Configuring inbound firewall rules

To prevent untrusted sources from accessing the cluster, you can configure inbound firewall rules on your nodes. To enable traffic filtering, configure allow and deny lists for a network or a traffic type. By default, both lists are empty and all incoming traffic is allowed. Create access rules in these lists to control incoming traffic. Access rules in the allow list take priority over those in the deny list. If access rules are configured for both a network and a traffic type, the traffic type's access lists take priority over the network's.

Limitations

  • If you create allow rules but leave the deny list empty, all incoming traffic will still be allowed.
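The precedence described above (allow beats deny, traffic-type lists beat network lists, empty deny list means everything is admitted), modelled as an added example that is not vinfra's own code. The comma-separated input format mirrors the <addresses> value the CLI options take; the fallback from a traffic type with no lists to the network's lists is an assumption not stated on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def parse_addresses(addresses: str) -> list:
    """Parse a comma-separated <addresses> value (bare IPs or CIDR subnets).
    Assumption: dash-style IP ranges are not handled by this helper."""
    return [ipaddress.ip_network(a.strip(), strict=False)
            for a in addresses.split(",") if a.strip()]


@dataclass
class AccessLists:
    """Inbound lists as set by --inbound-allow-list / --inbound-deny-list."""
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)

    def configured(self) -> bool:
        return bool(self.allow or self.deny)


def _matches(src: str, networks: list) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in networks)


def decide(lists: AccessLists, src: str) -> str:
    """Allow rules beat deny rules; a source matching neither list is allowed,
    which is why allow rules with an empty deny list change nothing."""
    if _matches(src, lists.allow):
        return "allow"
    if _matches(src, lists.deny):
        return "deny"
    return "allow"


def decide_inbound(src: str, network: AccessLists,
                   traffic_type: Optional[AccessLists] = None) -> str:
    """Traffic-type lists take priority over the network's lists.
    Assumption: a traffic type with no lists falls back to the network's."""
    if traffic_type is not None and traffic_type.configured():
        return decide(traffic_type, src)
    return decide(network, src)


if __name__ == "__main__":
    # The page's example: MyNet allows 10.136.100.0/24 and denies 0.0.0.0/0.
    mynet = AccessLists(allow=parse_addresses("10.136.100.0/24"),
                        deny=parse_addresses("0.0.0.0/0"))
    for src in ("10.136.100.7", "192.0.2.10"):
        print(src, decide_inbound(src, mynet))
```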

To filter incoming traffic for a network

Admin panel

  1. On the Infrastructure > Networks screen, click the cogwheel icon next to the network name.
  2. In the network summary window, click Edit.
  3. In the Edit network window, do the following:

    • To block traffic from particular IP addresses, IP address ranges, or subnets, specify them in the Deny list section.
    • To allow traffic from particular IP addresses, IP address ranges, or subnets, specify them in the Allow list section. Additionally, specify 0.0.0.0/0 in the Deny list section to block all other traffic.

  4. Click Save to apply your changes.

The updated access rules will be applied on all nodes connected to this network.

Command-line interface

Use the following command:

vinfra cluster network set [--inbound-allow-list <addresses> | --add-inbound-allow-list <addresses> |
                           --del-inbound-allow-list <addresses> | --clear-inbound-allow-list]
                           [--inbound-deny-list <addresses> | --add-inbound-deny-list <addresses> |
                           --del-inbound-deny-list <addresses> | --clear-inbound-deny-list] <network>
--inbound-allow-list <addresses>
A comma-separated list of IP addresses (overwrites the current inbound allow rules)
--add-inbound-allow-list <addresses>
A comma-separated list of IP addresses (adds the specified inbound allow rules)
--del-inbound-allow-list <addresses>
A comma-separated list of IP addresses (removes the specified inbound allow rules)
--clear-inbound-allow-list
Clear all inbound allow rules
--inbound-deny-list <addresses>
A comma-separated list of IP addresses (overwrites the current inbound deny rules)
--add-inbound-deny-list <addresses>
A comma-separated list of IP addresses (adds the specified inbound deny rules)
--del-inbound-deny-list <addresses>
A comma-separated list of IP addresses (removes the specified inbound deny rules)
--clear-inbound-deny-list
Clear all inbound deny rules
<network>
Network ID or name

For example, to allow traffic from the subnet 10.136.100.0/24 in the MyNet network, run:

# vinfra cluster network set MyNet --add-inbound-allow-list 10.136.100.0/24 --add-inbound-deny-list 0.0.0.0/0

To filter incoming traffic for a regular or custom traffic type

Admin panel

  1. On the Infrastructure > Networks screen, click the pencil icon next to the traffic type name.
  2. In the Edit regular traffic type window, do the following:

    • To block traffic from particular IP addresses, IP address ranges, or subnets, specify them in the Deny list section.
    • To allow traffic from particular IP addresses, IP address ranges, or subnets, specify them in the Allow list section. Additionally, specify 0.0.0.0/0 in the Deny list section to block all other traffic.

  3. Click Save to apply your changes.

After you edit the allow and deny lists, the updated access rules are applied on all nodes connected to the network with this traffic type.

Command-line interface

Use the following command:

vinfra cluster traffic-type set [--inbound-allow-list <addresses> | --add-inbound-allow-list <addresses> |
                                --del-inbound-allow-list <addresses> | --clear-inbound-allow-list]
                                [--inbound-deny-list <addresses> | --add-inbound-deny-list <addresses> |
                                --del-inbound-deny-list <addresses> | --clear-inbound-deny-list] <traffic-type>
--inbound-allow-list <addresses>
A comma-separated list of IP addresses (overwrites the current inbound allow rules)
--add-inbound-allow-list <addresses>
A comma-separated list of IP addresses (adds the specified inbound allow rules)
--del-inbound-allow-list <addresses>
A comma-separated list of IP addresses (removes the specified inbound allow rules)
--clear-inbound-allow-list
Clear all inbound allow rules
--inbound-deny-list <addresses>
A comma-separated list of IP addresses (overwrites the current inbound deny rules)
--add-inbound-deny-list <addresses>
A comma-separated list of IP addresses (adds the specified inbound deny rules)
--del-inbound-deny-list <addresses>
A comma-separated list of IP addresses (removes the specified inbound deny rules)
--clear-inbound-deny-list
Clear all inbound deny rules
<traffic-type>
Traffic type name

For example, to allow traffic from the subnet 10.136.100.0/24 for the MyTrafficType traffic type, run:

# vinfra cluster traffic-type set MyTrafficType --add-inbound-allow-list 10.136.100.0/24 --add-inbound-deny-list 0.0.0.0/0

To view access rules for a network or traffic type

Admin panel

  1. On the Infrastructure > Networks screen, find a network or a traffic type with the shield icon next to its name.
  2. Hover over the icon to see what access rules are configured.

Command-line interface

  • For a network, use vinfra cluster network show. For example:

    # vinfra cluster network show MyNet
    +---------------------+------------------------------------------+
    | Field               | Value                                    |
    +---------------------+------------------------------------------+
    | id                  | db43aed5-82ec-4c60-8c5a-d60767203d89     |
    | inbound_allow_list  | - 10.136.100.0/24                        |
    | inbound_deny_list   | - 0.0.0.0/0                              |
    | name                | MyNet                                    |
    | outbound_allow_list | - 0.0.0.0:tcp:8888:Admin panel           |
    |                     | - 0.0.0.0:tcp:80:HTTP                    |
    |                     | - 0.0.0.0:tcp:443:HTTPS                  |
    |                     | - 0.0.0.0:udp:53:DNS                     |
    |                     | - 0.0.0.0:tcp:53:DNS                     |
    |                     | - 0.0.0.0:udp:123:NTP                    |
    |                     | - 0.0.0.0:tcp:8443:ABGW registration     |
    |                     | - 0.0.0.0:tcp:44445:ABGW Geo-replication |
    |                     | - 0.0.0.0:tcp:9877:Acronis Cyber Protect |
    |                     | - 0.0.0.0:tcp:5900-6079:VM VNC Legacy    |
    |                     | - 0.0.0.0:udp:4789:VXLAN                 |
    |                     | - 0.0.0.0:tcp:15900-16900:VM VNC         |
    |                     | - 0.0.0.0:udp:2049:NFS                   |
    |                     | - 0.0.0.0:tcp:2049:NFS                   |
    |                     | - 0.0.0.0:tcp:111:NFS Rpcbind            |
    |                     | - 0.0.0.0:any:0:Allow all                |
    | traffic_types       |                                          |
    | vlan                |                                          |
    +---------------------+------------------------------------------+
  • For a traffic type, use vinfra cluster traffic-type show. For example:

    # vinfra cluster traffic-type show MyTrafficType
    +--------------------+-------------------+
    | Field              | Value             |
    +--------------------+-------------------+
    | exclusive          | False             |
    | hidden             | False             |
    | inbound_allow_list | - 10.136.100.0/24 |
    | inbound_deny_list  | - 0.0.0.0/0       |
    | name               | MyTrafficType     |
    | port               | 6900              |
    | type               | custom            |
    +--------------------+-------------------+
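An audit check over the show output above, added here as an example that is not part of vinfra: it parses the Field/Value table into lists and flags the configuration named under Limitations (allow rules present but the deny list empty, so all inbound traffic is still admitted). The table text is a constructed sample in the same format.

```python
# Constructed sample in the format of `vinfra cluster traffic-type show`.
SAMPLE_SHOW_OUTPUT = """\
+--------------------+-------------------+
| Field              | Value             |
+--------------------+-------------------+
| exclusive          | False             |
| inbound_allow_list | - 10.136.100.0/24 |
|                    | - 192.0.2.0/24    |
| inbound_deny_list  |                   |
| name               | MyTrafficType     |
+--------------------+-------------------+
"""


def parse_show_table(text: str) -> dict:
    """Turn the two-column table into {field: [values]}.
    Multi-line list values ("- item" rows) are collected under the last
    named field; scalar values are stored as one-element lists."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +-----+ border rows
        cells = [c.strip() for c in line.strip("|").split("|", 1)]
        if len(cells) != 2 or cells[0] == "Field":
            continue  # skip the header row
        name, value = cells
        if name:
            current = name
            fields[current] = []
        if current is None:
            continue
        if value.startswith("- "):
            fields[current].append(value[2:])
        elif value:
            fields[current].append(value)
    return fields


def ineffective_allow_rules(fields: dict) -> bool:
    """True when allow rules exist but no deny rules do: with an empty deny
    list all incoming traffic is still allowed, so the allow rules filter nothing."""
    return bool(fields.get("inbound_allow_list")) and not fields.get("inbound_deny_list")


if __name__ == "__main__":
    parsed = parse_show_table(SAMPLE_SHOW_OUTPUT)
    print(parsed["name"][0], "ineffective allow rules:", ineffective_allow_rules(parsed))
```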