Create a firewall

Creates a Firewall to filter network traffic.

  • Use rules to create inbound and outbound access rules. Rule versions increment from 1 whenever the firewall's rules change.

  • Use devices to assign a firewall to a service such as a Linode that is using legacy config profiles, a Linode interface or a NodeBalancer. The firewall’s rules are then applied to that service.

    • For Linodes using Linode interfaces, firewalls must be assigned to the interfaces, not to the Linodes. Firewall templates are available for both VPC Linode interfaces and public Linode interfaces, and come with pre-configured protection rules.

    • For Linodes using legacy configuration profiles, firewalls are applied through the Linode. Public and VPC interfaces are subject to the firewall rules, while VLAN interfaces are not.

  • Currently, firewalls can be assigned to Linodes with legacy configuration profiles, Linode interfaces, and NodeBalancers.

    • The same firewall can be assigned to multiple services at a time.

  • Use firewall_id to assign a firewall when creating a Linode or when adding a Linode interface.

  • A service can have one assigned firewall enabled at a time.

  • Assigned Linodes must not have any ongoing live migrations.

  • A firewall_create event is generated when this operation succeeds.

Permissions and scopes

To call this operation, you need permissions, based on the model you're using:

  • Identity and access permissions. Your user needs a role with these permissions.

    • Permissions: create_firewall

  • OAuth scopes. Your user needs these scopes assigned.

    • Scopes: firewall:read_write

CLI

linode-cli firewalls create \
  --label example-firewall \
  --rules.outbound_policy ACCEPT \
  --rules.inbound_policy DROP \
  --rules.inbound '[{"protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.0/24", "198.51.100.2/32"], "ipv6": ["2001:DB8::/128"]}, "action": "ACCEPT"}]' \
  --rules.outbound '[{"protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.0/24", "198.51.100.2/32"],"ipv6": ["2001:DB8::/128"]}, "action": "DROP", "label": "outbound-rule123", "description": "An example outbound rule description."}]'

Path Params
string
enum
required

Enum Call either the v4 URL, or v4beta for operations still in Beta.

Allowed:

Body Params

Creates a firewall object that can be applied to a service to filter the service's network traffic.

devices
object

Devices to create for this firewall. When a device is created, the firewall is assigned to its associated service. Currently, devices can be created for Linodes using legacy configuration profiles, Linode interfaces, and NodeBalancers. Firewall devices can't be created for individual legacy configuration profile interfaces.

Additional devices can be assigned after Firewall creation by using the Create a firewall device operation.

rules
object
required

The inbound and outbound access rules to apply to the Firewall.

A Firewall may have up to 25 rules across its inbound and outbound rulesets.

Multiple rules are applied in order. If two rules conflict, the first rule takes precedence. For example, if the first rule accepts inbound traffic from an address, and the second rule drops inbound traffic from the same address, the first rule applies and inbound traffic from that address is accepted.

string
required
length between 3 and 32

Filterable The Firewall's label, for display purposes only.

Firewall labels have the following constraints:

  • Must begin and end with an alphanumeric character.
  • May only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.).
  • Cannot have two hyphens (--), underscores (__) or periods (..) in a row.
  • Must be between 3 and 32 characters.
  • Must be unique.
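
An added example, not part of Linode's documentation or tooling: a Python pre-flight check for a request body that applies the label constraints and the 25-rule limit stated on this page, and flags a rule that can never apply because an earlier rule with a different action already matches the same traffic. The function names, the sample body, and the treatment of a missing ports field as "all ports" are assumptions.

```python
import ipaddress
import re

MAX_RULES = 25  # limit stated on this page, inbound and outbound combined
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")

def label_errors(label):
    """Label constraints from this page; uniqueness needs the API and is not checked."""
    checks = [(3 <= len(label) <= 32, "length must be between 3 and 32"),
              (LABEL_RE.fullmatch(label), "bad character, or first/last not alphanumeric"),
              (not any(p in label for p in ("--", "__", "..")), "repeated -, _ or .")]
    return [msg for ok, msg in checks if not ok]

def _ports(rule):
    """Expand "22, 80, 8000-8010" to a set; a missing ports field is assumed to mean all."""
    spans = [p.strip().partition("-") for p in (rule.get("ports") or "1-65535").split(",")]
    return {n for lo, _, hi in spans for n in range(int(lo), int(hi or lo) + 1)}

def _nets(rule):
    return [ipaddress.ip_network(a, strict=False)
            for fam in ("ipv4", "ipv6") for a in rule.get("addresses", {}).get(fam, [])]

def _shadows(first, later):
    """True if `first` matches all traffic `later` matches but takes a different action."""
    nets = _nets(later)
    return (first["action"] != later["action"] and first["protocol"] == later["protocol"]
            and _ports(later) <= _ports(first) and bool(nets)
            and all(any(n.version == f.version and n.subnet_of(f) for f in _nets(first))
                    for n in nets))

def preflight(body):
    """Return a list of problems found in a firewall create request body."""
    errors, rules = label_errors(body["label"]), body["rules"]
    if sum(len(rules.get(d, [])) for d in ("inbound", "outbound")) > MAX_RULES:
        errors.append("more than 25 rules")
    for d in ("inbound", "outbound"):
        rs = rules.get(d, [])
        errors += [f"{d}[{j}] never applies: an earlier rule takes precedence"
                   for j in range(len(rs)) if any(_shadows(rs[i], rs[j]) for i in range(j))]
    return errors

# Constructed sample: rule 1 can never drop anything, because rule 0 matches first.
SAMPLE = {"label": "example-firewall", "rules": {"inbound_policy": "DROP", "inbound": [
    {"protocol": "TCP", "ports": "22, 80, 8080, 443", "action": "ACCEPT",
     "addresses": {"ipv4": ["192.0.2.0/24"]}},
    {"protocol": "TCP", "ports": "22", "action": "DROP",
     "addresses": {"ipv4": ["192.0.2.17/32"]}}]}}
if __name__ == "__main__":
    print(preflight(SAMPLE))
```

The shadow check is conservative: it compares each rule against one earlier rule at a time, so a rule covered only by the union of several earlier rules is not reported.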
tags
array of strings

Filterable An array of tags applied to this object. Tags are for organizational purposes only.
