
Firewall Rule Group

Create Firewall Rule Groups

To create firewall rule groups, define the firewall_rule_groups variable. Both Stateful and Stateless types are supported.

# Example: one STATEFUL group (Suricata rules) and one STATELESS group that
# forwards web traffic to the stateful engine. Map keys become the group names.
firewall_rule_groups = {
  allow-domains = {
    description = "Allow specific domains using rules_string"
    # NOTE(review): capacity is the rule-processing budget reserved for the group;
    # in AWS Network Firewall it cannot be changed after creation — confirm and
    # size it for growth.
    capacity    = 300
    type        = "STATEFUL"
    rule_group = {
      rules_source = {
        # Suricata-format rules. A `pass` rule on its own does not block anything:
        # an allow-list needs a later drop rule (or a stateful default action of
        # drop on the policy) for SNIs that do not match.
        # NOTE(review): `content:"amazonaws.com"; endswith` also matches an SNI such
        # as "notamazonaws.com"; a domain-boundary match (e.g. Suricata's `dotprefix`
        # transform with content ".amazonaws.com") is tighter — confirm for your
        # engine version before relying on it.
        rules_string = <<-EOT
# Allow AWS domains
pass tls any any -> any any (msg:"Allow amazonaws.com"; tls.sni; content:"amazonaws.com"; nocase; endswith; sid:100001; rev:1;)
EOT
      }
      stateful_rule_options = {
        # STRICT_ORDER: rules are evaluated in the order written in rules_string,
        # so the pass rule above must precede any drop rule that closes the list.
        # The policy's stateful engine must use STRICT_ORDER as well.
        rule_order = "STRICT_ORDER"
      }
    }
  },
  forward-web = {
    description = "Forward web traffic to stateful rules"
    capacity    = 100
    type        = "STATELESS"
    rule_group = {
      rules_source = {
        stateless_rules_and_custom_actions = {
          stateless_rules = [{
            # Evaluation order of this rule within the group (lower value first).
            priority = 1
            rule_definition = {
              # Matching packets are handed to the stateful engine (the
              # allow-domains group above) rather than being allowed outright.
              actions = ["aws:forward_to_sfe"]
              match_attributes = {
                protocols = [6] # TCP
                # Any source to any destination; only the port list narrows the match.
                sources = [{
                  address_definition = "0.0.0.0/0"
                }]
                destinations = [{
                  address_definition = "0.0.0.0/0"
                }]
                # HTTP and HTTPS only. NOTE(review): traffic on other ports does not
                # match this rule and presumably falls to the policy's stateless
                # default actions — verify those are set deliberately.
                destination_ports = [{
                  from_port = 80
                  to_port   = 80
                  }, {
                  from_port = 443
                  to_port   = 443
                }]
                # Empty lists: presumably no restriction on source port or TCP flags.
                source_ports = []
                tcp_flags    = []
              }
            }
          }]
        }
      }
    }
  },
}

Create Suricata rules for Stateful Firewall Rule Groups

To create Suricata rules, define the rules_string in the firewall_rule_groups variable using an EOT heredoc.

# Example: a STATEFUL group whose rules are supplied as a Suricata rules_string.
firewall_rule_groups = {
  allow-domains = {
    description = "Allow specific domains using rules_string"
    capacity    = 300
    type        = "STATEFUL"
    rule_group = {
      rules_source = {
        # The heredoc body is passed to the stateful engine verbatim, so Suricata
        # `#` comments and `sid`/`rev` values are part of the rule text.
        # A lone `pass` rule does not block other domains; an allow-list needs a
        # following drop rule (or a drop stateful default action on the policy).
        # NOTE(review): `content:"amazonaws.com"; endswith` also matches SNIs such as
        # "notamazonaws.com"; a domain-boundary match (e.g. Suricata's `dotprefix`
        # transform with content ".amazonaws.com") is tighter — confirm for your
        # engine version.
        rules_string = <<-EOT
# Allow AWS domains
pass tls any any -> any any (msg:"Allow amazonaws.com"; tls.sni; content:"amazonaws.com"; nocase; endswith; sid:100001; rev:1;)
EOT
      }
      stateful_rule_options = {
        # Rules are evaluated in written order; keep pass rules ahead of drops.
        rule_order = "STRICT_ORDER"
      }
    }
  }
}

Set Stateful Rule Options for Stateful Firewall Rule Groups

Set the rule_order argument in the stateful_rule_options variable to "STRICT_ORDER" to override the default. Strict ordering evaluates rule groups in order of priority, starting from the lowest number value. To be used with policies that also have STRICT_ORDER set for the stateful engine.

# Example: a STATEFUL group with strict rule ordering enabled.
firewall_rule_groups = {
  allow-domains = {
    description = "Allow specific domains using rules_string"
    capacity    = 300
    type        = "STATEFUL"
    rule_group = {
      rules_source = {
        # Under STRICT_ORDER the position of each rule in this string matters:
        # the engine evaluates them top to bottom as written.
        # NOTE(review): this `pass` rule alone allows only what it matches and
        # blocks nothing else; add a trailing drop rule (or a drop stateful
        # default action on the policy) to complete the allow-list.
        rules_string = <<-EOT
# Allow AWS domains
pass tls any any -> any any (msg:"Allow amazonaws.com"; tls.sni; content:"amazonaws.com"; nocase; endswith; sid:100001; rev:1;)
EOT
      }
      stateful_rule_options = {
        # STRICT_ORDER overrides the default action-based ordering. The policy
        # that attaches this group must also use STRICT_ORDER for its stateful
        # engine; rule groups are then evaluated by priority, lowest number first.
        rule_order = "STRICT_ORDER"
      }
    }
  }
}