Updated on 2024-01-12 GMT+08:00

Adding a Protection Rule

Access control policies can help you manage and control the traffic between servers and external networks in a refined manner, prevent the spread of internal threats, and enhance the depth of security strategies.

After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.

If the source is a WAF back-to-source IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule to block access, because it may affect your services.

Prerequisites

You have synchronized assets and enabled EIP protection. See Enabling EIP Protection.

Specification Limitations

To enable VPC border protection, NAT protection, and private IP address protection, use the professional edition of CFW and enable the VPC firewall protection.

Constraints

  • Up to 20,000 protection rules can be added.
  • A single protection rule can be associated with a maximum of five service groups.
  • Each protection rule can be associated with up to two IP address groups.
  • Domain names in Chinese are not supported.
  • Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
  • If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the 198.19.0.0/16 CIDR block for ACL access control.

Adding an Internet Boundary Protection Rule

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Add a protection rule.

    Click Add Rule. In the displayed page, enter new protection information. For details, see Table 1.
    Table 1 Internet boundary rule parameters

    Parameter

    Description

    Example Value

    Name

    Rule name.

    test

    Direction

    Select a traffic direction when the rule protects an EIP.
    • Inbound: Traffic from external networks to the internal server.
    • Outbound: Traffic from internal servers to external networks.

    Inbound

    Source

    Source address of access traffic.
    • IP address: can be configured in the following formats:
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding an IP Address Group. For details about a pre-defined address group, see Viewing a Predefined Address Group.
      NOTE:

      If Direction is set to Inbound, a predefined address group can be configured for the source address.

    • Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions.
    • Any: any source address

    IP address, 192.168.10.5

    Destination

    Destination address of access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding an IP Address Group.
    • Countries and regions: If Direction is set to Outbound, you can control access based on continents, countries, and regions.
    • Domain name: If Direction is set to Outbound, you can enter a multi-level single domain name (for example, top-level domain name example.com and level-2 domain name www.example.com) or a wildcard domain name (*.example.com).
      NOTE:
      • DNS resolution is mandatory for a single domain name. Click Test to check the validity of the domain name and perform DNS resolution. For details, see Configuring DNS Resolution. (Currently, up to 600 IP addresses can be resolved from a domain name.)
      • If the domain name is a wildcard domain name, DNS resolution is not required. Only HTTP/HTTPS applications can be added.
    • Domain name group: If Direction is set to Outbound, a collection of multiple domain names is supported.
      NOTE:

      To protect a domain name, you are advised to configure a domain name group.

    • Any: any destination address

    Any

    Service

    Set the protocol type and port number of the access traffic.
    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol Type: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
      NOTE:
      • To specify all the ports of an IP address, set Port to 1-65535.
      • You can specify a single port. For example, to manage access on port 22, set Port to 22.
      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Service Group. For details about a pre-defined service group, see Viewing a Predefined Service Group.
    • Any: any protocol type or port number

    Service

    Protocol Type: TCP

    Source Port: 80

    Destination Port: 80-443

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Allow

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
    • Yes: Configure the long connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s
    NOTE:

    Up to 100 rules can be configured with long connections.

    Yes

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    NOTE:

    The duration range is 1 second to 1000 days.

    60 hours 60 minutes 60 seconds

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    -

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
    NOTE:

    A smaller value indicates a higher priority.

    Pin on top

    Status

    Whether a policy is enabled.

    : enabled

    : disabled

    Description

    (Optional) Usage and application scenario

    -

  7. Click OK.

    After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.

Adding a VPC Border Protection Rule

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 2.

    Figure 2 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Access Control > Access Policies. Click the Inter-VPC Borders tab.
  6. Add a protection rule.

    Click Add Rule. In the displayed dialog box, enter new protection information. For details, see Table 2.
    Table 2 Adding a protection rule

    Parameter

    Description

    Example Value

    Name

    Name of the custom security policy.

    test

    Source

    Source of data packets in the access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.
    • Any: any source address

    IP address, 192.168.10.5

    Destination

    Destination address of access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24

    Any

    Service

    Set the protocol type and port number of the access traffic.
    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol Type: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
      NOTE:
      • To specify all the ports of an IP address, set Port to 1-65535.
      • You can specify a single port. For example, to manage access on port 22, set Port to 22.
      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Custom Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.
    • Any: any protocol type or port number

    Service

    Protocol Type: TCP

    Source Port: 80

    Destination Port: 80-443

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Allow

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
    • Yes: Configure the long connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s
    NOTE:

    Up to 100 rules can be configured with long connections.

    Yes

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    NOTE:

    The duration range is 1 second to 1000 days.

    60 hours 60 minutes 60 seconds

    Tag

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    -

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
      NOTE:

      A smaller value indicates a higher priority.

    Pin on top

    Status

    Whether a policy is enabled.

    : enabled

    : disabled

    Description

    (Optional) Usage and application scenario

    -

  7. Click OK.

    After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.

Configuration Example - Allowing the Inbound Traffic from a Specified IP Address

Configure two protection rules: one that blocks all traffic and has the lowest priority, as shown in Figure 3, and one that allows traffic from the specified IP address and has the highest priority, as shown in Figure 4.
Figure 3 Blocking all traffic
Figure 4 Allowing a specified IP address
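The following Python model is an added example, not Huawei Cloud code and not the CFW implementation. It parses the address forms (single IP, consecutive IPs, address segment) and the port syntax (single port, hyphenated range, 1-65535) from Table 1, then evaluates packets against the two-rule policy of this configuration example. It assumes, beyond what the page states, that rules are evaluated in priority order with a smaller number meaning higher priority (the page's "Pin on top" and "Lower than the selected rule" are modelled as integers), that the first matching rule decides, and that an unmatched packet gets the default Allow described for EIP protection. Rule and packet values are constructed for the example.

```python
"""Model of protection-rule matching: address/port parsing, priority order,
first-match decision. Added example; assumptions are marked in comments."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # "Any" in the console: matches every address, port or protocol


def parse_addresses(spec: str) -> Optional[Tuple[int, int, int]]:
    """Parse a single IP (192.168.10.5), consecutive IPs
    (192.168.0.2-192.168.0.10) or a segment (192.168.2.0/24).
    Returns (ip_version, first, last) as integers, or ANY."""
    spec = spec.strip()
    if spec.lower() == "any":
        return ANY
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"invalid consecutive address range: {spec}")
        return (lo.version, int(lo), int(hi))
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return (net.version, int(net.network_address), int(net.broadcast_address))
    ip = ipaddress.ip_address(spec)
    return (ip.version, int(ip), int(ip))


def parse_ports(spec: str) -> Optional[Tuple[int, int]]:
    """Parse a single port (22), a range (80-443) or all ports (1-65535).
    Returns (low, high) or ANY; rejects anything outside 1-65535."""
    spec = spec.strip()
    if spec.lower() == "any":
        return ANY
    lo, _, hi = spec.partition("-")
    lo_n = int(lo)
    hi_n = int(hi) if hi else lo_n
    if not (1 <= lo_n <= hi_n <= 65535):
        raise ValueError(f"invalid port specification: {spec}")
    return (lo_n, hi_n)


@dataclass
class Rule:
    name: str
    direction: str      # "Inbound" or "Outbound"
    source: str
    destination: str
    protocol: str       # "TCP", "UDP", "ICMP" or "Any"
    dst_port: str
    action: str         # "Allow" or "Block"
    priority: int       # assumption: smaller value = higher priority
    src_port: str = "Any"
    enabled: bool = True


@dataclass
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0


def _addr_matches(spec, ip_str: str) -> bool:
    if spec is ANY:
        return True
    ip = ipaddress.ip_address(ip_str)
    version, lo, hi = spec
    return ip.version == version and lo <= int(ip) <= hi


def _port_matches(spec, port: int) -> bool:
    return spec is ANY or spec[0] <= port <= spec[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A disabled rule never matches; direction, protocol, addresses and
    (for TCP/UDP only, as the table says) ports must all agree."""
    if not rule.enabled or rule.direction != pkt.direction:
        return False
    if rule.protocol != "Any" and rule.protocol != pkt.protocol:
        return False
    if not _addr_matches(parse_addresses(rule.source), pkt.src_ip):
        return False
    if not _addr_matches(parse_addresses(rule.destination), pkt.dst_ip):
        return False
    if pkt.protocol in ("TCP", "UDP"):
        if not _port_matches(parse_ports(rule.src_port), pkt.src_port):
            return False
        if not _port_matches(parse_ports(rule.dst_port), pkt.dst_port):
            return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Assumption: evaluate in priority order, first match wins, and an
    unmatched packet gets the default Allow. Returns (action, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "Allow", "default"


def allow_only_one_ip_policy() -> List[Rule]:
    """This section's example: lowest-priority block-all plus a top-priority
    allow for one source IP (constructed values; SSH on port 22 is assumed)."""
    return [
        Rule("block-all", "Inbound", "Any", "Any", "Any", "Any", "Block", priority=1000),
        Rule("allow-admin-host", "Inbound", "192.168.10.5", "Any", "TCP", "22", "Allow", priority=1),
    ]


if __name__ == "__main__":
    policy = allow_only_one_ip_policy()
    for pkt in (Packet("Inbound", "192.168.10.5", "10.0.0.8", "TCP", 51000, 22),
                Packet("Inbound", "203.0.113.7", "10.0.0.8", "TCP", 51000, 22)):
        print(pkt.src_ip, "->", decide(policy, pkt))
```

The useful check is the ordering one: if the block-all rule is pinned on top instead of given the lowest priority, the allow rule is never reached and every packet is blocked, which is why the page puts the block-all rule last. The model also shows that a rule with no direction or protocol match is skipped rather than treated as a partial match.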

Configuration Example - Blocking Access from a Region

The following figure shows a rule that blocks all access traffic from Ireland.
Figure 5 Intercepting the access traffic from Ireland

Configuration Example - NAT Protection

Assume your private IP address is 10.1.1.2 and the external domain name accessed through the NAT gateway is www.example.com. Configure NAT protection as follows and set other parameters based on your deployment:

Figure 6 Configuring a NAT protection rule