gcloud alpha compute firewall-rules update - update a firewall rule

gcloud alpha compute firewall-rules updateNAME[--allow=[PROTOCOL[:PORT[-PORT]],…]][--description=DESCRIPTION][--destination-ranges=[CIDR_RANGE,…]][--disabled][--[no-]enable-logging][--logging-metadata=LOGGING_METADATA][--priority=PRIORITY][--rules=[PROTOCOL[:PORT[-PORT]],…]][--source-ranges=[CIDR_RANGE,…]][--source-service-accounts=[EMAIL,…]][--source-tags=[TAG,…]][--target-service-accounts=[EMAIL,…]][--target-tags=[TAG,…]][GCLOUD_WIDE_FLAG …]

NAME

Name of the firewall rule to update.

--allow=[PROTOCOL[:PORT[-PORT]],…]

A list of protocols and ports whose traffic will be allowed.

The protocols allowed over this connection. This can be the (case-sensitive)string valuestcp,udp,icmp,esp,ah,sctp, or any IP protocol number.An IP-based protocol must be specified for each rule. The rule applies only tospecified protocol.

For port-based protocols -tcp,udp, andsctp - a list of destination ports or port ranges to which the ruleapplies may optionally be specified. If no port or port range is specified, therule applies to all destination ports.

The ICMP protocol is supported, but there is no support for configuring ICMPpacket filtering by ICMP code.

For example, to create a rule that allows TCP traffic through port 80 and ICMPtraffic:

gcloudalphacomputefirewall-rulesupdateMY-RULE--allowtcp:80,icmp

To create a rule that allows TCP traffic from port 20000 to 25000:

gcloudalphacomputefirewall-rulesupdateMY-RULE--allowtcp:20000-25000

To create a rule that allows all TCP traffic:

gcloudalphacomputefirewall-rulesupdateMY-RULE--allowtcp

Setting this will override the current values.

--description=DESCRIPTION

A textual description for the firewall rule. Set to an empty string to clearexisting.

--destination-ranges=[CIDR_RANGE,…]

The firewall rule will apply to traffic that has destination IP address in theseIP address block list. The IP address blocks must be specified in CIDR format:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.

Setting this will override the existing destination ranges for the firewall. Thefollowing will clear the existing destination ranges:

gcloudalphacomputefirewall-rulesupdateMY-RULE--destination-ranges

--disabled

Disable a firewall rule and stop it from being enforced in the network. If afirewall rule is disabled, the associated network behaves as if the rule did notexist. To enable a disabled rule, use:

gcloudalphacomputefirewall-rulesupdateMY-RULE--no-disabled

--[no-]enable-logging

Enable logging for the firewall rule. Logs will be exported to StackDriver.Firewall logging is disabled by default. To enable logging for an existing rule,run:

gcloudalphacomputefirewall-rulesupdateMY-RULE--enable-logging

To disable logging on an existing rule, run:

gcloudalphacomputefirewall-rulesupdateMY-RULE--no-enable-logging

Use--enable-logging to enable and--no-enable-loggingto disable.

--logging-metadata=LOGGING_METADATA

Adds or removes metadata fields to or from the reported firewall logs. Can onlybe specified if --enable-logging is true.LOGGING_METADATA must be one of:exclude-all,include-all.

--priority=PRIORITY

This is an integer between 0 and 65535, both inclusive. When NOT specified, thevalue assumed is 1000. Relative priority determines precedence of conflictingrules: lower priority values imply higher precedence. DENY rules take precedenceover ALLOW rules having equal priority.

--rules=[PROTOCOL[:PORT[-PORT]],…]

A list of protocols and ports to which the firewall rule will apply.

PROTOCOL is the IP protocol whose traffic will be checked. PROTOCOL can beeither the name of a well-known protocol (e.g., tcp or icmp) or the IP protocolnumber. A list of IP protocols can be found athttp://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

A port or port range can be specified after PROTOCOL to which the firewall ruleapply on traffic through specific ports. If no port or port range is specified,connections through all ranges are applied. TCP and UDP rules must include aport or port range.

Setting this will override the current values.

--source-ranges=[CIDR_RANGE,…]

A list of IP address blocks that are allowed to make inbound connections thatmatch the firewall rule to the instances on the network. The IP address blocksmust be specified in CIDR format:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.

If neither --source-ranges nor --source-tags are specified, --source-rangesdefaults to0.0.0.0/0, which means that the rule applies to allincoming IPv4 connections from inside or outside the network. If both--source-ranges and --source-tags are specified, the rule matches if either therange of the source matches --source-ranges or the tag of the source matches--source-tags.

Setting this will override the existing source ranges for the firewall. Thefollowing will clear the existing source ranges:

gcloudalphacomputefirewall-rulesupdateMY-RULE--source-ranges

--source-service-accounts=[EMAIL,…]

The email of a service account indicating the set of instances on the networkwhich match a traffic source in the firewall rule.

If a source service account is specified then neither source tags nor targettags can also be specified.

Setting this will override the existing source service accounts for thefirewall. The following will clear the existing source service accounts:

gcloudalphacomputefirewall-rulesupdateMY-RULE--source-service-accounts

--source-tags=[TAG,…]

A list of instance tags indicating the set of instances on the network to whichthe rule applies if all other fields match. If neither --source-ranges nor--source-tags are specified, --source-ranges defaults to0.0.0.0/0,which means that the rule applies to all incoming IPv4 connections from insideor outside the network.

If both --source-ranges and --source-tags are specified, an inbound connectionis allowed if either the range of the source matches --source-ranges or the tagof the source matches --source-tags.

Tags can be assigned to instances during instance creation.

If source tags are specified then neither a source nor target service accountcan also be specified.

Setting this will override the existing source tags for the firewall. Thefollowing will clear the existing source tags:

gcloudalphacomputefirewall-rulesupdateMY-RULE--source-tags

--target-service-accounts=[EMAIL,…]

The email of a service account indicating the set of instances to which firewallrules apply. If both target tags and target service account are omitted, thefirewall rule is applied to all instances on the network.

If a target service account is specified then neither source tag nor target tagscan also be specified.

Setting this will override the existing target service accounts for thefirewall. The following will clear the existing target service accounts:

gcloudalphacomputefirewall-rulesupdateMY-RULE--target-service-accounts

--target-tags=[TAG,…]

List of instance tags indicating the set of instances on the network which mayaccept connections that match the firewall rule. Note that tags can be assignedto instances during instance creation.

If target tags are specified, then neither a source nor target service accountcan also be specified.

If both target tags and target service account are omitted, all instances on thenetwork can receive connections that match the rule.

Setting this will override the existing target tags for the firewall. Thefollowing will clear the existing target tags:

gcloudalphacomputefirewall-rulesupdateMY-RULE--target-tags

Run$gcloud help for details.