Submitting firewall change proposals¶
This guide shows how to propose firewall rule changes using the DRE CLI. It reflects the exact behavior of the dre firewall
command as implemented in the source code, so the steps and flags below are guaranteed to work.
Prerequisites¶
- DRE CLI installed and on your PATH.
- A proposing neuron configured (HSM or private key).
- Access to the target network (e.g., mainnet).
Helpful globals you can pass to any command:
- --network <mainnet|staging|testnet>
- --private-key-pem <path>
or HSM flags
- --dry-run
to simulate first
- -y, --yes
to auto-confirm
- --forum-post-link <URL|discourse|ask|omit>
to control forum posting
See dre firewall --help
and the Authentication Options in the main README for details.
Scopes¶
Rules are stored per scope. The command accepts exactly these scope strings:
- global
- replica_nodes
- api_boundary_nodes
- subnet(<SUBNET_ID>)
e.g., subnet(pjljw-...)
- node(<NODE_ID>)
e.g., node(z6jp6-...)
Inspect current rules (recommended)¶
# Example: view current global rules
dre get firewall-rules global | jq
# Or for replica nodes
dre get firewall-rules replica_nodes | jq
Make a change via the interactive editor¶
Run:
# Minimal required flags
dre firewall \
--rules-scope global \
--summary "<what and why; include forum link if you have it>"
--title "Proposal to modify firewall rules"
(defaults to that value if omitted)
- --forum-post-link <URL|discourse|ask|omit>
- --dry-run
to simulate; rerun without it to submit
- --yes
to skip the confirmation prompt, if desired
What happens:
1. The tool fetches the current rules for the given scope and opens your $EDITOR
with a JSON document.
2. The JSON is a map of position -> rule
, where positions are integers starting at 0 (order matters). Example structure:
Important details based on the implementation: - The tool determines your intent by comparing the edited JSON to the original: - New key -> addition - Same key with different value -> update - Removed key -> removal - Only one type of change is submitted per run (add OR update OR remove). If you mix types, the tool will only submit one batch (the last-by-type after sorting). For multiple types, run the command multiple times. - Keep the rule object shape consistent with existing rules (field names and types). The safest approach is to copy an existing rule and adjust ports, prefixes, and comment. - To append to the end, use the next integer position. Do not renumber existing keys unless you intend to update or remove those rules.
Example: allow DFINITY observability to attest SEV-protected nodes (global)¶
Goal: open TCP port 19523 to a small set of IPv6 prefixes, at global scope.
1) Preview current rules to find a similar ALLOW rule to copy its field names and valid action
value:
dre firewall \
--rules-scope global \
--title "Allow the DFINITY observability stack to remotely attest SEV-protected nodes" \
--summary "We propose to allow the DFINITY observability stack to access the remote attestation endpoint on TCP port 19523. This access is essential for monitoring and attesting SEV-protected nodes. It allows the DFINITY observability stack to periodically fetch an attestation report and verify it. For details, see: <FORUM POST URL>" \
--forum-post-link <FORUM POST URL> \
--dry-run
Example using a local summary file and the --forum
alias:
dre firewall \
--summary "$(cat 2025-10-07-observability-remote-attestation-summary.md)" \
--rules-scope global \
--forum https://forum.dfinity.org/t/nns-proposal-enabling-remote-attestation-for-dfinity-observability/58611
{
"0": {
"ipv4_prefixes": [],
"ipv6_prefixes": [
"2602:fb2b:100:12::/64",
"2602:fb2b:120:12::/64",
"2602:fb2b:110:12::/64"
],
"ports": [
19523
],
"action": 1,
"comment": "remote attestation for DFINITY obs stack"
}
}
action
value as existing ALLOW rules in your environment.
Notes:
- Copy the action
value from an existing ALLOW rule in your current ruleset to ensure it matches the expected enum/representation.
- If your environment stores other required fields (e.g., protocol), keep them as in the copied template and adjust as needed.
- Some environments include extra fields such as user
and direction
. Preserve them as seen in your existing rules unless you intentionally need to change them.
4) Save and exit the editor. The tool prints a pretty diff and simulates the proposal, computing a content hash.
5) If the simulation looks correct, rerun without --dry-run
. Add --yes
to skip confirmation if desired:
dre firewall \
--rules-scope global \
--title "Allow the DFINITY observability stack to remotely attest SEV-protected nodes" \
--summary "We propose to allow the DFINITY observability stack to access the remote attestation endpoint on TCP port 19523. This access is essential for monitoring and attesting SEV-protected nodes. It allows the DFINITY observability stack to periodically fetch an attestation report and verify it. For details, see: <FORUM POST URL>" \
--forum <FORUM POST URL>
Tips¶
- Always dry-run first to review the diff and the generated
ic-admin propose-to-...
command. - Submit additions, updates, and removals in separate runs.
- Prefer appending new rules to the end unless you have a specific ordering requirement.
- Keep comments clear; include a forum link in the summary to aid reviewers.
Replica nodes rules: common workflow¶
Replica nodes (replica_nodes
) scope is the most commonly changed set of rules. The workflow is identical to the global example above, but you pass --rules-scope replica_nodes
and copy field shapes from the current replica ruleset.
1) Inspect current replica rules and note the action
value used for ALLOW and any extra fields:
2) Run the interactive editor in dry-run first:
dre firewall \
--rules-scope replica_nodes \
--title "Open TCP 19523 for SEV attestation to DFINITY observability" \
--summary "Allow DFINITY observability prefixes to access TCP 19523 for remote attestation on all replica nodes. See: <FORUM POST URL>" \
--forum-post-link <FORUM POST URL> \
--dry-run
3) Append a new entry at the next available integer key. Use the same action
value as other ALLOW rules in the replica ruleset, and preserve optional fields if present:
"<NEXT_INDEX>": {
"ipv4_prefixes": [],
"ipv6_prefixes": [
"2602:fb2b:100:12::/64",
"2602:fb2b:120:12::/64",
"2602:fb2b:110:12::/64"
],
"ports": [19523],
"action": <copy from an existing ALLOW rule>,
"comment": "remote attestation for DFINITY obs stack",
"user": null,
"direction": null
}
4) Save and exit to simulate. If correct, rerun without --dry-run
(optionally with --yes
). Submit additions, updates, and removals as separate runs if you need multiple kinds of changes.