The default FirewallService in an EdgeGatewayServiceConfiguration is enabled and configured to block all incoming traffic. You can modify that FirewallService to allow incoming traffic, block outgoing traffic, or both.
A firewall service configuration includes several important parameters.
Firewall Rules
Each firewall rule specifies a protocol, IP address, and port. Packets that match the criteria in the rule are subject to an action defined in the Policy element of the rule. The action can forward the packet to the destination IP address and port, or drop it and optionally log a message describing the packet that was dropped. Packets that do not match any rule are subject to the policy contained in the DefaultAction element of the FirewallService.
Firewall Rule Logging
Firewall rule actions can be logged to the system syslog server, and optionally to a syslog server you create and manage. When you specify a value of true in the EnableLogging element of a FirewallRule, all packets that trigger the rule are logged to the system syslog server. Logging for all rules is controlled by the value of the LogDefaultAction element of the FirewallService.
To log firewall rule messages from this Edge Gateway to your own syslog server in addition to the system syslog server, add a SyslogServerSettings element to its Configuration element and specify your syslog server's IP address in the SyslogServerIp element of its TenantSyslogServerSettings.
Port and Address Ranges
These elements in a FirewallRule specify source and destination IP ports and addresses to which the rule applies.
Firewall Service Definition with Two Rules
This fragment of an EdgeGatewayServiceConfiguration defines a firewall service with two rules: one that allows incoming SSH connections, and one that denies incoming Telnet connections. These rules apply to any virtual machine that connects to a network backed by this Edge Gateway. Each rule is defined in a FirewallRule element, and can include the following specifications:
- Policy
- The default policy value, allow, causes the firewall to forward packets that match the rule. Specify drop to drop packets that match the rule.
- Protocols
- By default, a rule applies to both UDP and TCP protocols. You can limit the rule to one protocol or the other by including Tcp and Udp elements in Protocols and specifying a value of true or false for each.
- SourcePortRange
- Specify a source IP port or port range, or set to any to match any port.
- DestinationPortRange
- Specify a destination IP port or port range, or set to any to match any port.
- SourceIp
- Specify a source IP address, or use one of the strings in Table 1.

Table 1. SourceIp and DestinationIp Values

| Value | Result |
| --- | --- |
| Any | Matches any IP address. |
| Internal | Matches any IP address originating on an organization VDC network connected to this EdgeGateway. When used in a vApp network, matches any IP address assigned to a virtual machine in the vApp. |
| External | Matches any IP address originating on an external network connected to this EdgeGateway. When used in a vApp network, matches any IP address except those assigned to a virtual machine in the vApp. |

- DestinationIp
- Specify a destination IP address, or use one of the strings shown in Table 1, SourceIp and DestinationIp Values.
- EnableLogging
- Set to true to log all packets that trigger this rule. See Firewall Rule Logging.
Rules are applied to packets in the order in which the FirewallRule elements appear in the FirewallService definition.
The system assigns an Id value to each rule you create and uses these values when logging rule actions.
<FirewallService>
    <IsEnabled>true</IsEnabled>
    <DefaultAction>allow</DefaultAction>
    <LogDefaultAction>false</LogDefaultAction>
    <FirewallRule>
        <IsEnabled>true</IsEnabled>
        <Description>allow incoming ssh</Description>
        <Policy>allow</Policy>
        <Protocols>
            <Tcp>true</Tcp>
        </Protocols>
        <DestinationPortRange>22</DestinationPortRange>
        <DestinationIp>Internal</DestinationIp>
        <SourcePortRange>Any</SourcePortRange>
        <SourceIp>External</SourceIp>
        <EnableLogging>false</EnableLogging>
    </FirewallRule>
    <FirewallRule>
        <IsEnabled>true</IsEnabled>
        <Description>deny incoming telnet</Description>
        <Policy>drop</Policy>
        <Protocols>
            <Tcp>true</Tcp>
        </Protocols>
        <DestinationPortRange>23</DestinationPortRange>
        <DestinationIp>Internal</DestinationIp>
        <SourcePortRange>Any</SourcePortRange>
        <SourceIp>External</SourceIp>
        <EnableLogging>false</EnableLogging>
    </FirewallRule>
</FirewallService>
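As an added example (not code from the VMware documentation or product), this Python evaluator applies the first-match semantics described above to a constructed copy of the two-rule fragment: Tcp/Udp narrowing, port ranges, the Any/Internal/External strings, and the fallback to DefaultAction and LogDefaultAction when no rule matches. It assumes packets carry an internal/external zone label instead of being resolved against network membership, and sets EnableLogging to true on the telnet rule so the logging decision is visible.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two-rule fragment, compacted, with logging enabled on the telnet rule.
FIREWALL_XML = """<FirewallService><IsEnabled>true</IsEnabled><DefaultAction>allow</DefaultAction>
<LogDefaultAction>false</LogDefaultAction>
<FirewallRule><IsEnabled>true</IsEnabled><Description>allow incoming ssh</Description><Policy>allow</Policy>
<Protocols><Tcp>true</Tcp></Protocols><DestinationPortRange>22</DestinationPortRange>
<DestinationIp>Internal</DestinationIp><SourcePortRange>Any</SourcePortRange><SourceIp>External</SourceIp>
<EnableLogging>false</EnableLogging></FirewallRule>
<FirewallRule><IsEnabled>true</IsEnabled><Description>deny incoming telnet</Description><Policy>drop</Policy>
<Protocols><Tcp>true</Tcp></Protocols><DestinationPortRange>23</DestinationPortRange>
<DestinationIp>Internal</DestinationIp><SourcePortRange>Any</SourcePortRange><SourceIp>External</SourceIp>
<EnableLogging>true</EnableLogging></FirewallRule></FirewallService>"""

def _text(node, tag, default=""):
    return (node.findtext(tag) or default).strip()

def port_matches(spec, port):
    """Port spec is 'Any', a single port such as '22', or a range such as '1024-65535'."""
    if spec.lower() == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def addr_matches(spec, zone, ip):
    """Internal/External are compared with the packet's zone label; anything else is a literal address."""
    if spec.lower() == "any":
        return True
    if spec.lower() in ("internal", "external"):
        return spec.lower() == zone
    return spec == ip

def rule_matches(rule, pkt):
    protos = rule.find("Protocols")
    # A rule applies to both TCP and UDP unless Protocols narrows it with <Tcp>/<Udp> set to true.
    allowed = {"tcp", "udp"} if protos is None else {
        p for p in ("tcp", "udp") if _text(protos, p.capitalize()).lower() == "true"}
    return (pkt["proto"] in allowed
            and port_matches(_text(rule, "SourcePortRange", "Any"), pkt["sport"])
            and port_matches(_text(rule, "DestinationPortRange", "Any"), pkt["dport"])
            and addr_matches(_text(rule, "SourceIp", "Any"), pkt["szone"], pkt["sip"])
            and addr_matches(_text(rule, "DestinationIp", "Any"), pkt["dzone"], pkt["dip"]))

def evaluate(xml_text, pkt):
    """First enabled rule that matches decides (action, logged, description); otherwise DefaultAction."""
    svc = ET.fromstring(xml_text)
    for rule in svc.findall("FirewallRule"):
        if _text(rule, "IsEnabled").lower() == "true" and rule_matches(rule, pkt):
            return (_text(rule, "Policy", "allow"),
                    _text(rule, "EnableLogging").lower() == "true", _text(rule, "Description"))
    return (_text(svc, "DefaultAction", "allow"),
            _text(svc, "LogDefaultAction").lower() == "true", "DefaultAction")
```

Evaluating a UDP packet to port 23 shows the caveat: the TCP-only deny rule does not match it, so with DefaultAction allow it passes by default, and a deny list on a default-allow firewall covers only exactly what it names.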
You can see this fragment in the context of an Edge Gateway configuration in Configure Services on an Edge Gateway.