Cloud firewall

The cloud firewall is a free stateful firewall that lets you configure network security for private subnets and public IP addresses in the cloud platform.

The cloud firewall can be managed through the control panel, OpenStack CLI and Terraform.

Filtered traffic

With the firewall you can filter IPv4 traffic for a private subnet: open or close individual ports and port ranges, and allow or deny access from specific IP addresses or subnets.

The cloud firewall filters all IPv4 traffic passing through the cloud router port to which it is assigned:

  • incoming traffic to a private subnet from another private subnet. Subnets must belong to different networks;
  • incoming traffic to a private subnet from the Internet, addressed to the public IP addresses of devices (cloud servers and load balancers) that are mapped to their private addresses via 1:1 NAT;
  • outgoing traffic — traffic from a private subnet to the Internet or another private subnet.

The cloud firewall doesn't filter:

  • traffic between devices within a private subnet;
  • traffic between devices from different private subnets within the same private network;
  • traffic in public subnets. Public addresses from such subnets are assigned directly to devices, so their traffic does not pass through a cloud router port.

Use operating system tools such as iptables to filter these kinds of traffic. Read more in the blog article Configuring iptables in Linux.

Working principle

A cloud firewall is not a separate device. It is assigned to the internal port of a cloud router on a private subnet connected to that router. One firewall can be reused and assigned to several router ports at the same time, but a single router port cannot carry more than one firewall.

Using its rules, the firewall analyzes and filters traffic entering the private subnet through the cloud router and traffic leaving that subnet. Rules apply to IP addresses, not to a cloud server or load balancer as such: if you attach a different public IP address to a device, or recreate the device with a different public IP, update the address in the rule, otherwise that traffic is no longer filtered.

The cloud firewall uses the OpenStack model:

  • Firewall Groups (firewalls) — contain policies. A single firewall can contain only one ingress policy for inbound traffic and one egress policy for outbound traffic;
  • Firewall Policies — Lists firewall rules in a specific order;
  • Firewall Rules — the parameters by which traffic is filtered: protocol, IP addresses and ports. Rules are evaluated in the order listed. More about rules and their parameters in the Rules subsection.

Learn more about the OpenStack model in the FWaaS section of the OpenStack documentation.
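The model above, worked through with the OpenStack Python SDK (openstacksdk, which drives the same Neutron FWaaS v2 API as the OpenStack CLI and Terraform). This is an added example, not code from this page or from Selectel: it creates the rules in order, one policy per direction, and a firewall group bound to the router's port on a private subnet. The cloud name "selectel", the router name "router-1", the subnet name "private-subnet" and the admin range 203.0.113.0/24 are hypothetical.

```python
"""Create a cloud firewall (Neutron FWaaS v2 firewall group) with openstacksdk.

Added illustration, not Selectel's own code. Assumptions (all hypothetical):
a clouds.yaml entry named "selectel", a cloud router named "router-1", a private
subnet named "private-subnet", and an admin network 203.0.113.0/24 that should
be the only source allowed to reach SSH. The create_firewall_* calls are the
openstacksdk network proxy's FWaaS v2 methods.
"""
MAX_RULES_PER_POLICY = 100   # limit stated on this page, per traffic direction


def rule_specs(admin_cidr: str) -> dict:
    """Ordered rule definitions. Order matters: the firewall stops at the first match,
    and anything that matches nothing is denied, so no closing deny rule is needed."""
    ingress = [
        dict(name="allow-ssh-from-admin", action="allow", protocol="tcp",
             source_ip_address=admin_cidr, destination_port="22"),
        dict(name="allow-https", action="allow", protocol="tcp", destination_port="443"),
        dict(name="allow-icmp", action="allow", protocol="icmp"),
    ]
    egress = [
        dict(name="allow-out-dns", action="allow", protocol="udp", destination_port="53"),
        dict(name="allow-out-https", action="allow", protocol="tcp", destination_port="443"),
    ]
    return {"ingress": ingress, "egress": egress}


def check_limits(specs: dict) -> dict:
    """Reject a policy that exceeds the per-direction rule limit before any API call."""
    for direction, rules in specs.items():
        if len(rules) > MAX_RULES_PER_POLICY:
            raise ValueError(f"{direction}: {len(rules)} rules, limit is {MAX_RULES_PER_POLICY}")
    return specs


def router_port_on_subnet(conn, router_name: str, subnet_name: str):
    """The firewall is assigned to the router's port on the private subnet, not to a device."""
    router = conn.network.find_router(router_name, ignore_missing=False)
    subnet = conn.network.find_subnet(subnet_name, ignore_missing=False)
    for port in conn.network.ports(device_id=router.id):
        if any(ip["subnet_id"] == subnet.id for ip in port.fixed_ips):
            return port
    raise LookupError(f"{router_name} has no port on {subnet_name}")


def create_firewall(conn, name: str, specs: dict, port_id: str):
    """Rules -> one policy per direction -> firewall group bound to one router port."""
    def make_policy(pname, rules):
        ids = [conn.network.create_firewall_rule(ip_version=4, **r).id for r in rules]
        return conn.network.create_firewall_policy(name=pname, firewall_rules=ids, audited=True)

    ingress = make_policy(f"{name}-ingress", specs["ingress"])
    egress = make_policy(f"{name}-egress", specs["egress"])
    return conn.network.create_firewall_group(
        name=name,
        ingress_firewall_policy_id=ingress.id,
        egress_firewall_policy_id=egress.id,
        ports=[port_id],   # a port carries at most one firewall; the group may list more ports
    )


if __name__ == "__main__":
    import openstack  # imported here so the pure helpers above work without the SDK installed
    conn = openstack.connect(cloud="selectel")
    port = router_port_on_subnet(conn, "router-1", "private-subnet")
    fw = create_firewall(conn, "web-tier", check_limits(rule_specs("203.0.113.0/24")), port.id)
    print(fw.id, fw.status)
```

Because policies and rules are separate objects, the same policy id can be passed as `ingress_firewall_policy_id` to a second firewall group, which is the reuse the page describes for CLI and Terraform users.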

Example of a network with a cloud firewall that filters traffic to a private subnet from the Internet and traffic from the subnet to the Internet

Example of a network with two cloud firewalls on one cloud router that filter traffic between two private subnets

When traffic flows between two private subnets connected to the same router, only the outbound rules of the firewall assigned to the router port of the source subnet are applied. Inbound rules on the other subnet's firewall that target the source subnet are ignored.

note

For example, firewall 1 has an allow rule for outbound traffic from 192.168.0.0/24 to any subnet. Even if firewall 2 on subnet 10.10.0.0/24 has a deny rule for inbound traffic from 192.168.0.0/24, that rule is ignored. To block access from 192.168.0.0/24 to 10.10.0.0/24, add a deny rule on firewall 1 for outbound traffic to 10.10.0.0/24, placed above the allow rule.

Rules

Two policies (two lists of rules in a specific order) are configured for the cloud firewall — for inbound and outbound traffic.

Rules are evaluated in list order, from top to bottom, and the first matching rule decides. If an earlier rule allows the traffic, it passes even if a later rule would deny it.

The firewall analyzes traffic based on parameters in the rules:

  • traffic direction (policy) — inbound or outbound;
  • allow or deny traffic;
  • protocol — TCP, UDP or ICMP;
  • source — IP address or subnet of the traffic source;
  • source port — the port or range of ports of the traffic source;
  • destination — IP address or subnet of the traffic destination;
  • destination port — the port or range of ports of the traffic destination.

The cloud firewall is deny by default: any inbound or outbound traffic that is not explicitly allowed is denied. For example, if you create a firewall with no rules and assign it to a cloud router port, then until you add allow rules, both traffic entering the private subnet connected to that port and traffic leaving that subnet are denied.
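The behaviour described in this section (top-to-bottom first-match evaluation, deny by default, port forwarding applied before the rules) and in the note above about two firewalls on one router can be sanity-checked offline with the following model. It is an added example, not Selectel's or OpenStack's code: the subnets, addresses, rules and the port-forwarding entry are constructed, and the model assumes the filtered subnets belong to different networks, since traffic within one network is not filtered at all.

```python
"""Offline model of the cloud firewall's evaluation order as stated on this page.

Added illustration, not Selectel's or OpenStack's code. Encodes: policies are read
top to bottom and the first match decides; no match means deny; between private
subnets on one router only the source subnet's egress policy is consulted; port
forwarding is applied before the rules. All subnets, addresses and rules are
constructed samples; filtered subnets are assumed to be in different networks.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str                               # "allow" or "deny"
    protocol: Optional[str] = None            # None matches any protocol
    source: Optional[str] = None              # address or CIDR, None = any
    destination: Optional[str] = None
    source_port: Optional[tuple] = None       # (low, high), inclusive
    destination_port: Optional[tuple] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.protocol is None or self.protocol == p.protocol,
            self.source is None or ip_address(p.src) in ip_network(self.source, strict=False),
            self.destination is None or ip_address(p.dst) in ip_network(self.destination, strict=False),
            self.source_port is None or self.source_port[0] <= p.sport <= self.source_port[1],
            self.destination_port is None or self.destination_port[0] <= p.dport <= self.destination_port[1],
        ))


@dataclass
class Firewall:
    name: str
    subnet: str                               # subnet whose router port carries this firewall
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

    def covers(self, addr: str) -> bool:
        return ip_address(addr) in ip_network(self.subnet)


def evaluate(policy: list, p: Packet) -> str:
    """Top to bottom, first match wins; an empty or non-matching policy denies."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


def decide(firewalls: list, p: Packet, forwarding: Optional[dict] = None) -> str:
    """Fate of a packet crossing one cloud router that carries the given firewalls."""
    if forwarding and (p.dst, p.dport) in forwarding:   # port forwarding runs first
        new_dst, new_dport = forwarding[(p.dst, p.dport)]
        p = replace(p, dst=new_dst, dport=new_dport)
    src_fw = next((fw for fw in firewalls if fw.covers(p.src)), None)
    dst_fw = next((fw for fw in firewalls if fw.covers(p.dst)), None)
    if src_fw is not None:
        # Leaving a filtered subnet: only its egress policy counts, even when the
        # destination subnet's firewall has an ingress rule aimed at this source.
        return evaluate(src_fw.egress, p)
    if dst_fw is not None:
        return evaluate(dst_fw.ingress, p)    # arriving from outside, e.g. the Internet
    return "allow"                            # not filtered by any cloud firewall


# Constructed scenario from the note on this page: firewall 1 allows all egress from
# 192.168.0.0/24, firewall 2 tries (in vain) to deny that source on its ingress side.
FW1 = Firewall("firewall-1", "192.168.0.0/24", egress=[Rule("allow", source="192.168.0.0/24")])
FW2 = Firewall("firewall-2", "10.10.0.0/24", ingress=[Rule("deny", source="192.168.0.0/24")])
CROSS = Packet("192.168.0.10", "10.10.0.5", "tcp", 40000, 22)


def deny_on_destination_side() -> str:
    return decide([FW1, FW2], CROSS)          # "allow": FW2's ingress deny is ignored


def deny_on_source_side() -> str:
    fw1 = Firewall("firewall-1", "192.168.0.0/24",
                   egress=[Rule("deny", destination="10.10.0.0/24"),
                           Rule("allow", source="192.168.0.0/24")])
    return decide([fw1, FW2], CROSS)          # "deny": the egress rule on FW1 does it


# Constructed web subnet: the deny for 203.0.113.0/24 is shadowed by the allow above it.
WEB = Firewall("web", "172.16.0.0/24", ingress=[
    Rule("allow", "tcp", destination_port=(22, 22)),
    Rule("deny", "tcp", source="203.0.113.0/24", destination_port=(22, 22)),
    Rule("allow", "tcp", destination_port=(443, 443)),
])
FORWARDING = {("203.0.113.50", 2222): ("172.16.0.20", 22)}   # constructed forwarding entry
```

Running `decide` over `WEB` shows the pitfalls in one place: SSH from 203.0.113.7 is allowed because the broader allow sits above the deny, RDP from anywhere is denied because nothing matches it, a packet to 203.0.113.50:2222 is judged as if it were addressed to 172.16.0.20:22 because forwarding happens first, and any packet leaving the web subnet is denied because `WEB` has no egress rules at all.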

Firewall policies and rules can be reused only when working through OpenStack CLI and Terraform — assign them to multiple firewalls (Firewall Groups) at the same time. In the control panel, you can use preconfigured templates with rules to filter traffic, for example, open port 22 (SSH/TCP), port 80 (HTTP/TCP), port 443 (HTTPS/TCP), port 1194 (OpenVPN/UDP), port 3389 (RDP/TCP), port 20-21 (FTP/TCP); open standard ports for IPsec or WireGuard and other rules.

Restrictions

You cannot assign more than one firewall to a single router port.

In one cloud platform project you can create:

  • no more than 5 firewalls (for OpenStack CLI and Terraform — no more than 10 policies);
  • no more than 100 rules for each traffic direction (policy) in a single firewall.

Selectel blocks some TCP/UDP ports by default; traffic on those ports is blocked regardless of your firewall rules.

If port forwarding is configured, it is applied first and the firewall rules are evaluated afterwards, so the rules see the traffic as it is after forwarding.

Cost

The cloud firewall is provided free of charge.