Firewall Rulesets

A Firewall Ruleset is your primary layer of defense. It acts as a virtual shield that controls exactly what traffic is allowed to enter or leave your services.


What is a Firewall?

Unlike a traditional physical firewall, these rulesets are applied directly to the virtual network interfaces of your resources. This means that security travels with the resource. Even if two Virtual Machines are on the same network, they cannot talk to each other unless you explicitly allow it in a Firewall Ruleset.


How it Works

The platform uses a Default Deny model for security:

  • Everything is blocked by default: Unless you create a rule to allow specific traffic, nothing gets in.
  • Rules are selective: You define rules based on the Protocol (TCP, UDP, ICMP), the Port (e.g., 80 for Web, 22 for SSH), and the Source/Destination (where the traffic is coming from or going to).
  • Inbound vs. Outbound: You can separately control traffic coming into your service (Ingress) and traffic leaving your service (Egress).

Building rules

A new ruleset starts empty — until you add a rule, nothing is allowed. There are no deny rules and no priorities: every rule allows traffic, and anything not matched by a rule is denied.

You build each rule from a type that pre-fills common settings, then refine it. Available types:

  • Custom: custom-tcp, custom-udp, custom-icmp
  • All-ports: all-tcp, all-udp, all-icmp
  • Presets: dns, http, https, ssh, rdp, mysql, smtp — these fill in the protocol and port for you (for example https → TCP 443, ssh → TCP 22).

Each rule has:

Field                | Values
Direction            | Ingress (inbound) or Egress (outbound)
Protocol             | TCP, UDP or ICMP
Port range           | Port Min / Port Max, 0-65535 (use the full range for "any port")
Source / Destination | A CIDR; defaults to 0.0.0.0/0 (anywhere)

ICMP and IP version

ICMP rules have no type/code fields — the port inputs are hidden for them. Rules apply to IPv4 traffic; IPv6 firewall rules are not configurable in the console.
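
The allow-only, default-deny evaluation described above can be modelled in a few lines of Python, together with a check for rules that leave the ssh, rdp or mysql ports open to the default 0.0.0.0/0 source. This is an added example, not the platform's own code; the Rule class, its field names, the helper functions and the sample rulesets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                       # hypothetical model of one rule's fields
    direction: str                # "ingress" or "egress"
    protocol: str                 # "tcp", "udp" or "icmp"
    port_min: int = 0             # ports are ignored for ICMP rules
    port_max: int = 65535         # full range means "any port"
    cidr: str = "0.0.0.0/0"       # default source/destination: anywhere

def is_allowed(ruleset, direction, protocol, port, peer_ip):
    """Default deny: traffic passes only if at least one allow rule matches.
    Order does not matter because there are no priorities and no deny rules."""
    peer = ipaddress.ip_address(peer_ip)
    for r in ruleset:
        if r.direction != direction or r.protocol != protocol:
            continue
        if peer not in ipaddress.ip_network(r.cidr):
            continue
        if protocol == "icmp" or r.port_min <= port <= r.port_max:
            return True
    return False                  # nothing matched, so the traffic is denied

# Well-known ports behind the ssh, rdp and mysql presets.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql"}

def audit(ruleset):
    """List ingress TCP rules that expose an admin or database port to anywhere."""
    findings = []
    for r in ruleset:
        if r.direction != "ingress" or r.protocol != "tcp":
            continue
        if ipaddress.ip_network(r.cidr).prefixlen != 0:
            continue              # source is restricted, not "anywhere"
        for port, name in sorted(ADMIN_PORTS.items()):
            if r.port_min <= port <= r.port_max:
                findings.append(f"{name} (TCP {port}) open to {r.cidr}")
    return findings

# Constructed sample rulesets (addresses are documentation ranges).
WEB = [Rule("ingress", "tcp", 443, 443),                  # https from anywhere
       Rule("ingress", "tcp", 22, 22, "203.0.113.0/24"),  # ssh from one range
       Rule("ingress", "icmp")]
WIDE = [Rule("ingress", "tcp")]   # an all-tcp rule left at the default source

if __name__ == "__main__":
    print(is_allowed(WEB, "ingress", "tcp", 22, "198.51.100.7"))
    print(audit(WIDE))
```

Because every rule is an allow rule, tightening access means narrowing or removing rules; a single broad rule such as WIDE cannot be offset by adding a more specific one.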

Editing and deleting

Editing a ruleset lets you change its name and description and freely add, remove or edit rules. Saving replaces the entire rule set with what is on screen.

Importing an existing security group (OpenStack)

On OpenStack infrastructures you can import an existing security group as a ruleset, by its security group ID. Deleting an imported ruleset only detaches it (the security group in your cloud is kept); deleting one you created removes it.

Interactions

Firewalls are applied at the point of connection:

  • Virtual Machines: When you attach a VM to a network, you select which Firewall Rulesets should protect that specific connection. You can apply multiple rulesets to a single interface.
  • Networks: While networks provide isolation, firewalls provide the granular "who-can-talk-to-whom" logic within or across those networks.