Beta
Cloud Firewall is in beta at this time.

Cloud Firewall Rules let you control network traffic across a large number of SmartOS instances in a central, yet fine-grained, manner.

Cloud Firewall rules apply only to SmartOS instances. They do not apply to KVM instances such as Linux, Windows, FreeBSD, or any other KVM-based instance. For KVM-based instances, you can use your platform's traffic filtering package (IPTables, ufw) and a configuration manager like Chef or Puppet to distribute the rules to your instances.

You can add Cloud Firewall Rules to your SmartOS instances through the Joyent portal, or through the CloudAPI interface.


Overview

Cloud Firewall Rules are TCP, UDP, and ICMP traffic rules that apply to all of the SmartOS instances in a datacenter that have this feature enabled. By default, Cloud Firewall Rules do not apply to newly provisioned instances. You have to enable this feature to use it.

You can set and edit the rules in the Joyent Portal or through the CloudAPI command line interface.

The Cloud Firewall rules let you specify whether network traffic should be allowed or blocked to an instance based on specific criteria:

  • a specific TCP, UDP, or ICMP port
  • a specific instance
  • a specific IP address
  • all instances in the data center
  • all instances with a specific tag

Note that all of the Cloud Firewall Rules apply to instances that have this feature enabled. You can use instance ids, IP addresses, and tags to specify individual instances or classes of instances.

How Rules Are Applied

The default Cloud Firewall Rules are quite restrictive. They apply to all the instances in your datacenter that have this feature enabled.

  • Block traffic from any source to all instances in this datacenter that have Cloud Firewall Rules enabled.
  • Allow traffic from any instance in this datacenter that has Cloud Firewall Rules enabled to any destination.

This rule is always enabled to allow pinging your instance.

  • Allow ICMP type 8 code 0 from any source to all instances in this datacenter that have Cloud Firewall Rules enabled.

Your Cloud Firewall Rules always take precedence over the default rules. The rules are not evaluated in order, but by how restrictive they are.

For incoming traffic, the least restrictive rule wins. The default rules for incoming traffic block everything, so any rule that allows incoming traffic is less restrictive.

For outgoing traffic, the most restrictive rule wins. The default rules for outgoing traffic allow everything, so any rule that blocks outgoing traffic is more restrictive.
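As an added illustration of the precedence described above (not Joyent's code, and not the CloudAPI rule syntax), the following model combines the default rules, the always-on ping rule and a set of user rules the way this page describes: for incoming traffic any matching allow wins, for outgoing traffic any matching block wins, and an instance without firewall_enabled is not filtered at all. The Instance and Rule classes, the target forms ("any", "all vms", "vm:<id>", "ip:<addr>", "tag:<name>") and the "type:code" notation for ICMP are assumptions made for this model.

```python
from dataclasses import dataclass, field

@dataclass
class Instance:
    id: str
    ip: str
    tags: set = field(default_factory=set)
    firewall_enabled: bool = True   # the firewall_enabled property described on this page

@dataclass
class Rule:
    action: str          # "allow" or "block"
    src: str             # FROM target; assumed forms are listed in target_matches()
    dst: str             # TO target
    protocol: str        # "tcp", "udp" or "icmp"
    port: object = None  # tcp/udp port, "type:code" string for icmp, None = any (assumption)
    enabled: bool = True

# The always-on rule from this page: ICMP type 8 code 0 from any source to all VMs.
DEFAULT_RULES = [Rule("allow", "any", "all vms", "icmp", "8:0")]

def target_matches(target, endpoint):
    """endpoint is an Instance, or a plain IP string for a host outside the datacenter."""
    if target == "any":
        return True
    if isinstance(endpoint, str):                  # outside host: only "ip:<addr>" can match it
        return target == "ip:" + endpoint
    if target == "all vms":
        return True
    kind, _, value = target.partition(":")        # "vm:<id>", "ip:<addr>" or "tag:<name>"
    return {"vm": endpoint.id == value, "ip": endpoint.ip == value,
            "tag": value in endpoint.tags}.get(kind, False)

def decide(instance, rules, direction, peer, protocol, port):
    """True if the traffic is allowed; direction is "in" (peer -> instance) or "out"."""
    if not instance.firewall_enabled:
        return True                                # no Cloud Firewall Rules apply at all
    src, dst = (peer, instance) if direction == "in" else (instance, peer)
    verdicts = [r.action for r in DEFAULT_RULES + rules
                if r.enabled and r.protocol == protocol
                and (r.port is None or r.port == port)
                and target_matches(r.src, src) and target_matches(r.dst, dst)]
    if direction == "in":
        return "allow" in verdicts                 # default blocks: least restrictive rule wins
    return "block" not in verdicts                 # default allows: most restrictive rule wins
```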

Enabling and Disabling the Cloud Firewall Rules Feature

Cloud Firewall Rules apply only to instances in the datacenter that have the Cloud Firewall feature enabled.

To enable or disable the Cloud Firewall Rules feature for an instance in the Joyent Portal:

  1. Navigate to the Instance Details page of the instance for which you want to enable Cloud Firewall Rules.
  2. Scroll to the Firewall Rules section of the page.
  3. Click Enable or Disable.

To enable the Cloud Firewall Rules feature using the CloudAPI CLI, use the sdc-enablemachinefirewall command.

When the Cloud Firewall is enabled for that instance, its firewall_enabled property is true.

To disable Cloud Firewall Rules using the CloudAPI CLI, use the sdc-disablemachinefirewall command.

Creating a Cloud Firewall Rule

Take a look at Firewall Rules Reference to learn how to specify a rule. The Cloud Firewall Rules are similar to other firewall rules such as pf or ipfilter.

Since the default rules block all traffic to your instances, the first rule you may want to add is one that allows you to use SSH to log into your machines.

It will be useful to look over Firewall Rules Reference to learn how to write Cloud Firewall Rules.

To create a Cloud Firewall Rule in the portal:

  1. Click the Firewall link in the header of the Joyent Portal.
  2. Click Add New Rule.
  3. Choose the Action, Block or Allow.
  4. Choose whether the rule is initially enabled or not.
  5. Choose the datacenter that the rule will apply to.
  6. Select the protocol.
  7. Select the From to specify where the traffic comes from.
  8. Select the To to specify where the traffic is going.
  9. Click the Add, Add From, and Add To buttons to set up the rule to allow traffic from anywhere to all VMs on port 22.
  10. Click Create Rule.
  11. If you created the rules as Disabled, click the Enable button next to the rule to enable it.

To create a Cloud Firewall Rule with the CloudAPI CLI, use the sdc-createfirewallrule command.

Use the --enabled option to create the rule and enable it immediately. You can also enable it later with sdc-enablefirewallrule. Use sdc-disablefirewallrule to disable a rule.

Listing All the Rules That Apply to a Machine

To see all the Cloud Firewall Rules that apply to a machine in the Joyent Portal:

  1. Navigate to the Instance Details page of the instance whose Cloud Firewall Rules you want to see.
  2. Scroll to the Firewall Rules section of the page.

All of the rules that apply to the machine are listed in the Firewall Rules section.

To see all the Cloud Firewall Rules that apply to a machine with the CloudAPI CLI, use the sdc-listmachinefirewallrules command.

List All the Instances a Rule Applies To

You can use the CloudAPI CLI to find out which instances a rule would apply to with the sdc-listfirewallrulemachines command. You will need the id of the rule.

Note that the list includes instances that do not have the Cloud Firewall Feature enabled. Even though they are included in the result, the rules do not apply to those instances.

Editing a Cloud Firewall Rule

To edit a Cloud Firewall Rule in the portal:

  1. Click the Firewall link in the header of the Joyent Portal.
  2. Locate the rule you want to edit in the list of rules.
  3. Click the Edit button.
  4. Edit the rule using the menus.

To edit a Cloud Firewall Rule with the CloudAPI CLI, use the sdc-updatefirewallrule command. Note that you must specify the entire rule, not just the part that you're changing.

Enabling and Disabling a Cloud Firewall Rule

To enable or disable a Cloud Firewall Rule in the portal:

  1. Click the Firewall link in the header of the Joyent Portal.
  2. Locate the rule you want to enable or disable in the list of rules.
  3. Click the Enable or Disable button.

To enable a Cloud Firewall rule using the CloudAPI CLI, use the sdc-enablefirewallrule command.

To disable a Cloud Firewall rule using the CloudAPI CLI, use the sdc-disablefirewallrule command.

Deleting a Cloud Firewall Rule

To delete a Cloud Firewall Rule in the portal:

  1. Click the Firewall link in the header of the Joyent Portal.
  2. Locate the rule you want to delete in the list of rules.
  3. Click the Delete button.

To delete a Cloud Firewall rule using the CloudAPI CLI, use the sdc-deletefirewallrule command. Note that this command does not produce any output if it is successful.

Frequently Asked Questions

This section answers some questions you may have about Cloud Firewall Rules.

What is the relationship between Cloud Firewall Rules and IPFilter?

Cloud Firewall Rules apply to all the instances in the same datacenter that have the Cloud Firewall feature enabled. IPFilter rules apply only to the instance in which they are defined.

For incoming traffic, the Cloud Firewall Rules are applied first. If an instance has IPFilter rules, they are applied next.

For outgoing traffic, any IPFilter rules defined for the instance apply first, then the Cloud Firewall Rules are applied.
