How to Activate a Stateful Cloud Firewall

Firewall and Security Groups Overview

A firewall controls incoming and going traffic based on predefined security rules. Typically it establishes a barrier between a trusted (internal) network and untrusted external network, like the Internet.

At Scaleway, you have the possibility to use security groups. Security groups enable to create rules that either drop or allow incoming traffic from or to certain ports of your server.

It is possible to configure a security group using the following configuration utilities:

For more information, you can refer to our Network FAQ.

Requirements:
You have an account and are logged into console.scaleway.com
You have configured your SSH Key

Creating a Security Group via the Scaleway Console

1 . In the Compute section of the side menu, click Instances. The virtual instances list displays.

2 . Click the Security Group tab to enter the security group configuration:

3 . Hover over the + button and click Create a Security Group.

4 . The security group creation page displays.

Fill in the following information for your security group:

a Name of your choice
a Description of the security group
a Region in which the security group is available
The Security Group rules to be applied
One or multiple Instances to apply the security group on

5 . Click Create a new security group to add the newly created group to your security group configuration.

By default security groups are stateful. To configure a stateless security group, uncheck the corresponding box on the security groups overview page:

Configuring a Security Group via the Scaleway Console

The security group configuration is based on a set of inbound and outbound rules.
By default a new security group is empty, with an exception of rules for outbound SMTP connections. These connections are blocked by default for security reasons.
Tick the Enable SMTP box to disable these rules and to be able to send outgoing emails from your instance.

Click Add inbound rule to add inbound rules.
Click Add outbound rule to add outbound rules.

Add a new rule as follows:

Rule: The value can either be Drop to drop connections that match the rule or Accept to accept these connections.
Protocol: This field specifies the protocol on which the rule applies. The value can either be TCP, UDP or ICMP.
Port: This field specifies the [port](https://en.wikipedia.org/wiki/Port_(computer_networking) on which the rule applies. If the All Ports box is tickets, the rule applies to all ports.
IP Range: The IP range in CIDR notation on which the rule applies.

Note: Security Group rules are treated in their order. This means you must allow connections to certain ports before denying connections to any other port.

Editing a Security Group via the Scaleway Console

1 . In the Security Group tab, click on the security group you want to edit or use the dropdown menu on the right … > More info:

2 . The security group details displays:

In the Overview section, you can:

Add a description to the security group
Set the security group as organization default
Enable or disable the SMTP ports. We recommend blocking SMTP outbound traffic to avoid mail spamming.
Enable or disable stateful security group rules
Delete the security group

In the Instances section, you can:

Add a new virtual instance to the security group
Unlink a virtual instance from the security group

In the Rules section, you can:

Set the security groups default rules:
- Inbound default policy: whether you want to allow or not all incoming traffic to your server. We recommend blocking incoming traffic by default to prevent intrusions.
- Outbound default policy: whether you want to allow or not all outgoing traffic from your server.
Update the security groups inbound and outbound rules

Creating a Security Group via the Scaleway API

1 . Generate a token from your Scaleway console, if you do not have one yet.

2 . Define a SCW_TOKEN variable from your token id

export SCW_TOKEN='token_uuid'

3 . Retrieve your organization ID through the API. Replace the $ACCESS_KEY and $SECRET_KEY values respectively with your generated access key and secret key.

% curl https://account.scaleway.com/tokens/$ACCESS_KEY -H "X-Auth-Token: $SECRET_KEY"

{
  "token": {
->  "organization_id": "000a115d-2852-4b0a-9ce8-47f1134ba95a",
    ...
  }
}

In the above example, the organization ID is 000a115d-2852-4b0a-9ce8-47f1134ba95a.

4 . Depending on your instance location, you can use the base URL https://cp-par1.scaleway.com or https://cp-ams1.scaleway.com

5 . Retrieve your security group.

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups' -H "x-auth-token: $SCW_TOKEN" | jq

6 . Create a new security group

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups' -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"organization":"717ff161-41a6-4458-b4f8-e6d07d7d9562","name":"New group","description":"new"}' | jq

7 . Set the stateful option on the security group

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"stateful":true}' | jq

8 . Set inbound default policy to drop

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"inbound_default_policy":"drop"}' | jq

9 . Set outbound default policy to drop

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"drop"}' | jq

10 . Set outbound default policy to accept

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"accept"}' | jq