assign them to multiple firewalls (Firewall Groups) at the same time. In the control panel, you can use preconfigured templates with rules to filter traffic, for example, open port 22 (SSH/TCP), port 80 (HTTP/TCP), port 443 (HTTPS/TCP), port 1194 (OpenVPN/UDP), port 3389 (RDP/TCP), port 20-21 (FTP/TCP); open standard ports for IPsec or WireGuard and other rules.

Limitations

You cannot assign more than one firewall to a single router port.

In one. project a maximum of 10 firewalls can be created. One firewall has two policies, one for each traffic direction. One policy can have a maximum of 100 rules.

If you're set up NAT (port forwarding) If the firewall rules are applied, then first the forwarding will be performed and then the firewall rules will take effect.

In Selectel, the default some TCP/UDP ports are blocked.

Cost

The cloud firewall is provided free of charge.