{"data":[{"created":"2018-01-01T00:01:01","id":123,"label":"firewall123","rules":{"inbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"inbound_policy":"DROP","outbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"outbound_policy":"DROP"},"status":"enabled","tags":["example tag","another example"],"updated":"2018-01-02T00:01:01"}],"page":1,"pages":1,"results":1}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Returns an array of Firewalls.
data
array
of objects
created
string<date-time>
When this Firewall was created.
id
integer
The Firewall’s unique ID.
label
string
3..32
characters
The Firewall’s label, for display purposes only.
Firewall labels have the following constraints:
Must begin and end with an alphanumeric character.
May only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.).
Cannot have two hyphens (--), underscores (__) or periods (..) in a row.
Must be between 3 and 32 characters.
Must be unique.
rules
object
The inbound and outbound access rules to apply to the Firewall.
A Firewall may have up to 25 rules across its inbound and outbound rulesets.
Multiple rules are applied in order. If two rules conflict, the first rule takes precedence. For example, if the first rule accepts inbound traffic from an address, and the second rule drops inbound traffic the same address, the first rule applies and inbound traffic from that address is accepted.
inbound
array
of objects
The inbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
status
string
Enum:
enableddisableddeleted
The status of this Firewall.
When a Firewall is first created its status is enabled.
Use the
Update Firewall
endpoint to set a Firewall’s status to enabled or disabled.
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall Create
POST
https://api.linode.com/v4/networking/firewalls
Creates a Firewall to filter network traffic.
Use the rules property to create inbound and outbound access rules.
Use the devices property to assign the Firewall to a service and apply its Rules to the device. Requires read_writeUser’s Grants
to the device.
Currently, Firewalls can be assigned to Linode compute instances and NodeBalancers.
A Firewall can be assigned to multiple services at a time.
A Firewall can be assigned during Linode creation by utilizing the firewall_idLinode Create Request
property.
A service can have one active, assigned Firewall at a time.
Additional disabled Firewalls can be assigned to a service, but they cannot be enabled if another active Firewall is already assigned to the same service.
Firewalls apply to all of a Linode’s non-vlan purpose Configuration Profile Interfaces.
Assigned Linodes must not have any ongoing live migrations.
A firewall_create Event is generated when this endpoint returns successfully.
Devices to create for this Firewall.
When a Device is created, the Firewall is assigned to its associated service.
Currently, Devices can be created for Linode compute instances and NodeBalancers.
Additional devices can be assigned after Firewall creation by using the Firewall Device Create
command.
linodes
array
of integers
An array of Linode IDs. A Firewall Device is created for each ID.
nodebalancers
array
of integers
An array containing a NodeBalancer ID. A Firewall Device is created for the ID.
Only one NodeBalancer can be assigned to a Firewall at a time.
Firewalls only apply to inbound TCP traffic to NodeBalancers.
label
Required
string
3..32
characters
The Firewall’s label, for display purposes only.
Firewall labels have the following constraints:
Must begin and end with an alphanumeric character.
May only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.).
Cannot have two hyphens (--), underscores (__) or periods (..) in a row.
Must be between 3 and 32 characters.
Must be unique.
rules
Required
object
The inbound and outbound access rules to apply to the Firewall.
A Firewall may have up to 25 rules across its inbound and outbound rulesets.
Multiple rules are applied in order. If two rules conflict, the first rule takes precedence. For example, if the first rule accepts inbound traffic from an address, and the second rule drops inbound traffic the same address, the first rule applies and inbound traffic from that address is accepted.
inbound
array
of objects
The inbound rules for the firewall, as a JSON array.
action
Required
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
Required
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
Required
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
Required
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
Required
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
Required
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
Required
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
Required
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
tags
array
of strings
An array of tags applied to this object. Tags are for organizational purposes only.
Response Samples
{"created":"2018-01-01T00:01:01","id":123,"label":"firewall123","rules":{"inbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"inbound_policy":"DROP","outbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"outbound_policy":"DROP"},"status":"enabled","tags":["example tag","another example"],"updated":"2018-01-02T00:01:01"}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Returns information about the created Firewall.
created
string<date-time>
When this Firewall was created.
id
integer
The Firewall’s unique ID.
label
string
3..32
characters
The Firewall’s label, for display purposes only.
Firewall labels have the following constraints:
Must begin and end with an alphanumeric character.
May only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.).
Cannot have two hyphens (--), underscores (__) or periods (..) in a row.
Must be between 3 and 32 characters.
Must be unique.
rules
object
The inbound and outbound access rules to apply to the Firewall.
A Firewall may have up to 25 rules across its inbound and outbound rulesets.
Multiple rules are applied in order. If two rules conflict, the first rule takes precedence. For example, if the first rule accepts inbound traffic from an address, and the second rule drops inbound traffic the same address, the first rule applies and inbound traffic from that address is accepted.
inbound
array
of objects
The inbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
status
string
Enum:
enableddisableddeleted
The status of this Firewall.
When a Firewall is first created its status is enabled.
Use the
Update Firewall
endpoint to set a Firewall’s status to enabled or disabled.
An array of tags applied to this object. Tags are for organizational purposes only.
updated
string<date-time>
When this Firewall was last updated.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Delete Successful.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall View
GET
https://api.linode.com/v4/networking/firewalls/{firewallId}
Get a specific Firewall resource by its ID. The Firewall’s Devices will not be
returned in the response. Instead, use the
List Firewall Devices
endpoint to review them.
{"created":"2018-01-01T00:01:01","id":123,"label":"firewall123","rules":{"inbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"inbound_policy":"DROP","outbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"outbound_policy":"DROP"},"status":"enabled","tags":["example tag","another example"],"updated":"2018-01-02T00:01:01"}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Returns information about this Firewall.
created
string<date-time>
When this Firewall was created.
id
integer
The Firewall’s unique ID.
label
string
3..32
characters
The Firewall’s label, for display purposes only.
Firewall labels have the following constraints:
Must begin and end with an alphanumeric character.
May only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.).
Cannot have two hyphens (--), underscores (__) or periods (..) in a row.
Must be between 3 and 32 characters.
Must be unique.
rules
object
The inbound and outbound access rules to apply to the Firewall.
A Firewall may have up to 25 rules across its inbound and outbound rulesets.
Multiple rules are applied in order. If two rules conflict, the first rule takes precedence. For example, if the first rule accepts inbound traffic from an address, and the second rule drops inbound traffic the same address, the first rule applies and inbound traffic from that address is accepted.
inbound
array
of objects
The inbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
status
string
Enum:
enableddisableddeleted
The status of this Firewall.
When a Firewall is first created its status is enabled.
Use the
Update Firewall
endpoint to set a Firewall’s status to enabled or disabled.
An array of tags applied to this object. Tags are for organizational purposes only.
updated
string<date-time>
When this Firewall was last updated.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall Update
PUT
https://api.linode.com/v4/networking/firewalls/{firewallId}
Updates information for a Firewall.
Assigned Linodes must not have any ongoing live migrations.
If a Firewall’s status is changed with this endpoint, a corresponding firewall_enable or
firewall_disable Event will be generated.
Some parts of a Firewall’s configuration cannot
be manipulated by this endpoint:
A Firewall’s Devices cannot be set with this endpoint. Instead, use the
Create Firewall Device
and
Delete Firewall Device
endpoints to assign and remove this Firewall from services.
A Firewall’s Rules cannot be changed with this endpoint. Instead, use the
Update Firewall Rules
endpoint to update your Rules.
A Firewall’s status can be set to enabled or disabled by this endpoint, but it cannot be
set to deleted. Instead, use the
Delete Firewall
endpoint to delete a Firewall.
An array of tags applied to this object. Tags are for organizational purposes only.
Response Samples
{"created":"2018-01-01T00:01:01","id":123,"label":"firewall123","rules":{"inbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"inbound_policy":"DROP","outbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"outbound_policy":"DROP"},"status":"enabled","tags":["example tag","another example"],"updated":"2018-01-02T00:01:01"}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Firewall updated successfully.
created
string<date-time>
When this Firewall was created.
id
integer
The Firewall’s unique ID.
label
string
3..32
characters
The Firewall’s label, for display purposes only.
Firewall labels have the following constraints:
Must begin and end with an alphanumeric character.
May only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.).
Cannot have two hyphens (--), underscores (__) or periods (..) in a row.
Must be between 3 and 32 characters.
Must be unique.
rules
object
The inbound and outbound access rules to apply to the Firewall.
A Firewall may have up to 25 rules across its inbound and outbound rulesets.
Multiple rules are applied in order. If two rules conflict, the first rule takes precedence. For example, if the first rule accepts inbound traffic from an address, and the second rule drops inbound traffic the same address, the first rule applies and inbound traffic from that address is accepted.
inbound
array
of objects
The inbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
status
string
Enum:
enableddisableddeleted
The status of this Firewall.
When a Firewall is first created its status is enabled.
Use the
Update Firewall
endpoint to set a Firewall’s status to enabled or disabled.
An array of tags applied to this object. Tags are for organizational purposes only.
updated
string<date-time>
When this Firewall was last updated.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall Devices List
GET
https://api.linode.com/v4/networking/firewalls/{firewallId}/devices
Returns a paginated list of a Firewall’s Devices. A Firewall Device assigns a Firewall to a service (referred to as the Device’s entity).
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall Device Create
POST
https://api.linode.com/v4/networking/firewalls/{firewallId}/devices
Creates a Firewall Device, which assigns a Firewall to a service (referred to
as the Device’s entity) and applies the Firewall’s Rules to the device.
Currently, Devices with linode and nodebalancer entity types are accepted.
Firewalls only apply to inbound TCP traffic to NodeBalancers.
A Firewall can be assigned to multiple services at a time.
A service can have one active, assigned Firewall at a time.
Additional disabled Firewalls can be assigned to a service, but they cannot be enabled if another active Firewall is already assigned to the same service.
Assigned Linodes must not have any ongoing live migrations.
A firewall_device_add Event is generated when the Firewall Device is added successfully.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Returns information about the created Firewall Device.
created
string<date-time>
When this Device was created.
entity
object
The compute service that this Firewall has been applied to.
id
integer
The entity’s ID
label
string
The entity’s label.
type
string
Enum:
linodenodebalancer
The entity’s type.
url
string<url>
The API URL path you can use to access this entity.
id
integer
The Device’s unique ID
updated
string<date-time>
When this Device was last updated.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Removes a Firewall Device, which removes a Firewall from the service it was
assigned to by the Device. This removes all of the Firewall’s Rules from the
service. If any other Firewalls have been assigned to the service, then those Rules
remain in effect.
Assigned Linodes must not have any ongoing live migrations.
A firewall_device_remove Event is generated when the Firewall Device is removed successfully.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Delete Successful.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall Device View
GET
https://api.linode.com/v4/networking/firewalls/{firewallId}/devices/{deviceId}
Returns information for a Firewall Device, which assigns a Firewall
to a service (referred to as the Device’s entity).
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
The requested Firewall Device.
created
string<date-time>
When this Device was created.
entity
object
The compute service that this Firewall has been applied to.
id
integer
The entity’s ID
label
string
The entity’s label.
type
string
Enum:
linodenodebalancer
The entity’s type.
url
string<url>
The API URL path you can use to access this entity.
id
integer
The Device’s unique ID
updated
string<date-time>
When this Device was last updated.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall Rules List
GET
https://api.linode.com/v4/networking/firewalls/{firewallId}/rules
Returns the inbound and outbound Rules for a Firewall.
{"inbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"inbound_policy":"DROP","outbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"outbound_policy":"DROP"}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
The requested Firewall Rules.
inbound
array
of objects
The inbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Firewall Rules Update
PUT
https://api.linode.com/v4/networking/firewalls/{firewallId}/rules
Updates the inbound and outbound Rules for a Firewall.
Assigned Linodes must not have any ongoing live migrations.
Note: This command replaces all of a Firewall’s inbound and outbound rulesets with the values specified in your request.
The inbound rules for the firewall, as a JSON array.
action
Required
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
Required
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
Required
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
Required
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
Required
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
Required
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
Response Samples
{"inbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"inbound_policy":"DROP","outbound":[{"action":"ACCEPT","addresses":{"ipv4":["192.0.2.0/24","198.51.100.2/32"],"ipv6":["2001:DB8::/128"]},"description":"An example firewall rule description.","label":"firewallrule123","ports":"22-24, 80, 443","protocol":"TCP"}],"outbound_policy":"DROP"}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Firewall Rules updated successfully.
inbound
array
of objects
The inbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
inbound_policy
string
Enum:
ACCEPTDROP
The default behavior for inbound traffic. This setting can be overridden by
updating
the inbound.action property of the Firewall Rule.
outbound
array
of objects
The outbound rules for the firewall, as a JSON array.
action
string
Enum:
ACCEPTDROP
Controls whether traffic is accepted or dropped by this rule. Overrides the Firewall’s inbound_policy if this is an inbound rule, or the outbound_policy if this is an outbound rule.
addresses
object
The IPv4 and/or IPv6 addresses affected by this rule. A Rule can have up to 255 total addresses or networks listed across its IPv4 and IPv6 arrays. A network and a single IP are treated as equivalent when accounting for this limit.
Must contain ipv4, ipv6, or both.
ipv4
array
of strings
A list of IPv4 addresses or networks. Addresses must be in IP/mask format. Must not be an empty list.
If “0.0.0.0/0” is included in this list, all IPv4 addresses are affected by this rule.
ipv6
array
of strings
A list of IPv6 addresses or networks. Addresses must be in IP/mask format and must not include zone_id notation as described in RFC 4007
. Must not be an empty list.
If “::/0” is included in this list, all IPv6 addresses are affected by this rule.
description
string
1..100
characters
Used to describe this rule. For display purposes only.
label
string
3..32
characters
Used to identify this rule. For display purposes only.
ports
Nullable
string
A string representing the port or ports affected by this rule:
The string may be a single port, a range of ports, or a comma-separated list of single ports and port ranges. A space is permitted following each comma.
A range of ports is inclusive of the start and end values for the range. The end value of the range must be greater than the start value.
Ports must be within 1 and 65535, and may not contain any leading zeroes. For example, port “080” is not allowed.
The ports string can have up to 15 pieces, where a single port is treated as one piece, and a port range is treated as two pieces. For example, the string “22-24, 80, 443” has four pieces.
If no ports are configured, all ports are affected.
Only allowed for the TCP and UDP protocols. Ports are not allowed for the ICMP and IPENCAP protocols.
protocol
string
Enum:
TCPUDPICMPIPENCAP
The type of network traffic affected by this rule.
outbound_policy
string
Enum:
ACCEPTDROP
The default behavior for outbound traffic. This setting can be overridden by
updating
the outbound.action property of the Firewall Rule.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IP Addresses List
GET
https://api.linode.com/v4/networking/ips
Returns a paginated list of IP addresses on your account, excluding private addresses.
Note: Use the skip_ipv6_rdns query string to improve performance if your application frequently accesses this command and doesn’t require IPv6 RDNS data.
Authorizations
personalAccessToken
oauth
ips:read_only
Query Parameters
skip_ipv6_rdns
Type:
boolean
Default:
false
Default:
false
When true, the rdns property for any ipv6 type addresses always returns null regardless of whether RDNS data exists for the address.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
A paginated list of IP Addresses.
data
array
of objects
address
string<ip>
The IP address.
gateway
Nullable
string<ip>
The default gateway for this address.
linode_id
integer
The ID of the Linode this address currently belongs to. For IPv4 addresses, this defaults to the Linode that this address was assigned to on creation. IPv4 addresses may be moved using the
/networking/ipv4/assign
endpoint. For SLAAC and link-local addresses, this value may not be changed.
prefix
integer
The number of bits set in the subnet mask.
public
boolean
Whether this is a public or private IP address.
rdns
Nullable
string
The reverse DNS assigned to this address. For public IPv4 addresses, this will be set to a default value provided by Linode if not explicitly set.
region
string
The Region this IP address resides in.
subnet_mask
string<ip>
The mask that separates host bits from network bits for this address.
type
string
Enum:
ipv4ipv6ipv6/poolipv6/range
The type of address this is.
vpc_nat_1_1
object
IPv4 address configured as a 1:1 NAT for this Interface. Empty if no address is configured as a 1:1 NAT.
Note: Only allowed for vpc type Interfaces.
address
string<ipv4>
The IPv4 address that is configured as a 1:1 NAT for this VPC interface.
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IP Address Allocate
POST
https://api.linode.com/v4/networking/ips
Allocates a new IPv4 Address on your Account. The Linode must be configured to support additional addresses - please
open a support ticket
requesting additional addresses before attempting allocation.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
IP Address allocated successfully.
address
string<ip>
The IP address.
gateway
Nullable
string<ip>
The default gateway for this address.
linode_id
integer
The ID of the Linode this address currently belongs to. For IPv4 addresses, this is by default the Linode that this address was assigned to on creation, and these addresses my be moved using the
/networking/ipv4/assign
endpoint. For SLAAC and link-local addresses, this value may not be changed.
prefix
integer
The number of bits set in the subnet mask.
public
boolean
Whether this is a public or private IP address.
rdns
Nullable
string
The reverse DNS assigned to this address. For public IPv4 addresses, this will be set to a default value provided by Linode if not explicitly set.
region
string
The Region this IP address resides in.
subnet_mask
string<ip>
The mask that separates host bits from network bits for this address.
type
string
Enum:
ipv4ipv6ipv6/poolipv6/range
The type of address this is.
vpc_nat_1_1
object
IPv4 address configured as a 1:1 NAT for this Interface. If no address is configured as a 1:1 NAT, null is returned.
Note: Only allowed for vpc type Interfaces.
address
string<ipv4>
The IPv4 address that is configured as a 1:1 NAT for this VPC interface.
subnet_id
integer
The id of the VPC Subnet for this Interface.
vpc_id
integer
The id of the VPC configured for this Interface.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IP Addresses Assign
POST
https://api.linode.com/v4/networking/ips/assign
Assign multiple IPv4 addresses and/or IPv6 ranges to multiple Linodes in one Region. This allows swapping, shuffling, or otherwise reorganizing IPs to your Linodes.
The following restrictions apply:
All Linodes involved must have at least one public IPv4 address after assignment.
Linodes may have no more than one assigned private IPv4 address.
Linodes may have no more than one assigned IPv6 range.
Shared IP addresses cannot be swapped between Linodes.
Open a Support Ticket
to request additional IPv4 addresses or IPv6 ranges beyond standard account limits.
Note: Removing an IP address that has been set as a Managed Linode’s ssh.ip causes the Managed Linode’s SSH access settings to reset to their default values. To view and configure Managed Linode SSH settings, use the following commands:
The list of assignments to make. You must have read_write access to all IPs being assigned and all Linodes being assigned to in order for the assignments to succeed.
address
Required
string<ipv4|ipv6/prefix_length>
The IPv4 address or IPv6 range for this assignment.
Must be an IPv4 address or an IPv6 range you can access in the Region specified.
IPv6 ranges must include a prefix length of /56 or /64, for example: 2001:db8:3c4d:15::/64.
Assignment of an IPv6 range to a Linode updates the route target of the range to the assigned Linode’s SLAAC address.
May be a public or private address.
linode_id
Required
integer
The ID of the Linode to assign this address to. The IP’s previous Linode will lose this address, and must end up with at least one public address and no more than one private address once all assignments have been made.
region
Required
string
The ID of the Region in which these assignments are to take place. All IPs and Linodes must exist in this Region.
Response Samples
{}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
All assignments completed successfully.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IP Addresses Share
POST
https://api.linode.com/v4/networking/ips/share
Configure shared IPs.
IP sharing allows IP address reassignment (also referred to as IP failover) from one Linode to another if the primary Linode becomes unresponsive. This means that requests to the primary Linode’s IP address can be automatically rerouted to secondary Linodes at the configured shared IP addresses.
IP failover requires configuration of a failover service (such as
Keepalived
) within the internal system of the primary Linode.
Note: A public IPv4 address cannot be shared if it is configured for a 1:1 NAT on a vpc purpose Configuration Profile Interface.
A list of secondary Linode IPs to share with the primary Linode.
Can include both IPv4 addresses and IPv6 ranges (omit /56 and /64 prefix lengths)
Can include both private and public IPv4 addresses.
You must have access to all of these addresses and they must be in the same Region as the primary Linode.
Enter an empty array to remove all shared IP addresses.
linode_id
Required
integer
The ID of the primary Linode that the addresses will be shared with.
Response Samples
{}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
IP Address sharing successful.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IP Address View
GET
https://api.linode.com/v4/networking/ips/{address}
Returns information about a single IP Address on your Account.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
The requested IP Address.
address
string<ip>
The IP address.
gateway
Nullable
string<ip>
The default gateway for this address.
linode_id
integer
The ID of the Linode this address currently belongs to. For IPv4 addresses, this is by default the Linode that this address was assigned to on creation, and these addresses my be moved using the
/networking/ipv4/assign
endpoint. For SLAAC and link-local addresses, this value may not be changed.
prefix
integer
The number of bits set in the subnet mask.
public
boolean
Whether this is a public or private IP address.
rdns
Nullable
string
The reverse DNS assigned to this address. For public IPv4 addresses, this will be set to a default value provided by Linode if not explicitly set.
region
string
The Region this IP address resides in.
subnet_mask
string<ip>
The mask that separates host bits from network bits for this address.
type
string
Enum:
ipv4ipv6ipv6/poolipv6/range
The type of address this is.
vpc_nat_1_1
object
IPv4 address configured as a 1:1 NAT for this Interface. If no address is configured as a 1:1 NAT, null is returned.
Note: Only allowed for vpc type Interfaces.
address
string<ipv4>
The IPv4 address that is configured as a 1:1 NAT for this VPC interface.
subnet_id
integer
The id of the VPC Subnet for this Interface.
vpc_id
integer
The id of the VPC configured for this Interface.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IP Address RDNS Update
PUT
https://api.linode.com/v4/networking/ips/{address}
Sets RDNS on an IP Address. Forward DNS must already be set up for reverse DNS to be applied. If you set the RDNS to null for public IPv4 addresses, it will be reset to the default ip.linodeusercontent.com RDNS value.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
RDNS set successfully
address
string<ip>
The IP address.
gateway
Nullable
string<ip>
The default gateway for this address.
linode_id
integer
The ID of the Linode this address currently belongs to. For IPv4 addresses, this is by default the Linode that this address was assigned to on creation, and these addresses my be moved using the
/networking/ipv4/assign
endpoint. For SLAAC and link-local addresses, this value may not be changed.
prefix
integer
The number of bits set in the subnet mask.
public
boolean
Whether this is a public or private IP address.
rdns
Nullable
string
The reverse DNS assigned to this address. For public IPv4 addresses, this will be set to a default value provided by Linode if not explicitly set.
region
string
The Region this IP address resides in.
subnet_mask
string<ip>
The mask that separates host bits from network bits for this address.
type
string
Enum:
ipv4ipv6ipv6/poolipv6/range
The type of address this is.
vpc_nat_1_1
object
IPv4 address configured as a 1:1 NAT for this Interface. If no address is configured as a 1:1 NAT, null is returned.
Note: Only allowed for vpc type Interfaces.
address
string<ipv4>
The IPv4 address that is configured as a 1:1 NAT for this VPC interface.
subnet_id
integer
The id of the VPC Subnet for this Interface.
vpc_id
integer
The id of the VPC configured for this Interface.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
Linodes Assign IPv4s
POST
https://api.linode.com/v4/networking/ipv4/assign
Assign multiple IPv4 addresses and/or IPv6 ranges to multiple Linodes in one Region. This allows swapping, shuffling, or otherwise reorganizing IPs to your Linodes.
The following restrictions apply:
All Linodes involved must have at least one public IPv4 address after assignment.
Linodes may have no more than one assigned private IPv4 address.
Linodes may have no more than one assigned IPv6 range.
Open a Support Ticket
to request additional IPv4 addresses or IPv6 ranges beyond standard account limits.
Note: Removing an IP address that has been set as a Managed Linode’s ssh.ip causes the Managed Linode’s SSH access settings to reset to their default values. To view and configure Managed Linode SSH settings, use the following commands:
The list of assignments to make. You must have read_write access to all IPs being assigned and all Linodes being assigned to in order for the assignments to succeed.
address
Required
string<ipv4|ipv6/prefix_length>
The IPv4 address or IPv6 range for this assignment.
Must be an IPv4 address or an IPv6 range you can access in the Region specified.
IPv6 ranges must include a prefix length of /56 or /64, for example: 2001:db8:3c4d:15::/64.
Assignment of an IPv6 range to a Linode updates the route target of the range to the assigned Linode’s SLAAC address.
May be a public or private address.
linode_id
Required
integer
The ID of the Linode to assign this address to. The IP’s previous Linode will lose this address, and must end up with at least one public address and no more than one private address once all assignments have been made.
region
Required
string
The ID of the Region in which these assignments are to take place. All IPs and Linodes must exist in this Region.
Response Samples
{}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
All assignments completed successfully.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IPv4 Sharing Configure
POST
https://api.linode.com/v4/networking/ipv4/share
IP sharing allows IP address reassignment (also referred to as IP failover) from one Linode to another if the primary Linode becomes unresponsive. This means that requests to the primary Linode’s IP address can be automatically rerouted to secondary Linodes at the configured shared IP addresses.
IP failover requires configuration of a failover service (such as
Keepalived
) within the internal system of the primary Linode.
A list of secondary Linode IPs to share with the primary Linode.
Can include both IPv4 addresses and IPv6 ranges (omit /56 and /64 prefix lengths)
Can include both private and public IPv4 addresses.
You must have access to all of these addresses and they must be in the same Region as the primary Linode.
Enter an empty array to remove all shared IP addresses.
linode_id
Required
integer
The ID of the primary Linode that the addresses will be shared with.
Response Samples
{}
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Sharing configured successfully.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IPv6 Pools List
GET
https://api.linode.com/v4/networking/ipv6/pools
Displays the IPv6 pools on your Account. A pool of IPv6 addresses are routed to all of your Linodes in a single
Region
. Any Linode on your Account may bring up any address in this pool at any time, with no external configuration required.
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IPv6 Ranges List
GET
https://api.linode.com/v4/networking/ipv6/ranges
Displays the IPv6 ranges on your Account.
An IPv6 range is a /64 or /54 block of IPv6 addresses routed to a single Linode in a given
Region
.
Your Linode is responsible for routing individual addresses in the range, or handling traffic for all the addresses in the range.
Access the IPv6 Range Create (
POST /networking/ipv6/ranges
) endpoint to add a /64 or /56 block of IPv6 addresses to your account.
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IPv6 Range Create
POST
https://api.linode.com/v4/networking/ipv6/ranges
Creates an IPv6 Range and assigns it based on the provided Linode or route target IPv6 SLAAC address. See the ipv6 property when accessing the Linode View (
GET /linode/instances/{linodeId}
) endpoint to view a Linode’s IPv6 SLAAC address.
Either linode_id or route_target is required in a request.
linode_id and route_target are mutually exclusive. Submitting values for both properties in a request results in an error.
Upon a successful request, an IPv6 range is created in the
Region
that corresponds to the provided linode_id or route_target.
Your Linode is responsible for routing individual addresses in the range, or handling traffic for all the addresses in the range.
Access the IP Addresses Assign (
POST /networking/ips/assign
) endpoint to re-assign IPv6 Ranges to your Linodes.
Note: The following restrictions apply:
A Linode can only have one IPv6 range targeting its SLAAC address.
An account can only have one IPv6 range in each
Region
.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
IPv6 range created successfully.
range
string<ipv6/prefix_length>
The IPv6 network range, including subnet and prefix length.
route_target
string<ipv6>
The route target IPV6 SLAAC address for this range. Does not include the prefix length.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
IPv6 Range deleted.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
IPv6 Range View
GET
https://api.linode.com/v4/networking/ipv6/ranges/{range}
View IPv6 range information.
Authorizations
personalAccessToken
oauth
ips:read
Path Parameters
range
string<ipv6>Required
The IPv6 range to access. Corresponds to the range property of objects returned from the IPv6 Ranges List (
GET /networking/ipv6/ranges
) command.
{"errors":[{"field":"fieldname","reason":"fieldname must be a valid value"}]}
Responses
Returns IPv6 range information.
is_bgp
boolean
Whether this IPv6 range is shared.
linodes
array
of integers
A list of Linodes targeted by this IPv6 range. Includes Linodes with IP sharing.
prefix
integer
The prefix length of the address. The total number of addresses that can be assigned from this range is calculated as 2(128 - prefix length).
range
string
The IPv6 address of this range.
region
string
The region for this range of IPv6 addresses.
Error
errors
array
of objects
field
string
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.
VLANs List
GET
https://api.linode.com/v4/networking/vlans
Returns a list of all Virtual Local Area Networks (VLANs) on your Account. VLANs provide
a mechanism for secure communication between two or more Linodes that are assigned to the
same VLAN and are both within the same Layer 2 broadcast domain.
VLANs are created and attached to Linodes by using the interfaces property for the following endpoints:
Note: Only Next Generation Network (NGN) data centers support VLANs. Use the Regions (
/regions
) endpoint to view the capabilities of data center regions. If a VLAN is attached to your Linode and you attempt to migrate or clone it to a non-NGN data center, the migration or cloning will not initiate. If a Linode cannot be migrated because of an incompatibility, you will be prompted to select a different data center or contact support.
Note: See the
VLANs Overview
to view additional specifications and limitations.
The field in the request that caused this error. This may be a path, separated by periods in the case of nested fields. In some cases this may come back as “null” if the error is not specific to any single element of the request.
reason
string
What happened to cause this error. In most cases, this can be fixed immediately by changing the data you sent in the request, but in some cases you will be instructed to
open a Support Ticket
or perform some other action before you can complete the request successfully.