Manage cloud firewall rules

Last update: November 12 2024

Manage cloud firewall rules

For a cloud firewall, you can add new rules, change the existing rules, reorder as well as include, shut down and deregulate.

Add rule⁠

carefully

After adding a deny rule on the cloud router, active sessions that match the rule will be terminated.

You can add up to 100 rules per traffic direction (policy) for a single cloud firewall.

Control panel

1. В control panels go to Cloud platform → Firewalls.
2. Open the firewall page.
3. Select the direction of traffic:

Incoming traffic

4. Open the tab Incoming traffic.

5. Click Create a rule.

6. Select an action:

   • Allow — Allow traffic;
   • Deny — Deny traffic.

7. If templates with rules for incoming traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.

8. If there is no suitable template, add your own rule for incoming traffic.

9. Select a protocol: ICMP, TCP, UDP or All (Any).

10. Enter the traffic source (Source) — IP address, subnet, or all addresses (Any).

11. Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).

12. Enter the Destination — IP address, subnet, or Any. If you specify a subnet, the rule applies to all devices on the subnet.

13. Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

14. Enter a name for the rule or leave the name created automatically.

15. Optional: enter a comment for the rule.

16. Click Add.

Outgoing traffic

4. Open the tab Outgoing traffic.

5. Click Create a rule.

6. Select an action:

   • Allow — Allow traffic;
   • Deny — Deny traffic.

7. If templates with rules for outbound traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.

8. If there is no suitable template, add your own rule for outbound traffic.

9. Select a protocol: ICMP, TCP, UDP or All (Any).

10. Enter the traffic source (Source) — IP address, subnet, or All (Any). If you specify a subnet, the rule applies to all devices on the subnet.

11. Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).

12. Enter the traffic destination (Destination) — IP address, subnet, or Any.

13. Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

14. Enter a name for the rule or leave the name created automatically.

15. Optional: enter a comment for the rule.

16. Click Add.

17. Check the order of the rules, they are executed in order in the list — from top to bottom. If necessary, change the order by dragging and dropping the rules. After creating the firewall, you can reorder.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a rule:

   openstack firewall group rule create \
       --action <action> \
       --protocol <protocol> \
       [--source-ip-address <source_ip_address> | --no-source-ip-address] \
       [--source-port <source_port> | --no-source-port] \
       [--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
       [--destination-port <destination_port> | --no-destination-port]

   Specify:

   • <action> — action:

     • allow — allow traffic;
     • deny — deny traffic;

   • <protocol> — Protocol:

     • icmp — ICMP;
     • tcp — TCP;
     • udp — UDP;
     • any — all the protocols;

   • traffic source:

     • --source-ip-address <source_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to an outbound policy, the rule will apply to all devices on the subnet;
     • --no-source-ip-address — all addresses (Any);

   • source port:

     • --source-port <source_port> — a single port or a range of ports;
     • --no-source-port — all ports (Any);

   • traffic assignment:

     • --destination-ip-address <destination_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to a policy for inbound traffic, the rule will apply to all devices on the subnet;
     • --no-destination-ip-address — all addresses (Any);

   • port of call:

     • --destination-port <destination_port> — a single port or a range of ports;
     • --no-destination-port — all ports (Any).

     Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

3. Add a rule to the firewall policy:

   openstack firewall group policy add rule \
       [--insert-before <firewall_rule>] \
       [--insert-after <firewall_rule>] \
       <firewall_policy> \
       <firewall_rule>

   Specify:

   • --insert-before <firewall_rule> — ID or name of the rule before which the new rule will be added. The list can be viewed with openstack firewall group rule list;
   • --insert-after <firewall_rule> — ID or name of the rule after which the new rule will be added. The list can be viewed with openstack firewall group rule list;
   • <firewall_policy> — ID or policy name. The list can be viewed by openstack firewall group policy list;
   • <firewall_rule> — The ID or name of the rule that will be added to the policy. The list can be viewed by openstack firewall group rule list.

Change the rule⁠

carefully

After changing a rule on the cloud router, active sessions that match the changed rule will be terminated.

Control panel

1. В control panels go to Cloud platform → Firewalls.

2. Open the firewall page.

3. Open the tab depending on which traffic you want to change the rule for:

   • for incoming traffic — Incoming traffic;
   • for outbound traffic — Outgoing traffic.

4. On the menu. select the rules Change the rule.

Incoming traffic

5. Select an action:

   • Allow — Allow traffic;
   • Deny — deny traffic.

6. If templates with rules for incoming traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 13.

7. If there is no suitable template, add your own rule for incoming traffic.

8. Select a protocol: ICMP, TCP, UDP or All (Any).

9. Enter the traffic source (Source) — IP address, subnet, or all addresses (Any).

10. Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).

11. Enter the Destination — IP address, subnet, or Any. If you specify a subnet, the rule applies to all devices on the subnet.

12. Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

Outgoing traffic

5. Select an action:

   • Allow — Allow traffic;
   • Deny — Deny traffic.

6. If templates with rules for outbound traffic, select the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 13.

7. If there is no suitable template, add your own rule for outbound traffic.

8. Select a protocol: ICMP, TCP, UDP or All (Any).

9. Enter the traffic source (Source) — IP address, subnet, or All (Any). If you specify a subnet, the rule applies to all devices on the subnet.

10. Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).

11. Enter the traffic destination (Destination) — IP address, subnet, or Any.

12. Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

13. Enter a name for the rule or leave the name created automatically.
14. Optional: enter a comment for the rule.
15. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Change the rule:

   openstack firewall group rule set \
       --action <action> \
       --protocol <protocol> \
       [--source-ip-address <source_ip_address> | --no-source-ip-address] \
       [--source-port <source_port> | --no-source-port] \
       [--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
       [--destination-port <destination_port> | --no-destination-port] \
       <firewall_rule>

   Specify:

   • <action> — action:

     • allow — allow traffic;
     • deny — deny traffic;

   • <protocol> — Protocol:

     • icmp — ICMP;
     • tcp — TCP;
     • udp — UDP;
     • any — all the protocols;

   • traffic source:

     • --source-ip-address <source_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to an outbound policy, the rule will apply to all devices on the subnet;
     • --no-source-ip-address — all addresses (Any);

   • source port:

     • --source-port <source_port> — a single port or a range of ports;
     • --no-source-port — all ports (Any);

   • traffic assignment:

     • --destination-ip-address <destination_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to a policy for inbound traffic, the rule will apply to all devices on the subnet;
     • --no-destination-ip-address — all addresses (Any);

   • port of call:

     • --destination-port <destination_port> — a single port or a range of ports;
     • --no-destination-port — all ports (Any).

     Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

   • <firewall_rule> — ID or name of the rule. The list can be viewed with openstack firewall group rule list.

Change the order of the rules⁠

carefully

After the rule order change, active sessions on the cloud router that match the new rule order will be terminated.

1. В control panels go to Cloud platform → Firewalls.

2. Open the firewall page.

3. Open the tab depending on which traffic you want to change the order of the rules for:

   • for incoming traffic — Incoming traffic;
   • for outbound traffic — Outgoing traffic.

4. Click Change the order of the rules.

5. Drag and drop the rules. The rules are executed in order in the list — from top to bottom.

6. Click Preserve the order of the rules.

Enable rule⁠

Control panel

1. В control panels go to Cloud platform → Firewalls.

2. Open the firewall page.

3. Open the tab depending on which traffic you want to enable the rule for:

   • for incoming traffic — Incoming traffic;
   • for outbound traffic — Outgoing traffic.

4. On the line with the rule, include the rule.

OpenStack CLI

1. Open the OpenStack CLI.

2. Include a rule:

   openstack firewall group rule set --enable-rule <firewall_rule>

   Specify <firewall_rule> — ID or name of the rule. The list can be viewed with openstack firewall group rule list. To delete multiple rules, specify their names or IDs separated by a space.

Disable rule⁠

carefully

The rule will no longer be in effect — traffic that was allowed by this rule will be denied. Active sessions that were set by this rule will be terminated on the cloud router.

Control panel

1. В control panels go to Cloud platform → Firewalls.

2. Open the firewall page.

3. Open the tab depending on which traffic you want to disable the rule for:

   • for incoming traffic — Incoming traffic;
   • for outbound traffic — Outgoing traffic.

4. In the line with the rule, disable the rule.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disable the rule:

   openstack firewall group rule set --disable-rule <firewall_rule>

   Specify <firewall_rule> — ID or name of the rule. The list can be viewed with openstack firewall group rule list. To delete multiple rules, specify their names or IDs separated by a space.

Delete rule⁠

carefully

The rule will no longer be in effect — traffic that was allowed by this rule will be denied. Active sessions that were set by this rule will be terminated on the cloud router.

Control panel

1. В control panels go to Cloud platform → Firewalls.

2. Open the firewall page.

3. Open the tab depending on which traffic you want to remove the rule for:

   • for incoming traffic — Incoming traffic;
   • for outbound traffic — Outgoing traffic.

4. On the menu. select the rules Delete rule.

5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. Delete the rule:

   openstack firewall group rule delete <firewall_rule>

   Specify <firewall_rule> — The ID or name of the rule. The list can be viewed with openstack firewall group rule list. To delete multiple rules, specify their names or IDs separated by a space.