Manage cloud firewall rules
For a cloud firewall, you can add new rules, change the existing rules, reorder as well as include, shut down and deregulate.
Add rule
After adding a deny rule on the cloud router, active sessions that match the rule will be terminated.
You can add up to 100 rules per traffic direction (policy) for a single cloud firewall.
Control panel
OpenStack CLI
- In control panel go to Cloud platform → Firewalls.
- Open the firewall page.
- Select the direction of traffic:
Incoming traffic
Outgoing traffic
-
Open the tab Incoming traffic.
-
Click Create a rule.
-
Select an action:
- Allow — Allow traffic;
- Deny — Deny traffic.
-
If templates with rules for incoming traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.
-
If there is no suitable template, add your own rule for incoming traffic.
-
Select a protocol: ICMP, TCP, UDP or All (Any).
-
Enter the traffic source (Source) — IP address, subnet, or all addresses (Any).
-
Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).
-
Enter the Destination — IP address, subnet, or Any. If you specify a subnet, the rule applies to all devices on the subnet.
-
Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
Enter a name for the rule or leave the name created automatically.
-
Optional: enter a comment for the rule.
-
Click Add.
-
Open the tab Outgoing traffic.
-
Click Create a rule.
-
Select an action:
- Allow — Allow traffic;
- Deny — Deny traffic.
-
If templates with rules for outbound traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.
-
If there is no suitable template, add your own rule for outbound traffic.
-
Select a protocol: ICMP, TCP, UDP or All (Any).
-
Enter the traffic source (Source) — IP address, subnet, or All (Any). If you specify a subnet, the rule applies to all devices on the subnet.
-
Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).
-
Enter the traffic destination (Destination) — IP address, subnet, or Any.
-
Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
Enter a name for the rule or leave the name created automatically.
-
Optional: enter a comment for the rule.
-
Click Add.
- Check the order of the rules, they are executed in order in the list — from top to bottom. If necessary, change the order by dragging and dropping the rules. After creating the firewall, you can reorder.
-
Create a rule:
openstack firewall group rule create \
--action <action> \
--protocol <protocol> \
[--source-ip-address <source_ip_address> | --no-source-ip-address] \
[--source-port <source_port> | --no-source-port] \
[--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
[--destination-port <destination_port> | --no-destination-port]Specify:
-
<action>
— action:allow
— allow traffic;deny
— deny traffic;
-
<protocol>
— Protocol:icmp
— ICMP;tcp
— TCP;udp
— UDP;any
— all the protocols;
-
traffic source:
--source-ip-address <source_ip_address>
— IP address or subnet. If you specify a subnet and assign this rule to an outbound policy, the rule will apply to all devices on the subnet;--no-source-ip-address
— all addresses (Any);
-
source port:
--source-port <source_port>
— a single port or a range of ports;--no-source-port
— all ports (Any);
-
traffic assignment:
--destination-ip-address <destination_ip_address>
— IP address or subnet. If you specify a subnet and assign this rule to a policy for inbound traffic, the rule will apply to all devices on the subnet;--no-destination-ip-address
— all addresses (Any);
-
port of call:
--destination-port <destination_port>
— a single port or a range of ports;--no-destination-port
— all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
-
Add a rule to the firewall policy:
openstack firewall group policy add rule \
[--insert-before <firewall_rule>] \
[--insert-after <firewall_rule>] \
<firewall_policy> \
<firewall_rule>Specify:
--insert-before <firewall_rule>
— ID or name of the rule before which the new rule will be added. The list can be viewed withopenstack firewall group rule list
;--insert-after <firewall_rule>
— ID or name of the rule after which the new rule will be added. The list can be viewed withopenstack firewall group rule list
;<firewall_policy>
— ID or policy name. The list can be viewed byopenstack firewall group policy list
;<firewall_rule>
— The ID or name of the rule that will be added to the policy. The list can be viewed byopenstack firewall group rule list
.
Change the rule
After changing a rule on the cloud router, active sessions that match the changed rule will be terminated.
Control panel
OpenStack CLI
-
In control panel go to Cloud platform → Firewalls.
-
Open the firewall page.
-
Open the tab depending on which traffic you want to change the rule for:
- for incoming traffic — Incoming traffic;
- for outbound traffic — Outgoing traffic.
-
On the menu. select the rules Change the rule.
Incoming traffic
Outgoing traffic
-
Select an action:
- Allow — Allow traffic;
- Deny — deny traffic.
-
If templates with rules for incoming traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 13.
-
If there is no suitable template, add your own rule for incoming traffic.
-
Select a protocol: ICMP, TCP, UDP or All (Any).
-
Enter the traffic source (Source) — IP address, subnet, or all addresses (Any).
-
Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).
-
Enter the Destination — IP address, subnet, or Any. If you specify a subnet, the rule applies to all devices on the subnet.
-
Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
Select an action:
- Allow — Allow traffic;
- Deny — Deny traffic.
-
If templates with rules for outbound traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 13.
-
If there is no suitable template, add your own rule for outbound traffic.
-
Select a protocol: ICMP, TCP, UDP or All (Any).
-
Enter the traffic source (Source) — IP address, subnet, or All (Any). If you specify a subnet, the rule applies to all devices on the subnet.
-
Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).
-
Enter the traffic destination (Destination) — IP address, subnet, or Any.
-
Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
- Enter a name for the rule or leave the name created automatically.
- Optional: enter a comment for the rule.
- Click Save.
-
Change the rule:
openstack firewall group rule set \
--action <action> \
--protocol <protocol> \
[--source-ip-address <source_ip_address> | --no-source-ip-address] \
[--source-port <source_port> | --no-source-port] \
[--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
[--destination-port <destination_port> | --no-destination-port] \
<firewall_rule>Specify:
-
<action>
— action:allow
— allow traffic;deny
— deny traffic;
-
<protocol>
— Protocol:icmp
— ICMP;tcp
— TCP;udp
— UDP;any
— all the protocols;
-
traffic source:
--source-ip-address <source_ip_address>
— IP address or subnet. If you specify a subnet and assign this rule to an outbound policy, the rule will apply to all devices on the subnet;--no-source-ip-address
— all addresses (Any);
-
source port:
--source-port <source_port>
— a single port or a range of ports;--no-source-port
— all ports (Any);
-
traffic assignment:
--destination-ip-address <destination_ip_address>
— IP address or subnet. If you specify a subnet and assign this rule to a policy for inbound traffic, the rule will apply to all devices on the subnet;--no-destination-ip-address
— all addresses (Any);
-
port of call:
--destination-port <destination_port>
— a single port or a range of ports;--no-destination-port
— all ports (Any).
Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.
-
<firewall_rule>
— ID or name of the rule. The list can be viewed withopenstack firewall group rule list
.
-
Change the order of the rules
After the rule order change, active sessions on the cloud router that match the new rule order will be terminated.
-
In control panel go to Cloud platform → Firewalls.
-
Open the firewall page.
-
Open the tab depending on which traffic you want to change the order of the rules for:
- for incoming traffic — Incoming traffic;
- for outbound traffic — Outgoing traffic.
-
Click Change the order of the rules.
-
Drag and drop the rules. The rules are executed in order in the list — from top to bottom.
-
Click Preserve the order of the rules.
Enable rule
Control panel
OpenStack CLI
-
In control panel go to Cloud platform → Firewalls.
-
Open the firewall page.
-
Open the tab depending on which traffic you want to enable the rule for:
- for incoming traffic — Incoming traffic;
- for outbound traffic — Outgoing traffic.
-
On the line with the rule, include the rule.
-
Include a rule:
openstack firewall group rule set --enable-rule <firewall_rule>
Specify
<firewall_rule>
— ID or name of the rule. The list can be viewed withopenstack firewall group rule list
. To delete multiple rules, specify their names or IDs separated by a space.
Disable rule
The rule will no longer be in effect — traffic that was allowed by this rule will be denied. Active sessions that were set by this rule will be terminated on the cloud router.
Control panel
OpenStack CLI
-
In control panel go to Cloud platform → Firewalls.
-
Open the firewall page.
-
Open the tab depending on which traffic you want to disable the rule for:
- for incoming traffic — Incoming traffic;
- for outbound traffic — Outgoing traffic.
-
In the line with the rule, disable the rule.
-
Disable the rule:
openstack firewall group rule set --disable-rule <firewall_rule>
Specify
<firewall_rule>
— ID or name of the rule. The list can be viewed withopenstack firewall group rule list
. To delete multiple rules, specify their names or IDs separated by a space.
Delete rule
The rule will no longer be in effect — traffic that was allowed by this rule will be denied. Active sessions that were set by this rule will be terminated on the cloud router.
Control panel
OpenStack CLI
-
In control panel go to Cloud platform → Firewalls.
-
Open the firewall page.
-
Open the tab depending on which traffic you want to remove the rule for:
- for incoming traffic — Incoming traffic;
- for outbound traffic — Outgoing traffic.
-
On the menu. select the rules Delete rule.
-
Click Delete.
-
Delete the rule:
openstack firewall group rule delete <firewall_rule>
Specify
<firewall_rule>
— The ID or name of the rule. The list can be viewed withopenstack firewall group rule list
. To delete multiple rules, specify their names or IDs separated by a space.