mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 18:45:13 +00:00
230 lines
9.9 KiB
Text
230 lines
9.9 KiB
Text
NAME
|
|
gcloud beta compute firewall-rules update - update a firewall rule
|
|
|
|
SYNOPSIS
|
|
gcloud beta compute firewall-rules update NAME
|
|
[--allow=[PROTOCOL[:PORT[-PORT]],...]] [--description=DESCRIPTION]
|
|
[--destination-ranges=[CIDR_RANGE,...]] [--disabled]
|
|
[--[no-]enable-logging] [--logging-metadata=LOGGING_METADATA]
|
|
[--priority=PRIORITY] [--rules=[PROTOCOL[:PORT[-PORT]],...]]
|
|
[--source-ranges=[CIDR_RANGE,...]]
|
|
[--source-service-accounts=[EMAIL,...]] [--source-tags=[TAG,...]]
|
|
[--target-service-accounts=[EMAIL,...]] [--target-tags=[TAG,...]]
|
|
[GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
(BETA) gcloud beta compute firewall-rules update is used to update firewall
|
|
rules that allow/deny incoming/outgoing traffic. The firewall rule will
|
|
only be updated for arguments that are specifically passed. Other
|
|
attributes will remain unaffected. The action flag (whether to allow or
|
|
deny matching traffic) cannot be defined when updating a firewall rule; use
|
|
gcloud compute firewall-rules delete to remove the rule instead.
|
|
|
|
EXAMPLES
|
|
To update the firewall rule RULE to enable logging, run:
|
|
|
|
$ gcloud beta compute firewall-rules update RULE --enable-logging
|
|
|
|
POSITIONAL ARGUMENTS
|
|
NAME
|
|
Name of the firewall rule to update.
|
|
|
|
FLAGS
|
|
--allow=[PROTOCOL[:PORT[-PORT]],...]
|
|
A list of protocols and ports whose traffic will be allowed.
|
|
|
|
The protocols allowed over this connection. This can be the
|
|
(case-sensitive) string values tcp, udp, icmp, esp, ah, sctp, or any IP
|
|
protocol number. An IP-based protocol must be specified for each rule.
|
|
The rule applies only to specified protocol.
|
|
|
|
For port-based protocols - tcp, udp, and sctp - a list of destination
|
|
ports or port ranges to which the rule applies may optionally be
|
|
specified. If no port or port range is specified, the rule applies to
|
|
all destination ports.
|
|
|
|
The ICMP protocol is supported, but there is no support for configuring
|
|
ICMP packet filtering by ICMP code.
|
|
|
|
For example, to create a rule that allows TCP traffic through port 80
|
|
and ICMP traffic:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE \
|
|
--allow tcp:80,icmp
|
|
|
|
To create a rule that allows TCP traffic from port 20000 to 25000:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE \
|
|
--allow tcp:20000-25000
|
|
|
|
To create a rule that allows all TCP traffic:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE --allow tcp
|
|
|
|
Setting this will override the current values.
|
|
|
|
--description=DESCRIPTION
|
|
A textual description for the firewall rule. Set to an empty string to
|
|
clear existing.
|
|
|
|
--destination-ranges=[CIDR_RANGE,...]
|
|
The firewall rule will apply to traffic that has destination IP address
|
|
in these IP address block list. The IP address blocks must be specified
|
|
in CIDR format:
|
|
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.
|
|
|
|
Setting this will override the existing destination ranges for the
|
|
firewall. The following will clear the existing destination ranges:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE \
|
|
--destination-ranges
|
|
|
|
--disabled
|
|
Disable a firewall rule and stop it from being enforced in the network.
|
|
If a firewall rule is disabled, the associated network behaves as if
|
|
the rule did not exist. To enable a disabled rule, use:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE --no-disabled
|
|
|
|
--[no-]enable-logging
|
|
Enable logging for the firewall rule. Logs will be exported to
|
|
StackDriver. Firewall logging is disabled by default. To enable logging
|
|
for an existing rule, run:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE --enable-logging
|
|
|
|
To disable logging on an existing rule, run:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE \
|
|
--no-enable-logging
|
|
|
|
Use --enable-logging to enable and --no-enable-logging to disable.
|
|
|
|
--logging-metadata=LOGGING_METADATA
|
|
Adds or removes metadata fields to or from the reported firewall logs.
|
|
Can only be specified if --enable-logging is true. LOGGING_METADATA
|
|
must be one of: exclude-all, include-all.
|
|
|
|
--priority=PRIORITY
|
|
This is an integer between 0 and 65535, both inclusive. When NOT
|
|
specified, the value assumed is 1000. Relative priority determines
|
|
precedence of conflicting rules: lower priority values imply higher
|
|
precedence. DENY rules take precedence over ALLOW rules having equal
|
|
priority.
|
|
|
|
--rules=[PROTOCOL[:PORT[-PORT]],...]
|
|
A list of protocols and ports to which the firewall rule will apply.
|
|
|
|
PROTOCOL is the IP protocol whose traffic will be checked. PROTOCOL can
|
|
be either the name of a well-known protocol (e.g., tcp or icmp) or the
|
|
IP protocol number. A list of IP protocols can be found at
|
|
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
|
|
|
|
A port or port range can be specified after PROTOCOL to which the
|
|
firewall rule apply on traffic through specific ports. If no port or
|
|
port range is specified, connections through all ranges are applied.
|
|
TCP and UDP rules must include a port or port range.
|
|
|
|
Setting this will override the current values.
|
|
|
|
--source-ranges=[CIDR_RANGE,...]
|
|
A list of IP address blocks that are allowed to make inbound
|
|
connections that match the firewall rule to the instances on the
|
|
network. The IP address blocks must be specified in CIDR format:
|
|
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.
|
|
|
|
If neither --source-ranges nor --source-tags are specified,
|
|
--source-ranges defaults to 0.0.0.0/0, which means that the rule
|
|
applies to all incoming IPv4 connections from inside or outside the
|
|
network. If both --source-ranges and --source-tags are specified, the
|
|
rule matches if either the range of the source matches --source-ranges
|
|
or the tag of the source matches --source-tags.
|
|
|
|
Setting this will override the existing source ranges for the firewall.
|
|
The following will clear the existing source ranges:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE --source-ranges
|
|
|
|
--source-service-accounts=[EMAIL,...]
|
|
The email of a service account indicating the set of instances on the
|
|
network which match a traffic source in the firewall rule.
|
|
|
|
If a source service account is specified then neither source tags nor
|
|
target tags can also be specified.
|
|
|
|
Setting this will override the existing source service accounts for the
|
|
firewall. The following will clear the existing source service
|
|
accounts:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE \
|
|
--source-service-accounts
|
|
|
|
--source-tags=[TAG,...]
|
|
A list of instance tags indicating the set of instances on the network
|
|
to which the rule applies if all other fields match. If neither
|
|
--source-ranges nor --source-tags are specified, --source-ranges
|
|
defaults to 0.0.0.0/0, which means that the rule applies to all
|
|
incoming IPv4 connections from inside or outside the network.
|
|
|
|
If both --source-ranges and --source-tags are specified, an inbound
|
|
connection is allowed if either the range of the source matches
|
|
--source-ranges or the tag of the source matches --source-tags.
|
|
|
|
Tags can be assigned to instances during instance creation.
|
|
|
|
If source tags are specified then neither a source nor target service
|
|
account can also be specified.
|
|
|
|
Setting this will override the existing source tags for the firewall.
|
|
The following will clear the existing source tags:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE --source-tags
|
|
|
|
--target-service-accounts=[EMAIL,...]
|
|
The email of a service account indicating the set of instances to which
|
|
firewall rules apply. If both target tags and target service account
|
|
are omitted, the firewall rule is applied to all instances on the
|
|
network.
|
|
|
|
If a target service account is specified then neither source tag nor
|
|
target tags can also be specified.
|
|
|
|
Setting this will override the existing target service accounts for the
|
|
firewall. The following will clear the existing target service
|
|
accounts:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE \
|
|
--target-service-accounts
|
|
|
|
--target-tags=[TAG,...]
|
|
List of instance tags indicating the set of instances on the network
|
|
which may accept connections that match the firewall rule. Note that
|
|
tags can be assigned to instances during instance creation.
|
|
|
|
If target tags are specified, then neither a source nor target service
|
|
account can also be specified.
|
|
|
|
If both target tags and target service account are omitted, all
|
|
instances on the network can receive connections that match the rule.
|
|
|
|
Setting this will override the existing target tags for the firewall.
|
|
The following will clear the existing target tags:
|
|
|
|
$ gcloud beta compute firewall-rules update MY-RULE --target-tags
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
This command is currently in beta and might change without notice. These
|
|
variants are also available:
|
|
|
|
$ gcloud compute firewall-rules update
|
|
|
|
$ gcloud alpha compute firewall-rules update
|
|
|