Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.rafftechnologies.com/llms.txt

Use this file to discover all available pages before exploring further.

Updated May 8, 2026 The raff security-group command group manages Firewall Groups. The dashboard product is called Firewall; the underlying API path is security-groups, which is what the CLI command name reflects. Functionality is the same — see Firewall overview for the model. To attach a group to a VM, use raff vm sg add (see VM commands → sg add). The CLI doesn’t yet expose Update Rules — use the Update Firewall API directly for now.

Subcommand index

SubcommandWhat it does
listList Firewall Groups in the project
templatesList the 5 prebuilt templates
getShow one group’s full rule set
createCreate a new Firewall Group
deleteDelete a Firewall Group

list

raff security-group list [--output table|json]

templates

raff security-group templates [--output table|json]
Lists the 5 System templates: web-server, database-server, ssh-only, allow-all, deny-all. Use the id field as --template-id on create to start from a template.

get

raff security-group get <sg-id> [--output table|json]
Show a Firewall Group’s full inbound and outbound rule set, plus the VMs it’s attached to.

create

raff security-group create \
  --name <name> \
  [--description <text>] \
  [--template-id <template-id>] \
  [--rules-file <path-to-json>]
Create a Firewall Group. Either start from a template (--template-id web-server), pass rules as JSON via --rules-file, or both (rules merge with template). Rule format follows the Create Firewall API schema: 
[
  { "protocol": "TCP", "rule_type": "INBOUND", "range": "22", "ip": "0.0.0.0", "size": "0" },
  { "protocol": "TCP", "rule_type": "INBOUND", "range": "80,443", "ip": "0.0.0.0", "size": "0" },
  { "protocol": "ALL", "rule_type": "OUTBOUND" }
]
Maximum 40 inbound rules + 40 outbound rules per group. The system Default Firewall blocks TCP 135/139/445/5985–5986 and UDP 137–138 — those are stripped from any rule range you submit.

delete

raff security-group delete <sg-id>
Delete a Firewall Group. Fails if it’s still attached to any VM — detach with raff vm sg remove on each VM first.

Reboot reminder

Any rule change (create, attach, detach, delete) requires a VM reboot for the new rules to take effect inside the guest. The platform record updates immediately; the guest network stack picks it up only at boot. See Update rules for the full reboot rule.

VM commands

raff vm sg add to attach to a VM.

Firewall overview

The two-layer firewall model.

Inbound vs outbound

Rule format, port ranges, CIDR.
Last modified on May 8, 2026