doc-exports/docs/vpc/umn/acl_0001.html
fanqinying 44c0250eec VPC UMN 20241008 version
Reviewed-by: Sarda, Priya <prsarda@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: fanqinying <fanqinying@huawei.com>
Co-committed-by: fanqinying <fanqinying@huawei.com>
2024-11-21 10:14:33 +00:00


<a name="acl_0001"></a><a name="acl_0001"></a>
<h1 class="topictitle1"><span id="text15411215417">Firewall</span> Overview</h1>
<div id="body1544424023306"><p id="acl_0001__p13781551490">A <span id="acl_0001__text11248715171311">firewall</span> is an optional layer of security for your subnets. After you associate one or more subnets with a <span id="acl_0001__text13717202713198">firewall</span>, you can control traffic in and out of the subnets.</p>
<p id="acl_0001__p8060118">For details, see <a href="#acl_0001__fig9582182315479">Figure 1</a>.</p>
<div class="fignone" id="acl_0001__fig9582182315479"><a name="acl_0001__fig9582182315479"></a><a name="fig9582182315479"></a><span class="figcap"><b>Figure 1 </b>Security groups and firewalls</span><br><span><img class="eddx" id="acl_0001__en-us_topic_0118534001_image048361820309" src="en-us_image_0000001818982946.png"></span></div>
<p id="acl_0001__p668217610324">Similar to security groups, <span id="acl_0001__text127138429139">firewall</span>s control access to subnets and add an additional layer of defense to your subnets. Security groups only have "allow" rules, but <span id="acl_0001__text3310185011135">firewall</span>s have both "allow" and "deny" rules. You can use <span id="acl_0001__text1554161716440">firewall</span>s together with security groups to implement comprehensive and fine-grained access control.</p>
<p id="acl_0001__p6398184124212"><a href="en-us_topic_0052003963.html">Differences Between Security Groups and Firewalls</a> summarizes the basic differences between security groups and <span id="acl_0001__text137415412138">firewall</span>s.</p>
<div class="section" id="acl_0001__section1952742625114"><h4 class="sectiontitle"><span id="acl_0001__text16549171719105">Firewall</span> Basics</h4><ul id="acl_0001__ul16670101419510"><li id="acl_0001__li1767091455112">Your VPC does not come with a <span id="acl_0001__text1681559201318">firewall</span>, but you can create a <span id="acl_0001__text193132025161912">firewall</span> and associate it with a VPC subnet if required. By default, each <span id="acl_0001__text17139141019144">firewall</span> denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.</li><li id="acl_0001__li9670101412519">You can associate a <span id="acl_0001__text129685145149">firewall</span> with multiple subnets. However, a subnet can only be associated with one <span id="acl_0001__text1922420915259">firewall</span> at a time.</li><li id="acl_0001__li1670714145119">Each newly created <span id="acl_0001__text138342217143">firewall</span> is in the <strong id="acl_0001__b0772925121511">Inactive</strong> state until you associate subnets with it.</li><li id="acl_0001__li122989913316"><span id="acl_0001__en-us_topic_0118499057_text55841134105919">Firewalls</span> use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for existing traffic.<p id="acl_0001__en-us_topic_0118499057_p12584634185913">If you add, modify, or delete a <span id="acl_0001__text58351373372">firewall</span> rule, or associate or disassociate a subnet with or from a <span id="acl_0001__text2836167183717">firewall</span>, existing inbound and outbound persistent connections are not disconnected. The new rules apply only to new connections.</p>
</li></ul>
<div class="notice" id="acl_0001__note191885121325"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="acl_0001__en-us_topic_0118499057_p982720180553">After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will be applied when the timeout period (30s) expires.</p>
<ul id="acl_0001__en-us_topic_0118499057_ul0719132175510"><li id="acl_0001__en-us_topic_0118499057_li31956209554">The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.</li><li id="acl_0001__en-us_topic_0118499057_li131754585612">The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.</li></ul>
</div></div>
</div>
<div class="section" id="acl_0001__section99541345213"><a name="acl_0001__section99541345213"></a><a name="section99541345213"></a><h4 class="sectiontitle">Default <span id="acl_0001__text17811727151018">Firewall</span><span id="acl_0001__text96061321162714"></span> Rules</h4><p id="acl_0001__p1767071405116">By default, each <span id="acl_0001__text28540545146">firewall</span><span id="acl_0001__text12854205411419"></span> has preset rules that allow the following packets:</p>
<ul id="acl_0001__ul116891923175218"><li id="acl_0001__li4671121410513">Packets whose source and destination are in the same subnet.</li><li id="acl_0001__li20671101455117">Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information.</li><li id="acl_0001__li867110142516">Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols.</li><li id="acl_0001__li1067121414513">Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata.</li><li id="acl_0001__li166902023175218">Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16).</li><li id="acl_0001__li11670914165110">A <span id="acl_0001__text13558171917362">firewall</span><span id="acl_0001__text1755991943617"></span> denies all traffic in and out of a subnet except the preceding packets. <a href="#acl_0001__table1034601475112">Table 1</a> shows the default rules. You cannot modify or delete the default rules.
<div class="tablenoborder"><a name="acl_0001__table1034601475112"></a><a name="table1034601475112"></a><table cellpadding="4" cellspacing="0" summary="" id="acl_0001__table1034601475112" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Default <span id="acl_0001__text16669711181515">firewall</span> rules</caption><thead align="left"><tr id="acl_0001__row1267171445118"><th align="left" class="cellrowborder" valign="top" width="15.53398058252427%" id="mcps1.3.7.3.6.4.2.8.1.1"><p id="acl_0001__p4671214185116">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="11.650485436893202%" id="mcps1.3.7.3.6.4.2.8.1.2"><p id="acl_0001__p46711614195111">Priority</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.679611650485436%" id="mcps1.3.7.3.6.4.2.8.1.3"><p id="acl_0001__p186711114105115">Action</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="13.59223300970874%" id="mcps1.3.7.3.6.4.2.8.1.4"><p id="acl_0001__p86711114195114">Protocol</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="11.650485436893202%" id="mcps1.3.7.3.6.4.2.8.1.5"><p id="acl_0001__p12671101405114">Source</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.446601941747574%" id="mcps1.3.7.3.6.4.2.8.1.6"><p id="acl_0001__p2671814165117">Destination</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.446601941747574%" id="mcps1.3.7.3.6.4.2.8.1.7"><p id="acl_0001__p136711114195118">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="acl_0001__row167117147516"><td class="cellrowborder" valign="top" width="15.53398058252427%" headers="mcps1.3.7.3.6.4.2.8.1.1 "><p id="acl_0001__p14671214175113">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="11.650485436893202%" headers="mcps1.3.7.3.6.4.2.8.1.2 "><p id="acl_0001__p467181413516">*</p>
</td>
<td class="cellrowborder" valign="top" width="10.679611650485436%" headers="mcps1.3.7.3.6.4.2.8.1.3 "><p id="acl_0001__p767141475110">Deny</p>
</td>
<td class="cellrowborder" valign="top" width="13.59223300970874%" headers="mcps1.3.7.3.6.4.2.8.1.4 "><p id="acl_0001__p12671161413512">All</p>
</td>
<td class="cellrowborder" valign="top" width="11.650485436893202%" headers="mcps1.3.7.3.6.4.2.8.1.5 "><p id="acl_0001__p1967117148511">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="18.446601941747574%" headers="mcps1.3.7.3.6.4.2.8.1.6 "><p id="acl_0001__p10671101425118">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="18.446601941747574%" headers="mcps1.3.7.3.6.4.2.8.1.7 "><p id="acl_0001__p967101418517">Denies all inbound traffic.</p>
</td>
</tr>
<tr id="acl_0001__row11671414155113"><td class="cellrowborder" valign="top" width="15.53398058252427%" headers="mcps1.3.7.3.6.4.2.8.1.1 "><p id="acl_0001__p1567121445119">Outbound</p>
</td>
<td class="cellrowborder" valign="top" width="11.650485436893202%" headers="mcps1.3.7.3.6.4.2.8.1.2 "><p id="acl_0001__p2671161475110">*</p>
</td>
<td class="cellrowborder" valign="top" width="10.679611650485436%" headers="mcps1.3.7.3.6.4.2.8.1.3 "><p id="acl_0001__p18671181425114">Deny</p>
</td>
<td class="cellrowborder" valign="top" width="13.59223300970874%" headers="mcps1.3.7.3.6.4.2.8.1.4 "><p id="acl_0001__p667111455114">All</p>
</td>
<td class="cellrowborder" valign="top" width="11.650485436893202%" headers="mcps1.3.7.3.6.4.2.8.1.5 "><p id="acl_0001__p3671114195119">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="18.446601941747574%" headers="mcps1.3.7.3.6.4.2.8.1.6 "><p id="acl_0001__p06711814205118">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="18.446601941747574%" headers="mcps1.3.7.3.6.4.2.8.1.7 "><p id="acl_0001__p17671814105114">Denies all outbound traffic.</p>
</td>
</tr>
</tbody>
</table>
</div>
</li></ul>
</div>
<div class="section" id="acl_0001__section74125695419"><h4 class="sectiontitle">How Traffic Matches <span id="acl_0001__text1373134095410">Firewall</span><span id="acl_0001__text1573194085414"></span> Rules</h4><ul id="acl_0001__ul2671914175111"><li id="acl_0001__li290111810455">Each <span id="acl_0001__text18509112231513">firewall</span><span id="acl_0001__text1950962261517"></span> rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority.</li><li id="acl_0001__li167117146513">If multiple <span id="acl_0001__text2596102581517">firewall</span><span id="acl_0001__text15596102571513"></span> rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.</li></ul>
</div>
<div class="section" id="acl_0001__section1864416226298"><h4 class="sectiontitle">Application Scenarios</h4><ul id="acl_0001__ul107461633193215"><li id="acl_0001__li174611336324">If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. However, you also need to prevent illegal access from malicious users.<p id="acl_0001__p75381836122820"><a name="acl_0001__li174611336324"></a><a name="li174611336324"></a>Solution: You can add <span id="acl_0001__text67171932111520">firewall</span><span id="acl_0001__text571818328153"></span> rules to deny access from suspicious IP addresses.</p>
</li><li id="acl_0001__li18386203923318">How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445, which can be exploited by the WannaCry worm?<p id="acl_0001__p1653983682815"><a name="acl_0001__li18386203923318"></a><a name="li18386203923318"></a>Solution: You can add <span id="acl_0001__text18921336191512">firewall</span><span id="acl_0001__text1292173681512"></span> rules to deny traffic on a specific port and protocol, for example, TCP port 445.</p>
</li><li id="acl_0001__li10923457123511">No defense is required for the east-west traffic between subnets, but access control is required for north-south traffic.<p id="acl_0001__p17539173617284"><a name="acl_0001__li10923457123511"></a><a name="li10923457123511"></a>Solution: You can add <span id="acl_0001__text12105466158">firewall</span><span id="acl_0001__text10101946151511"></span> rules to protect north-south traffic.</p>
</li><li id="acl_0001__li14614936123711">For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance.<p id="acl_0001__p15539183632810"><a name="acl_0001__li14614936123711"></a><a name="li14614936123711"></a>Solution: A <span id="acl_0001__text733510502153">firewall</span><span id="acl_0001__text20335115019159"></span> allows you to adjust the rule sequence so that frequently used rules are applied before other rules.</p>
</li></ul>
</div>
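<p>The following is an added example (not code from this documentation or from the VPC service) that models how the rule matching described above works: the preset allow rules are checked first, then custom rules and the Table 1 default deny rules are tried in priority order (smaller number first, asterisk last), and the first match decides. The subnet 10.0.1.0/24, the rule set (deny TCP 445 at priority 1, allow inbound TCP at priority 2, as in the port 445 scenario) and the packet addresses are constructed for the example.</p>

```python
import ipaddress
from collections import namedtuple

# A rule as laid out in Table 1; priority is an int or "*" (lowest); port None = any.
Rule = namedtuple("Rule", "direction priority action protocol source destination port",
                  defaults=(None,))

# Default rules from Table 1: deny everything in both directions at the lowest priority.
DEFAULT_RULES = [
    Rule("inbound", "*", "deny", "all", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("outbound", "*", "deny", "all", "0.0.0.0/0", "0.0.0.0/0"),
]

def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def _sort_key(rule):
    # Smaller number = higher priority; "*" sorts after every numeric value.
    return (1, 0) if rule.priority == "*" else (0, rule.priority)

def preset_allowed(subnet, src, dst, proto, port):
    """Packets the preset rules always allow (these rules cannot be modified or deleted)."""
    return (
        (_in_cidr(src, subnet) and _in_cidr(dst, subnet))                # same subnet
        or dst == "255.255.255.255"                                      # broadcast
        or _in_cidr(dst, "224.0.0.0/24")                                 # multicast
        or (dst == "169.254.169.254" and proto == "tcp" and port == 80)  # metadata
        or _in_cidr(dst, "100.125.0.0/16")                               # public services
    )

def evaluate(rules, subnet, direction, src, dst, proto, port=None):
    """Return 'allow' or 'deny' for one packet: the first match by priority wins."""
    if preset_allowed(subnet, src, dst, proto, port):
        return "allow"
    for r in sorted(rules + DEFAULT_RULES, key=_sort_key):
        if (r.direction == direction and r.protocol in ("all", proto)
                and (r.port is None or r.port == port)
                and _in_cidr(src, r.source) and _in_cidr(dst, r.destination)):
            return r.action
    return "deny"  # not reached: the "*" default rules match every packet

# Constructed rule set (assumption, not from the page): block TCP 445 at priority 1,
# otherwise allow inbound TCP at priority 2. The subnet is also an assumption.
SUBNET = "10.0.1.0/24"
RULES = [
    Rule("inbound", 1, "deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 445),
    Rule("inbound", 2, "allow", "tcp", "0.0.0.0/0", "0.0.0.0/0"),
]
```

Swapping the two priorities would let the broader allow rule win first, which is why the page recommends inserting a rule before or after a specific one rather than relying on the order in which rules were added.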
<div class="section" id="acl_0001__section14396131910515"><h4 class="sectiontitle">Configuration Procedure</h4><p id="acl_0001__p10538937853"><a href="#acl_0001__fig1643183218163">Figure 2</a> shows the procedure for configuring a <span id="acl_0001__text599516189168">firewall</span><span id="acl_0001__text599512187168"></span>.</p>
<div class="fignone" id="acl_0001__fig1643183218163"><a name="acl_0001__fig1643183218163"></a><a name="fig1643183218163"></a><span class="figcap"><b>Figure 2 </b><span id="acl_0001__text668616281164">firewall</span><span id="acl_0001__text06861728121612"></span> configuration procedure</span><br><span><img class="vsd" id="acl_0001__image49772046165815" src="en-us_image_0000001818982962.png"></span></div>
<ol id="acl_0001__ol64961250174814"><li id="acl_0001__li1849614505486">Create a <span id="acl_0001__text71827337167">firewall</span><span id="acl_0001__text7183173318168"></span> by following the steps described in <a href="en-us_topic_0051746698.html">Creating a Firewall</a>.</li><li id="acl_0001__li1518417537486">Add <span id="acl_0001__text593833511166">firewall</span><span id="acl_0001__text9938635141617"></span> rules by following the steps described in <a href="en-us_topic_0051746702.html">Adding a Firewall Rule</a>.</li><li id="acl_0001__li2758155517484">Associate subnets with the <span id="acl_0001__text4742139191618">firewall</span><span id="acl_0001__text4742173951610"></span> by following the steps described in <a href="en-us_topic_0051746700.html">Associating Subnets with a Firewall</a>. After subnets are associated with the <span id="acl_0001__text64553435162">firewall</span><span id="acl_0001__text045594311612"></span>, the subnets will be protected by the configured <span id="acl_0001__text13398324163514">firewall</span><span id="acl_0001__text20400182493515"></span> rules.</li></ol>
</div>
<div class="section" id="acl_0001__section28487131277"><h4 class="sectiontitle">Notes and Constraints</h4><ul id="acl_0001__ul4835849194111"><li id="acl_0001__li9945175894218">By default, each account can have up to 200 <span id="acl_0001__text1128221665812">firewall</span><span id="acl_0001__text02838165587"></span>s in a region.</li><li id="acl_0001__li20790333175612">A <span id="acl_0001__text9494437195619">firewall</span><span id="acl_0001__text164943373568"></span> can contain no more than 20 rules in one direction, or performance will deteriorate.</li></ul>
</div>
</div>