Creating Firewall Groups and Inbound Rules

Firewall groups allow you to define reusable sets of inbound rules and apply them when provisioning devices. You can control which ports are exposed on devices and which other devices or networks can reach them, ensuring that only authorised traffic is permitted.

Firewall groups: named groups of inbound rules that can be attached to one or more devices during provisioning. Each device is provisioned with at least one device group; devices with no explicit selection fall back to the default group.

Inbound rules: allow-only rules that define which traffic can reach a device. All inbound traffic is blocked unless it matches a rule. Each rule is evaluated as:

port AND protocol AND (host OR device group OR device groups OR cidr)

Creating a Firewall Group

  1. Navigate to the Firewall Groups page in the dashboard.
  2. Click Create Firewall Group.
  3. Enter a Group name (e.g. web-access).
  4. Add one or more inbound rules.
  5. Click Create group.

Inbound Rule Fields

Each inbound rule has the following fields:

  • Port: 0, any, a single value (80), a range (200-901), or fragment.
  • Protocol: TCP, UDP, ICMP, or ANY. Port is ignored for ICMP.
  • Host: any or a specific device name.
  • Device Group: a single required device group that the connecting device must belong to.
  • Device Groups (comma separated): an AND match — the connecting device must have all listed groups.
  • CIDR: remote network range. Use 0.0.0.0/0 for any IPv4, ::/0 for any IPv6, or any for both families.

Each rule must include at least one selector: host, device group, device groups, or CIDR.

Rules can be reordered using the up/down controls and removed with the delete button.
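
The evaluation expression and field formats above, written out as a small matcher for checking what a group would admit before attaching it. This is an added example, not the product's own code. The rule and packet dictionary keys are hypothetical, and it assumes that port 0 behaves like any and that fragment matches only fragmented packets.

```python
import ipaddress

def port_matches(spec, port, is_fragment=False):
    spec = str(spec).strip().lower()
    if spec in ("0", "any"):       # assumption: 0 behaves like any
        return True
    if spec == "fragment":         # assumption: matches fragmented packets only
        return is_fragment
    lo, _, hi = spec.partition("-")            # "80" or "200-901"
    return port is not None and int(lo) <= port <= int(hi or lo)

def cidr_matches(spec, ip):
    if spec == "any":                          # both address families
        return True
    addr, net = ipaddress.ip_address(ip), ipaddress.ip_network(spec)
    return addr.version == net.version and addr in net

def rule_matches(rule, pkt):
    """port AND protocol AND (host OR device group OR device groups OR cidr)"""
    if not any(rule.get(k) for k in ("host", "group", "groups", "cidr")):
        raise ValueError("rule must include at least one selector")
    proto = rule["protocol"].upper()
    if proto not in ("ANY", pkt["protocol"].upper()):
        return False
    # Port is ignored for ICMP rules.
    if proto != "ICMP" and not port_matches(
            rule["port"], pkt.get("port"), pkt.get("fragment", False)):
        return False
    src_groups = set(pkt.get("groups", ()))
    return bool(
        (rule.get("host") and rule["host"] in ("any", pkt.get("name")))
        or (rule.get("group") and rule["group"] in src_groups)
        # Device Groups is an AND match: every listed group is required.
        or (rule.get("groups") and set(rule["groups"]) <= src_groups)
        or (rule.get("cidr") and cidr_matches(rule["cidr"], pkt["ip"]))
    )

def allowed(rules, pkt):
    # Allow-only: traffic passes if any rule matches, otherwise it is blocked.
    return any(rule_matches(r, pkt) for r in rules)

# Constructed sample group; device names, groups and addresses are made up.
WEB_ACCESS = [
    {"port": "443", "protocol": "TCP", "cidr": "0.0.0.0/0"},
    {"port": "22", "protocol": "TCP", "groups": ["ops", "laptop"]},
    {"port": "200-901", "protocol": "UDP", "group": "servers"},
    {"port": "any", "protocol": "ICMP", "host": "monitor-1"},
]
```

Note that the 443 rule uses 0.0.0.0/0, so an IPv6 source is still blocked; the CIDR value any would be needed to admit both families.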