How to manage firewall rules for your VDC

Introduction
Viewing the firewall rules for a network
Adding a firewall rule
Enabling ping access to a VM
Using CIDR notation


Introduction

Firewall rules control Internet network traffic into VDC, via 'Local with Internet Gateway' networks. The rules can be set for each individual port of a network. Every VM may be a member of up to 7 networks (that is, a VM can have a maximum of 7 virtual NICs).

Important

A new 'Local with Internet Gateway' network has its firewall set to 'deny all' and no connections are set up by default.

Take care that you have a secure root password set for your VM before you activate any public Internet network connection.


To create a connection from a network port to a VM, and hence open an inbound connection to your VM from the Internet, you first need to configure the firewall rules (as below). Then, you must set up either:

To make an outbound connection for your VM to access the public Internet, you need to configure the egress rules for a 'Local with Internet Gateway' network. See How to allow your VM to access the public Internet network.

The VDC firewall is based on VDC's native virtual router. If you wish instead to deploy a dedicated virtual machine running a firewall or load balancer application, then you should use a Public Direct Connect network which offers direct connection to the Internet without an additional firewall.

Viewing the firewall rules for a network

Click Network in the left-hand menu, then click the name of the network you wish to use. Click View IP Addresses and, from the list, click the IP address you wish to use. You should now see the Details sub-panel for the IP address. Finally, click the Configuration tab to show the Configuration sub-panel:

Click View all under Firewall. This shows the list of firewall rules for this specific IP address. Here is an example:

The input boxes above the table provide inputs for adding a new rule. See below for explanation.

The information for each rule comprises:

  • Source CIDR: the public Internet IP address(es) which are granted access (specified using CIDR notation);

  • Protocol: one of TCP, UDP, or ICMP;

  • Start Port and End Port (for TCP or UDP): the port(s) which are controlled by this rule, or

  • ICMP type and ICMP code (for ICMP).

The only action for a rule is Delete firewall rule. You cannot edit the content of a rule; if a change is required, you need to delete the rule and Add a new one.

Adding a firewall rule

In the Configuration sub-panel, use the Add row at the top and specify:

  • Source CIDR: the IP addresses which will be granted access to VDC, using CIDR notation (see below). Note that you must use the CIDR notation form for a single IP address (that is, the IP address plus '/31').

  • Protocol: TCP (default), UDP or ICMP.

  • For TCP or UDP, enter the Start Port and End Port, either a single port (the port numbers are equal) or a range of ports.

  • For ICMP, enter the ICMP Type and ICMP Code.

Click the Add button to create the firewall rule. It should appear in the list of firewall rules.

If you need to change the rule, you must delete it and Add a new rule.

Enabling ping access to a VM

A common way to test that virtual machines are running and responsive is to use 'ping' messages. These are also commonly used to measure network latency.

The 'Local with Internet Gateway' firewall does not enable ping access by default. To enable it, create a firewall rule as follows:

  • Source CIDR: 0.0.0.0/0

  • Protocol: ICMP

  • ICMP Type: 8, ICMP Code: 0

You can restrict access to particular Internet IP addresses by setting the Source CIDR input — see below.

There are security vulnerabilities associated with ping access, so it is recommended that you enable ping access only when it is needed for a specific reason.

Note: ping messages within the Interoute fibre backbone private network — that is, via Private Direct Connect networks — are not restricted by any firewalls. Firewall controls can be turned on for virtual machines within the operating system; for example, Ubuntu and CentOS have firewall controls built in, which are not turned on for the standard VDC machine templates.

Using CIDR notation

CIDR (Classless Inter-Domain Routing) notation is a compact way to write contiguous ranges of IP addresses. Here are some typical values:

'0.0.0.0/0': all IP addresses (use this for an unrestricted firewall rule)

'192.168.101.54/31': a single IP address

'192.168.101.0/26': addresses in the range 192.168.101.0 to 192.168.101.63

'192.168.101.128/25': addresses in the range 192.168.101.128 to 192.168.101.255

'192.168.101.0/24': addresses in the range 192.168.101.0 to 192.168.101.255

'192.168.101.0/23': addresses in the range 192.168.101.0 to 192.168.102.255

'192.168.101.0/22': addresses in the range 192.168.101.0 to 192.168.104.255

'192.168.0.0/16': addresses in the range 192.168.0.0 to 192.168.255.255
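The following is an added example, not part of the VDC documentation or the VDC product: a small Python model of the rule fields described in "Viewing the firewall rules for a network" and "Adding a firewall rule" (Source CIDR, Protocol, Start/End Port or ICMP Type/Code, deny-all by default), together with a helper that expands the CIDR values from the table above. The rule list and packet values are constructed for illustration; `cidr_range()` uses the standard-library `ipaddress` module, which also shows that a /31 covers two consecutive addresses and that a base address not aligned to its prefix (such as 192.168.101.0/23) is normalised to the start of its block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One inbound rule, with the same fields as the VDC firewall table."""
    source_cidr: str
    protocol: str                      # "TCP", "UDP" or "ICMP"
    start_port: Optional[int] = None   # TCP/UDP only
    end_port: Optional[int] = None
    icmp_type: Optional[int] = None    # ICMP only
    icmp_code: Optional[int] = None


def cidr_range(cidr: str):
    """Return (first address, last address, count) covered by a CIDR string.
    strict=False moves a misaligned base address to the block boundary."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def rule_matches(rule: Rule, src_ip: str, protocol: str,
                 port: Optional[int] = None,
                 icmp_type: Optional[int] = None,
                 icmp_code: Optional[int] = None) -> bool:
    """True if the packet's source, protocol and port/type-code fit the rule."""
    if rule.protocol != protocol:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(
            rule.source_cidr, strict=False):
        return False
    if protocol == "ICMP":
        return rule.icmp_type == icmp_type and rule.icmp_code == icmp_code
    # TCP/UDP: a single port is a range whose start and end are equal
    return port is not None and rule.start_port <= port <= rule.end_port


def is_allowed(rules, src_ip: str, protocol: str, **fields) -> bool:
    """Deny all unless some rule matches, as on a new network."""
    return any(rule_matches(r, src_ip, protocol, **fields) for r in rules)


# Constructed rule set: the ping rule from the page, plus SSH from the
# page's example single-address CIDR (hypothetical management host).
RULES = [
    Rule("0.0.0.0/0", "ICMP", icmp_type=8, icmp_code=0),
    Rule("192.168.101.54/31", "TCP", start_port=22, end_port=22),
]
```

Note that `is_allowed(RULES, "192.168.101.55", "TCP", port=22)` returns True, because the /31 written for a single address also admits its neighbour.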