Closed Sebbo94BY closed 1 month ago
Hey @Sebi94nbg,
thank you for your feedback! I passed the things to our team.
We decided to not implement two different fields for the ports because it doesn't felt right to have something like this:
from_port = 2223
to_port = 2223
We want to be simple and easy to use, therefore we decided to only have a port
. Within this field, you can use single ports or even port ranges (Sample: 1-65535
).
Would be cool to have a simple option to define a rule, which simply allows everything (eg. for outgoing traffic to be explicit; AWS does this for example with protocol = "-1", from_port = 0 and to_port = 0)
Personally, I think this is quite dangerous. When you define a firewall rule you should be explicit, having such indirect rules (one rule that allows everything) is fine as long as there are only a few supported protocols. With this "wildcard" you would directly allow new protocols we might add to the firewalls without knowing about it.
You're welcome! Thank you!
When you define a firewall rule you should be explicit
Currently, you allow any outgoing traffic, when there is no rule configured in any assigned firewall. With my approach this would be explicit then. You are explicitly allowing anything. :)
With this "wildcard" you would directly allow new protocols we might add to the firewalls without knowing about it.
When you add / support new things, then this rule shouldn't be your problem. That's something, about what the respective DevOps needs to think about. They also could be more explicit and only allow the protocols and ports, which they want to allow instead of allowing anything. I wouldn't see this as a problem from Hetzner side. A DevOps has the job to check the changes of new releases, Cloud features etc. and if required, the DevOps needs to react. But that's only my opinion. ;)
This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.
There are still some open improvement requests.
Hello,
thanks for you suggestions. We do not plan on implementing anything in addition to what is already supported right now. I will close the issue. Feel free to open a new issue for any new suggestions :)
Rules Descriptions are supported since v1.28.0 of the provider.
We have decided to keep the single field. This is consistent with the current API. If we would add new fields from_port
and to_port
it would complicate the handling. On reading the resources we would need to parse the API response and decide if we need to fill port
or from_port
+to_port
.
I have added a +1 to a related request in our internal feature tracker. If this gets added to the API, we will also add this in the provider.
I've just tested the beta firewall feature using Terraform and also in the console and I really like it. This helps a lot to avoid eg. iptables firewall configurations on all the hosts. While testing and setting up a few firewalls and rules, I've noted some things, which would be cool to have:
# comments
, but this would not help someone, who is checking something through the Hetzner Cloud Console only)port
, I would implemtfrom_port
andto_port
. In the console, you're also able to fill out two fields. This would also allow you to change the value type fromstring
tonumber
to better check the given values. :)protocol = "-1"
,from_port = 0
andto_port = 0
)Outgoing firewall rules are currently not possible to manage as(#348)direction out
is not available in TerraformBelow some examples for these improvements: