Contents

Cloud Firewall

The Brightbox Cloud Firewall provides a highly-configurable facility to control access to, from and between your Cloud Servers. Rather than laboriously writing rules for every one of your Cloud Servers, you define rules for your Server Groups. Then, whenever you add servers to the groups, all the rules are applied to all the relevant servers automatically.

Let’s set up firewalling for an example web cluster. We have two web servers and two database servers.

The web servers need HTTP and HTTPS ports accessible from the Internet, and the database servers need MySQL ports accessible from only the web servers.

All the servers need to be accessible via ssh from our home Internet connection.

You’ll need the Brightbox CLI installed to follow this guide.

Grouping the Servers

First off, we need to create two Server Groups, one for the web servers and one for the database servers. Managing Server Groups is explained in more detail in the Server Groups Guide.

$ brightbox groups create -n "web servers"

$ brightbox groups create -n "db servers"

$ brightbox groups list

 id         server_count  name                    
---------------------------------------------------
 grp-98v4n  4             default                 
 grp-f4rpy  0             web servers             
 grp-ncapg  0             db servers              
---------------------------------------------------

So now we have two new groups, in addition to the default group. If we moved the servers into these groups now, they’d be cut off completely because we’ve not defined any rules for them yet. So let’s setup the rules first.

Creating Firewall Policies

Firewall Rules are added to a Firewall Policy, rather than directly onto a Server Group. The Firewall Policy is then applied to the Server Group.

So let’s create two new firewall policies and map them to the new groups:

$ brightbox firewall-policies create -n "web access"

 id         server_group  name      
-------------------------------------
 fwp-emldu                web access
-------------------------------------

$ brightbox firewall-policies apply fwp-emldu grp-f4rpy

 id         server_group  name      
-------------------------------------
 fwp-emldu  grp-f4rpy     web access
-------------------------------------

$ brightbox firewall-policies create -n "db access"

 id         server_group  name     
------------------------------------
 fwp-7d4mt                db access
------------------------------------

$ brightbox firewall-policies apply fwp-7d4mt grp-ncapg

 id         server_group  name     
------------------------------------
 fwp-7d4mt  grp-ncapg     db access
------------------------------------

$ brightbox firewall-policies list

 id         server_group  name                     
----------------------------------------------------
 fwp-hvik9  grp-98v4n     default                  
 fwp-emldu  grp-f4rpy     web access               
 fwp-7d4mt  grp-ncapg     db access                
----------------------------------------------------

Creating the web server rules

So now we can define the allowed traffic. Let’s add the incoming HTTP rule:

$ brightbox firewall-rules create --source=any --protocol=tcp --dport=80,443 fwp-emldu

 id         protocol  source  sport  destination  dport   icmp_type
--------------------------------------------------------------------
 fwr-44bgd  tcp       any     -      -            80,443  -        
--------------------------------------------------------------------

Firewall rules are written from the perspective of the group that the policy is applied to.

So, firewall rules don’t have an explicit direction - you don’t say this rule is inbound or outbound. Instead, the direction of a rule depends on whether you set the source address or the destination address (you cannot set both).

If you set the source address for a rule, then the destination is the group that this policy is applied to. If you set the destination address, then the source becomes the group.

So don’t think in terms of inbound or outbound, think: is this rule matching traffic destined somewhere (outgoing) or is it matching traffic from somewhere (incoming).

So in this case, we set the source to any, which means any ipv4 or ipv6 address, so it’s matching traffic from anywhere in to servers in the web servers group.

For high security configurations, we could define the outgoing access very specifically, perhaps allowing them access to external APIs and SMTP relays or whatever. But for simplicitly here, we’ll just add a rule allowing all access:

$ brightbox firewall-rules create --destination=any fwp-emldu

 id         protocol  source  sport  destination  dport  icmp_type
-------------------------------------------------------------------
 fwr-chy4h  -         -       -      any          -      -        
-------------------------------------------------------------------

So now we can see the two rules:

$ brightbox firewall-rules list fwp-emldu

 id         protocol  source  sport  destination  dport   icmp_type
--------------------------------------------------------------------
 fwr-44bgd  tcp       any     -      -            80,443  -        
 fwr-chy4h  -         -       -      any          -       -        
--------------------------------------------------------------------

Creating the database server rules

Let’s add the same outgoing rule for the database servers:

$ brightbox firewall-rules create --destination=any fwp-7d4mt

 id         protocol  source  sport  destination  dport  icmp_type
-------------------------------------------------------------------
 fwr-kohyq  -         -       -      any          -      -        
-------------------------------------------------------------------

And now we’ll add the rule to allow the web servers to access MySQL. We just need to specify the web servers group id as the source, protocol tcp and destination port 3306. We of course need to add this rule to the db access policy that we applied to the db servers group:

$ brightbox firewall-rules create --source=grp-ncapg --protocol=tcp --dport=3306 fwp-7d4mt

 id         protocol  source     sport  destination  dport  icmp_type
----------------------------------------------------------------------
 fwr-v66e4  tcp       grp-ncapg  -      -            3306   -        
----------------------------------------------------------------------

Moving the servers

Right, now let’s get the firewall rules active for our servers. We have two web servers and two database servers:

$ brightbox servers list

 id         status    type    zone   created_on  image_id   cloud_ip_ids  name       
-------------------------------------------------------------------------------------
 srv-13y2j  active    mini    gb1-a  2011-09-27  img-4gqhs                web1       
 srv-25adm  active    mini    gb1-b  2011-09-28  img-4gqhs                web2       
 srv-uj1wm  active    large   gb1-a  2011-09-25  img-4gqhs                db-a  
 srv-5x0ct  active    large   gb1-b  2011-09-26  img-4gqhs                db-b
-------------------------------------------------------------------------------------

And they’re all currently in the default server group:

$ brightbox groups list

 id         server_count  name                    
---------------------------------------------------
 grp-98v4n  4             default                 
 grp-f4rpy  0             web servers             
 grp-ncapg  0             db servers              
---------------------------------------------------

So we move them into the appropriate groups:

$ brightbox groups move_servers -f grp-98v4n -t grp-f4rpy srv-13y2j srv-25adm 
Moving 2 servers from server group grp-98v4n to server group grp-f4rpy

 id         server_count  name       
--------------------------------------
 grp-98v4n  2             default    
 grp-f4rpy  2             web servers
--------------------------------------

$ brightbox groups move_servers -f grp-98v4n -t grp-ncapg srv-uj1wm srv-5x0ct 
Moving 2 servers from server group grp-98v4n to server group grp-ncapg

 id         server_count  name      
-------------------------------------
 grp-98v4n  0             default   
 grp-ncapg  2             db servers
-------------------------------------

So now we have two servers in each group, and no servers in the default group. As soon as the move_servers command completes, the firewall rules take effect. At this point might notice that we did not enable ssh access as we agreed (though the firewall is stateful, so any currently connected ssh sessions will continue to work until they close normally).

Setting up SSH access

So we need to add a new rule allowing connections from our home Internet connection to all four servers. We could add the rule to both policies, but instead let’s create a new group and associated policy especially for remote admin access.

So we create a new group called ssh servers:

$ brightbox groups create -n "ssh servers"

Creating a new server group

 id         server_count  name               
----------------------------------------------
 grp-lqaky  0             ssh servers
----------------------------------------------

Then we create a new policy and apply it to the group:

$ brightbox firewall-policies create -n "remote admin access"

 id         server_group  name               
----------------------------------------------
 fwp-ekjbx                remote admin access
----------------------------------------------

$ brightbox firewall-policies apply fwp-ekjbx grp-lqaky

 id         server_group  name               
----------------------------------------------
 fwp-ekjbx  grp-lqaky     remote admin access
----------------------------------------------

Then we create a rule allowing ssh access from our trusty home AOL dialup, with IP address 172.191.5.18:

$ brightbox firewall-rules create --source=172.191.5.18 --protocol=tcp --dport=22 fwp-ekjbx

 id         protocol  source        sport  destination  dport  icmp_type
-------------------------------------------------------------------------
 fwr-4h891  tcp       172.191.5.18  -      -            22     -        
-------------------------------------------------------------------------

Now we need to add all the servers to this group, keeping them in their other group, so we use the add_servers command rather than move_servers:

$ brightbox groups add_servers grp-lqaky srv-13y2j srv-25adm srv-uj1wm srv-5x0ct

Adding 4 servers to server group grp-lqaky

 id         server_count  name               
----------------------------------------------
 grp-lqaky  4             remote admin access
----------------------------------------------

So now we can see there are two servers in the web and db groups, and all four servers are in the ssh servers group:

$ brightbox groups list

 id         server_count  name                    
---------------------------------------------------
 grp-98v4n  0             default                 
 grp-f4rpy  2             web servers             
 grp-ncapg  2             db servers              
 grp-lqaky  4             ssh servers     
---------------------------------------------------

When the add_servers command completed the new firewall rule came into effect, allowing ssh access to all four servers (in addition to the HTTP and MySQL access we already configured of course).

Summary

So here we created some groups, applied firewall polices to them and set up some firewall rules.

Remember that now we’ve set everything up, we can just put new servers in the appropriate groups to automatically give them the correct access. Whenever our home IP address changes we can easily update the ssh access policy for all servers at once.

For more detailed information about the different aspects of the Cloud Firewall, see the reference documentation.

Last updated: 25 Apr 2016 at 09:23 UTC

Try Brightbox risk-free with £20 free credit Sign up takes just two minutes...