NfwRuleSourceConfig

Config path: NetworkConfig / CentralNetworkServicesConfig / NfwConfig / NfwRuleGroupConfig / NfwRuleGroupRuleConfig / NfwRuleSourceConfig

Network Firewall rule source configuration. Use this configuration to define the stateful or stateless rules of a Network Firewall rule group. A rule group has exactly one rule source, so set exactly one of the properties below, and make sure it matches the type of the enclosing rule group: the stateless source belongs only in a STATELESS rule group, the other four sources only in a STATEFUL one. The following rule sources are supported:

  • File with list of Suricata-compatible rules
  • Domain list
  • Single Suricata-compatible rule
  • Stateful rule in IP header format
  • Stateless rules and custom actions

Example

File with list of Suricata rules:

rulesFile: path/to/rules.txt

Domain list:

rulesSourceList:
  generatedRulesType: DENYLIST
  targets:
    - .example.com
  targetTypes: ['TLS_SNI', 'HTTP_HOST']

Single Suricata rule:

rulesString: 'pass ip 10.1.0.0/16 any -> 10.0.0.0/16 any (sid:100;)'

Stateful rule in IP header format:

statefulRules:
  - action: PASS
    header:
      source: 10.1.0.0/16
      sourcePort: ANY
      destination: 10.0.0.0/16
      destinationPort: ANY
      direction: FORWARD
      protocol: IP
    ruleOptions:
      - keyword: sid
        settings: ['100']

Stateless rules:

statelessRulesAndCustomActions:
  statelessRules:
    - priority: 100
      ruleDefinition:
        actions: ['aws:pass']
        matchAttributes:
          sources:
            - 10.1.0.0/16
          sourcePorts:
            - fromPort: 1024
              toPort: 65535
          destinations:
            - 10.0.0.0/16
          destinationPorts:
            - fromPort: 22
              toPort: 22

Hierarchy

  • NfwRuleSourceConfig

Properties

rulesFile: undefined | string = undefined

(OPTIONAL) Suricata rules file. Use this property to define a Suricata-compatible rules file for Network Firewall.

Remarks

The path must exist in your accelerator configuration repository. The file must contain Suricata-compatible rules, one per line. Every rule needs a sid option, and sids must be unique within the rule group or Network Firewall rejects the rule group.

See

https://suricata.readthedocs.io/en/suricata-6.0.2/rules/intro.html

rulesSourceList: undefined | NfwRuleSourceListConfig = undefined

(OPTIONAL) A Network Firewall rule source list configuration. Use this property to define a domain list for Network Firewall. With generatedRulesType DENYLIST, traffic to the listed domains is dropped and everything else passes; with ALLOWLIST, only traffic to the listed domains passes. A target with a leading period (.example.com) matches the domain and all of its subdomains; a bare name (example.com) matches only that exact host.

See

NfwRuleSourceListConfig

rulesString: undefined | string = undefined

(OPTIONAL) A Suricata-compatible stateful rule string. Use this property to define a single Suricata-compatible rule for Network Firewall.

See

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html#suricata-example-rule-with-variables

statefulRules: undefined | NfwRuleSourceStatefulRuleConfig[] = undefined

(OPTIONAL) An array of Network Firewall stateful rule IP header configurations. Use this property to define a stateful rule in IP header format for Network Firewall.

See

NfwRuleSourceStatefulRuleConfig

statelessRulesAndCustomActions: undefined | NfwStatelessRulesAndCustomActionsConfig = undefined

(OPTIONAL) A Network Firewall stateless rules and custom action configuration. Use this property to define stateless rules and custom actions for Network Firewall.

See

NfwStatelessRulesAndCustomActionsConfig
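The five rule sources above are mutually exclusive and each carries its own validity rules (unique sids, sane port ranges, recognised actions, well-formed domain targets). A rule group that violates them only fails at deployment time, so it is worth linting the fragment before it is committed. The following linter is an added example, not code from the Landing Zone Accelerator or AWS. It assumes the NfwRuleSourceConfig fragment has already been loaded into a Python dict (for instance from network-config.yaml with a YAML loader) and that the contents of a rulesFile are passed in as text; the constraints it enforces are the AWS Network Firewall ones described on this page, plus the assumption that custom stateless actions are declared under a customActions list keyed by actionName. The sample fragments in the test are constructed from the examples on this page.

```python
"""Lint an LZA NfwRuleSourceConfig fragment (added example, not LZA/AWS code).

Assumptions not stated on the page: the fragment is a dict already loaded
from YAML; a rulesFile's contents are supplied as text; custom stateless
actions are declared under customActions with an actionName field.
"""
import re
from typing import Dict, List, Tuple

SOURCE_KEYS = ("rulesFile", "rulesSourceList", "rulesString",
               "statefulRules", "statelessRulesAndCustomActions")
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
STATEFUL_ACTIONS = {"PASS", "DROP", "ALERT", "REJECT"}
TARGET_TYPES = {"TLS_SNI", "HTTP_HOST"}
DOMAIN_RE = re.compile(r"\.?[a-z0-9-]+(\.[a-z0-9-]+)+")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def _suricata_sids(text: str, errors: List[str], where: str) -> List[int]:
    """Collect sid values from Suricata rule lines; every rule needs one."""
    sids = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine in a rules file
        m = SID_RE.search(line)
        if m:
            sids.append(int(m.group(1)))
        else:
            errors.append(f"{where} line {n}: rule has no sid option")
    return sids


def _check_unique(values: list, errors: List[str], what: str) -> None:
    dupes = sorted({v for v in values if values.count(v) > 1})
    if dupes:
        errors.append(f"duplicate {what}: {dupes}")


def validate_rule_source(cfg: Dict, rules_file_text: str = "") -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one NfwRuleSourceConfig fragment."""
    errors: List[str] = []
    warnings: List[str] = []

    # A rule group has exactly one rule source.
    present = [k for k in SOURCE_KEYS if cfg.get(k) is not None]
    if len(present) != 1:
        errors.append(f"exactly one rule source is required, found {present or 'none'}")

    if cfg.get("rulesFile") is not None:
        _check_unique(_suricata_sids(rules_file_text, errors, "rulesFile"), errors, "sid")
    if cfg.get("rulesString") is not None:
        _check_unique(_suricata_sids(cfg["rulesString"], errors, "rulesString"), errors, "sid")

    lst = cfg.get("rulesSourceList")
    if lst is not None:
        if lst.get("generatedRulesType") not in ("ALLOWLIST", "DENYLIST"):
            errors.append("rulesSourceList.generatedRulesType must be ALLOWLIST or DENYLIST")
        types = set(lst.get("targetTypes") or [])
        if not types or types - TARGET_TYPES:
            errors.append(f"rulesSourceList.targetTypes must be a non-empty subset of {sorted(TARGET_TYPES)}")
        for t in lst.get("targets") or []:
            if not DOMAIN_RE.fullmatch(t.lower()):
                errors.append(f"rulesSourceList target {t!r} is not a domain name")
            elif not t.startswith("."):
                # A bare name matches only itself; a leading dot also covers subdomains.
                warnings.append(f"target {t!r} matches only the exact host; use '.{t}' to cover subdomains")

    stateful = cfg.get("statefulRules")
    if stateful is not None:
        sids = []
        for i, rule in enumerate(stateful):
            if rule.get("action") not in STATEFUL_ACTIONS:
                errors.append(f"statefulRules[{i}].action must be one of {sorted(STATEFUL_ACTIONS)}")
            if (rule.get("header") or {}).get("direction") not in ("FORWARD", "ANY"):
                errors.append(f"statefulRules[{i}].header.direction must be FORWARD or ANY")
            sid_opts = [o for o in rule.get("ruleOptions") or [] if o.get("keyword") == "sid"]
            if len(sid_opts) != 1 or len(sid_opts[0].get("settings") or []) != 1:
                errors.append(f"statefulRules[{i}] needs exactly one sid rule option")
            else:
                sids.append(sid_opts[0]["settings"][0])
        _check_unique(sids, errors, "sid")

    sl = cfg.get("statelessRulesAndCustomActions")
    if sl is not None:
        custom = {c.get("actionName") for c in sl.get("customActions") or []}  # assumed shape
        priorities = []
        for i, rule in enumerate(sl.get("statelessRules") or []):
            priorities.append(rule.get("priority"))
            rd = rule.get("ruleDefinition") or {}
            actions = set(rd.get("actions") or [])
            if len(actions & STANDARD_ACTIONS) != 1:
                errors.append(f"statelessRules[{i}] needs exactly one of {sorted(STANDARD_ACTIONS)}")
            undefined = actions - STANDARD_ACTIONS - custom
            if undefined:
                errors.append(f"statelessRules[{i}] references undefined custom action(s) {sorted(undefined)}")
            attrs = rd.get("matchAttributes") or {}
            for key in ("sourcePorts", "destinationPorts"):
                for pr in attrs.get(key) or []:
                    lo, hi = pr.get("fromPort"), pr.get("toPort")
                    if not (isinstance(lo, int) and isinstance(hi, int) and 0 <= lo <= hi <= 65535):
                        errors.append(f"statelessRules[{i}].{key}: bad port range {lo}-{hi}")
        _check_unique(priorities, errors, "stateless priority")

    return errors, warnings
```

Run it over every rule-source fragment in network-config.yaml during CI and fail the pipeline on any error; the subdomain warning is deliberately not an error, because an exact-host target is sometimes what you want for an allow list.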
