Firewall rule of a Server.
Each server has its own list of firewall rules, with a maximum of 1000 rules. The firewall of a server can be disabled or enabled without stopping the server by toggling the Server.firewall property.
The network traffic (each packet) is checked against the list of firewall rules. The rules are checked in order from the first rule (position 1) onwards. The action property of the first rule that matches the packet determines what happens to the packet, and the rest of the rules are ignored.
The last rule is a special case and corresponds to the default rule set through the Control Panel. It should contain only the direction and action properties in addition to position.
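The first-match walk just described can be checked offline before a rule list is pushed to a server. The following Groovy script is an added example, not code from the groovy-upcloud client or from UpCloud: rules and packets are plain maps keyed by the FirewallRule property names, only IPv4 addresses are parsed (IPv6 would need a different parser), the packet fields and all sample addresses are constructed for the example, and `firstMatch`, `matches`, `inRange` and `inbound` are names chosen here.

```groovy
// Added example, not part of the groovy-upcloud client: an offline simulator of the
// first-match walk described above. Rules and packets are plain maps keyed by the
// FirewallRule property names; only IPv4 addresses are parsed, and the packet
// fields (sourceAddress, destinationAddress, sourcePort, ...) are an assumption.

long ipv4ToLong(String ip) {
    ip.tokenize('.').collect { it.toLong() }.inject(0L) { acc, octet -> (acc << 8) | octet }
}

// A start/end pair that is unset matches everything; a set pair is inclusive.
boolean inRange(String value, String start, String end, boolean address) {
    if (start == null && end == null) return true
    if (value == null) return false                        // e.g. ports on an ICMP packet
    long v  = address ? ipv4ToLong(value) : value.toLong()
    long lo = address ? ipv4ToLong(start) : start.toLong()
    long hi = address ? ipv4ToLong(end)   : end.toLong()
    lo <= v && v <= hi
}

// Unset rule properties act as wildcards, which is also how the default rule
// (direction and action only) ends up matching every packet that reaches it.
boolean matches(Map rule, Map pkt) {
    if (rule.direction != null && rule.direction != pkt.direction) return false
    if (rule.family    != null && rule.family    != pkt.family)    return false
    if (rule.protocol  != null && rule.protocol  != pkt.protocol)  return false
    if (rule.icmpType  != null && rule.icmpType  != pkt.icmpType)  return false
    inRange(pkt.sourceAddress,      rule.sourceAddressStart,      rule.sourceAddressEnd,      true) &&
    inRange(pkt.destinationAddress, rule.destinationAddressStart, rule.destinationAddressEnd, true) &&
    inRange(pkt.sourcePort,         rule.sourcePortStart,         rule.sourcePortEnd,         false) &&
    inRange(pkt.destinationPort,    rule.destinationPortStart,    rule.destinationPortEnd,    false)
}

// Walk the rules in position order; the first match decides and the rest are ignored.
Map firstMatch(List<Map> rules, Map pkt) {
    Map hit = rules.sort(false) { it.position.toInteger() }.find { matches(it, pkt) }
    [action: hit?.action, position: hit?.position]
}

// Constructed inbound packet to a server at 203.0.113.10 (documentation address).
Map inbound(String protocol, String sourceAddress, String destinationPort) {
    [direction: 'in', family: 'IPv4', protocol: protocol,
     sourceAddress: sourceAddress, destinationAddress: '203.0.113.10',
     sourcePort: '51000', destinationPort: destinationPort]
}

// Constructed rule list: HTTPS from anywhere, SSH only from a management range,
// everything else on port 22 dropped explicitly, then the Control Panel default rule.
List<Map> rules = [
    [position: '1', direction: 'in', family: 'IPv4', protocol: 'tcp', action: 'accept',
     destinationPortStart: '443', destinationPortEnd: '443', comment: 'HTTPS from anywhere'],
    [position: '2', direction: 'in', family: 'IPv4', protocol: 'tcp', action: 'accept',
     sourceAddressStart: '198.51.100.0', sourceAddressEnd: '198.51.100.255',
     destinationPortStart: '22', destinationPortEnd: '22', comment: 'SSH from the management range'],
    [position: '3', direction: 'in', family: 'IPv4', protocol: 'tcp', action: 'drop',
     destinationPortStart: '22', destinationPortEnd: '22', comment: 'SSH from everywhere else'],
    [position: '4', direction: 'in', action: 'drop'],                 // default rule
]

assert firstMatch(rules, inbound('tcp', '198.51.100.7', '22')).position == '2'
assert firstMatch(rules, inbound('tcp', '192.0.2.9',    '22')).action   == 'drop'
assert firstMatch(rules, inbound('tcp', '192.0.2.9',   '443')).position == '1'
assert firstMatch(rules, inbound('udp', '192.0.2.9',    '53')).position == '4'   // only the default rule matches

// Ordering caveat: with rules 2 and 3 swapped, the broad drop is evaluated first
// and shadows the management exception, so administrators are locked out too.
List<Map> swapped = rules.collect { Map r -> r + [position: [2: '3', 3: '2'][r.position.toInteger()] ?: r.position] }
assert firstMatch(swapped, inbound('tcp', '198.51.100.7', '22')).action == 'drop'
```

The last two lines are the point of the exercise: because evaluation stops at the first match, a broad rule placed before a narrower exception silently shadows it, and the only way to notice from the API is to replay representative traffic against the list in position order, as this script does.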
A list of firewall rules for a server can be fetched using the Firewall Rules API.
Firewall rules must be created one by one. The description of the firewall rule can be created using the Builder API, and the description then passed to the Firewall creation API.
import static fi.linuxbox.upcloud.resource.Builder.firewallRule
import fi.linuxbox.upcloud.resource.FirewallRule

// Describe the rule with the Builder DSL; position is left unset, so the rule is appended.
def acceptHttp = firewallRule {
    action = 'accept'
    comment = 'Allow HTTP from anywhere'
    destinationPortEnd = '80'
    destinationPortStart = '80'
    direction = 'in'
    family = 'IPv4'
    protocol = 'tcp'
}

// Create it on the server; the callback receives either the response or an error.
serverApi.createFirewallRule acceptHttp, { resp, err ->
    assert resp?.firewallRule instanceof FirewallRule
}
If the position property is not specified, then the rule will be appended to the list of rules. If the position is specified, then the rule is inserted at that position, and any following rules will have their positions increased by one.
Firewall rules can not be modified. Modification must be emulated by deleting the rule that is to be updated, and then creating a new rule with the same position as the old rule.
Firewall rules must be removed one by one using the Firewall rule deletion API.
// Remove the rule at the given position; the rules after it move up by one.
serverApi.deleteFirewallRule position, { resp, err ->
    ...
}
If the removed rule is not the last rule, the position property of the following rules will be decreased by one.
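Because rules are evaluated against whatever list exists at the moment a packet arrives, the order of the two calls used to emulate a modification matters. The following Groovy script is an added example, not code from the groovy-upcloud client or from UpCloud; it assumes `serverApi` is an already-configured server API instance, that callbacks take the `(resp, err)` shape shown on this page, and that the position handed to `deleteFirewallRule` may be passed as a String (the type of the position property). The management range is constructed for the example. It creates the replacement at position N first and then deletes the old rule from N+1, an ordering derived from the documented position shifting rather than the delete-then-create sequence stated above.

```groovy
import static fi.linuxbox.upcloud.resource.Builder.firewallRule

// Added example, not part of the groovy-upcloud client. Assumes serverApi is an
// already-configured server API instance and that callbacks take the (resp, err)
// shape shown on this page; passing the position to deleteFirewallRule as a String
// is an assumption based on the type of the position property.

// Build the replacement first: a bad description then fails while the old rule
// is still in place.
def sshFromManagementOnly = firewallRule {
    position             = '2'          // must equal the position handed to replaceFirewallRule below
    action               = 'accept'
    comment              = 'Allow SSH only from the management range (constructed example)'
    direction            = 'in'
    family               = 'IPv4'
    protocol             = 'tcp'
    sourceAddressStart   = '198.51.100.0'
    sourceAddressEnd     = '198.51.100.255'
    destinationPortStart = '22'
    destinationPortEnd   = '22'
}

// Emulated modification of the rule at `position`. The replacement is created at
// that position first, which pushes the old rule to position + 1 (documented
// behaviour of inserting at a position); the old rule is then deleted from there.
// At every moment a rule for this traffic is in place, and the new rule wins the
// first-match walk as soon as it exists.
def replaceFirewallRule = { int position, replacement, Closure done ->
    serverApi.createFirewallRule replacement, { resp, err ->
        if (err) {
            done(null, err)                   // nothing inserted, old rule untouched
            return
        }
        String oldPosition = (position + 1).toString()
        serverApi.deleteFirewallRule oldPosition, { delResp, delErr ->
            done(delErr ? null : resp, delErr)
        }
    }
}

replaceFirewallRule(2, sshFromManagementOnly, { resp, err ->
    assert !err
    assert resp?.firewallRule?.position == '2'
})
```

With the delete-then-create order there is a window in which no rule occupies position N, so packets arriving then are judged by the remaining rules and ultimately by the default rule; for a rule that restricts access, creating the replacement before deleting the original avoids that window, and a failed create leaves the original untouched.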
Fields inherited from class | Fields
---|---
class Resource | __$stMC
Type | Name and description
---|---
String | action - Action to take if a network packet matches this firewall rule: accept, or drop.
String | comment - Human readable explanation of this firewall rule.
String | destinationAddressEnd - The end of the destination IP address range this rule applies to.
String | destinationAddressStart - The start of the destination IP address range this rule applies to.
String | destinationPortEnd - The end of the destination (TCP/UDP) port range this rule applies to: 1-65535.
String | destinationPortStart - The start of the destination (TCP/UDP) port range this rule applies to: 1-65535.
String | direction - Whether this rule applies to incoming or outgoing traffic: in or out.
String | family - The IP address family this rule applies to: IPv4 or IPv6.
String | icmpType - The ICMP type this rule applies to: 1-255.
String | position - Position of this firewall rule in the server's firewall rule list.
String | protocol - The network protocol this rule applies to: tcp, udp, or icmp.
String | sourceAddressEnd - The end of the source IP address range this rule applies to.
String | sourceAddressStart - The start of the source IP address range this rule applies to.
String | sourcePortEnd - The end of the source (TCP/UDP) port range this rule applies to: 1-65535.
String | sourcePortStart - The start of the source (TCP/UDP) port range this rule applies to: 1-65535.
Methods inherited from class | Name
---|---
class Resource | setProperty, getProperty, toString, asType, getMetaClass, setMetaClass, wrapper, propertyMissing, propertyMissing, methodMissing, proj, invokeMethod, this$dist$invoke$1, this$dist$set$1, this$dist$get$1, super$1$toString, getHTTP, getSESSION, getMETA, wait, wait, wait, equals, hashCode, getClass, notify, notifyAll
class Object | wait, wait, wait, equals, toString, hashCode, getClass, notify, notifyAll
String action
Action to take if a network packet matches this firewall rule: accept, or drop.
This is available in all firewall rule responses, and must be set when creating firewall rules. Action accept lets the packet through. Action drop blocks the packet without sending an error.
String comment
Human readable explanation of this firewall rule.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule.
String destinationAddressEnd
The end of the destination IP address range this rule applies to.
This is a string representation of the IP address: either in dotted decimal notation (for IPv4 family), or hexadecimal representation (for IPv6 family).
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then destinationAddressStart property must be set also. If destinationAddressStart property is set, then this must be set also.
String destinationAddressStart
The start of the destination IP address range this rule applies to.
This is a string representation of the IP address: either in dotted decimal notation (for IPv4 family), or hexadecimal representation (for IPv6 family).
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then destinationAddressEnd property must be set also. If destinationAddressEnd property is set, then this must be set also.
String destinationPortEnd
The end of the destination (TCP/UDP) port range this rule applies to: 1-65535.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then destinationPortStart property must be set also. If destinationPortStart property is set, then this must be set also.
String destinationPortStart
The start of the destination (TCP/UDP) port range this rule applies to: 1-65535.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then destinationPortEnd property must be set also. If destinationPortEnd property is set, then this must be set also.
String direction
Whether this rule applies to incoming or outgoing traffic: in or out.
This is available in all firewall rule responses, and must be set when creating firewall rules.
String family
The IP address family this rule applies to: IPv4 or IPv6.
This is available in all firewall rule responses, and must be set when creating firewall rules if protocol is set.
String icmpType
The ICMP type this rule applies to: 1-255.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule.
String position
Position of this firewall rule in the server's firewall rule list.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. Position of the first rule is 1 and the maximum number of rules per server is 1000.
String protocol
The network protocol this rule applies to: tcp, udp, or icmp.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set when creating a rule, the family property must be set also.
String sourceAddressEnd
The end of the source IP address range this rule applies to.
This is a string representation of the IP address: either in dotted decimal notation (for IPv4 family), or hexadecimal representation (for IPv6 family).
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then sourceAddressStart property must be set also. If sourceAddressStart property is set, then this must be set also.
String sourceAddressStart
The start of the source IP address range this rule applies to.
This is a string representation of the IP address: either in dotted decimal notation (for IPv4 family), or hexadecimal representation (for IPv6 family).
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then sourceAddressEnd property must be set also. If sourceAddressEnd property is set, then this must be set also.
String sourcePortEnd
The end of the source (TCP/UDP) port range this rule applies to: 1-65535.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then sourcePortStart property must be set also. If sourcePortStart property is set, then this must be set also.
String sourcePortStart
The start of the source (TCP/UDP) port range this rule applies to: 1-65535.
This is available in all firewall rule responses, and can optionally be set when creating a firewall rule. If this is set, then sourcePortEnd property must be set also. If sourcePortEnd property is set, then this must be set also.
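The pairing and range constraints listed for the properties above are easy to violate when rule descriptions are assembled from configuration files, and a rejected create call is the only feedback the API gives. The following Groovy script is an added example, not code from the groovy-upcloud client or from UpCloud: `lintFirewallRule` and `inBounds` are names chosen here, the rule is a plain map keyed by the property names above, the sample rules are constructed, and the check that a port range's start does not exceed its end is an assumption not stated on this page.

```groovy
// Added example, not part of the groovy-upcloud client: a pre-flight lint of a rule
// description (a plain map keyed by the property names documented above) against
// the constraints on this page, run before the map is turned into a FirewallRule.

boolean inBounds(String v, int lo, int hi) {
    v != null && v.isInteger() && (v as int) in lo..hi
}

List<String> lintFirewallRule(Map r) {
    List<String> problems = []
    if (!(r.action in ['accept', 'drop']))   problems << 'action must be accept or drop'
    if (!(r.direction in ['in', 'out']))     problems << 'direction must be in or out'
    if (r.family != null && !(r.family in ['IPv4', 'IPv6'])) problems << 'family must be IPv4 or IPv6'
    if (r.protocol != null) {
        if (!(r.protocol in ['tcp', 'udp', 'icmp'])) problems << 'protocol must be tcp, udp or icmp'
        if (r.family == null) problems << 'family must be set when protocol is set'
    }
    // Start/end properties must be set together (documented for every address and port range).
    [['sourceAddressStart', 'sourceAddressEnd'],
     ['destinationAddressStart', 'destinationAddressEnd'],
     ['sourcePortStart', 'sourcePortEnd'],
     ['destinationPortStart', 'destinationPortEnd']].each { pair ->
        def (start, end) = pair
        if ((r[start] == null) != (r[end] == null)) problems << "$start and $end must be set together".toString()
    }
    // Numeric bounds from the property table.
    ['sourcePortStart', 'sourcePortEnd', 'destinationPortStart', 'destinationPortEnd'].each { p ->
        if (r[p] != null && !inBounds(r[p], 1, 65535)) problems << "$p must be 1-65535".toString()
    }
    if (r.icmpType != null && !inBounds(r.icmpType, 1, 255))  problems << 'icmpType must be 1-255'
    if (r.position != null && !inBounds(r.position, 1, 1000)) problems << 'position must be 1-1000'
    // Assumption (not stated on the page): a port range whose start exceeds its end is a mistake.
    [['sourcePortStart', 'sourcePortEnd'], ['destinationPortStart', 'destinationPortEnd']].each { pair ->
        def (start, end) = pair
        if (inBounds(r[start], 1, 65535) && inBounds(r[end], 1, 65535) && (r[start] as int) > (r[end] as int))
            problems << "$start is greater than $end".toString()
    }
    problems
}

// Constructed inputs: one well-formed rule and one with three documented violations.
Map good = [action: 'accept', direction: 'in', family: 'IPv4', protocol: 'tcp',
            sourceAddressStart: '198.51.100.0', sourceAddressEnd: '198.51.100.255',
            destinationPortStart: '22', destinationPortEnd: '22', comment: 'SSH from management range']
Map bad  = [action: 'accept', direction: 'in', protocol: 'tcp',
            sourcePortStart: '1024', destinationPortStart: '443', destinationPortEnd: '80']

assert lintFirewallRule(good).isEmpty()
assert lintFirewallRule(bad) == [
    'family must be set when protocol is set',
    'sourcePortStart and sourcePortEnd must be set together',
    'destinationPortStart is greater than destinationPortEnd',
]
```

Running this over every rule before the one-by-one create calls turns a partially applied rule set (some rules created, one rejected mid-way) into an all-or-nothing check done locally.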