Manage firewall rules

Cloud Firewalls can be configured with both _Inbound and _Outbound rules.

  • Inbound rules limit incoming network connections to a Linode service based on the port(s) and sources you configure.

  • Outbound rules limit the outgoing network connections coming from a Linode service based on the port(s) and destinations you configure.

📘

Inbound and outbound rules are applied to Compute Instances. Only inbound rules are applied to NodeBalancers.

Predefined rules

Cloud Manager provides a list of predefined rules that you can add to your firewall. The predefined rules support common networking use cases and provide an easy foundation to get started with Cloud Firewalls. Since you can edit any rule applied to a firewall, you can modify a predefined rule to accommodate your own applications and requirements.

View rules

  1. Log in to Cloud Manager and select Firewalls from the navigation menu.

  2. From the Firewalls listing page, click on the Cloud Firewall that you would like to view or modify.

Rules are separated into Inbound and Outbound rule sections.

Add rules

  1. Log in to Cloud Manager and select Firewalls from the navigation menu.

  2. From the Firewalls listing page, click on the firewall that you would like to add new rules to. This takes you to the firewall's Rules page.

  3. On the Rules page, select the default behavior for both inbound and outbound traffic using the Inbound Policy and Outbound Policy dropdown menus. Accept allows all traffic except for those defined in the listed rules, and Drop denies all traffic except for those defined in the rules.

🚧

Inbound Policy

A default inbound policy of Accept is generally not recommended.

Default policy selection.

  1. Click on the Add an Inbound/Outbound Rule link (click on the appropriate link for the type of Rule you would like to add). The Add an Inbound/Outbound Rule drawer appears.

Click on the Add an Inbound/Outbound Rule link.


  1. Provide the following Rule configurations:
ConfigurationDescription
PresetSelect from a list of optional predefined Firewall rules. Selecting a predefined rule fills in the remaining rule configuration values, however, they can all be edited. Optional.
LabelA label for the rule being created. This is used only as an identifier for the account holder and does not have any impact on firewall performance. Required.
DescriptionA description of the rule being created. This is used only as an identifier for the account holder, and does not have any impact on firewall performance. Optional.
ProtocolSelect the Transport Layer protocol to use for this Firewall rule. Required.
PortsSelect from a list of common port numbers, or select Custom to open the Custom Port Range configuration option. Up to 15 ports (and port ranges) can be added to a single firewall rule. Port ranges are considered to be 2 total ports towards the total of 15 maximum ports. Port numbers must be within 1 and 65535, and they cannot contain leading zeroes. Required for TCP and UDP protocols. Not allowed for ICMP and IPENCAP protocols.
Custom Port RangeProvide a port number or a range of ports on which to take action. Multiple ports or ranges can be added by separating each port or range with a comma (,). To configure a Port Range, enter the starting port and ending port numbers separated by a dash (-). The port range string can contain up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, here is an example value that applies the rule to ports 21, 993, 995, and 2000-3000, considered a total of 5 pieces: 21,993,995,2000-3000.
SourcesRequired for Inbound rules only. Choose from a list of Sources that limit incoming connections to the chosen internet protocol, netmask, or specific IP address(es) and ranges. Select IP/Netmask to specify specific IP addresses. When defining IP/Netmask sources, a /32 mask is assumed for individual IPv4 addresses and a /128 mask is assumed for IPv6 addresses if unspecified. Each rule can include 255 total IPv4 and IPv6 addresses/ranges.
DestinationsRequired for Outbound rules only. Select from a list of Destinations that limit the outgoing connections to the chosen internet protocol, netmask, or specific IP address(es) and ranges. When defining IP/Netmask destinations, a /32 mask is assumed for IPv4 addresses and a /128 mask is assumed for IPv6 addresses if unspecified. Each rule can include 255 total IPv4 and IPv6 addresses/ranges.
ActionChoose whether this rule allows or drops traffic. The action defined in specific rules takes precedence over the default inbound and outbound traffic policy. Required.

📘

When applying individual IP addresses or IP ranges to either the source or destination field, the addresses must always be valid and formatted correctly using CIDR notation. IP address ranges are formatted differently than port number ranges. Instead of using a hyphenated range of numbers, CIDR notation is used to designate the network prefix and the number of bits in the prefix. The following are examples of valid IPv4 and IPv6 ranges:

  • 192.0.2.0/24
  • 198.51.0.0/16
  • 2001:db8:1234::/48

In the first example above, using a range of 192.0.2.0/24 applies the rule to all IP addresses from 192.0.2.1 through 192.0.2.254.

If you need to specify a single IP address, use /32 when specifying your IP range. For example, 192.0.2.1/32 denotes a single IP address.

  1. Click on Add Rule to add the new rule to this Firewall. If you would like to add any additional rules, repeat the process outlined in this section.

Click on Add Rule to add the new rule to this Firewall.

  1. When you are done adding new Firewall rules, review them on the Rules page you are redirected to by default. Firewall rules are applied in order from top to bottom as they appear on this page. If you would like to re-order these rules, drag and drop any row into their desired position.
  2. When you are done reviewing the new Firewall rules, click on the Save Changes button on the Rules page.

📘

Any newly added rules do not take effect until you Save Changes to the Firewall.


Apply your changes to the Firewall.

Edit a rule

Follow the steps in this section to edit predefined and custom Firewall Rules.

  1. Log into Cloud Manager and select Firewalls from the navigation menu.

  2. From the Firewalls listing page, click on the Firewall whose rules you'd like to edit. This takes you to the Firewall's Rules page.

  3. Click on the Edit button corresponding to the rule you'd like to edit.

    Select edit from the dropdown menu.

  4. From the Edit Rule drawer, update the rule's configurations as needed.

  5. Click on the Add Changes button to save your changes and apply them to the rule. If you would like to edit any additional rules, repeat the process outlined in this section.

    Save your Firewall rule edits.

  6. When you are done editing your Firewall rules, click on the Save Changes button on the Rules page for those changes to take effect.

Delete a rule

  1. Log into your Cloud Manager and select Firewalls from the navigation menu.

  2. From the Firewalls listing page, click on the Firewall whose rule(s) you'd like to delete. This takes you to the Firewall's Rules page.

  3. Click on the Delete corresponding to the rule that you would like to delete. If you would like to delete any additional rules, repeat the process outlined in this section.

  4. When you are done, click on the Save Changes button on the Rules page.

    📘

    Any rule deletion(s) does not take effect until you Save Changes to the Firewall.