A firewall is a hardware-software or software package that monitors network packets and blocks or allows their passage. When filtering traffic, the firewall relies on a configured set of parameters, usually called firewall rules or security groups.
A security group is a set of custom permissive traffic rules that can be assigned to virtual server ports.
By default, each client has “default” security groups in each region. They allow any traffic in any direction. Network traffic passing through the firewall is compared against the rules to determine whether to let it through or not.
Creating a security group
In the Control Panel go to the “Cloud” / “Firewalls” section.
Click the “Create” button.
Specify the name of the security group. Letters of the Latin alphabet, numbers and symbols (within reasonable limits) are allowed.
Select the region for which the security group is created. The firewall will be available in all zones of the selected region. The following regions are available for selection:
You can note the purpose of the security group in the “Description” section.
Click “Create Security Group”.
Changing a security group
The created security group will appear in the “Cloud” / “Firewalls” section.
To change a group, click “More” on the required group.
In the information that opens for the selected security group, you can:
change the name of the security group;
add a rule to the rules table;
connect the group to the servers.
By default, when a security group is created, two egress rules are created with it, one for IPv4 and one for IPv6. They allow all ports and protocols for outgoing traffic. If necessary, any rule can be deleted by clicking the trash icon on the right.
To add new rules, click “Add rule” and then:
select the traffic direction: ingress (incoming) or egress (outgoing);
specify the type of traffic this rule is created for: IPv4 or IPv6;
select which protocol the rule applies to: ICMP, TCP, UDP, or any. If you choose TCP or UDP, you also need to specify a specific port, a range of ports, or select all ports. If you choose ICMP, you can specify its type (Type) and code (Code), or leave the Type and Code fields empty;
next, configure the address for which the selected type of traffic will be allowed. The network address can be given in CIDR format or by selecting a security group; in the second case, traffic from servers in the selected group will be allowed.
To add a new rule to the table, click “Save Rule”.
Next, connect the created security group to the server. To do this, in the “Connection with servers” section, click “Connect”, select the required server from the proposed list of servers in this region, and click “Connect”.
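The rule fields described above (direction, IPv4/IPv6, protocol, ports, CIDR) can be modelled to check what a group lets through before it is connected to a server. This is an added example, not code from the control panel or its API: the Rule class, the function names and the sample addresses are constructed, it assumes that traffic matching no rule is dropped, and it does not model a security group selected as the address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                     # "ingress" or "egress"
    ethertype: str                     # "IPv4" or "IPv6"
    protocol: str = "any"              # "icmp", "tcp", "udp" or "any"
    port_min: Optional[int] = None     # both None = all ports
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None  # None = any address

def rule_allows(rule, direction, protocol, remote_ip, port=None):
    """True if this single permissive rule matches the packet.
    remote_ip is the source for ingress and the destination for egress."""
    ip = ipaddress.ip_address(remote_ip)
    if rule.direction != direction or rule.ethertype != f"IPv{ip.version}":
        return False
    if rule.protocol not in ("any", protocol):
        return False
    if rule.remote_cidr and ip not in ipaddress.ip_network(rule.remote_cidr):
        return False
    if rule.port_min is not None and protocol in ("tcp", "udp"):
        return port is not None and rule.port_min <= port <= rule.port_max
    return True

def group_allows(rules, direction, protocol, remote_ip, port=None):
    """Assumption: a packet passes if any rule matches, otherwise it is dropped."""
    return any(rule_allows(r, direction, protocol, remote_ip, port) for r in rules)

def wide_open_ingress(rules):
    """Audit helper: ingress rules that accept any address on all ports."""
    def any_addr(r):
        return not r.remote_cidr or ipaddress.ip_network(r.remote_cidr).prefixlen == 0
    return [r for r in rules if r.direction == "ingress" and r.protocol != "icmp"
            and r.port_min is None and any_addr(r)]

# Constructed sample group: the two default egress rules plus two ingress rules.
GROUP = [
    Rule("egress", "IPv4"),
    Rule("egress", "IPv6"),
    Rule("ingress", "IPv4", "tcp", 22, 22, "203.0.113.0/24"),  # SSH from one network
    Rule("ingress", "IPv4", "tcp", 443, 443, "0.0.0.0/0"),     # HTTPS from anywhere
]
# Constructed stand-in for a group that allows any traffic in any direction.
ALLOW_ALL = [Rule(d, e) for d in ("ingress", "egress") for e in ("IPv4", "IPv6")]

if __name__ == "__main__":
    print(group_allows(GROUP, "ingress", "tcp", "198.51.100.9", 22))
    print(wide_open_ingress(ALLOW_ALL))
```

Because IPv4 and IPv6 rules are separate, the sample group accepts HTTPS over IPv4 but not over IPv6 until a matching IPv6 ingress rule is added.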