Class NfwRuleSourceConfig

NetworkConfig / CentralNetworkServicesConfig / NfwConfig / NfwRuleGroupConfig / NfwRuleGroupRuleConfig / NfwRuleSourceConfig

Network Firewall rule source configuration. Use this configuration to define stateful and/or stateless rules for your Network Firewall. The following rules sources are supported:

  • File with list of Suricata-compatible rules
  • Domain list
  • Single Suricata-compatible rule
  • Stateful rule in IP header format
  • Stateless rules and custom actions

See

Example

File with list of Suricata rules:

rulesFile: path/to/rules.txt

Domain list:

rulesSourceList:
  generatedRulesType: DENYLIST
  targets:
    - .example.com
  targetTypes: ['TLS_SNI', 'HTTP_HOST']

Single Suricata rule:

rulesString: 'pass ip 10.1.0.0/16 any -> 10.0.0.0/16 any (sid:100;)'

Stateful rule in IP header format:

statefulRules:
  - action: PASS
    header:
      source: 10.1.0.0/16
      sourcePort: ANY
      destination: 10.0.0.0/16
      destinationPort: ANY
      direction: FORWARD
      protocol: IP
    ruleOptions:
      - keyword: sid
        settings: ['100']

Stateless rules:

statelessRulesAndCustomActions:
  statelessRules:
    - priority: 100
      ruleDefinition:
        actions: ['aws:pass']
        matchAttributes:
          sources:
            - 10.1.0.0/16
          sourcePorts:
            - fromPort: 1024
              toPort: 65535
          destinations:
            - 10.0.0.0/16
          destinationPorts:
            - fromPort: 22
              toPort: 22

Hierarchy

  • NfwRuleSourceConfig

Implements

Constructors

constructor

Properties

rulesFile rulesSourceList rulesString statefulRules statelessRulesAndCustomActions

Constructors

constructor

Properties

Readonly rulesFile

rulesFile: undefined | string = undefined

(OPTIONAL) Suricata rules file. Use this property to define a Suricata-compatible rules file for Network Firewall.

Remarks

The path must exist in your accelerator configuration repository. The file must be formatted with Suricata-compatible rules separated by newlines.

See

https://suricata.readthedocs.io/en/suricata-6.0.2/rules/intro.html

Readonly rulesSourceList

rulesSourceList: undefined | NfwRuleSourceListConfig = undefined

(OPTIONAL) A Network Firewall rule source list configuration. Use this property to define a domain list for Network Firewall.

See

NfwRuleSourceListConfig

Readonly rulesString

rulesString: undefined | string = undefined

(OPTIONAL) A Suricata-compatible stateful rule string. Use this property to define a single Suricata-compatible rule for Network Firewall.

See

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html#suricata-example-rule-with-variables

Readonly statefulRules

statefulRules: undefined | NfwRuleSourceStatefulRuleConfig[] = undefined

(OPTIONAL) An array of Network Firewall stateful rule IP header configurations. Use this property to define a stateful rule in IP header format for Network Firewall.

See

NfwRuleSourceStatefulRuleConfig

Readonly statelessRulesAndCustomActions

statelessRulesAndCustomActions: undefined | NfwStatelessRulesAndCustomActionsConfig = undefined

(OPTIONAL) A Network Firewall stateless rules and custom action configuration. Use this property to define stateless rules and custom actions for Network Firewall.

See

NfwStatelessRulesAndCustomActionsConfig

Settings

Member Visibility

Theme

Generated using TypeDoc