Introducing Cloud Firewall

The Cloud Firewall is a feature of the Joyent Cloud that centralizes control of network traffic filtering rules across SmartOS instances.

Overview

Cloud Firewall maintains a list of rules that apply to all of the SmartOS instances in a datacenter that have the Cloud Firewall feature enabled. Rules can apply to:

  • a specific instance
  • a specific IP address or an IP subnet
  • all the instances in the datacenter (that have the feature enabled)
  • instances with a particular tag

Tags are one of the most common ways to apply Cloud Firewall rules to a pool of instances. Tags are user-defined name/value pairs attached to an instance. You can use tags to identify groups of instances. For example, all of your web servers might have the tag role=Web, and all of your databases might have the tag role=database. Tags do not have to have values. You can simply tag instances with a name. Instead of using the role tag, you might just want to use the Web tag without a value to identify your web servers. You can learn more about tags here.

The Cloud Firewall Rules feature is enabled or disabled on a per-instance basis. A newly created instance has it disabled by default.

(This Cloud Firewall feature currently does not work with KVM instances, meaning that Linux, Windows, and other OSes should be protected by enabling and using local firewall software like iptables or Windows Firewall.)

Creating a rule

When FIRST using Cloud Firewall rules:

  1. Add a new rule
  2. Enable the Cloud Firewall Rules feature on each instance

In this example, you will set up rules that allow SSH, HTTP, and HTTPS access.

After logging into my.joyent.com, go to the Firewall section in the main menu, and click Add New Rule to expose the form.

[Screenshot: cfw-addnew]

Verify or set the first part of the form as below:

  • Action: Allow
  • State: Enabled
  • Data Center: The datacenter that houses your instances. If you don't have any instances, use the default, us-east-1.

In the Protocol column, choose TCP and set Port to 22. This is the SSH port.

In the From column, choose Any. This means that you'll accept traffic from any machine on the Internet (on port 22).

In the To column, choose All my VMs in DC. This means that the traffic on port 22 from anywhere on the Internet can go to any of the SmartOS instances in the datacenter you selected.

Click the Add, Add From, and Add To buttons under each column to set the rule.

[Screenshot: cfw-anyrule]

Click Create Rule, and the rule to allow SSH traffic from anywhere in the Internet will appear in the list.

Now you need to create the rules to allow HTTP and HTTPS traffic. You do this the same way. Click Add New Rule. Set the Action, State, and Data Center values as before. For the HTTP rule, use:

  • TCP Port 80. This is the port for HTTP traffic.
  • From: Any

This time, in the To column, choose Tag. A new field, Tag Name, will appear. Set this to Role. Another field, Value, will appear below it. Set this field to Web.

[Screenshot: cfw-tagrule]

Click Create Rule, and the rule to allow HTTP traffic from anywhere in the Internet to any SmartOS instance with the tag Role=Web will appear in the list.

Finally, create the rule for HTTPS traffic. Click Add New Rule. Set the Action, State, and Data Center values as before. For the HTTPS rule, use:

  • TCP Port 443. This is the port for HTTPS traffic.
  • From: Any

In the To column, choose Tag. Set Tag Name to Role. Set Value to Web.

Click Create Rule, and the rule to allow HTTPS traffic from anywhere in the Internet to any SmartOS instance with the tag Role=Web will appear in the list.

You now have three rules ready to be enforced.

[Screenshot: cfw-rulesdone]

Enabling the rules on an instance

If you have existing SmartOS instances that do not have the Cloud Firewall feature enabled, they will appear in the list below. Click one to which you would like to apply these rules (it must be in the same datacenter in which you defined the rules). If you don't have any SmartOS instances, click Create Instance (it's in the upper right) and create a SmartOS instance with a base image. Wait for it to provision and proceed below.

In the Instance Detail page, scroll down to the Tags section.

[Screenshot: cfw-instance]

Click Add New Tag. Set the name to Role and the value to Web, and click Save.

Scroll down further to the Cloud Firewall section.

The two default rules are already there. Click Enable to turn on the feature. Refresh the page, and you should see a total of four rules. (The ICMP rule is a system rule that cannot be deleted.)

[Screenshot: cfw-instanceon]

If you run a port scan against the external interface of that machine, you will see those ports open and everything else closed.
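To make the expected result of that check explicit, here is an added example (my own code, not Joyent's or the page's) that models the three rules created above, renders each in the text form the Cloud Firewall rule syntax uses, and computes which TCP ports an instance exposes from its tags, datacenter and whether the feature is enabled. The string form is my rendering of the rule syntax and should be checked against the Cloud Firewall Rules Reference before use with CloudAPI; the datacenter name, UUIDs and class names are constructed assumptions.

```python
# Added example, not Joyent's code: model the tutorial's three rules, render
# each in Cloud Firewall rule syntax (string form as I read the Cloud Firewall
# Rules Reference), and work out which TCP ports an instance exposes once the
# feature is enabled. Datacenter name and UUIDs are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    port: int                       # TCP port the rule allows, from "any" on the Internet
    to_kind: str                    # "all vms", "tag" or "vm" (the To column)
    to_name: str = ""               # tag name, or the vm uuid
    to_value: Optional[str] = None  # tag value; None means a tag without a value
    datacenter: str = "us-east-1"   # rules only apply inside their own datacenter
    enabled: bool = True            # the State field

    def text(self) -> str:
        """Render the rule the way the rule syntax writes it (my rendering)."""
        if self.to_kind == "all vms":
            target = "all vms"
        elif self.to_kind == "tag":
            target = f"tag {self.to_name}" + (f" = {self.to_value}" if self.to_value is not None else "")
        else:
            target = f"vm {self.to_name}"
        return f"FROM any TO {target} ALLOW tcp PORT {self.port}"

    def applies_to(self, inst: "Instance") -> bool:
        """A rule reaches an instance only when enabled and in the same datacenter."""
        if not self.enabled or inst.datacenter != self.datacenter:
            return False
        if self.to_kind == "all vms":
            return True
        if self.to_kind == "tag":
            return self.to_name in inst.tags and (
                self.to_value is None or inst.tags[self.to_name] == self.to_value)
        return inst.uuid == self.to_name

@dataclass
class Instance:
    uuid: str
    datacenter: str
    firewall_enabled: bool = False   # a new instance has the feature off
    tags: dict = field(default_factory=dict)

def exposed_tcp_ports(inst: Instance, rules) -> Optional[list]:
    """Ports reachable from the Internet; None means the instance is unfiltered."""
    if not inst.firewall_enabled:
        return None
    return sorted({r.port for r in rules if r.applies_to(inst)})

# The tutorial's rules: SSH to every VM in the DC, HTTP and HTTPS only to Role=Web.
RULES = [Rule(22, "all vms"), Rule(80, "tag", "Role", "Web"), Rule(443, "tag", "Role", "Web")]
web = Instance("11111111-2222-3333-4444-555555555555", "us-east-1", True, {"Role": "Web"})
db = Instance("66666666-7777-8888-9999-000000000000", "us-east-1", True, {"Role": "database"})
```

The database instance, tagged differently, gets only port 22 from these rules, and an instance with the feature disabled is reported as unfiltered rather than as "no open ports".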

This concludes this tutorial. Stay safer out there with Cloud Firewall Rules.

Where to learn more

You can learn more about working with Cloud Firewall Rules here. In addition to the web interface described in this tutorial, you can use the CloudAPI command-line interface. The syntax for writing Cloud Firewall rules is in the Cloud Firewall Rules Reference.
