From 0d8d5ba9477eb713d7d620bc8cd6c9a3dd8c4423 Mon Sep 17 00:00:00 2001
From: bbiggerr
Date: Thu, 31 Aug 2023 10:13:19 -0400
Subject: [PATCH 1/4] Fixed inaccuracies regarding FirewallRulesConfig

---
 openapi.yaml | 53 ++++++++++++++++++++++++++++------------------------
 1 file changed, 29 insertions(+), 24 deletions(-)

diff --git a/openapi.yaml b/openapi.yaml
index ade39c3ed..38ae64ee6 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -13062,10 +13062,10 @@ paths:
 "ports": "22, 80, 443",
 "addresses": {
 "ipv4": [
- "192.0.2.0/24"
+ "192.0.2.2/32"
 ],
 "ipv6": [
- "2001:DB8::/32"
+ "2001:DB8::/128"
 ]
 },
 "action": "ACCEPT",
@@ -13080,10 +13080,10 @@ paths:
 "ports": "49152-65535",
 "addresses": {
 "ipv4": [
- "192.0.2.0/24"
+ "192.0.2.2/32"
 ],
 "ipv6": [
- "2001:DB8::/32"
+ "2001:DB8::/128"
 ]
 },
 "action": "ACCEPT",
@@ -13109,8 +13109,8 @@ paths:
 --label example-firewall \
 --rules.outbound_policy ACCEPT \
 --rules.inbound_policy DROP \
- --rules.inbound '[{"protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.1", "192.0.2.0/24"], "ipv6": ["2001:DB8::/32"]}, "action": "ACCEPT"}]' \
- --rules.outbound '[{"protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.0/24"],"ipv6": ["2001:DB8::/32"]}, "action": "DROP", "label": "outbound-rule123", "description": "An example outbound rule description."}]'
+ --rules.inbound '[{"protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.2/32"], "ipv6": ["2001:DB8::/128"]}, "action": "ACCEPT"}]' \
+ --rules.outbound '[{"protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.2/32"],"ipv6": ["2001:DB8::/128"]}, "action": "DROP", "label": "outbound-rule123", "description": "An example outbound rule description."}]'
 /networking/firewalls/{firewallId}:
 parameters:
 - name: firewallId
@@ -13581,10 +13581,10 @@ paths:
 "ports": "22, 80, 443",
 "addresses": {
 "ipv4": [
- "192.0.2.0/24"
+ "192.0.2.2/32"
 ],
 "ipv6": [
- "2001:DB8::/32"
+ "2001:DB8::/128"
 ]
 },
 "action": "ACCEPT",
@@ -13599,10 +13599,10 @@ paths:
 "ports": "49152-65535",
 "addresses": {
 "ipv4": [
- "192.0.2.0/24"
+ "192.0.2.2/32"
 ],
 "ipv6": [
- "2001:DB8::/32"
+ "2001:DB8::/128"
 ]
 },
 "action": "ACCEPT",
@@ -13615,8 +13615,8 @@ paths:
 - lang: CLI
 source: >
 linode-cli firewalls rules-update 123 \
- --inbound '[{"action":"ACCEPT", "protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.0/24"], "ipv6": ["2001:DB8::/32"]}}]' \
- --outbound '[{"action":"DROP","protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.0/24"], "ipv6": ["2001:DB8::/32"]}}]'
+ --inbound '[{"action":"ACCEPT", "protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.2/32"], "ipv6": ["2001:DB8::/128"]}}]' \
+ --outbound '[{"action":"DROP","protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.2/32"], "ipv6": ["2001:DB8::/128`"]}}]'
 /networking/vlans:
 x-linode-cli-command: vlans
 get:
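Review bot: The new `--outbound` line of the rules-update CLI example carries a stray backtick inside the IPv6 entry, `"2001:DB8::/128`"`, which makes the JSON invalid and the address unparseable for anyone who pastes the example; it should read `"ipv6": ["2001:DB8::/128"]` exactly as the `--inbound` line above it does. The same typo is copied unchanged into the rewrite of this example in patch 2/4 (hunk `@@ -13615,8 +13619,8 @@`), so both lines need the fix. The `source: >` scalar begins inside this hunk, but the enclosing path item extends beyond it.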
@@ -20998,41 +20998,46 @@ components:
 - ICMP
 - IPENCAP
 description: >
- The type of network traffic to allow.
+ The type of network traffic affected by this rule.
 example: TCP
 ports:
 type: string
 description: |
- A string representing the port or ports on which traffic will be allowed:
+ A string representing the port or ports affected by this rule:
 
 - The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
 - A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
 - Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port "080" is not allowed.
- - Ports may not be specified if a rule's protocol is `ICMP` or `IPENCAP`.
- - At least one port must be specified if a rule's protocol is `TCP` or `UDP`.
 - The ports string can have up to 15 *pieces*, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string "22-24, 80, 443" has four pieces.
+ - If no ports are configured, all ports are affected.
 example: '22-24, 80, 443'
 addresses:
 type: object
- description: >
- Allowed IPv4 or IPv6 addresses. A Rule can have up to 255 addresses
- or networks listed across its IPv4 and IPv6 arrays. A network and a single IP
- are treated as equivalent when accounting for this limit.
+ description: |
+ The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
+
+ Must contain `ipv4`, `ipv6`, or both.
 properties:
 ipv4:
- description: A list of IPv4 addresses or networks. Must be in IP/mask format.
+ description: |
+ A list of IPv4 addresses or networks. Must be in IP/mask format.
+
+ If "0.0.0.0/0" is included in this list, all IPv4 addresses are affected by this rule.
 type: array
 items:
 type: string
 example:
- - 192.0.2.0/24
+ - 192.0.2.2/32
 ipv6:
- description: A list of IPv6 addresses or networks. Must be in IP/mask format.
+ description: |
+ A list of IPv6 addresses or networks. Must be in IP/mask format.
+
+ If "::/0" is included in this list, all IPv6 addresses are affected by this rule.
 type: array
 items:
 type: string
 example:
- - 2001:DB8::/32
+ - 2001:DB8::/128
 action:
 type: string
 enum:
From 4f6c899e5a2c7c6b2227aae777c3b80852375ac2 Mon Sep 17 00:00:00 2001
From: bbiggerr
Date: Thu, 31 Aug 2023 10:49:15 -0400
Subject: [PATCH 2/4] Updated FirewallRuleConfig ip address examples

---
 openapi.yaml | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/openapi.yaml b/openapi.yaml
index 38ae64ee6..5be700052 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -13062,7 +13062,8 @@ paths:
 "ports": "22, 80, 443",
 "addresses": {
 "ipv4": [
- "192.0.2.2/32"
+ "192.0.2.0/24",
+ "198.51.100.2/32"
 ],
 "ipv6": [
 "2001:DB8::/128"
@@ -13080,7 +13081,8 @@ paths:
 "ports": "49152-65535",
 "addresses": {
 "ipv4": [
- "192.0.2.2/32"
+ "192.0.2.0/24",
+ "198.51.100.2/32"
 ],
 "ipv6": [
 "2001:DB8::/128"
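Review bot: Replacing the bullet `At least one port must be specified if a rule's protocol is TCP or UDP` with `If no ports are configured, all ports are affected` turns a required field into a wildcard, and the wildcard's consequence is not spelled out: read together with `action: ACCEPT`, an omitted `ports` appears to admit every TCP or UDP port from the listed addresses. State that next to the new bullet, e.g. `- If no ports are configured, the rule applies to every port of its protocol; for an ACCEPT rule this opens all TCP or UDP ports to the listed addresses.`, and keep the `ports` example populated so readers do not copy a wildcard by accident. The new `0.0.0.0/0` and `::/0` sentences deserve the same treatment, since such an entry makes the rule match any source or destination rather than a specific address list. The enclosing schema definition starts before this hunk.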
@@ -13109,8 +13111,8 @@ paths:
 --label example-firewall \
 --rules.outbound_policy ACCEPT \
 --rules.inbound_policy DROP \
- --rules.inbound '[{"protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.2/32"], "ipv6": ["2001:DB8::/128"]}, "action": "ACCEPT"}]' \
- --rules.outbound '[{"protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.2/32"],"ipv6": ["2001:DB8::/128"]}, "action": "DROP", "label": "outbound-rule123", "description": "An example outbound rule description."}]'
+ --rules.inbound '[{"protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.0/24", "198.51.100.2/32"], "ipv6": ["2001:DB8::/128"]}, "action": "ACCEPT"}]' \
+ --rules.outbound '[{"protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.0/24", "198.51.100.2/32"],"ipv6": ["2001:DB8::/128"]}, "action": "DROP", "label": "outbound-rule123", "description": "An example outbound rule description."}]'
 /networking/firewalls/{firewallId}:
 parameters:
 - name: firewallId
@@ -13581,7 +13583,8 @@ paths:
 "ports": "22, 80, 443",
 "addresses": {
 "ipv4": [
- "192.0.2.2/32"
+ "192.0.2.0/24",
+ "198.51.100.2/32"
 ],
 "ipv6": [
 "2001:DB8::/128"
@@ -13599,7 +13602,8 @@ paths:
 "ports": "49152-65535",
 "addresses": {
 "ipv4": [
- "192.0.2.2/32"
+ "192.0.2.0/24",
+ "198.51.100.2/32"
 ],
 "ipv6": [
 "2001:DB8::/128"
@@ -13615,8 +13619,8 @@ paths:
 - lang: CLI
 source: >
 linode-cli firewalls rules-update 123 \
- --inbound '[{"action":"ACCEPT", "protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.2/32"], "ipv6": ["2001:DB8::/128"]}}]' \
- --outbound '[{"action":"DROP","protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.1/32", "192.0.2.2/32"], "ipv6": ["2001:DB8::/128`"]}}]'
+ --inbound '[{"action":"ACCEPT", "protocol": "TCP", "ports": "22, 80, 8080, 443", "addresses": {"ipv4": ["192.0.2.0/24", "198.51.100.2/32"], "ipv6": ["2001:DB8::/128"]}}]' \
+ --outbound '[{"action":"DROP","protocol": "TCP", "ports": "49152-65535", "addresses": {"ipv4": ["192.0.2.0/24", "198.51.100.2/32"], "ipv6": ["2001:DB8::/128`"]}}]'
 /networking/vlans:
 x-linode-cli-command: vlans
 get:
@@ -21027,7 +21031,8 @@ components:
 items:
 type: string
 example:
- - 192.0.2.2/32
+ - 192.0.2.0/24
+ - 198.51.100.2/32
 ipv6:
 description: |
 A list of IPv6 addresses or networks. Must be in IP/mask format.
From b866492964b1e63c4c390450e0c8407d619be630 Mon Sep 17 00:00:00 2001
From: bbiggerr
Date: Thu, 31 Aug 2023 11:57:38 -0400
Subject: [PATCH 3/4] Added ports ICMP and IPENCAP restriction

---
 openapi.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/openapi.yaml b/openapi.yaml
index 5be700052..6870fc6d9 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -20946,6 +20946,8 @@ components:
 The inbound and outbound access rules to apply to the Firewall.
 
 A Firewall may have up to 25 rules across its inbound and outbound rulesets.
+
+ Multiple rules are applied in order. If two rules conflict, the first rule takes precedence. For example, if the first rule accepts inbound traffic from an address, and the second rule drops inbound traffic the same address, the first rule applies and inbound traffic from that address is accepted.
 properties:
 inbound:
 type: array
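Review bot: The added ordering paragraph has a missing word, `the second rule drops inbound traffic the same address` should be `the second rule drops inbound traffic from the same address`, and "if two rules conflict" understates the semantics it describes: with first-match evaluation, order matters for every rule whose address and port sets overlap, not only for contradictory pairs. A tighter first sentence would be `Rules are evaluated in order, and the first rule that matches a packet determines the action taken; later rules are not consulted for that packet.` It would also help to say what happens when no rule matches, presumably that `inbound_policy` or `outbound_policy` applies, as the CLI example elsewhere in this series suggests; confirm that before stating it. The `description: |` scalar this paragraph belongs to starts before the hunk.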
@@ -21014,6 +21016,7 @@ components:
 - Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port "080" is not allowed.
 - The ports string can have up to 15 *pieces*, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string "22-24, 80, 443" has four pieces.
 - If no ports are configured, all ports are affected.
+ - Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
 example: '22-24, 80, 443'
 addresses:
 type: object
From 23261b62775616f6c2301e1d19b3a4714f2ba3ad Mon Sep 17 00:00:00 2001
From: bbiggerr
Date: Fri, 1 Sep 2023 10:28:41 -0400
Subject: [PATCH 4/4] Added more instructions for updating Firewall rules

---
 openapi.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/openapi.yaml b/openapi.yaml
index 6870fc6d9..f3ddc5ade 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -13536,7 +13536,7 @@ paths:
 description: |
 Updates the inbound and outbound Rules for a Firewall.
 
- **Note:** This command replaces all of a Firewall's `inbound` and/or `outbound` rulesets with the values specified in your request.
+ **Note:** This command replaces all of a Firewall's `inbound` and `outbound` rulesets with the values specified in your request.
 operationId: updateFirewallRules
 x-linode-cli-action: rules-update
 security:
@@ -21008,6 +21008,7 @@ components:
 example: TCP
 ports:
 type: string
+ nullable: true
 description: |
 A string representing the port or ports affected by this rule:
 
@@ -21027,7 +21028,7 @@ components:
 properties:
 ipv4:
 description: |
- A list of IPv4 addresses or networks. Must be in IP/mask format.
+ A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
 
 If "0.0.0.0/0" is included in this list, all IPv4 addresses are affected by this rule.
 type: array
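Review bot: The reworded note says both `inbound` and `outbound` rulesets are replaced, but it still does not say what happens to a ruleset that is omitted from the request body, whether it is cleared or left untouched, and that is precisely the case in which an operator can wipe every rule on one side of the firewall by sending a partial update. If omission clears the ruleset, say so explicitly, e.g. `A ruleset omitted from the request is replaced with an empty list, so include both inbound and outbound in every update.`; if an omitted ruleset is left unchanged, the previous "and/or" wording was the more accurate one. I cannot tell the actual behavior from this hunk, so the statement should be checked against the implementation. The operation definition continues beyond the hunk.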
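Review bot: `nullable: true` is added to `ports` without the description saying what a `null` value means; the bullet "If no ports are configured, all ports are affected" is elsewhere in the same scalar and presumably covers `null`, but a reader checking the schema will not connect the two. Add a sentence directly under `nullable: true`, e.g. `A null or omitted ports value means every port of the rule's protocol is affected.`, so that the all-ports outcome of sending `null` on a TCP or UDP `ACCEPT` rule is explicit. The `description: |` scalar continues past the end of this hunk.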
@@ -21038,7 +21039,7 @@ components:
 - 198.51.100.2/32
 ipv6:
 description: |
- A list of IPv6 addresses or networks. Must be in IP/mask format.
+ A list of IPv6 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
 
 If "::/0" is included in this list, all IPv6 addresses are affected by this rule.
 type: array