Updated May 8, 2026

Raff’s Firewall is a stateful, port-based filter that applies to a VM’s public network interface. It comes in two layers that always run together:
  1. Raff Default Firewall — system-managed, attached to every public interface automatically. It blocks five known dangerous ports (Windows file-sharing, MS-RPC, WinRM) and otherwise allows all other inbound traffic and all outbound traffic. You don’t toggle it; it’s always on.
  2. Your Firewall Groups — custom rule sets you create and attach to specific VMs. They stack on top of the Default to allow or deny exactly the ports and source IPs you need.
Both layers evaluate every packet on a public interface. Traffic over a VPC’s private network is not filtered — a Firewall Group only affects packets entering or leaving via a public IP.
Stateful — what it means for you. Because the firewall tracks connections, you only write rules for the direction the connection is initiated. Reply traffic on the same connection is automatically allowed.
  • Allow inbound TCP/443 to your web server → return packets back to the client are handled automatically. You do not need an outbound rule for replies.
  • Allow outbound TCP/443 from your VM (e.g. to call an external API) → the response from that API is automatically allowed back in. You do not need an inbound rule for replies.
This is the same model AWS Security Groups, Cloudflare Magic Firewall, and most modern cloud firewalls use. If you’re coming from old-school static iptables or a stateless ACL, you can drop roughly half your rule count.
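The stateful model above as a runnable sketch (an added example, not Raff's code or API): a toy connection-tracking filter next to a stateless ACL, run over constructed packets. The class and rule names, the addresses, and the drop of unmatched new connections are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str                # "in" or "out" on the VM's public interface
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    direction: str
    dport: Optional[int] = None   # match on destination port
    sport: Optional[int] = None   # match on source port (stateless reply rules)
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.dport in (None, p.dport) and self.sport in (None, p.sport))

def stateless_allow(rules, p):
    """Stateless ACL: each packet is judged alone, so replies need their own rules."""
    return any(r.matches(p) for r in rules)

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()      # connection-tracking table

    def allow(self, p: Packet) -> bool:
        # Both directions of one connection share this key.
        flow = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        if flow in self.tracked:
            return True           # reply on a connection a rule already admitted
        if any(r.matches(p) for r in self.rules):
            self.tracked.add(flow)
            return True
        return False              # assumption: unmatched new connections are dropped

# Constructed sample traffic (documentation address ranges).
VM, CLIENT, API = "198.51.100.5", "203.0.113.10", "192.0.2.20"
WEB_IN = Packet("in", CLIENT, 51000, VM, 443)
WEB_REPLY = Packet("out", VM, 443, CLIENT, 51000)
API_OUT = Packet("out", VM, 40000, API, 443)
API_REPLY = Packet("in", API, 443, VM, 40000)
UNSOLICITED = Packet("in", API, 443, VM, 40001)   # not part of any tracked connection

STATEFUL_RULES = [Rule("in", dport=443), Rule("out", dport=443)]
STATELESS_RULES = STATEFUL_RULES + [Rule("out", sport=443), Rule("in", sport=443)]

def run(fw_allow, packets):
    return [fw_allow(p) for p in packets]
```

The stateless ACL needs four rules to pass the same two conversations, and its inbound reply rule matches on source port alone, so it also admits the unsolicited packet that the connection-tracking filter drops.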
Figure: the Networking page on the Firewall tab, showing the Raff Default Firewall card with a System badge applied to all public network interfaces, and the Your Firewall Groups section with a Web Server custom group (2 in / 1 out, 14 days ago).
The dashboard surfaces firewalls in the Networking → Firewall tab. Inside each VM’s detail page, the Network tab shows which Firewall Group (if any) is attached to that VM’s public IPs.

What you can do

| Task | Where |
| --- | --- |
| See which ports the Default blocks | Networking → Firewall → View Rules on the Default card |
| Build a custom rule set | Networking → Firewall → + Create Firewall Group |
| Start from a known-good template | Create dialog → Start from template dropdown |
| Attach a group to a VM | VM detail → Network tab → IP card → Attach, or the group row’s Assign to VM |
| Edit rules in a live group | Group row’s Edit Rules (same dialog used for create — no separate view) |
| Delete a group | Group row’s Delete (must detach VMs first) |

Most viewed

Create a Firewall Group

Walk the create dialog with templates and rules.

Inbound vs outbound

The model — direction, protocols, port and IP formats.

Add rules

Port and source-IP formats explained.

Attach to a VM

Apply a group to one VM’s public IP.

Browse

Quickstart & guides

Create, add rules, attach, update, delete.

Concepts

Direction, stateful firewall, layers, templates.

Details

Limits, blocked ports, rule formats.

Troubleshooting

Common firewall issues.

API Reference

Firewall endpoints.

Changelog

All API updates and changes.
Last modified on May 8, 2026