Create a cloud firewall
A cloud firewall has a basic property: all inbound and outbound traffic that is not allowed is denied. If you create a firewall without rules and assign it to a cloud router port, all traffic on the router's subnet will be denied. After creating a firewall on the router, all active sessions will be terminated.
Control panel
OpenStack CLI
Terraform
-
In control panel go to Cloud platform → Firewalls.
-
Click Create a firewall.
-
Select pool This is where the firewall will be created.
-
Optional: Select a private subnet with the cloud router for which you want to configure traffic filtering. The firewall is assigned to the cloud router port on this private subnet.
Assign a firewall to a router port you can after you create a firewall.
-
Select the direction of traffic:
Incoming traffic
Outgoing traffic
-
If templates with rules for incoming traffic Click on the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.
-
If there is no suitable template, add your own rule for incoming traffic. Click Add an incoming traffic rule.
-
Select an action:
- Allow — Allow traffic;
- Deny — Deny traffic.
-
Select a protocol: ICMP, TCP, UDP or All (Any).
-
Enter the traffic source (Source) — IP address, subnet, or all addresses (Any).
-
Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).
-
Enter the Destination — IP address, subnet, or Any. If you specify a subnet, the rule applies to all devices on the subnet.
-
Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
Enter a name for the rule or leave the name created automatically.
-
Optional: enter a comment for the rule.
-
Click Add. After creating a firewall, you can change the rule.
-
If templates with rules for outbound traffic Click on the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.
-
If there is no suitable template, add your own rule for outbound traffic. Click Add an outbound traffic rule.
-
Select an action:
- Allow — Allow traffic;
- Deny — deny traffic.
-
Select a protocol: ICMP, TCP, UDP or All (Any).
-
Enter the traffic source (Source) — IP address, subnet, or All (Any). If you specify a subnet, the rule applies to all devices on the subnet.
-
Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).
-
Enter the traffic destination (Destination) — IP address, subnet, or Any.
-
Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
Enter a name for the rule or leave the name created automatically.
-
Optional: enter a comment for the rule.
-
Click Add. After creating the firewall, you can change the rule.
- Check the order of the rules, they are executed in order in the list — from top to bottom. If necessary, change the order by dragging and dropping the rules. After creating the firewall, you can reorder.
- Optional: To add another rule to the firewall, go to step 5. you can add up to 100 rules per traffic direction.
- Enter the name of the firewall or leave the name created automatically.
- Optional: enter a comment for the firewall.
- Click Create a firewall.
-
Create a rule:
openstack firewall group rule create \
--action <action> \
--protocol <protocol> \
[--source-ip-address <source_ip_address> | --no-source-ip-address] \
[--source-port <source_port> | --no-source-port] \
[--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
[--destination-port <destination_port> | --no-destination-port]Specify:
-
<action>
— action:allow
— allow traffic;deny
— deny traffic;
-
<protocol>
— Protocol:icmp
— ICMP;tcp
— TCP;udp
— UDP;any
— all the protocols;
-
traffic source:
--source-ip-address <source_ip_address>
— IP address or subnet. If you specify a subnet and assign this rule to an outbound policy, the rule will apply to all devices on the subnet;--no-source-ip-address
— all addresses (Any);
-
source port:
--source-port <source_port>
— a single port or a range of ports;--no-source-port
— all ports (Any);
-
traffic assignment:
--destination-ip-address <destination_ip_address>
— IP address or subnet. If you specify a subnet and assign this rule to a policy for inbound traffic, the rule will apply to all devices on the subnet;--no-destination-ip-address
— all addresses (Any);
-
port of call:
--destination-port <destination_port>
— a single port or a range of ports;--no-destination-port
— all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
-
Create a policy for the firewall:
openstack firewall group policy create \
--firewall-rule <firewall_rule> \
<policy_name>Specify:
<firewall_rule>
— ID or name of the rule. The list can be viewed withopenstack firewall group rule list
. To add multiple rules, separate their names or IDs with a space. Check the order of the rules, they are executed in order;<policy_name>
— the name of the policy.
-
Create a firewall:
openstack firewall group create \
[--ingress-firewall-policy <firewall_ingress_policy> | --no-ingress-firewall-policy] \
[--egress-firewall-policy <firewall_egress_policy> | --no-egress-firewall-policy] \
--port <router_port>Specify:
- policy for inbound traffic:
--ingress-firewall-policy <firewall_ingress_policy>
— ID or policy name for incoming traffic. The list can be viewed byopenstack firewall group policy list
. You can add only one policy for inbound traffic;--no-ingress-firewall-policy
— Specify if there is no policy for inbound traffic;
- policy for outbound traffic:
--egress-firewall-policy <firewall_egress_policy>
— ID or policy name for outbound traffic. The list can be viewed byopenstack firewall group policy list
. You can add only one policy for outbound traffic;--no-egress-firewall-policy
— Specify if there is no policy for outgoing traffic;
<router_port>
— The ID or port name of the router to which the firewall will be assigned. You can view the list byopenstack port list
. To assign a firewall to more than one router port, list their names or IDs separated by a space.
- policy for inbound traffic:
Use the instructions in the Terraform documentation: