# Firewall

## Firewall

MNX.io firewall rules enable you to secure instances by defining network traffic rules to control inbound and outbound connections.  You can enable, define, and edit firewall rules by using [Triton CLI](/network/firewall.md#creating-and-managing-firewall-rules-using-triton).

{% hint style="info" %}
By default, firewall rules are **not** automatically enabled on new instances provisioned with CloudAPI.
{% endhint %}

This page covers firewall rule basics. Read the [firewall rules reference document](https://docs.joyent.com/public-cloud/network/firewall/cloud-firewall-rules-reference#priority) for details on how to create rules and read the [firewall rule examples](https://docs.joyent.com/public-cloud/network/firewall/cloud-firewall-examples) for sample use cases.

**NOTE**: Firewall rules are automatically created and enabled for Docker containers based on the exposed port specifications in the Dockerfile. For more information, see the [Optimizing Docker operations for Triton blog post](https://www.joyent.com/blog/optimizing-docker-on-triton), [Docker API documentation](https://apidocs.joyent.com/docker/features/networks), and [networking FAQs](/network/frequently-asked-questions.md).

### [Default firewall policy](/network/firewall.md#default-firewall-policy) <a href="#default-firewall-policy" id="default-firewall-policy"></a>

Without a firewall enabled, each instance allows all inbound and all outbound traffic. When firewall rules are enabled, three default rules apply:

* **Block all inbound traffic**. This rule blocks traffic from any source to all instances.
* **Allow all outbound traffic**. This rule allows traffic from any instance through to any destination.
* **Allow ICMP type 8 code 0**. This rule enables you to ping an instance.

### [Rule syntax](/network/firewall.md#rule-syntax) <a href="#rule-syntax" id="rule-syntax"></a>

Getting familiar with the rule syntax ensures that you create rules that apply as you expect. Triton firewall rules have the following syntax:

```
FROM <target a> TO <target b> <action> <protocol> <port>
```

You can associate rules with instances (or instances with rules) using target criteria such as tags, instance IDs, or the `ALL VMS` keyword. Target criteria include:

* Instances
* IP addresses
* TCP, UDP, or ICMP, ESP, and AH ports
* [Tags](https://docs.joyent.com/public-cloud/tags-metadata/tags)
* Subnets
* All VMs in a data center

The [Firewall Rules Reference](https://docs.joyent.com/public-cloud/network/firewall/cloud-firewall-rules-reference#target_list) document describes firewall rule syntax in more detail.

The words `FROM`, `TO`, and the action name (such as `ALLOW` or `BLOCK`) do not have to be capitalized when creating a new rule. Triton will automatically normalize and update the syntax once created.=

#### [List instances command](/network/firewall.md#list-instances-command) <a href="#list-instances-command" id="list-instances-command"></a>

To see a list of triton instances, run `triton instance list`. The output lists the instances for your account and enables you to obtain the `SHORTID` and `NAME`.

```
$ triton instance list
SHORTID   NAME      IMG                    STATE    FLAGS  AGE
3a1f3346  3a1f3346  base-64@17.3.0         running  F      11w
1009d417  1009d417  standard@15.1.1        running  -      11w
c85da785  server2   ubuntu-14.04@20170403  running  -      11w
4f3a2681  server-1  ubuntu-14.04@20170403  running  -      6w
```

The `FLAGS` column indicates the firewall rule status. `F` indicates an enabled status. If there are no flags, the firewall rules for the instance are disabled.

#### [Instance details command](/network/firewall.md#instance-details-command) <a href="#instance-details-command" id="instance-details-command"></a>

To find the full `UUID` for an instance, run the command `triton instance get <instance>` where `<instance>` is the `SHORTID` or `NAME` of the instance. This example shows the JSON payload (output) for `server-1`, which contains the `UUID` as `"id"` and other details.

```
$ triton instance get server-1
{
    "id": "4f3a2681-a9e9-c2bc-e64f-da5c57950a8e",
    "name": "server-1",
    "type": "smartmachine",
    "brand": "lx",
    "state": "running",
    "image": "04179d8e-188a-11e7-af4a-1349e98cbd17",
    "ips": [
        "64.30.129.97",
        "192.168.27.167"
    ],
    [...]
}
```

#### [Create firewall rules command](/network/firewall.md#create-firewall-rules-command) <a href="#create-firewall-rules-command" id="create-firewall-rules-command"></a>

To create a firewall rule, run `triton fwrule create` with the appropriate rule syntax. For example:

```
$ triton fwrule create "FROM any TO tag www ALLOW tcp (port 80 and port 443)"
Created firewall rule f5653bef-2e91-4c07-a1a5-2f5fc81aeaf3
```

When you create a rule using `triton`, it is automatically granted an enabled status. You have the option to create rules in a disabled status and enable them at another time to better control when rules are put into effect.

To create rules in a disabled status, run `triton fwrule create` with the `-d` flag:

```
$ triton fwrule create -d "FROM any TO all vms ALLOW tcp PORT 22"
Created firewall rule 93cbb439-b539-4b4e-b809-966394630ff6 (disabled)
```

#### [Enable firewall rules command](/network/firewall.md#enable-firewall-rules-command) <a href="#enable-firewall-rules-command" id="enable-firewall-rules-command"></a>

The command to enable firewall rules for an instance is `triton instance enable-firewall <instance>` where `<instance>` is the `UUID`, `SHORTID`, or `NAME`.

For example:

```
$ triton instance enable-firewall server-1
Enabling firewall for instance "server-1"
```

If you run `triton instance list`, the output shows the `F` flag indicating that firewall rules are enabled for `server-1`.

```
$ triton instance list
SHORTID   NAME      IMG                    STATE    FLAGS  AGE
3a1f3346  3a1f3346  base-64@17.3.0         running  F      11w
1009d417  1009d417  standard@15.1.1        running  -      11w
c85da785  server2   ubuntu-14.04@20170403  running  -      11w
4f3a2681  server-1  ubuntu-14.04@20170403  running  F      6w
```

To create a rule that allows you to log into your machines using SSH, run:

```
$ triton fwrule create "FROM any TO all vms ALLOW tcp PORT 22"
Created firewall rule 3a1f3346-b700-4032-f86c-ea3173eedf8a
```

#### [Disable firewall command](/network/firewall.md#disable-firewall-command) <a href="#disable-firewall-command" id="disable-firewall-command"></a>

The command to disable firewall rules for an instance is `triton instance disable-firewall <instance>` where `<instance>` is the `UUID`, `SHORTID`, or `NAME`.

You can define a rule, disable it, and then enable it when you are ready to implement it. You can also disable active firewall rules.

To disable firewall rules using the instance name:

```
$ triton instance disable-firewall server-1
Disabling firewall for instance "server-1"
```

You can disable a specific rule using the firewall rule ID, which you can obtain with `triton fwrules -l`.

To disable a currently active rule, run `triton fwrule disable <FWRULE-ID>`.

```
$ triton fwrule disable 037740ed-fe54-4ff6-8507-a1896571415c
Created firewall rule 037740ed-fe54-4ff6-8507-a1896571415c (disabled)
```

#### [List all rules commands](/network/firewall.md#list-all-rules-commands) <a href="#list-all-rules-commands" id="list-all-rules-commands"></a>

You can list firewall rules to help manage what rules you have and how they apply. Firewall rules are assigned a unique ID on creation, `FWRULE-ID`, which you reference in the commands run to manage your firewall rules.

To list rules to obtain the `FWRULE-ID`, run:

```
$ triton fwrules -l
ID                                    ENABLED  GLOBAL  RULE
680a5224-fde8-4e08-b251-95d696dbc0f5  true     -       FROM any TO all vms ALLOW tcp PORT 22
b9c25d17-ecef-4ee1-8931-09c26e847606  true     -       FROM subnet 172.16.0.0/24 TO all vms ALLOW tcp PORT all
47e8a50b-1fb7-4147-a42a-3aa8768086a3  true     -       FROM tag "sdc_docker" TO tag "sdc_docker" ALLOW tcp PORT all
3535e168-5a34-406f-bce3-d39c59d9736c  true     -       FROM tag "sdc_docker" TO tag "sdc_docker" ALLOW udp PORT all
8197c46e-f731-4090-8543-c1584b64fd4b  false    -       FROM vm c85da785-6310-44a8-e95b-f0a97afa57be TO all vms ALLOW tcp PORT all
```

The `triton fwrule list` command lists also displays all of the rules associated with your account, organized by `SHORTID`.

#### [List all rules for an instance command](/network/firewall.md#list-all-rules-for-an-instance-command) <a href="#list-all-rules-for-an-instance-command" id="list-all-rules-for-an-instance-command"></a>

The `triton instance fwrules <instance>` command lists all rules that have been defined for a specific instance.

To list the firewall rules that apply to an instance:

```
$ triton instance fwrules 98338d48-d2a7-4e17-bbc7-b44054b04503
SHORTID                               ENABLED  GLOBAL  RULE
3473327e-6d0c-4747-97c5-ced1260a7e42  true     true    FROM any TO all vms ALLOW icmp TYPE 8 CODE 0
58dfcdf6-0a39-494a-8856-ff3169806954  true     -       FROM all vms TO all vms ALLOW tcp PORT all
4ecbc8ee-6621-4b68-b659-e9e631129480  true     -       FROM any TO vm 98338d48-d2a7-4e17-bbc7-b44054b04503 ALLOW tcp PORT 22
```

Refer to the [Firewall Rules Reference](https://docs.joyent.com/network/firewall/cloud-firewall-rules-reference#firewall-rule-commands) document for the complete list of firewall rule commands.

#### [Update rules command](/network/firewall.md#update-rules-command) <a href="#update-rules-command" id="update-rules-command"></a>

To edit a firewall rule, use the `triton fwrule update` command. Note that you must specify the entire rule, not just the part that you're changing.

```
$ triton fwrule update 037740ed-fe54-4ff6-8507-a1896571415c rule="FROM all vms TO tag db ALLOW tcp port 5432"
Updated firewall rule 037740ed-fe54-4ff6-8507-a1896571415c (fields: rule)
```

#### [Delete rules command](/network/firewall.md#delete-rules-command) <a href="#delete-rules-command" id="delete-rules-command"></a>

To delete a firewall rule, use the `triton fwrule delete` command. Note that this command does not produce any output if it is successful.

```
$ triton fwrule delete 037740ed-fe54-4ff6-8507-a1896571415c
Delete firewall rule "037740ed-fe54-4ff6-8507-a1896571415c"? [y/n] y
Deleted rule 037740ed-fe54-4ff6-8507-a1896571415c
$ triton fwrule delete 037740ed-fe54-4ff6-8507-a1896571415c
Delete firewall rule "037740ed-fe54-4ff6-8507-a1896571415c"? [y/n] y
triton fwrule delete: error: first of 1 error: Rule not found
```

### [Rule precedence](/network/firewall.md#rule-precedence) <a href="#rule-precedence" id="rule-precedence"></a>

The default firewall rules have a [priority level of 0](https://docs.joyent.com/public-cloud/network/firewall/cloud-firewall-rules-reference#priority), which means that the firewall rules you define always take precedence over the default rules. In general, rules are not evaluated in order but by how restrictive they are.

* **Inbound**: For incoming traffic, the *least* restrictive rule wins. The default rules for incoming traffic block everything, so any rule that allows incoming traffic is less restrictive.
* **Outbound**: For outgoing traffic, the *most* restrictive rule takes precedence. The default rules for outgoing traffic allow everything, so any rule that blocks outgoing traffic is more restrictive.

You can prioritize firewall rules to define the order in which rules should apply. The [Firewall Rules Reference document](https://docs.joyent.com/public-cloud/network/firewall/cloud-firewall-rules-reference#priority) describes how to set priority levels.

### [Frequently asked questions](/network/firewall.md#frequently-asked-questions) <a href="#frequently-asked-questions" id="frequently-asked-questions"></a>

This section answers some questions you may have about Triton firewall rules.

#### [What is the relationship between Triton's firewall rules and IPFilter?](/network/firewall.md#what-is-the-relationship-between-tritons-firewall-rules-and-ipfilter) <a href="#what-is-the-relationship-between-tritons-firewall-rules-and-ipfilter" id="what-is-the-relationship-between-tritons-firewall-rules-and-ipfilter"></a>

Triton's firewall rules apply to all the instances in the same data center that have the firewall feature enabled. IPFilter rules apply only to the instance in which they are defined.

For incoming traffic, the firewall rules set with Triton are applied first. If an instance has IPFilter rules, they are applied next.

```
                  +----------+         +----------+
                  | Cloud    |         | instance |
  Internet ------>| Firewall +-------->| IPFilter +------> instance
                  | Rules    |         | rules    |
                  +----------+         +----------+
```

For outgoing traffic, any IPFilter rules defined for the instance apply first and then the Triton firewall rules are applied.

```
                  +----------+         +----------+
                  | Cloud    |         | instance |
  Internet <------+ Firewall |<--------+ IPFilter |<------ instance
                  | Rules    |         | rules    |
                  +----------+         +----------+
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.mnx.io/network/firewall.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.