Protocols and Firewalls
Protocols
Network firewalls require specific protocols for their rules. You can define lists of port numbers and IP protocol types using the protocol definition. Here is an example of a CIFS protocol description:
```yaml
networking:
  protocol:
    cifs:
      description: CIFS Support
      ports:
        - port: 53
          proto: ip
          name: DNS
        - port: 88
          proto: ip
          name: Kerberos
        - port: 464
          proto: ip
          name: Kerberos
        - port: 139
          name: NetBIOS
        - port: 445
          proto: ip
          name: SMB, NetLogon
        - port: 636
          name: LDAP SSL
        - port: 3268-3269
          name: LDAP GC with SSL
        - port: 4379
          name: CTDB
```
Firewalls
A firewall defines rules that either allow or deny traffic passing through the resource it is applied to. A firewall can be applied to a subnet or to a nic. When inbound traffic arrives at a subnet and is destined for a nic, the rules are applied in this order:

1. Packets entering the subnet (from anywhere) are analyzed for inbound rule application.
2. Packets leaving the subnet (to the nic) are analyzed for outbound rule application.
3. Packets entering the nic (from the subnet) are analyzed for inbound rule application.

For outbound data, the order is:

1. Packets leaving the nic (from the vm) are analyzed for outbound rule application.
2. Packets entering the subnet (from the nic) are analyzed for inbound rule application.
3. Packets leaving the subnet (to anywhere) are analyzed for outbound rule application.

When two nics are in the same subnet:

1. Packets leaving nic 1 (from vm 1) are analyzed for outbound rule application.
2. Packets entering the subnet (from nic 1) are analyzed for inbound rule application.
3. Packets leaving the subnet (to nic 2) are analyzed for outbound rule application.
4. Packets entering nic 2 (from the subnet) are analyzed for inbound rule application.
Firewall rules are evaluated in priority order. The disposition of a packet is determined by the first rule that matches it. So a packet that matches a high-priority deny rule (indicated by a low integer value) is dropped even if it also matches a lower-priority allow rule (indicated by a higher integer value).
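To make the evaluation order concrete, here is an added Python model (not code from the original page or the product) of first-match, lowest-integer-wins rule evaluation and of the three-hop inbound path described above. The `Rule` shape, the `lo-hi` port-spec strings, the "allow any" rules and the default-deny fallthrough are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed port specs mirroring the CIFS protocol definition on this page
# (port ranges use the same "lo-hi" form as 3268-3269).
CIFS_PORTS = ["53", "88", "464", "139", "445", "636", "3268-3269", "4379"]

def port_matches(spec: str, port: int) -> bool:
    """True if port falls within a spec such as "445" or "3268-3269"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

@dataclass
class Rule:
    priority: int                # lower integer = higher priority, checked first
    action: str                  # "allow" or "deny"
    ports: list = field(default_factory=list)  # empty list matches any port

def evaluate(rules: list, port: int, default: str = "deny") -> str:
    """Disposition is decided by the first matching rule in ascending priority.
    No match falls through to default-deny (an assumption; see Caveats)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.ports or any(port_matches(p, port) for p in rule.ports):
            return rule.action
    return default

def inbound_path(subnet: dict, nic: dict, port: int) -> str:
    """Inbound traffic is checked at three hops: subnet inbound, subnet
    outbound (towards the nic), nic inbound. A deny at any hop drops it."""
    hops = [("subnet inbound", subnet["inbound"]),
            ("subnet outbound", subnet["outbound"]),
            ("nic inbound", nic["inbound"])]
    for name, rules in hops:
        if evaluate(rules, port) == "deny":
            return f"dropped at {name}"
    return "delivered"

# Constructed sample: the subnet denies NetBIOS (priority 100) ahead of
# allowing the rest of CIFS (priority 200); hypothetical "allow any" rules
# open the remaining hops.
SUBNET = {
    "inbound": [Rule(200, "allow", CIFS_PORTS), Rule(100, "deny", ["139"])],
    "outbound": [Rule(100, "allow")],
}
NIC = {"inbound": [Rule(100, "allow")]}

if __name__ == "__main__":
    for p in (139, 445, 3269, 8080):
        print(p, evaluate(SUBNET["inbound"], p), inbound_path(SUBNET, NIC, p))
```

Swapping the two subnet inbound priorities makes the allow rule match first, and port 139 is then admitted even though the deny rule also matches.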
Caveats
Not all venues support deny actions for firewall rules. If you use deny rules, you may receive an error depending on the venue you apply them to. We recommend a zero trust networking approach: disable all traffic by policy, then allow exactly what you need with allow actions. This ensures maximum blueprint portability.