vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/vpc/umn/acl_0002.html
Qin Ying, Fan 662ede2c6b VPC UMN 20240105 version 
Reviewed-by: Sarda, Priya <prsarda@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: Qin Ying, Fan <fanqinying@huawei.com>
Co-committed-by: Qin Ying, Fan <fanqinying@huawei.com>
2024-04-18 12:13:40 +00:00

204 lines
18 KiB
HTML
Raw Blame History

<a name="acl_0002"></a><a name="acl_0002"></a>
<h1 class="topictitle1"><span id="text16414121073416">Firewall</span><span id="text541415104349"></span> Configuration Examples</h1>
<div id="body1544424023306"><p id="acl_0002__p1822014275313">This section provides examples for configuring <span id="acl_0002__text11248715171311">firewall</span><span id="acl_0002__text45551720134"></span>s.</p>
<ul id="acl_0002__ul7360923145515"><li id="acl_0002__li3360102315515"><a href="#acl_0002__section11312173319432">Denying Access from a Specific Port</a></li><li id="acl_0002__li17814142865511"><a href="#acl_0002__section61291659102216">Allowing Access from Specific Ports and Protocols</a></li></ul>
<div class="section" id="acl_0002__section11312173319432"><a name="acl_0002__section11312173319432"></a><a name="section11312173319432"></a><h4 class="sectiontitle">Denying Access from a Specific Port</h4><p id="acl_0002__p37592398439">You might want to block TCP port 445 to protect against the WannaCry ransomware attacks. You can add a <span id="acl_0002__text171730540162">firewall</span><span id="acl_0002__text6173105416168"></span> rule to deny all incoming traffic from TCP port 445.</p>
</div>
<p id="acl_0002__p17694527626"><span id="acl_0002__text43867419349">Firewall</span><span id="acl_0002__text2038694143414"></span> Configuration</p>
<div class="p" id="acl_0002__p11246171945810"><a href="#acl_0002__table553618145582">Table 1</a> lists the inbound rules required.
<div class="tablenoborder"><a name="acl_0002__table553618145582"></a><a name="table553618145582"></a><table cellpadding="4" cellspacing="0" summary="" id="acl_0002__table553618145582" frame="border" border="1" rules="all"><caption><b>Table 1 </b><span id="acl_0002__text01831859163820">Firewall</span><span id="acl_0002__text5183759123816"></span> rules</caption><thead align="left"><tr id="acl_0002__row1536191465810"><th align="left" class="cellrowborder" valign="top" width="9.000000000000002%" id="mcps1.3.5.2.2.9.1.1"><p id="acl_0002__p6536131425817"><strong id="acl_0002__b118251314859">Direction</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="6.000000000000001%" id="mcps1.3.5.2.2.9.1.2"><p id="acl_0002__p1253641416587"><strong id="acl_0002__b187114616617">Action</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="9.000000000000002%" id="mcps1.3.5.2.2.9.1.3"><p id="acl_0002__p5536171415817"><strong id="acl_0002__b1976385613">Protocol</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="9.000000000000002%" id="mcps1.3.5.2.2.9.1.4"><p id="acl_0002__p853691455815"><strong id="acl_0002__b63477914611">Source</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="12.000000000000002%" id="mcps1.3.5.2.2.9.1.5"><p id="acl_0002__p8536114165813"><strong id="acl_0002__b19670523366">Source Port Range</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.000000000000004%" id="mcps1.3.5.2.2.9.1.6"><p id="acl_0002__p15536181495819"><strong id="acl_0002__b246520201615">Destination</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="13.000000000000004%" id="mcps1.3.5.2.2.9.1.7"><p id="acl_0002__p135361214105818"><strong id="acl_0002__b1231942917613">Destination Port Range</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.000000000000004%" id="mcps1.3.5.2.2.9.1.8"><p id="acl_0002__p85369147584"><strong id="acl_0002__b1638217306615">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="acl_0002__row20536131455815"><td class="cellrowborder" valign="top" width="9.000000000000002%" headers="mcps1.3.5.2.2.9.1.1 "><p id="acl_0002__p175361814165817">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="6.000000000000001%" headers="mcps1.3.5.2.2.9.1.2 "><p id="acl_0002__p1053616146583">Deny</p>
</td>
<td class="cellrowborder" valign="top" width="9.000000000000002%" headers="mcps1.3.5.2.2.9.1.3 "><p id="acl_0002__p453651419586">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="9.000000000000002%" headers="mcps1.3.5.2.2.9.1.4 "><p id="acl_0002__p153691419583">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.000000000000002%" headers="mcps1.3.5.2.2.9.1.5 "><p id="acl_0002__p5536181412589">1-65535</p>
</td>
<td class="cellrowborder" valign="top" width="18.000000000000004%" headers="mcps1.3.5.2.2.9.1.6 "><p id="acl_0002__p8536171495815">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="13.000000000000004%" headers="mcps1.3.5.2.2.9.1.7 "><p id="acl_0002__p65360144584">445</p>
</td>
<td class="cellrowborder" valign="top" width="24.000000000000004%" headers="mcps1.3.5.2.2.9.1.8 "><p id="acl_0002__p13536614155813">Denies inbound traffic from any IP address through TCP port 445.</p>
</td>
</tr>
<tr id="acl_0002__row183317402455"><td class="cellrowborder" valign="top" width="9.000000000000002%" headers="mcps1.3.5.2.2.9.1.1 "><p id="acl_0002__p173271575112">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="6.000000000000001%" headers="mcps1.3.5.2.2.9.1.2 "><p id="acl_0002__p09375481311">Allow</p>
</td>
<td class="cellrowborder" valign="top" width="9.000000000000002%" headers="mcps1.3.5.2.2.9.1.3 "><p id="acl_0002__p234294719114">All</p>
</td>
<td class="cellrowborder" valign="top" width="9.000000000000002%" headers="mcps1.3.5.2.2.9.1.4 "><p id="acl_0002__p441232491318">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.000000000000002%" headers="mcps1.3.5.2.2.9.1.5 "><p id="acl_0002__p14135242137">1-65535</p>
</td>
<td class="cellrowborder" valign="top" width="18.000000000000004%" headers="mcps1.3.5.2.2.9.1.6 "><p id="acl_0002__p13413152415134">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="13.000000000000004%" headers="mcps1.3.5.2.2.9.1.7 "><p id="acl_0002__p434204741117">All</p>
</td>
<td class="cellrowborder" valign="top" width="24.000000000000004%" headers="mcps1.3.5.2.2.9.1.8 "><p id="acl_0002__p153421247191118">Allows all inbound traffic.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="acl_0002__note197771737151813"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="acl_0002__ul1921959467"><li id="acl_0002__li16285184619">By default, a <span id="acl_0002__text1935832351719">firewall</span><span id="acl_0002__text1535872314170"></span> denies all inbound traffic. You can add a rule to allow all inbound traffic if necessary.</li><li id="acl_0002__li163471871466">If you want a deny rule to be matched first, insert the deny rule above the allow rule. For details, see <a href="vpc_acl_0004.html">Changing the Sequence of a Firewall Rule</a>.</li></ul>
</div></div>
</div>
<div class="section" id="acl_0002__section61291659102216"><a name="acl_0002__section61291659102216"></a><a name="section61291659102216"></a><h4 class="sectiontitle">Allowing Access from Specific Ports and Protocols</h4><p id="acl_0002__p1925418304513">In this example, an ECS in a subnet is used as the web server, and you need to allow inbound traffic from HTTP port 80 and HTTPS port 443 and allow all outbound traffic. You need to configure both the <span id="acl_0002__text188951531191716">firewall</span><span id="acl_0002__text20895203161713"></span> rules and security group rules to allow the traffic.</p>
<p id="acl_0002__p162351250175215"><span id="acl_0002__text35451725203413">Firewall</span><span id="acl_0002__text1354517256344"></span> Configuration</p>
<p id="acl_0002__p18763948135714"><a href="#acl_0002__table195634095313">Table 2</a> lists the inbound and outbound rules required.</p>
<div class="tablenoborder"><a name="acl_0002__table195634095313"></a><a name="table195634095313"></a><table cellpadding="4" cellspacing="0" summary="" id="acl_0002__table195634095313" frame="border" border="1" rules="all"><caption><b>Table 2 </b><span id="acl_0002__text2876195173913">Firewall</span><span id="acl_0002__text118765518396"></span> rules</caption><thead align="left"><tr id="acl_0002__row56214055319"><th align="left" class="cellrowborder" valign="top" width="8.91089108910891%" id="mcps1.3.6.5.2.9.1.1"><p id="acl_0002__p16212405538"><strong id="acl_0002__b1324725910194">Direction</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="8.91089108910891%" id="mcps1.3.6.5.2.9.1.2"><p id="acl_0002__p1863340165319"><strong id="acl_0002__b131356012020">Action</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.891089108910892%" id="mcps1.3.6.5.2.9.1.3"><p id="acl_0002__p10631640155318"><strong id="acl_0002__b223313112204">Protocol</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.891089108910892%" id="mcps1.3.6.5.2.9.1.4"><p id="acl_0002__p66324013535"><strong id="acl_0002__b1656915916213">Source</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="12.871287128712872%" id="mcps1.3.6.5.2.9.1.5"><p id="acl_0002__p1659407534"><strong id="acl_0002__b13983339192419">Source Port Range</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="9.900990099009901%" id="mcps1.3.6.5.2.9.1.6"><p id="acl_0002__p56554075310"><strong id="acl_0002__b87684114247">Destination</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="12.871287128712872%" id="mcps1.3.6.5.2.9.1.7"><p id="acl_0002__p106694013537"><strong id="acl_0002__b1720864232419">Destination Port Range</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.752475247524753%" id="mcps1.3.6.5.2.9.1.8"><p id="acl_0002__p66717405533"><strong id="acl_0002__b113781445162411">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="acl_0002__row196712405536"><td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.5.2.9.1.1 "><p id="acl_0002__p069124055316">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.5.2.9.1.2 "><p id="acl_0002__p1670204016533">Allow</p>
</td>
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.6.5.2.9.1.3 "><p id="acl_0002__p117112409536">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.6.5.2.9.1.4 "><p id="acl_0002__p10721240185320">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.871287128712872%" headers="mcps1.3.6.5.2.9.1.5 "><p id="acl_0002__p7742404539">1-65535</p>
</td>
<td class="cellrowborder" valign="top" width="9.900990099009901%" headers="mcps1.3.6.5.2.9.1.6 "><p id="acl_0002__p177484025315">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.871287128712872%" headers="mcps1.3.6.5.2.9.1.7 "><p id="acl_0002__p1211320362012">80</p>
</td>
<td class="cellrowborder" valign="top" width="24.752475247524753%" headers="mcps1.3.6.5.2.9.1.8 "><p id="acl_0002__p3772407536">Allows inbound HTTP traffic from any IP address to ECSs in the subnet through port 80.</p>
</td>
</tr>
<tr id="acl_0002__row160981135413"><td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.5.2.9.1.1 "><p id="acl_0002__p11609119544">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.5.2.9.1.2 "><p id="acl_0002__p960910113543">Allow</p>
</td>
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.6.5.2.9.1.3 "><p id="acl_0002__p96091313540">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.6.5.2.9.1.4 "><p id="acl_0002__p12609616544">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.871287128712872%" headers="mcps1.3.6.5.2.9.1.5 "><p id="acl_0002__p1760910165412">1-65535</p>
</td>
<td class="cellrowborder" valign="top" width="9.900990099009901%" headers="mcps1.3.6.5.2.9.1.6 "><p id="acl_0002__p136093175411">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.871287128712872%" headers="mcps1.3.6.5.2.9.1.7 "><p id="acl_0002__p9208174116114">443</p>
</td>
<td class="cellrowborder" valign="top" width="24.752475247524753%" headers="mcps1.3.6.5.2.9.1.8 "><p id="acl_0002__p36241816183320">Allows inbound HTTPS traffic from any IP address to ECSs in the subnet through port 443.</p>
</td>
</tr>
<tr id="acl_0002__row27210235717"><td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.5.2.9.1.1 "><p id="acl_0002__p1372192105711">Outbound</p>
</td>
<td class="cellrowborder" valign="top" width="8.91089108910891%" headers="mcps1.3.6.5.2.9.1.2 "><p id="acl_0002__p16721823575">Allow</p>
</td>
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.6.5.2.9.1.3 "><p id="acl_0002__p1372192145710">All</p>
</td>
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.6.5.2.9.1.4 "><p id="acl_0002__p204401137135716">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.871287128712872%" headers="mcps1.3.6.5.2.9.1.5 "><p id="acl_0002__p37211215719">All</p>
</td>
<td class="cellrowborder" valign="top" width="9.900990099009901%" headers="mcps1.3.6.5.2.9.1.6 "><p id="acl_0002__p99971040195713">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="12.871287128712872%" headers="mcps1.3.6.5.2.9.1.7 "><p id="acl_0002__p1972114217575">All</p>
</td>
<td class="cellrowborder" valign="top" width="24.752475247524753%" headers="mcps1.3.6.5.2.9.1.8 "><p id="acl_0002__p207214210578">Allows all outbound traffic from the subnet.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="acl_0002__p610242375819"><strong id="acl_0002__b17588516280">Security group configuration</strong></p>
<p id="acl_0002__p410452316588"><a href="#acl_0002__table30323767195135">Table 3</a> lists the inbound and outbound security group rules required.</p>
<div class="tablenoborder"><a name="acl_0002__table30323767195135"></a><a name="table30323767195135"></a><table cellpadding="4" cellspacing="0" summary="" id="acl_0002__table30323767195135" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Security group rules</caption><thead align="left"><tr id="acl_0002__row15770184195135"><th align="left" class="cellrowborder" valign="top" width="10%" id="mcps1.3.6.8.2.6.1.1"><p id="acl_0002__p1235112172119"><strong id="acl_0002__b15280238142814">Direction</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.330000000000002%" id="mcps1.3.6.8.2.6.1.2"><p id="acl_0002__p2316559195135"><strong id="acl_0002__b842352706104812">Protocol/Application</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.879999999999999%" id="mcps1.3.6.8.2.6.1.3"><p id="acl_0002__p32340552195135"><strong id="acl_0002__b842352706161911_1">Port</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.759999999999998%" id="mcps1.3.6.8.2.6.1.4"><p id="acl_0002__p2339084195135"><strong id="acl_0002__b84235270615214">Source/Destination</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.03%" id="mcps1.3.6.8.2.6.1.5"><p id="acl_0002__p1096519542911"><strong id="acl_0002__b142754662817">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="acl_0002__row55248116195135"><td class="cellrowborder" valign="top" width="10%" headers="mcps1.3.6.8.2.6.1.1 "><p id="acl_0002__p153542182110">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="14.330000000000002%" headers="mcps1.3.6.8.2.6.1.2 "><p id="acl_0002__p45912425195135">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.879999999999999%" headers="mcps1.3.6.8.2.6.1.3 "><p id="acl_0002__p46840856195135">80</p>
</td>
<td class="cellrowborder" valign="top" width="24.759999999999998%" headers="mcps1.3.6.8.2.6.1.4 "><p id="acl_0002__p36012962195135">Source: 0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="35.03%" headers="mcps1.3.6.8.2.6.1.5 "><p id="acl_0002__p1616504613311">Allows inbound HTTP traffic from any IP address to ECSs associated with the security group through port 80.</p>
</td>
</tr>
<tr id="acl_0002__row5566305020026"><td class="cellrowborder" valign="top" width="10%" headers="mcps1.3.6.8.2.6.1.1 "><p id="acl_0002__p1335112162119">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="14.330000000000002%" headers="mcps1.3.6.8.2.6.1.2 "><p id="acl_0002__p3120540920026">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.879999999999999%" headers="mcps1.3.6.8.2.6.1.3 "><p id="acl_0002__p5665449220026">443</p>
</td>
<td class="cellrowborder" valign="top" width="24.759999999999998%" headers="mcps1.3.6.8.2.6.1.4 "><p id="acl_0002__p2561110020026">Source: 0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="35.03%" headers="mcps1.3.6.8.2.6.1.5 "><p id="acl_0002__p11273949183317">Allows inbound HTTPS traffic from any IP address to ECSs associated with the security group through port 443.</p>
</td>
</tr>
<tr id="acl_0002__row711437142712"><td class="cellrowborder" valign="top" width="10%" headers="mcps1.3.6.8.2.6.1.1 "><p id="acl_0002__p31141071272">Outbound</p>
</td>
<td class="cellrowborder" valign="top" width="14.330000000000002%" headers="mcps1.3.6.8.2.6.1.2 "><p id="acl_0002__p711457182715">All</p>
</td>
<td class="cellrowborder" valign="top" width="15.879999999999999%" headers="mcps1.3.6.8.2.6.1.3 "><p id="acl_0002__p1011487182717">All</p>
</td>
<td class="cellrowborder" valign="top" width="24.759999999999998%" headers="mcps1.3.6.8.2.6.1.4 "><p id="acl_0002__p20126774286">Destination: 0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="35.03%" headers="mcps1.3.6.8.2.6.1.5 "><p id="acl_0002__p20965751299">Allows all outbound traffic from the security group.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="acl_0002__p123682016162615">A <span id="acl_0002__text169180071811">firewall</span><span id="acl_0002__text79181016181"></span> adds an additional layer of security. Even if the security group rules allow more traffic than that actually required, the <span id="acl_0002__text137150024215">firewall</span><span id="acl_0002__text15716501426"></span> rules allow only access from HTTP port 80 and HTTPS port 443 and deny other inbound traffic.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="vpc_acl_0000.html">Firewall</a></div>
</div>
</div>
View Git Blame Copy Permalink