The Internet firewall controls the outbound and inbound traffic of your web assets. You can create access control policies in the Cloud Firewall console to prevent unauthorized access between your web assets and the Internet.

Prerequisites

Internet Firewall is enabled. If Internet Firewall is disabled, the access control policies that you create for the Internet firewall do not take effect. For more information, see Enable or disable the Internet firewall.

Background information

The Internet firewall allows you to create both outbound policies and inbound policies. You can also export the policies that you created.

The Internet firewall supports both IPv4 and IPv6 access control policies. In an IPv4 access control policy, both the source and destination IP addresses are in the IPv4 format. Whether the Internet firewall of your Cloud Firewall supports IPv4 and IPv6 access control policies depends on the edition of your Cloud Firewall. For more information about the differences between Cloud Firewall editions, see Features.

Create outbound access control policies

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Access Control page, click the Internet Firewall tab. In the lower part of the tab that appears, click the Outbound Policies tab.
  4. On the Outbound Policies tab, click Create Policy.
  5. In the Create Outbound Policy dialog box, perform the following operations to create outbound access control policies:
    1. Create the first outbound policy to allow traffic from trusted IP addresses.
      1. Configure the parameters. The following table describes the parameters. For more information, see Parameters of an access control policy.
        Parameter Description
        Source Type Select IP or Address Book.
        • IP: If you select this option, specify a CIDR block for Source. You can specify only one CIDR block.
        • Address Book: If you select this option, select a preconfigured IP address book for Source. An IP address book contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner.
        Source Specify the sources that are allowed. In this case, use public IP addresses.
        • If you set Source Type to IP, specify a CIDR block for Source, such as 192.0.2.0/32. You can specify only one CIDR block for each policy.
        • If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
          Note You can select only one address book at a time. If you want to use multiple address books, click Create Policy.
        Destination Type Select IP, Address Book, Domain Name, or Region.
        Note All locations are supported for Region.
        Destination Specify the destinations that can be accessed.
        • If you set Destination Type to IP, specify a CIDR block for Destination, such as 192.0.2.0/32. You can specify only one CIDR block for each policy.
        • If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
          Note You can select only one address book at a time. If you want to use multiple address books, click Create Policy.
        • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. For more information, see Configure access control policies for domain names.
        • If you set Destination Type to Region, select one or more locations that can be accessed for Destination.
        Protocol Select the protocol for the policy. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol for the policy, select ANY. The value ANY specifies that all protocols are matched.
        Port Type Select Ports or Address Book.
        • Ports: If you select this option, enter a port range for Ports. You can enter only one port range.
        • Address Book: If you select this option, select a preconfigured port address book for Ports. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
        Ports Specify the ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
        Note You can select only one address book at a time. If you want to use multiple address books, click Create Policy.
        Application Select the application on which you want the policy to take effect.

        Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC.

        If you set Protocol to TCP, all the preceding applications are supported. If you set Protocol to another value, you can select only ANY for this parameter.

        Policy Action Select the action on the traffic. In this step, select Allow.
        Description Enter a description that can help you identify the policy.
        Priority Select the priority of the policy. Default value: Lowest, which specifies the lowest priority.
      2. Click Submit.
        Note The newly created policy is displayed in the last row on the last page of the policy list.
    2. Create the second outbound policy to deny traffic from all sources to the Internet.

      Set Source to 0.0.0.0/0 and set Policy Action to Deny to prevent all unauthorized access. Configure other parameters based on the descriptions in the preceding table.

    3. Make sure that the priority of the first policy that allows access from trusted sources is higher than the priority of the second policy that denies access from all sources.
      Note By default, Cloud Firewall specifies priorities for access control policies based on the order in which the policies are created. If you set Priority to Highest when you create a policy, the policy has the highest priority among all policies. For more information about policy priorities, see Change the priority of an access control policy.

Create inbound access control policies

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Access Control page, click the Internet Firewall tab. In the lower part of the tab that appears, click the Inbound Policies tab.
  4. On the Inbound Policies tab, click Create Policy.
  5. In the Create Inbound Policy dialog box, create the first inbound policy to allow traffic from trusted IP addresses.

    Set Source to a trusted CIDR block or a preconfigured address book. Set Policy Action to Allow. Configure other parameters based on the descriptions in Create outbound access control policies.

    Note If you set Source Type to Address Book, you can select an IP address book or a cloud address book for Source. If you set Destination Type to Address Book, you can select only an IP address book for Destination.
  6. Create the second inbound policy to deny traffic from all sources to the internal network.

    Set Source to 0.0.0.0/0 and set Policy Action to Deny to prevent all unauthorized access.

  7. Make sure that the priority of the first policy that allows access from trusted sources is higher than the priority of the second policy that denies access from all sources.

Export policies

You can export inbound or outbound access control policies for the Internet firewall based on your business requirements.

Search for a policy by using the policy ID

Each access control policy for the Internet firewall has a policy ID. You can use a policy ID to identify an access control policy. This way, you can view the status of the policy and adjust the policy based on your business requirements.

If you want to view the ID of a policy, find the policy on the Internet Firewall tab and move the pointer over the policy display icon in the Description/Policy ID column.

Check whether access traffic hits an access control policy

By default, an access control policy immediately takes effect after it is created. However, if you specify invalid values for the policy parameters or disable the Internet firewall, the policy may not take effect.

In the access control policy list, if the number in the Hits column is greater than 0 for an access control policy, access traffic hits the policy. The number in the Hits column indicates the number of times that access traffic hits the policy.
You can click the number to go to the Traffic Logs tab. On the Traffic Logs tab, the name of an access control policy that the access traffic hits is displayed in the Policy Name column.
Note This tab displays information about the traffic that is generated in the last seven days. If the last hit of the access control policy was more than seven days ago, the information about the traffic is not displayed on the Traffic Logs tab.

Parameters of an access control policy

Parameter Description
Source Type The type of the source address. Valid values:
  • IP: If you select this option, specify a CIDR block for Source.
  • Address Book: If you select this option, select a preconfigured address book for Source.
    Note You can add multiple CIDR blocks to an address book. This way, you can configure access control for multiple IP addresses in an efficient manner.
Source The source IP address or CIDR block of the access traffic.
Note You can specify only one CIDR block, such as 192.0.2.0/32.
If you set Source Type to Address Book, select a preconfigured address book for Source.
Note You can select only one address book for a policy. If you want to use multiple address books, click Create Policy.
Destination Type The type of the destination address. Valid values:
  • IP: If you select this option, specify a CIDR block for Destination.
  • Address Book: If you select this option, select an IP address book, domain address book, or cloud address book for Destination.
  • Domain Name: If you select this option, enter a domain name for Destination. You can enter a wildcard domain name, such as *.aliyun.com.
    Note By default, if an HTTP request does not contain the Host header field or an HTTPS request does not contain the Server Name Indication (SNI), Cloud Firewall cannot match the request against a domain name and allows the traffic.
  • Region: If you select this option, select one or more locations for Destination. You can select one or more locations in or outside China.
Destination The destination of the traffic. If you set Destination Type to IP, specify a CIDR block. You can specify only one CIDR block.

If you set Destination Type to Domain Name, enter a domain name. You can enter a wildcard domain name.

Note
  • In an outbound access control policy, if you set Source Type to Address Book, you can select only an IP address book for Source. If you set Destination Type to Address Book, you can select an IP address book, domain address book, or cloud address book for Destination.
  • In an inbound access control policy, if you set Source Type to Address Book, you can select an IP address book or cloud address book for Source. If you set Destination Type to Address Book, you can select only an IP address book for Destination.
  • You can select only one address book at a time. If you want to use multiple address books, click Create Policy.
Protocol Valid values:
  • ANY: any protocol type
  • TCP
  • UDP
  • ICMP
Port Type The type of the port. Valid values:
  • Ports: If you select this option, enter a port range for Ports. You can enter only one port range.
  • Address Book: If you select this option, select a preconfigured port address book for Ports. A port address book contains multiple ports. This way, you can configure access control for multiple ports in an efficient manner.
Ports The ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
Note
  • You can select only one address book at a time. If you want to use multiple address books, click Create Policy.
  • If you set Protocol to ICMP, you do not need to specify the destination ports. If you set Protocol to ANY, the destination ports that you specify do not apply to ICMP traffic.
Application The application on which you want the policy to take effect. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC.

If you set Protocol to TCP, all the preceding applications are supported. If you set Protocol to another value, you can select only ANY for this parameter.

Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Strict mode of the Internet firewall.
Policy Action Specifies whether the Internet firewall allows or denies the traffic. Valid values:
  • Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.
  • Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
  • Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
Description The description of the policy. Enter a description that can help you identify the policy.
Priority The priority of the policy. Valid values:
  • Lowest: The policy has the lowest priority.
  • Highest: The policy has the highest priority.

Default value: Lowest.
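The following added example is a simplified first-match model of the policy semantics described in this table and in the two procedures above (allow trusted sources, then deny 0.0.0.0/0); it is not Cloud Firewall's own engine. The Policy and Flow classes, the "start/end" port-range notation, the assumption that a flow hitting no policy is allowed, and all IP addresses and domains are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass
class Policy:  # one row of the policy list, fields named after the table above
    source: str       # Source: one CIDR block
    destination: str  # Destination: one CIDR block or a (wildcard) domain name
    protocol: str     # Protocol: TCP, UDP, ICMP or ANY
    ports: str        # Ports: one range written "start/end" (assumed notation)
    action: str       # Policy Action: Allow, Deny or Monitor
    description: str = ""

@dataclass
class Flow:  # a constructed connection attempt, not a Cloud Firewall type
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    host: Optional[str] = None  # HTTP Host / TLS SNI, None when absent

def matches(p: Policy, f: Flow) -> bool:
    if ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(p.source, strict=False):
        return False
    if p.protocol not in ("ANY", f.protocol):
        return False
    dst = ipaddress.ip_address(f.dst_ip)
    try:  # CIDR destination
        if dst not in ipaddress.ip_network(p.destination, strict=False):
            return False
    except ValueError:  # domain-name destination: a flow without Host/SNI cannot hit it,
        if f.host is None or not fnmatch(f.host, p.destination):  # the default-allow case
            return False
    if f.protocol != "ICMP":  # ICMP carries no ports; port limits apply to TCP/UDP only
        lo, hi = (int(x) for x in p.ports.split("/"))
        if not lo <= f.dst_port <= hi:
            return False
    return True

def evaluate(policies, f: Flow):
    """First match wins; policies are listed from highest to lowest priority."""
    for p in policies:
        if matches(p, f):
            return p.action, p.description
    return "Allow", "no policy hit"  # assumption: nothing matched means allowed

# Constructed ruleset in the page's order: allow trusted egress, then deny everything.
TRUSTED = Policy("192.0.2.0/24", "0.0.0.0/0", "TCP", "443/443", "Allow", "trusted HTTPS egress")
DENY_ALL = Policy("0.0.0.0/0", "0.0.0.0/0", "ANY", "1/65535", "Deny", "deny all")
BLOCK_DOMAIN = Policy("0.0.0.0/0", "*.example.com", "TCP", "443/443", "Deny", "block example.com")
CORRECT_ORDER = [BLOCK_DOMAIN, TRUSTED, DENY_ALL]
```

Evaluating the same trusted flow against `[DENY_ALL, TRUSTED]` returns Deny, which is the shadowing that step 3 of each procedure warns about.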

Related operations

After an access control policy is created, you can click Modify, Delete, or Copy in the Actions column of the policy. You can also click Move to change the priority of the policy.
Warning After you delete an access control policy, Cloud Firewall does not control the traffic to which the policy applies. Delete a policy with caution.