Firewall

What is Firewall?

A firewall is an access control policy that monitors the ingress and egress traffic of a VPC vRouter and allows or blocks specific traffic based on the rule sets and rules associated with the vRouter's NICs.

Concepts

  • Firewall rule set: A firewall rule set is a group of rules that a firewall uses to filter traffic. A rule set takes effect only after you associate it with the ingress or egress direction of a VPC vRouter NIC.
    • You can associate a rule set with the ingress or egress direction of a VPC vRouter NIC:
      • Ingress: applies to the traffic that flows into the specified VPC vRouter via the network.
      • Egress: applies to the traffic that flows out of the specified VPC vRouter via the network.
  • Firewall rule: A firewall rule is an access control entry that takes effect in the ingress or egress direction of a VPC vRouter NIC. A firewall rule consists of a priority, a match condition, and a behavior.
    • You can associate a rule with the ingress or egress direction of a VPC vRouter NIC:
      • Ingress: applies to the traffic that flows into the specified VPC vRouter via the network.
      • Egress: applies to the traffic that flows out of the specified VPC vRouter via the network.
    • Firewall rules are either custom rules or system rules:
      • Custom rules: rules that you define. You choose the direction (ingress or egress) in which a rule takes effect and configure its priority, match condition, and behavior.
        • Rule priority: the order in which a rule is matched relative to the other rules in the same direction. Valid values: 1001 to 2999.
          • Rules are evaluated in ascending order of the priority number, and the first rule whose match condition fits the traffic determines the behavior that is applied. A smaller number indicates a higher priority.
          • Give the more specific match condition the higher priority (smaller number), so that it is evaluated before a broader rule that would otherwise match the same traffic first.
        • Match condition: the criteria against which traffic flowing into or out of the VPC network is matched: source IP address, destination IP address, source port, destination port, packet status, and protocol.
          • You can specify one or more source and destination IP addresses as static IP addresses, IP ranges, CIDR blocks, or a mix of the three.
          • If you specify multiple entries and one or more of them are CIDR blocks, each CIDR block must use a /24 netmask. If you specify only one CIDR block, any netmask is allowed.
          • You can enter a maximum of ten entries, separated by commas (,).
        • Behavior: the action applied to traffic that meets the match condition. Valid values: accept, drop, and reject.
          • Accept: allows the matched traffic to flow in or out of the specified VPC vRouter.
          • Drop: discards the matched traffic silently, without responding to the client, which waits until its own timeout expires.
          • Reject: discards the matched traffic and sends a response to the client, which learns immediately that the connection was refused.
      • System rules: rules predefined to support system services. The system fixes the direction, priority, match condition, and behavior of these rules.
        • System rules use priorities from 1 to 1000 and from 4000 to 9999; the default rule in each direction uses priority 10000.
        • ZStack Cloud predefines the following system rules:
          • Rules that take effect in the ingress direction of VPC vRouter NICs:
            • Rule 1: priority 4000. Accepts established or related packets from any IP address and port to any IP address and port, using any protocol, flowing into the specified VPC vRouter via the network.
            • Rule 2: priority 9999. Accepts new packets from any IP address and port to any IP address and port, using any protocol, flowing into the specified VPC vRouter via the network.
            • Rule 3: the default rule, priority 10000. Rejects packets from any IP address and port to any IP address and port, using any protocol and in any status, flowing into the specified VPC vRouter via the network. You can modify the behavior of this rule. Valid values: accept, drop, and reject.
            • With these three rules alone, every new connection entering the NIC is accepted by rule 2, and the default rule is reached only by packets that are neither new, established, nor related. Traffic that you want to block in the ingress direction must therefore be matched by a custom rule (priority 1001 to 2999), which is evaluated before the system rules.
          • Rules that take effect in the egress direction of VPC vRouter NICs:
            • Rule 1: the default rule, priority 10000. Rejects packets from any IP address and port to any IP address and port, using any protocol and in any status, flowing out of the specified VPC vRouter via the network. You can modify the behavior of this rule. Valid values: accept, drop, and reject.
        • System rules cannot be modified, except for the behavior of the default rules.
        • System rules cannot be created or deleted.
  • Rule template: A rule template is a template that you can select when you add rules to a rule set or a firewall.
  • IP/Port set: An IP or port set is a set of IP addresses or ports that you can select when you add rules to a rule set or a firewall.

Fundamentals

ZStack Cloud allows you to associate rule sets and rules with the ingress and egress direction of VPC vRouter NICs. Traffic that flows into or out of those NICs is then filtered according to the rule priority, match condition, behavior, and the direction in which each rule takes effect. This protects data communication across VPC networks, the VPC vRouters themselves, and the business workloads behind them.

Figure 1. Firewall


Assume that a server and two VM instances are deployed in a VPC network to run business-critical applications. To protect them, firewall rule sets and rules are associated with the ingress or egress direction of the VPC vRouter NICs, so that only trusted traffic from the public network can reach the VM instances in the VPC network, and the server in the VPC network can reach server data in the public network.
  • When VM-1 attempts to access VM-3: The traffic from VM-1 is matched against the ingress rule set of the public NIC on the VPC vRouter. If it matches a drop or reject rule, the access is denied.
  • When VM-2 attempts to access VM-4: The traffic from VM-2 is matched against the ingress rule set of the public NIC on the VPC vRouter, and then against the egress rule set of the private NIC. If both rule sets accept the traffic, the access is allowed.
  • When Server-2 attempts to access Server-1: The traffic from Server-2 is matched against the ingress rule set of the private NIC on the VPC vRouter, and then against the egress rule set of the public NIC. If both rule sets accept the traffic, the access is allowed.
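The priority and system-rule semantics from Concepts and the two-NIC path in the scenario above, modeled as an added Python example that is not ZStack Cloud code. The Rule fields, the evaluate and forward functions, and all addresses (203.0.113.0/24 and 198.51.100.0/24 standing in for the public network, 10.0.1.0/24 for the VPC network) are this example's assumptions; it treats a flow through the vRouter as checked first against the inbound NIC's ingress rule set and then against the outbound NIC's egress rule set, as the scenario describes.

```python
"""Rule evaluation model for a VPC vRouter NIC firewall.

Added example, not ZStack Cloud code. It implements the semantics described
above: rules are tried in ascending priority number (a smaller number wins)
and the first match decides; custom rules use 1001-2999; the ingress system
rules are 4000 (accept established/related), 9999 (accept new) and 10000
(default, behavior configurable); the egress direction has only the 10000
default. Field names and all addresses are this example's assumptions:
203.0.113.0/24 and 198.51.100.0/24 stand in for the public network,
10.0.1.0/24 for the VPC network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_STATE = frozenset({"new", "established", "related", "invalid"})
CUSTOM_PRIORITIES = range(1001, 3000)          # 1001..2999 inclusive


@dataclass
class Rule:
    priority: int
    action: str                                # accept | drop | reject
    state: frozenset = ANY_STATE
    protocol: str = "any"
    src: tuple = ()                            # CIDR strings; () = any address
    dst: tuple = ()
    dport: Optional[range] = None              # None = any port
    enabled: bool = True
    desc: str = ""


def _ip_in(ip, cidrs):
    return not cidrs or any(ip_address(ip) in ip_network(c) for c in cidrs)


def matches(rule, pkt):
    return (rule.enabled
            and pkt["state"] in rule.state
            and rule.protocol in ("any", pkt["proto"])
            and (rule.dport is None or pkt.get("dport") in rule.dport)
            and _ip_in(pkt["src"], rule.src)
            and _ip_in(pkt["dst"], rule.dst))


def evaluate(rule_set, pkt):
    """Return (action, priority) of the first matching rule, lowest number first."""
    for rule in sorted(rule_set, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, rule.priority
    raise RuntimeError("rule set has no default rule")   # 10000 always matches


def ingress_system_rules(default_action="reject"):
    """The three predefined ingress rules; only the default's action is editable."""
    return [
        Rule(4000, "accept", state=frozenset({"established", "related"}), desc="system"),
        Rule(9999, "accept", state=frozenset({"new"}), desc="system"),
        Rule(10000, default_action, desc="system default"),
    ]


def egress_system_rules(default_action="reject"):
    return [Rule(10000, default_action, desc="system default")]


def add_custom(rule_set, rule):
    """Mirror the console checks: custom range only, priority unique in the set."""
    if rule.priority not in CUSTOM_PRIORITIES:
        raise ValueError(f"priority {rule.priority} is outside 1001-2999")
    if any(r.priority == rule.priority for r in rule_set):
        raise ValueError(f"priority {rule.priority} is already used in this rule set")
    rule_set.append(rule)


def forward(ingress_set, egress_set, pkt):
    """A flow crossing the vRouter is checked against the inbound NIC's ingress
    set and then the outbound NIC's egress set; both must accept it."""
    action, _ = evaluate(ingress_set, pkt)
    if action != "accept":
        return action
    return evaluate(egress_set, pkt)[0]


# Constructed scenario: public NIC ingress set and private NIC egress set.
SSH = range(22, 23)
public_ingress = ingress_system_rules()
add_custom(public_ingress, Rule(2000, "accept", protocol="tcp", dst=("10.0.1.0/24",), dport=SSH,
                                desc="broad: SSH into the VPC from anywhere"))
add_custom(public_ingress, Rule(1500, "drop", protocol="tcp", src=("203.0.113.0/24",), dport=SSH,
                                desc="specific, so higher priority: block one source net"))
private_egress = egress_system_rules()
add_custom(private_egress, Rule(1200, "accept", protocol="tcp", dst=("10.0.1.0/24",), dport=SSH))

SYN_FROM_VM1 = {"state": "new", "proto": "tcp", "src": "203.0.113.10", "dst": "10.0.1.30", "dport": 22}
SYN_FROM_VM2 = {"state": "new", "proto": "tcp", "src": "198.51.100.20", "dst": "10.0.1.40", "dport": 22}
HTTP_PROBE = {"state": "new", "proto": "tcp", "src": "198.51.100.20", "dst": "10.0.1.40", "dport": 80}
REPLY_FROM_VM4 = {"state": "established", "proto": "tcp", "src": "10.0.1.40", "dst": "198.51.100.20", "dport": 40000}

if __name__ == "__main__":
    print(forward(public_ingress, private_egress, SYN_FROM_VM1))   # drop: custom rule 1500
    print(forward(public_ingress, private_egress, SYN_FROM_VM2))   # accept: 2000, then 1200
    print(evaluate(public_ingress, HTTP_PROBE))                    # ('accept', 9999): no custom deny
    print(forward(public_ingress, private_egress, HTTP_PROBE))     # reject: egress default 10000
    print(evaluate(ingress_system_rules(), REPLY_FROM_VM4))        # ('accept', 4000)
```

Running it shows the two points worth taking from the system-rule tables: the more specific drop at 1500 wins over the broader accept at 2000 because it is evaluated first, and the HTTP probe, which no custom rule mentions, is still accepted on ingress by system rule 9999 and is only stopped by the egress default rule.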

Firewall vs Security Group

A firewall manages the south-north traffic of a VPC network. A security group manages the east-west traffic within a VPC network and is applied to VM NICs. The two services complement each other. The following list compares them item by item.
  • Application scope
    • Security group: VM NIC
    • Firewall: the entire VPC network
  • Deployment mode
    • Security group: distributed
    • Firewall: centralized
  • Deployment location
    • Security group: VM instance
    • Firewall: VPC vRouter
  • Configuration policy
    • Security group: supports only Allow and Reject policies
    • Firewall: allows you to configure Accept, Drop, or Reject policies as needed
  • Priority
    • Security group: allows you to customize priorities
    • Firewall: allows you to customize priorities
  • Match condition
    • Security group: source IP/security group, destination IP/security group, source port, destination port, and protocol
    • Firewall: source IP address, source port, destination IP address, destination port, protocol, and packet status

Create a Firewall

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. On the Firewall page, click Create Firewall. Then, the Create Firewall page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the firewall.
  • Description: Optional. Enter a description for the firewall.
  • VPC vRouter: Select the VPC vRouter that the firewall protects.
    Note: The VPC vRouter that you select must be in the Running state and must not already be associated with a firewall.
Figure 1. Create Firewall


After you create a firewall, you can add firewall rules on the details page to defend the VPC vRouter against attacks.

Manage a Firewall

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. Then, the Firewall page is displayed.

You can perform the following actions on a firewall:
  • Create Firewall: Create a firewall.
  • Delete Firewall: Delete a firewall.

Firewall Details

Add a Firewall Rule

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. Then, the Firewall page is displayed. You can add a firewall rule on the details page of Firewall or Rule Set.

If you choose to add a firewall rule from the details page of Firewall, click Add Rule. Then, the Add Rule page is displayed.

On the displayed page, set the following parameters:
  • Priority: Set the priority of the rule.
    Note:
    • A smaller number indicates a higher priority. Valid values: 1001 to 2999.
    • Priorities 1 to 1000 and 4000 to 9999 are reserved for the predefined system rules. You cannot add, edit, or delete a system rule, but you can modify the behavior of the default rules.
    • The priority of each rule in a rule set must be unique.
  • Action: Select how to handle traffic that matches the rule. Valid values: Accept, Drop, and Reject.
    • Accept: Accept the traffic that flows in or out of the specified VPC vRouter.
    • Drop: Drop the traffic that flows in or out of the specified VPC vRouter without responding to the client.
    • Reject: Reject the traffic that flows in or out of the specified VPC vRouter and respond to the client.
  • Packet Status: Optional. Select the packet (connection) status that the rule matches. For example, if you select new, all packets that open a new connection are processed according to the action of this rule.
    • new: new connection requests
    • established: packets that belong to an established connection
    • invalid: packets that cannot be associated with any known connection
    • related: new connection requests that are associated with an existing connection
  • Protocol: Select the protocol that the rule matches. For example, if you select TCP, all TCP traffic is processed according to the action of this rule.
  • IP Address: Optional. Set the source IP address and destination IP address that the rule matches.
    • You can specify an IP address, an IP range, or a CIDR block. If you specify an IP range, use a hyphen (-) to indicate the range, for example, 192.168.0.1-192.168.0.100.
    • You can specify up to 10 source or destination entries. If you specify more than one entry (IP addresses, IP ranges, or CIDR blocks), separate them with commas (,).
    • If you specify more than one entry and one or more of them are CIDR blocks, each CIDR block must use a /24 netmask. If you specify only one CIDR block, any netmask is allowed.
    • You can select an IP/port set to fill in the IP addresses quickly.
  • Description: Optional. Enter a description for the rule.
  • Enable Now: Specify whether to enable the rule as soon as it is added. If you do not select this option, the rule is added in the disabled state and has no effect until you enable it manually.
  • Save as Rule Template: Save the current rule configuration as a rule template.
Figure 1. Add Rule


If you choose to add a firewall rule from the details page of Rule Set, click Add Rule. Then, the Add Rule page is displayed. You can add a rule by one of the following methods:
  • Manual addition
  • Import template

Manual Addition

With this method, you enter the rule parameters, including individual IP addresses or IP ranges, directly in the console. You can add a maximum of 1998 rules to the Cloud in one batch.

To use this method, set the following parameters:
  • Priority: Set the priority of the rule.
    Note:
    • A smaller number indicates a higher priority. Valid values: 1001 to 2999.
    • Priorities 1 to 1000 and 4000 to 9999 are reserved for the predefined system rules. You cannot add, edit, or delete a system rule, but you can modify the behavior of the default rules.
    • The priority of each rule in a rule set must be unique.
  • Action: Select how to handle traffic that matches the rule. Valid values: Accept, Drop, and Reject.
    • Accept: Accept the traffic that flows in or out of the specified VPC vRouter.
    • Drop: Drop the traffic that flows in or out of the specified VPC vRouter without responding to the client.
    • Reject: Reject the traffic that flows in or out of the specified VPC vRouter and respond to the client.
  • Packet Status: Optional. Select the packet (connection) status that the rule matches. For example, if you select new, all packets that open a new connection are processed according to the action of this rule.
    • new: new connection requests
    • established: packets that belong to an established connection
    • invalid: packets that cannot be associated with any known connection
    • related: new connection requests that are associated with an existing connection
  • Protocol: Select the protocol that the rule matches. For example, if you select TCP, all TCP traffic is processed according to the action of this rule.
  • IP Address: Optional. Set the source IP address and destination IP address that the rule matches.
    • You can specify an IP address, an IP range, or a CIDR block. If you specify an IP range, use a hyphen (-) to indicate the range, for example, 192.168.0.1-192.168.0.100.
    • You can specify up to 10 source or destination entries. If you specify more than one entry (IP addresses, IP ranges, or CIDR blocks), separate them with commas (,).
    • If you specify more than one entry and one or more of them are CIDR blocks, each CIDR block must use a /24 netmask. If you specify only one CIDR block, any netmask is allowed.
    • You can select an IP/port set to fill in the IP addresses quickly.
  • Description: Optional. Enter a description for the rule.
  • Enable Now: Specify whether to enable the rule as soon as it is added. If you do not select this option, the rule is added in the disabled state and has no effect until you enable it manually.
  • Save as Rule Template: Save the current rule configuration as a rule template.
Figure 2. Manual Addition


Import Template

With this method, you can import some or all of the ingress or egress rules of another firewall into the current firewall. If you need to modify or add a large number of rules in the template, we recommend Manual Addition instead, which is more convenient for that case.

To use this method, follow these steps:
  1. Go to the details page of the current firewall, another firewall, or a rule set, and export the existing rules as a CSV-formatted template file.
    Figure 3. Template File


  2. Fill in the rule information according to the specified format.
    Set the following parameters in the template:
    • Priority: Set the priority of the rule.
      Note:
      • A smaller number indicates a higher priority. Valid values: 1001 to 2999.
      • Priorities 1 to 1000 and 4000 to 9999 are reserved for the predefined system rules. You cannot add, edit, or delete a system rule.
      • The priority of each rule in a rule set must be unique.
    • Protocol: Optional. You can specify one or more of the following protocols: ALL, TCP, UDP, ICMP, GRE, ESP, AH, IPIP, VRRP, IPENCAP, PIM, OSPF, and IGMP. If you specify more than one, separate them with semicolons (;). If you leave this parameter empty, the system uses ALL.
    • Creation Time: Optional. This column is present only in a template file exported from the details page of a rule set.
    • Associated Rule Set: Optional. This column is present only in a template file exported from the details page of a firewall.
    • Action: Specify how to handle traffic that matches the rule. Valid values: Accept, Drop, and Reject.
      • Accept: Accept the traffic that flows in or out of the specified VPC vRouter.
      • Drop: Drop the traffic that flows in or out of the specified VPC vRouter without responding to the client.
      • Reject: Reject the traffic that flows in or out of the specified VPC vRouter and respond to the client.
    • State: Optional. Specifies whether the rules are enabled after they are added to the Cloud.
      • If you leave this parameter empty or set it to disable, the rules are added in the disabled state.
      • If you set it to enable, the rules are enabled as soon as they are added.
    • Packet Status: Optional. You can specify one or more statuses. If you specify more than one, separate them with semicolons (;). The following packet statuses are supported:
      • new: new connection requests
      • established: packets that belong to an established connection
      • invalid: packets that cannot be associated with any known connection
      • related: new connection requests that are associated with an existing connection
    • TCP Flag: Optional. This parameter is available only when Protocol is TCP. You can specify one or more of SYN, ACK, FIN, RST, URG, and PSH. If you specify more than one, separate them with semicolons (;).
    • ICMP Type: Optional. This parameter is available only when Protocol is ICMP. Supported ICMP types: echo-reply, echo-request, destination-unreachable, source-quench, redirect, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-reply, timestamp-request, address-mask-request, and address-mask-reply.
    • Source Port: Optional. This parameter is available only when Protocol is TCP or UDP.
      • You can specify a port or a port range. If you specify a port range, use a hyphen (-) to indicate the range, for example, 1-100.
      • You can specify a maximum of 10 entries. If you specify more than one, separate them with semicolons (;).
    • Destination Port: Optional. This parameter is available only when Protocol is TCP or UDP.
      • You can specify a port or a port range. If you specify a port range, use a hyphen (-) to indicate the range, for example, 1-100.
      • You can specify a maximum of 10 entries. If you specify more than one, separate them with semicolons (;).
    • Source IP Address: Optional. You can specify an IP address, an IP range, or a CIDR block as the source IP address.
      • If you specify an IP range, use a hyphen (-) to indicate the range, for example, 192.168.0.1-192.168.0.100.
      • If you specify multiple CIDR blocks, or a mix of CIDR blocks and other entry formats, each CIDR block must use a /24 netmask. If you specify only one CIDR block, any netmask is allowed. You can specify a maximum of 10 entries. If you specify more than one, separate them with semicolons (;).
    • Destination IP Address: Optional. You can specify an IP address, an IP range, or a CIDR block as the destination IP address.
      • If you specify an IP range, use a hyphen (-) to indicate the range, for example, 192.168.0.1-192.168.0.100.
      • If you specify multiple CIDR blocks, or a mix of CIDR blocks and other entry formats, each CIDR block must use a /24 netmask. If you specify only one CIDR block, any netmask is allowed. You can specify a maximum of 10 entries. If you specify more than one, separate them with semicolons (;).
    • Description: Optional. Enter a description for the rule.
  3. Upload the configuration file.

    After you fill in the template, verify that every field follows the format above, and then upload the file to the Cloud.

    Figure 4. Import Template


    Note: After you import a template into a rule set, synchronize the configurations of the rule set to make the imported rules take effect.
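A pre-upload check for the filled-in template, as an added Python example that is not ZStack Cloud code. It applies the field constraints from step 2 (priority range and uniqueness, semicolon separators, the protocol, packet status, TCP flag and ICMP type vocabularies, the 10-entry limits, and the /24 rule for CIDR blocks mixed with other entries) before the file is uploaded. The column headers used here are an assumption, since the exact headers of the exported file are not given above; rename them to match your export. The same IP and port checks apply to the IP Address fields of the Add Rule page and to IP/port sets, which use commas rather than semicolons as the separator.

```python
"""Pre-upload checker for the CSV rule import template.

Added example, not ZStack Cloud code. It enforces the constraints listed above:
priority range and uniqueness, ';' separators, the protocol, packet status, TCP
flag and ICMP type vocabularies, the 10-entry limit for ports and addresses, and
the /24 rule for CIDR blocks mixed with other entries. The column headers are an
assumption (the export's exact headers are not given above); rename them to match
your file. check_ips/check_ports also cover the console's IP Address and IP/Port
Set fields, which use ',' as the separator.
"""
import csv
import io
from ipaddress import ip_address, ip_network

PROTOCOLS = {"ALL", "TCP", "UDP", "ICMP", "GRE", "ESP", "AH", "IPIP", "VRRP",
             "IPENCAP", "PIM", "OSPF", "IGMP"}
ACTIONS = {"accept", "drop", "reject"}
STATES = {"new", "established", "invalid", "related"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}
ICMP_TYPES = {"echo-reply", "echo-request", "destination-unreachable", "source-quench", "redirect",
              "router-advertisement", "router-solicitation", "time-exceeded", "parameter-problem",
              "timestamp-reply", "timestamp-request", "address-mask-request", "address-mask-reply"}
MAX_ENTRIES = 10

def split(value, sep=";"):
    return [v.strip() for v in (value or "").split(sep) if v.strip()]

def check_ips(value, sep=";"):
    """IP, range a-b, or CIDR; at most 10 entries; a CIDR must be /24 unless it is alone."""
    entries, errors, cidrs = split(value, sep), [], []
    for e in entries:
        try:
            if "/" in e:
                cidrs.append(ip_network(e, strict=False))
            else:
                lo, _, hi = e.partition("-")
                if ip_address(lo) > ip_address(hi or lo):
                    errors.append(f"range {e!r} is reversed")
        except ValueError:
            errors.append(f"bad IP entry {e!r}")
    if len(entries) > MAX_ENTRIES:
        errors.append(f"more than {MAX_ENTRIES} IP entries")
    if len(entries) > 1:
        errors += [f"{c} must be /24 when mixed with other entries" for c in cidrs if c.prefixlen != 24]
    return errors

def check_ports(value, sep=";"):
    """Port or range a-b, at most 10 entries; 1-65535 is this example's own bound."""
    entries = split(value, sep)
    errors = [f"more than {MAX_ENTRIES} port entries"] if len(entries) > MAX_ENTRIES else []
    for e in entries:
        lo, _, hi = e.partition("-")
        hi = hi or lo
        if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535):
            errors.append(f"bad port entry {e!r}")
    return errors

def check_vocab(value, allowed, label, upper=False):
    bad = [i for i in split(value) if (i.upper() if upper else i.lower()) not in allowed]
    return [f"unknown {label} {b!r}" for b in bad]

def validate_rows(rows):
    """Return 'row N: problem' strings; an empty list means the template is clean."""
    errors, seen = [], set()
    for n, row in enumerate(rows, start=2):                    # row 1 is the header
        get = lambda col: (row.get(col) or "").strip()
        err = lambda msg: errors.append(f"row {n}: {msg}")
        prio = get("Priority")
        if not (prio.isdigit() and 1001 <= int(prio) <= 2999):
            err("priority must be an integer in 1001-2999")
        elif int(prio) in seen:
            err(f"priority {prio} already used")
        else:
            seen.add(int(prio))
        protos = {p.upper() for p in split(get("Protocol"))} or {"ALL"}   # empty means ALL
        for e in check_vocab(get("Protocol"), PROTOCOLS, "protocol", upper=True):
            err(e)
        if get("Action").lower() not in ACTIONS:
            err("action must be accept, drop or reject")
        for e in check_vocab(get("Packet Status"), STATES, "packet status"):
            err(e)
        for col, need, allowed, upper in (("TCP Flag", "TCP", TCP_FLAGS, True),
                                          ("ICMP Type", "ICMP", ICMP_TYPES, False)):
            if get(col) and need not in protos:
                err(f"{col} is only valid when Protocol is {need}")
            for e in check_vocab(get(col), allowed, col, upper):
                err(e)
        for col in ("Source Port", "Destination Port"):
            if get(col) and not protos & {"TCP", "UDP"}:
                err(f"{col} is only valid when Protocol is TCP or UDP")
            for e in check_ports(get(col)):
                err(f"{col}: {e}")
        for col in ("Source IP Address", "Destination IP Address"):
            for e in check_ips(get(col)):
                err(f"{col}: {e}")
    return errors

def validate_csv_text(text):
    return validate_rows(list(csv.DictReader(io.StringIO(text))))

# Constructed sample: row 2 is clean; rows 3-5 each break one stated constraint.
SAMPLE_CSV = """Priority,Protocol,Action,State,Packet Status,TCP Flag,ICMP Type,Source Port,Destination Port,Source IP Address,Destination IP Address,Description
1500,TCP,drop,enable,new,SYN,,,22;3389,203.0.113.0/24,10.0.1.0/24,block one source net
1500,UDP,accept,,new,,,,53,198.51.100.5,10.0.1.53,duplicate priority
2000,ALL,allow,,,,,,,,10.0.1.0/24,bad action
2100,TCP,accept,,new,,,,80;443,192.0.2.0/25;192.0.2.200,10.0.1.0/24,mixed CIDR not /24
"""
```

Call validate_csv_text on the file contents before uploading; each returned string names the row and the field that would be rejected, so the problems can be fixed in the template rather than discovered after the import and the rule set synchronization.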

Manage a Firewall Rule

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. Then, the Firewall page is displayed. You can manage a firewall rule on the details page of Firewall or Rule Set.

You can perform the following actions on a firewall rule:
  • Enable Firewall Rule: Enable a disabled firewall rule.
  • Disable Firewall Rule: Disable an enabled firewall rule.
  • Edit Rule: Edit a firewall rule.
    Note:
    • Rules that belong to a rule set cannot be edited from the details page of the firewall; edit them from the details page of the rule set.
    • You can edit only the behavior of a default rule. Other attributes of system rules cannot be edited.
  • Delete Firewall Rule: Delete a firewall rule.
    Note: You cannot delete a system rule.
  • Export CSV: Export the firewall rules as a CSV file.

Rule Set

Create a Rule Set

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. On the Firewall page, click the Rule Set tab. On the tab, click Create Rule Set. Then, the Create Rule Set page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the rule set.
  • Description: Optional. Enter a description for the rule set.
Figure 1. Create Rule Set


After you create a rule set, you can add rules on its details page and associate the rule set with the ingress or egress direction of a VPC vRouter NIC to protect the VPC vRouter.

Manage a Rule Set

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. On the Firewall page, click the Rule Set tab. Then, the Rule Set tab is displayed.

You can perform the following actions on a rule set:
  • Create Rule Set: Create a rule set.
  • Edit Rule Set: Edit the name and description of a rule set.
  • Synchronize Configurations: Push the current rules of the rule set to the vRouter so that rule changes take effect.
  • Add Rule: Add a rule to a rule set.
  • Associate Network: Associate the rule set with a network, that is, with the ingress or egress direction of the corresponding VPC vRouter NIC.
  • Disassociate Network: Remove the association between the rule set and a network.
  • Delete Rule Set: Delete a rule set.

Rule Template

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. On the Firewall page, click the Rule Template tab. On the tab, click Create Rule Template. Then, the Create Rule Template page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the rule template.
  • Description: Optional. Enter a description for the rule template.
  • Priority: Set the priority of the rule.
    Note:
    • A smaller number indicates a higher priority. Valid values: 1001 to 2999.
    • Priorities 1 to 1000 and 4000 to 9999 are reserved for the predefined system rules. You cannot add, edit, or delete a system rule, but you can modify the behavior of the default rules.
    • The priority of each rule in a rule set must be unique.
  • Action: Select how to handle traffic that matches the rule. Valid values: Accept, Drop, and Reject.
    • Accept: Accept the traffic that flows in or out of the specified VPC vRouter.
    • Drop: Drop the traffic that flows in or out of the specified VPC vRouter without responding to the client.
    • Reject: Reject the traffic that flows in or out of the specified VPC vRouter and respond to the client.
  • Packet Status: Optional. Select the packet (connection) status that the rule matches. For example, if you select new, all packets that open a new connection are processed according to the action of this rule.
    • new: new connection requests
    • established: packets that belong to an established connection
    • invalid: packets that cannot be associated with any known connection
    • related: new connection requests that are associated with an existing connection
  • Protocol: Select the protocol that the rule matches. For example, if you select TCP, all TCP traffic is processed according to the action of this rule.
  • IP Address: Optional. Set the source IP address and destination IP address that the rule matches.
    • You can specify an IP address, an IP range, or a CIDR block. If you specify an IP range, use a hyphen (-) to indicate the range, for example, 192.168.0.1-192.168.0.100.
    • You can specify up to 10 source or destination entries. If you specify more than one entry (IP addresses, IP ranges, or CIDR blocks), separate them with commas (,).
    • If you specify more than one entry and one or more of them are CIDR blocks, each CIDR block must use a /24 netmask. If you specify only one CIDR block, any netmask is allowed.
    • You can select an IP/port set to fill in the IP addresses quickly.
Figure 1. Create Rule Template


IP/Port Set

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Advanced Network Service > Firewall. On the Firewall page, click the IP/Port Set tab. On the tab, click Create IP/Port Set. Then, the Create IP/Port Set dialog box is displayed.

In the displayed dialog box, set the following parameters:
  • Name: Enter a name for the IP/port set.
  • Type: Specify the type of the set. Valid values: IP and Port.
    If you choose IP, set the following parameters:
    • Source IP Address: Enter the source IP addresses to include in the set.
    • Destination IP Address: Enter the destination IP addresses to include in the set.
    Note:
    • You can specify a static IP address, an IP range, or a CIDR block. If you specify an IP range, use a hyphen (-) to indicate the range, for example, 192.168.0.1-192.168.0.100.
    • You can specify up to 10 source or destination entries. If you specify more than one entry (IP addresses, IP ranges, or CIDR blocks), separate them with commas (,).
    • If you specify more than one entry and one or more of them are CIDR blocks, each CIDR block must use a /24 netmask. If you specify only one CIDR block, any netmask is allowed.
    If you choose Port, set the following parameters:
    • Source Port: Enter the source ports to include in the set.
    • Destination Port: Enter the destination ports to include in the set.
    Note:
    • You can enter ports or port ranges. Indicate a port range with a hyphen (-), for example, 1-100.
    • You can specify up to 10 source or destination entries. If you enter more than one port or port range, separate them with commas (,).
Figure 1. Create IP/Port Set