Networking

Firewall Rules List

GET
https://api.linode.com/v4/networking/firewalls/{firewallId}/rules

Returns the inbound and outbound Rules for a Firewall.

Path Parameters

firewallId
Required
integer

ID of the Firewall to access.

Request Samples

curl -H "Authorization: Bearer $TOKEN" \
    https://api.linode.com/v4/networking/firewalls/123/rules

Response Samples

{
  "inbound": [
    {
      "protocol": "TCP",
      "ports": "22-24, 80, 443",
      "addresses": {
        "ipv4": [
          "192.0.2.0/24",
          "198.51.100.2/32"
        ],
        "ipv6": [
          "2001:DB8::/128"
        ]
      },
      "action": "ACCEPT",
      "label": "firewallrule123",
      "description": "An example firewall rule description."
    }
  ],
  "outbound": [
    {
      "protocol": "TCP",
      "ports": "22-24, 80, 443",
      "addresses": {
        "ipv4": [
          "192.0.2.0/24",
          "198.51.100.2/32"
        ],
        "ipv6": [
          "2001:DB8::/128"
        ]
      },
      "action": "ACCEPT",
      "label": "firewallrule123",
      "description": "An example firewall rule description."
    }
  ],
  "inbound_policy": "DROP",
  "outbound_policy": "DROP"
}

Responses

200: The requested Firewall Rules.

inbound
array of objects

The inbound rules for the firewall, as a JSON array.

protocol
string
Enum: "TCP", "UDP", "ICMP", "IPENCAP"

The type of network traffic affected by this rule.

ports
Nullable
string

A string representing the port or ports affected by this rule:

  • The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
  • A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
  • Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port "080" is not allowed.
  • The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string "22-24, 80, 443" has four pieces.
  • If no ports are configured, all ports are affected.
  • Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.

addresses
object

The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.

Must contain ipv4, ipv6, or both.

ipv4
array

A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.

If "0.0.0.0/0" is included in this list, all IPv4 addresses are affected by this rule.

ipv6
array

A list of IPv6 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.

If "::/0" is included in this list, all IPv6 addresses are affected by this rule.

action
string
Enum: "ACCEPT", "DROP"

Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall's inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.

label
string

Used to identify this rule. For display purposes only.

description
string

Used to describe this rule. For display purposes only.

outbound
array of objects

The outbound rules for the firewall, as a JSON array.

protocol
string
Enum: "TCP", "UDP", "ICMP", "IPENCAP"

The type of network traffic affected by this rule.

ports
Nullable
string

A string representing the port or ports affected by this rule:

  • The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
  • A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
  • Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port "080" is not allowed.
  • The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string "22-24, 80, 443" has four pieces.
  • If no ports are configured, all ports are affected.
  • Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.

addresses
object

The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.

Must contain ipv4, ipv6, or both.

ipv4
array

A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.

If "0.0.0.0/0" is included in this list, all IPv4 addresses are affected by this rule.

ipv6
array

A list of IPv6 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.

If "::/0" is included in this list, all IPv6 addresses are affected by this rule.

action
string
Enum: "ACCEPT", "DROP"

Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall's inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.

label
string

Used to identify this rule. For display purposes only.

description
string

Used to describe this rule. For display purposes only.

inbound_policy
string
Enum: "ACCEPT", "DROP"

The default behavior for inbound traffic. This setting can be overridden by updating the inbound.action property of the Firewall Rule.

outbound_policy
string
Enum: "ACCEPT", "DROP"

The default behavior for outbound traffic. This setting can be overridden by updating the outbound.action property of the Firewall Rule.

default: Error

errors
array of objects
reason
string

What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to open a Support Ticket or perform some other action before you can complete the request successfully.

field
string

The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as "null" if the error is not specific to any single element of the request.
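
An added example (not part of the API documentation): a Python audit of a Firewall Rules List response that applies the field semantics above, flagging a default policy of ACCEPT, ACCEPT rules whose addresses include 0.0.0.0/0 or ::/0, and TCP/UDP ACCEPT rules with no ports set (all ports affected). The SAMPLE document and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like the response above; not real data.
SAMPLE = {
    "inbound": [
        {"protocol": "TCP", "ports": "22", "action": "ACCEPT", "label": "ssh-any",
         "addresses": {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}},
        {"protocol": "TCP", "ports": "443", "action": "ACCEPT", "label": "https-office",
         "addresses": {"ipv4": ["192.0.2.0/24"]}},
        {"protocol": "UDP", "ports": None, "action": "ACCEPT", "label": "udp-all-ports",
         "addresses": {"ipv4": ["198.51.100.2/32"]}},
    ],
    "outbound": [],
    "inbound_policy": "DROP",
    "outbound_policy": "ACCEPT",
}

def is_any(cidr):
    """True for a /0 network (0.0.0.0/0 or ::/0), however it is spelled."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(rules_doc):
    """Return (direction, label, finding) tuples for overly broad settings."""
    findings = []
    for direction in ("inbound", "outbound"):
        # The policy applies to traffic that no rule matches.
        if rules_doc.get(f"{direction}_policy") == "ACCEPT":
            findings.append((direction, None, "default policy is ACCEPT"))
        for rule in rules_doc.get(direction) or []:
            if rule.get("action") != "ACCEPT":
                continue
            label = rule.get("label")
            addrs = rule.get("addresses") or {}
            cidrs = (addrs.get("ipv4") or []) + (addrs.get("ipv6") or [])
            if any(is_any(c) for c in cidrs):
                findings.append((direction, label, "ACCEPT rule covers every address"))
            # A null ports value means all ports are affected.
            if rule.get("protocol") in ("TCP", "UDP") and not rule.get("ports"):
                findings.append((direction, label, "ACCEPT rule covers all ports"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```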

Firewall Rules Update

PUT
https://api.linode.com/v4/networking/firewalls/{firewallId}/rules

Updates the inbound and outbound Rules for a Firewall.

Note: This command replaces all of a Firewall's inbound and outbound rulesets with the values specified in your request.

Path Parameters

firewallId
Required
integer

ID of the Firewall to access.

Request Body Schema

inbound
array

The inbound rules for the firewall, as a JSON array.

inbound_policy
string

The default behavior for inbound traffic. This setting can be overridden by updating the inbound.action property of the Firewall Rule.

outbound
array

The outbound rules for the firewall, as a JSON array.

outbound_policy
string

The default behavior for outbound traffic. This setting can be overridden by updating the outbound.action property of the Firewall Rule.

Request Samples

curl -H "Content-Type: application/json" \
    -H "Authorization: Bearer $TOKEN" \
    -X PUT -d '{
        "inbound_policy": "DROP",
        "inbound": [
          {
            "protocol": "TCP",
            "ports": "22, 80, 443",
            "addresses": {
              "ipv4": [
                "192.0.2.0/24",
                "198.51.100.2/32"
              ],
              "ipv6": [
                "2001:DB8::/128"
              ]
            },
            "action": "ACCEPT",
            "label": "inbound-rule123",
            "description": "An example inbound rule description."
          }
        ],
        "outbound_policy": "DROP",
        "outbound": [
          {
            "protocol": "TCP",
            "ports": "49152-65535",
            "addresses": {
              "ipv4": [
                "192.0.2.0/24",
                "198.51.100.2/32"
              ],
              "ipv6": [
                "2001:DB8::/128"
              ]
            },
            "action": "ACCEPT",
            "label": "outbound-rule123",
            "description": "An example outbound rule description."
          }
        ]
    }' \
    https://api.linode.com/v4/networking/firewalls/123/rules
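
An added example (not part of the API documentation): because this request replaces all of a Firewall's rulesets, the Python sketch below builds the PUT body from the current Firewall Rules List response, keeping every existing rule and both policies, and checks the new rule's ports string against the ports rules given in the rule schema. CURRENT, NEW_RULE and the function names are constructed for illustration.

```python
import copy
import re

PORT = r"[1-9][0-9]{0,4}"                       # no leading zeroes
PIECE = re.compile(rf"({PORT})(?:-({PORT}))?")  # single port or start-end range

def validate_ports(ports, protocol):
    """Return a list of problems with a ports string under the documented rules."""
    if ports is None:
        return []                                # no ports set: all ports affected
    if protocol not in ("TCP", "UDP"):
        return [f"ports not allowed for {protocol}"]
    problems, pieces = [], 0
    for item in re.split(r", ?", ports):         # one space may follow each comma
        m = PIECE.fullmatch(item)
        if not m:
            problems.append(f"malformed entry {item!r}")
            continue
        start, end = int(m.group(1)), m.group(2)
        pieces += 2 if end else 1                # a range counts as two pieces
        if start > 65535 or (end and int(end) > 65535):
            problems.append(f"port out of range in {item!r}")
        if end and int(end) <= start:
            problems.append(f"range end not greater than start in {item!r}")
    if pieces > 15:
        problems.append(f"{pieces} pieces, maximum is 15")
    return problems

def build_update_body(current, direction, new_rule):
    """Full PUT body: every existing rule and both policies, plus new_rule."""
    problems = validate_ports(new_rule.get("ports"), new_rule["protocol"])
    if problems:
        raise ValueError("; ".join(problems))
    body = copy.deepcopy(current)                # PUT replaces all rules, so keep them
    body[direction].append(new_rule)
    return body

# Constructed inputs: CURRENT stands in for a prior GET response.
CURRENT = {"inbound_policy": "DROP", "outbound_policy": "DROP", "outbound": [],
           "inbound": [{"protocol": "TCP", "ports": "22-24, 80, 443", "action": "ACCEPT",
                        "label": "firewallrule123",
                        "addresses": {"ipv4": ["192.0.2.0/24"]}}]}
NEW_RULE = {"protocol": "UDP", "ports": "53", "action": "ACCEPT", "label": "dns",
            "addresses": {"ipv4": ["198.51.100.2/32"]}}

if __name__ == "__main__":
    print(build_update_body(CURRENT, "inbound", NEW_RULE))
```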

Response Samples

{
  "inbound": [
    {
      "protocol": "TCP",
      "ports": "22-24, 80, 443",
      "addresses": {
        "ipv4": [
          "192.0.2.0/24",
          "198.51.100.2/32"
        ],
        "ipv6": [
          "2001:DB8::/128"
        ]
      },
      "action": "ACCEPT",
      "label": "firewallrule123",
      "description": "An example firewall rule description."
    }
  ],
  "outbound": [
    {
      "protocol": "TCP",
      "ports": "22-24, 80, 443",
      "addresses": {
        "ipv4": [
          "192.0.2.0/24",
          "198.51.100.2/32"
        ],
        "ipv6": [
          "2001:DB8::/128"
        ]
      },
      "action": "ACCEPT",
      "label": "firewallrule123",
      "description": "An example firewall rule description."
    }
  ],
  "inbound_policy": "DROP",
  "outbound_policy": "DROP"
}

Responses

200: Firewall Rules updated successfully.

inbound
outbound

default: Error

errors
array of objects
reason
string

What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to open a Support Ticket or perform some other action before you can complete the request successfully.

field
string

The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as "null" if the error is not specific to any single element of the request.