Updated May 8, 2026

This page is the format reference for the Ports and Source IP fields you fill on every rule row. The model itself — what inbound vs outbound means, how rules combine, what the system Default blocks — is on Inbound vs outbound, layers, and rule format. This page is the cheat sheet.
Mixing list and range is allowed: 80,443,3000:4000 is a valid single Ports value.

A quick note on syntax: AWS Security Groups use a hyphen for ranges (3000-4000) — Raff uses a colon (3000:4000), matching OpenNebula’s underlying format. If you copy a rule spec from AWS docs, swap the hyphen for a colon.
TCP 135 / 139 / 445 / 5985–5986 and UDP 137–138 are always denied regardless of what you write — the system Default is layered on top of every public interface and Raff actively strips these ports out of any range you submit. Practical example: writing Range = 130:200 for inbound TCP saves as 130:134,136:138,140:200 (135 and 139 carved out).

For the canonical table with per-port rationale and the dashboard screenshot, see Inbound vs outbound, layers, and rule format → What the Default Firewall blocks. If you genuinely need WinRM or SMB, run them inside a VPC and reach them via a Firewall Appliance (OPNsense) — not via a public-facing Firewall Group.
The third box on each rule row is CIDR. For inbound it’s “from where can traffic come”; for outbound it’s “to where can traffic go”.

| Format | Allows | Use case |
| --- | --- | --- |
| 0.0.0.0/0 (default, labeled Any) | Anywhere on the IPv4 internet | Public services |
| 192.168.1.100/32 | One specific IPv4 address | Whitelist your office IP for SSH |
| 203.0.113.0/24 | A whole /24 (256 addresses) | A partner’s egress range |
| 10.0.0.0/8 | A whole /8 (16M addresses) | RFC 1918 private space |
| 2001:db8::/32 | An IPv6 prefix | IPv6 allowlists |
| ::/0 | Any IPv6 address | IPv6 equivalent of 0.0.0.0/0 |

The /32 (single IPv4) and /128 (single IPv6) prefixes are how you allowlist exactly one address. The dialog accepts a single IPv4 address with or without the explicit /32 prefix, but type the /32 for clarity.
If your VM has an IPv6 public IP attached (auto-assigned or reserved), the same rule rows apply — just use IPv6 CIDRs in the source field. Add a separate rule row for the IPv6 CIDR; one row carries one CIDR.

| Goal | Source IP |
| --- | --- |
| Public service open to all of IPv6 | ::/0 |
| One specific IPv6 host | 2001:db8::1/128 |
| A /48 customer prefix (a typical ISP-allocated block) | 2001:db8:1234::/48 |
| Documentation / example range | 2001:db8::/32 |
| Local-link / RFC 4193 ULA range | fd00::/8 |
| IPv4-mapped (allows traffic from ::ffff:1.2.3.4) | ::ffff:0:0/96 |

A “fully open to v4 + v6” inbound on TCP/443 is two rule rows — one with 0.0.0.0/0 and one with ::/0. Same for outbound.
Save creates the group as a unit — all rule rows submit together. Validation runs on the whole set; if one row is invalid (bad port format, invalid CIDR), the dialog shows the error inline and nothing saves.
Edits update the platform record immediately — but the guest VM does not pick up the new rules until you reboot it (see the warning below).
Default-block sanitization runs at save time — if you write 135, that exact rule is dropped from the saved set with no error. If you write 130:140, the saved rule excludes 135 and 139.
A VM reboot is required after any firewall change. Attaching a group, detaching a group, or editing rules in an attached group all need a reboot of every affected VM to take effect inside the guest. Until you reboot, the VM keeps running with its previous firewall state.
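
Because default-block sanitization drops or rewrites rules with no error, it helps to preview what a Ports value will save as before comparing the dashboard against your rule spec. The sketch below is an added example, not Raff's code: the function names are hypothetical, the 1-65535 bounds and the merged output form are assumptions, and the denied ports are the ones listed on this page.

```python
import re

# Denied ports as listed on this page (system Default).
DENIED = {"tcp": {135, 139, 445, 5985, 5986}, "udp": {137, 138}}

_ITEM = re.compile(r"(\d+)(?::(\d+))?", re.ASCII)


def parse_ports(value):
    """Parse a Ports value such as '80,443,3000:4000' into a set of ports."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if "-" in item:
            # AWS-style hyphen range: this format uses a colon instead.
            raise ValueError(f"{item!r}: use a colon for ranges, not a hyphen")
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"{item!r}: not a port or lo:hi range")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        # Assumption: valid ports are 1-65535 and ranges are ascending.
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"{item!r}: out of bounds or reversed range")
        ports.update(range(start, end + 1))
    return ports


def format_ports(ports):
    """Collapse a set of ports into 'lo:hi,port' form, merging adjacent ports."""
    spans = []
    for p in sorted(ports):
        if spans and p == spans[-1][1] + 1:
            spans[-1][1] = p
        else:
            spans.append([p, p])
    return ",".join(str(a) if a == b else f"{a}:{b}" for a, b in spans)


def preview_saved(value, protocol):
    """Expected Ports value after sanitization; '' means the row is dropped."""
    return format_ports(parse_ports(value) - DENIED[protocol])


if __name__ == "__main__":
    # Constructed sample inputs, taken from the examples on this page.
    for spec in ("130:200", "130:140", "135", "80,443,3000:4000"):
        print(f"tcp {spec!r:22} -> {preview_saved(spec, 'tcp')!r}")
```

An empty result means every port in the row was on the denied list, which matches the silent drop described above.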