Once you have selected the rule group to edit you are taken to the editor page which will show you any existing rules, and give you the options to edit, clone or delete the current group.
After you click on “Edit these rules” you will be taken to the firewall editor. The editor allows existing rules to be modified, new rules to be created and old rules to be deleted.
The following is the first rule from the above image in the editor:
The rules in the editor are divided horizontally and vertically. The horizontal bars (alternately coloured blue and white for easier differentiation) are the individual rules. The vertical columns are the configurable aspects of each rule.
The columns are as follows:
- IP Version – IPv4, IPv6 or both (the “any” option) can be selected here.
- Action - This indicates what action the firewall will take when an incoming packet matches this rule. The options are:
  - Accept - The packet is allowed to progress to the server
  - Drop - The packet is silently deleted
  - Reject - The packet is returned to the sender

  Drop is usually selected to deny packets because it does not provide any additional information to an attacker. A rejected packet indicates to the attacker that the IP address is in use and something is listening, whereas when a packet is dropped it looks to the attacker like there is nothing there.
- Source IP - This is the IP address of the machine that sent the packet. IP ranges can be entered here, but only in CIDR notation.
- Destination IP - This is the IP or IPs of your server. This allows you to create different rules for your server's IPs if it has more than one. Any indicates all your server's IPs.
- Destination Ports - These are the port or ports that the packet is bound for on your server. For example, a request for a web page will be on port 80.
  - Please refer to this documentation page for common ports and their uses.
  - Please note that port ranges can be entered. They have the form first-port colon last-port, e.g. 20:22 is the same as listing 20, 21 and 22.
  - There is a limit of 15 ports per firewall rule. A port range, e.g. 22:22, counts as two ports towards this limit. If you need more than 15 ports, create an additional rule.
- Protocols - These are the packet types that can be filtered on. By far the most common are:
  - TCP - The standard packet type that most data on the internet is exchanged with
  - UDP - Another common protocol, used most often for DNS requests (on port 53) and media streaming
  - ICMP - Otherwise known as a “ping packet”
- Ordering - This column determines the order in which the rules are applied to incoming packets, with number 1 being the first. The rule order is very important; please see the Rule Ordering documentation page for more information.
- Comment - Space to leave a note regarding the rule. It can be left blank.
- Delete - Check this box and click “Update Firewall Rules” to remove a rule.
Finally hit the "Update Firewall Rules" button to save your changes and make them live.
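The constraints described above (source ranges only in CIDR notation, the 15-port limit with a range counting as two ports, and the IP version matching the source address) can be checked before a rule is submitted. The following is an added example, not the editor's own code; the field names, the treatment of an empty port field as zero ports, and the error messages are assumptions.

```python
"""Pre-submission validator for one firewall rule, as described on this page."""
import ipaddress

MAX_PORTS_PER_RULE = 15          # limit stated on the page
ACTIONS = {"accept", "drop", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp"}


def port_weight(spec: str) -> int:
    """Count a comma-separated port spec toward the per-rule limit.
    A single port counts one; a range first:last counts two (even 22:22)."""
    total = 0
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if ":" in item:
            first, last = (int(p) for p in item.split(":", 1))
            if not 0 <= first <= last <= 65535:
                raise ValueError(f"bad port range {item!r}")
            total += 2
        else:
            if not 0 <= int(item) <= 65535:
                raise ValueError(f"bad port {item!r}")
            total += 1
    return total


def validate_rule(ip_version: str, action: str, source: str,
                  ports: str, protocol: str) -> list[str]:
    """Return a list of problems; an empty list means the rule is acceptable."""
    problems = []
    if action.lower() not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if protocol.lower() not in PROTOCOLS:
        problems.append(f"unknown protocol {protocol!r}")
    # Source ranges must be CIDR (203.0.113.0/24), not 203.0.113.1-203.0.113.9.
    net = None
    if source.lower() != "any":
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            problems.append(f"source {source!r} is not an IP or CIDR range")
    # The source address family must agree with the selected IP version.
    if net is not None and ip_version.lower() not in ("any", f"ipv{net.version}"):
        problems.append(f"source {source!r} is not {ip_version}")
    try:
        weight = port_weight(ports)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if weight > MAX_PORTS_PER_RULE:
            problems.append(f"{weight} ports exceed the limit of "
                            f"{MAX_PORTS_PER_RULE}; split into another rule")
    return problems
```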