The default FirewallService in an EdgeGatewayServiceConfiguration is enabled and configured to block all incoming traffic. You can modify that FirewallService to allow incoming traffic, block outgoing traffic, or both.
Each firewall rule specifies a protocol, IP address, and port. Packets that match the criteria in the rule are subject to an action defined in the Policy element of the rule. The action can forward the packet to the destination IP address and port, or drop it and optionally log a message describing the packet that was dropped. Packets that do not match any rule are subject to the policy contained in the DefaultAction element of the FirewallService.
Firewall rule actions can be logged to the system syslog server, and optionally to a syslog server you create and manage. When you specify a value of true in the EnableLogging element of a FirewallRule, all packets that trigger the rule are logged to the system syslog server. Logging for all rules is controlled by the value of the LogDefaultAction element of the FirewallService.
To log firewall rule messages from this Edge Gateway to your own syslog server in addition to the system syslog server, add a SyslogServerSettings element to its Configuration element and specify your syslog server's IP address in the SyslogServerIp element of its TenantSyslogServerSettings.
These elements in a FirewallRule specify source and destination IP ports and addresses to which the rule applies.
This fragment of an EdgeGatewayServiceConfiguration defines a firewall service with two rules: one that allows incoming SSH connections, and one that denies incoming Telnet connections. These rules apply to any virtual machine that connects to a network backed by this Edge Gateway. Each rule is defined in a FirewallRule element, and can include the following specifications:
SourceIp: Specify a source IP address, or use one of the strings shown in SourceIp and DestinationIp Values.
DestinationIp: Specify a destination IP address, or use one of the strings shown in SourceIp and DestinationIp Values.
EnableLogging: Set to true to log all packets that trigger this rule. See Firewall Rule Logging.
Rules are applied to packets in the order in which the FirewallRule elements appear in the FirewallService definition.
<FirewallService>
    <IsEnabled>true</IsEnabled>
    <DefaultAction>allow</DefaultAction>
    <LogDefaultAction>false</LogDefaultAction>
    <FirewallRule>
        <IsEnabled>true</IsEnabled>
        <Description>allow incoming ssh</Description>
        <Policy>allow</Policy>
        <Protocols>
            <Tcp>true</Tcp>
        </Protocols>
        <DestinationPortRange>22</DestinationPortRange>
        <DestinationIp>Internal</DestinationIp>
        <SourcePortRange>Any</SourcePortRange>
        <SourceIp>External</SourceIp>
        <EnableLogging>false</EnableLogging>
    </FirewallRule>
    <FirewallRule>
        <IsEnabled>true</IsEnabled>
        <Description>deny incoming telnet</Description>
        <Policy>drop</Policy>
        <Protocols>
            <Tcp>true</Tcp>
        </Protocols>
        <DestinationPortRange>23</DestinationPortRange>
        <DestinationIp>Internal</DestinationIp>
        <SourcePortRange>Any</SourcePortRange>
        <SourceIp>External</SourceIp>
        <EnableLogging>false</EnableLogging>
    </FirewallRule>
</FirewallService>
You can see this fragment in the context of an Edge Gateway configuration in Example: Configure Services on an Edge Gateway.
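The following added example (not part of the vCloud Director documentation or product code) models how the fragment above is evaluated: rules are tried in document order, the first enabled match supplies the Policy and EnableLogging flag, and anything unmatched falls through to DefaultAction and LogDefaultAction. It assumes packets are tagged with the zone names the rules use (Internal/External) and switches EnableLogging on for the telnet rule so the log flag is exercised; default_hits lists the inbound ports that no rule covers, which matters when DefaultAction is allow.

```python
import xml.etree.ElementTree as ET

# Constructed input: the page's two-rule fragment, compacted, with logging
# switched on for the telnet rule so the log flag is exercised.
FIREWALL_XML = """<FirewallService><IsEnabled>true</IsEnabled>
<DefaultAction>allow</DefaultAction><LogDefaultAction>false</LogDefaultAction>
<FirewallRule><IsEnabled>true</IsEnabled><Description>allow incoming ssh</Description>
<Policy>allow</Policy><Protocols><Tcp>true</Tcp></Protocols>
<DestinationPortRange>22</DestinationPortRange><DestinationIp>Internal</DestinationIp>
<SourcePortRange>Any</SourcePortRange><SourceIp>External</SourceIp>
<EnableLogging>false</EnableLogging></FirewallRule>
<FirewallRule><IsEnabled>true</IsEnabled><Description>deny incoming telnet</Description>
<Policy>drop</Policy><Protocols><Tcp>true</Tcp></Protocols>
<DestinationPortRange>23</DestinationPortRange><DestinationIp>Internal</DestinationIp>
<SourcePortRange>Any</SourcePortRange><SourceIp>External</SourceIp>
<EnableLogging>true</EnableLogging></FirewallRule></FirewallService>"""

def _port_matches(spec, port):
    # "Any" matches every port; otherwise a single port or a "low-high" range.
    low, _, high = spec.partition("-")
    return spec.lower() == "any" or int(low) <= port <= int(high or low)

def _ip_matches(spec, zone):
    # Assumption: packets carry the zone ("Internal"/"External") that the
    # rule's SourceIp/DestinationIp strings name; "Any" matches both.
    return spec.lower() == "any" or spec == zone

def evaluate(xml_text, proto, src_zone, src_port, dst_zone, dst_port):
    """Return (action, logged, matched_rule_description). First enabled match
    in document order wins; otherwise DefaultAction/LogDefaultAction apply."""
    svc = ET.fromstring(xml_text)
    for rule in svc.findall("FirewallRule"):
        if rule.findtext("IsEnabled") != "true":
            continue
        if rule.find("Protocols").findtext(proto.capitalize()) != "true":
            continue  # rule does not cover this protocol
        if (_ip_matches(rule.findtext("SourceIp"), src_zone)
                and _port_matches(rule.findtext("SourcePortRange"), src_port)
                and _ip_matches(rule.findtext("DestinationIp"), dst_zone)
                and _port_matches(rule.findtext("DestinationPortRange"), dst_port)):
            return (rule.findtext("Policy"),
                    rule.findtext("EnableLogging") == "true",
                    rule.findtext("Description"))
    return svc.findtext("DefaultAction"), svc.findtext("LogDefaultAction") == "true", None

def default_hits(xml_text, ports):
    """Inbound TCP ports that no rule covers, so DefaultAction decides them."""
    return [p for p in ports
            if evaluate(xml_text, "tcp", "External", 40000, "Internal", p)[2] is None]
```

With DefaultAction set to allow as in the fragment, default_hits shows that every inbound port other than 22 and 23 is admitted without any rule or log entry, which is the check to run before treating a rule set as restrictive.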