Create a cloud firewall
A cloud firewall is default-deny: any inbound or outbound traffic that no rule explicitly allows is denied. If you create a firewall without rules and assign it to a cloud router port, all traffic on that router's subnet is denied. Assigning a firewall to a router also terminates all active sessions on that subnet, so plan the assignment for a maintenance window.
Control panel
OpenStack CLI
Terraform
Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Firewalls section.
3. Click Create Firewall.
4. Select the pool where the firewall will be created.
5. Optional: select the private subnet whose cloud router should filter traffic. The firewall is assigned to the cloud router port on this private subnet. You can also assign a firewall to a router port after the firewall has been created.
6. Select the direction of traffic: Incoming traffic or Outgoing traffic. Each direction has its own rule list; steps 7 to 17 are repeated for each direction.

   Incoming traffic

   7. If one of the inbound rule templates suits you, click it. The Protocol, Source, Source Port, Destination, and Destination Port fields are filled in automatically. Proceed to step 15.
   8. If no template suits you, add your own inbound rule: click Add Inbound Traffic Rule.
   9. Select an action:
      - Allow: allow the traffic;
      - Deny: deny the traffic.
   10. Select a protocol: ICMP, TCP, UDP, or All (Any).
   11. Enter the traffic source (Source): an IP address, a subnet, or all addresses (Any).
   12. Enter the source port (Src. port): a single port, a range of ports, or all ports (Any).
   13. Enter the Destination: an IP address, a subnet, or Any. If you specify a subnet, the rule applies to all devices on that subnet.
   14. Enter the destination port (Dst. port): a single port, a range of ports, or all ports (Any).
       Traffic to any TCP/UDP port that Servercore blocks by default is denied even if you allow that port in a rule.
   15. Enter a name for the rule or keep the automatically generated one.
   16. Optional: enter a comment for the rule.
   17. Click Add. You can modify the rule after the firewall has been created.

   Outgoing traffic

   7. If one of the outbound rule templates suits you, click it. The Protocol, Source, Source Port, Destination, and Destination Port fields are filled in automatically. Proceed to step 15.
   8. If no template suits you, add your own outbound rule: click Add Outbound Traffic Rule.
   9. Select an action:
      - Allow: allow the traffic;
      - Deny: deny the traffic.
   10. Select a protocol: ICMP, TCP, UDP, or All (Any).
   11. Enter the traffic source (Source): an IP address, a subnet, or all addresses (Any). If you specify a subnet, the rule applies to all devices on that subnet.
   12. Enter the source port (Src. port): a single port, a range of ports, or all ports (Any).
   13. Enter the traffic destination (Destination): an IP address, a subnet, or Any.
   14. Enter the destination port (Dst. port): a single port, a range of ports, or all ports (Any).
       Traffic to any TCP/UDP port that Servercore blocks by default is denied even if you allow that port in a rule.
   15. Enter a name for the rule or keep the automatically generated one.
   16. Optional: enter a comment for the rule.
   17. Click Add. You can modify the rule after the firewall has been created.

18. Check the order of the rules: they are evaluated from top to bottom, and the first rule that matches the traffic is applied, so place specific rules above general ones. Change the order by dragging and dropping rules if necessary. You can also reorder rules after the firewall has been created.
19. Optional: to add another rule to the firewall, go to step 6. You can add up to 100 rules per traffic direction.
20. Enter a name for the firewall or keep the automatically generated one.
21. Optional: enter a comment for the firewall.
22. Click Create Firewall.
OpenStack CLI

1. Create a rule:

   openstack firewall group rule create \
     --action <action> \
     --protocol <protocol> \
     [--source-ip-address <source_ip_address> | --no-source-ip-address] \
     [--source-port <source_port> | --no-source-port] \
     [--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
     [--destination-port <destination_port> | --no-destination-port]

   Specify:
   - <action>: allow to allow the traffic, deny to deny it;
   - <protocol>: icmp, tcp, udp, or any for all protocols;
   - traffic source:
     - --source-ip-address <source_ip_address>: an IP address or subnet. If you specify a subnet and use the rule in an egress (outbound) policy, the rule applies to all devices on that subnet;
     - --no-source-ip-address: all addresses (Any);
   - source port:
     - --source-port <source_port>: a single port or a range of ports;
     - --no-source-port: all ports (Any);
   - traffic destination:
     - --destination-ip-address <destination_ip_address>: an IP address or subnet. If you specify a subnet and use the rule in an ingress (inbound) policy, the rule applies to all devices on that subnet;
     - --no-destination-ip-address: all addresses (Any);
   - destination port:
     - --destination-port <destination_port>: a single port or a range of ports;
     - --no-destination-port: all ports (Any).

   Traffic to any TCP/UDP port that Servercore blocks by default is denied even if you allow that port in a rule.

2. Create a policy for the firewall:

   openstack firewall group policy create \
     --firewall-rule <firewall_rule> \
     <policy_name>

   Specify:
   - <firewall_rule>: the ID or name of a rule. List rules with openstack firewall group rule list. To add several rules, repeat --firewall-rule once per rule. The rules are evaluated in the order given, and the first rule that matches the traffic is applied;
   - <policy_name>: the policy name.

3. Create a firewall:

   openstack firewall group create \
     [--ingress-firewall-policy <firewall_ingress_policy> | --no-ingress-firewall-policy] \
     [--egress-firewall-policy <firewall_egress_policy> | --no-egress-firewall-policy] \
     --port <router_port>

   Specify:
   - policy for inbound traffic:
     - --ingress-firewall-policy <firewall_ingress_policy>: the ID or name of the inbound policy. List policies with openstack firewall group policy list. A firewall can have only one inbound policy;
     - --no-ingress-firewall-policy: specify if there is no inbound policy;
   - policy for outbound traffic:
     - --egress-firewall-policy <firewall_egress_policy>: the ID or name of the outbound policy. List policies with openstack firewall group policy list. A firewall can have only one outbound policy;
     - --no-egress-firewall-policy: specify if there is no outbound policy;
   - <router_port>: the ID or name of the router port to which the firewall is assigned. List ports with openstack port list. To assign the firewall to several router ports, repeat --port once per port.
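The following script is an added example, not Servercore's or OpenStack's own code; it runs the rule, policy and firewall steps of both the control-panel and CLI procedures above end to end with the OpenStack CLI. The router port name, the admin subnet and every rule, policy and firewall name in it are assumptions chosen for illustration. With DRY_RUN=1 (the default) it only prints the commands it would run; set DRY_RUN=0 to execute them in an authenticated OpenStack CLI session.

```shell
#!/bin/sh
# Added example (not Servercore's or OpenStack's own script): builds a
# default-deny firewall on a cloud router port with the OpenStack CLI.
# Assumed values: ROUTER_PORT, ADMIN_NET and all fw-* names below.
set -eu

DRY_RUN="${DRY_RUN:-1}"                                 # 1 = print only, 0 = execute
ROUTER_PORT="${ROUTER_PORT:-router-port-private-net}"   # assumed router port name
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"                  # assumed admin subnet (RFC 5737 range)

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# rule NAME ACTION PROTOCOL SRC SRC_PORT DST DST_PORT
# An empty SRC/SRC_PORT/DST/DST_PORT means "Any" and becomes the CLI's --no-* flag,
# mirroring the Source / Src. port / Destination / Dst. port fields in the panel.
rule() {
  r_name=$1 r_action=$2 r_proto=$3 r_src=$4 r_sport=$5 r_dst=$6 r_dport=$7
  set -- openstack firewall group rule create \
    --name "$r_name" --action "$r_action" --protocol "$r_proto"
  if [ -n "$r_src" ];   then set -- "$@" --source-ip-address "$r_src";      else set -- "$@" --no-source-ip-address;      fi
  if [ -n "$r_sport" ]; then set -- "$@" --source-port "$r_sport";          else set -- "$@" --no-source-port;            fi
  if [ -n "$r_dst" ];   then set -- "$@" --destination-ip-address "$r_dst"; else set -- "$@" --no-destination-ip-address; fi
  if [ -n "$r_dport" ]; then set -- "$@" --destination-port "$r_dport";     else set -- "$@" --no-destination-port;       fi
  run "$@"
}

# create_firewall: rules, one policy per direction, then the firewall group on
# the router port. Rule order inside a policy is the evaluation order (first
# match wins); anything no rule allows is denied by the firewall itself.
create_firewall() {
  # Inbound: SSH only from the admin subnet, HTTPS from anywhere, ICMP (ping, PMTU).
  rule fw-in-ssh   allow tcp  "$ADMIN_NET" "" "" 22
  rule fw-in-https allow tcp  "" "" "" 443
  rule fw-in-icmp  allow icmp "" "" "" ""
  run openstack firewall group policy create \
    --firewall-rule fw-in-ssh --firewall-rule fw-in-https --firewall-rule fw-in-icmp fw-ingress

  # Outbound: DNS and HTTPS only, which closes most exfiltration and C2 channels.
  rule fw-out-dns   allow udp "" "" "" 53
  rule fw-out-https allow tcp "" "" "" 443
  run openstack firewall group policy create \
    --firewall-rule fw-out-dns --firewall-rule fw-out-https fw-egress

  # Assigning the group to the router port drops all active sessions on that subnet.
  run openstack firewall group create --name fw-private \
    --ingress-firewall-policy fw-ingress --egress-firewall-policy fw-egress \
    --port "$ROUTER_PORT"

  # Check: the group should reach status ACTIVE and show both policy IDs.
  run openstack firewall group show fw-private
}

create_firewall
```

Keep the allow rules narrow and ordered from most to least specific; because nothing unmatched gets through, there is no need for a trailing deny-all rule. If a rule has to be moved later, `openstack firewall group policy add rule <policy> <rule> --insert-before <other_rule>` places it at a given position instead of appending it at the end.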
Terraform

Use the instructions in the Terraform documentation: