Rule fields
All fields in a single rule are AND’d together. Within a list (e.g.
src: [a, b]) the elements are OR’d.
| Field | Type | Notes |
|---|---|---|
comment | string | Shown in the live-logs viewer for matched packets. Always set this. |
src | string | string[] | CIDR / IP range / object-group name / any. |
dst | string | string[] | Same format as src. |
protocol | tcp | udp | icmp | Required if a port is set. Forbidden for ICMP + port. |
port | int | range | int[] | group | Destination port. "800-8000" for ranges. Group name to reuse. |
sni_hostname | string | string[] | group | L7 match on TLS SNI / HTTP Host. |
action | accept | drop | Required. The verdict when the rule matches. |
log | boolean | Per-packet log to the live-logs viewer. Default: false. |
snat | boolean | Source-NAT this flow (through-firewall only). |
rules: - name: through-firewall default_action: drop rules: # Source list — VPN users OR DC subnet - comment: Internal services to S3 src: - corp-vpn # object group - 10.30.0.0/16 # plus this CIDR dst: any protocol: tcp port: 443 sni_hostname: "**.amazonaws.com" action: accept log: true
# Port list - comment: Web app inbound src: any dst: 10.40.0.0/24 protocol: tcp port: - 80 - 443 - 8443 action: accept
# ICMP — no port allowed - comment: Allow inbound pings src: any dst: any protocol: icmp action: acceptSee also: SNI / hostname matching for the sni_hostname
wildcard grammar, and Per-rule SNAT for the snat field.