
    The unifi.firewall.Rule resource manages firewall rules.

    This resource allows you to create and manage firewall rules that control traffic flow between different network segments (WAN, LAN, Guest) for both IPv4 and IPv6 traffic. Rules can be configured to allow, drop, or reject traffic based on various criteria including protocols, ports, and IP addresses.

    Rules are processed in ascending order of rule_index (lowest first), and the first rule that matches generally decides the outcome — so a permissive rule with a lower index than your drop/reject rule takes precedence over it. Custom rules should use indices 2000-2999 (processed before the controller's auto-generated rules) or 4000-4999 (processed after them) to avoid conflicts with system rules.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as unifi from "@pulumiverse/unifi";
    
    // The target host is read from stack configuration (key "ipAddress") rather
    // than hard-coded in source.
    const config = new pulumi.Config();
    const ipAddress = config.require("ipAddress");
    // Drop every IPv4 protocol destined for ipAddress on the LAN_IN ruleset.
    // No source filter is set, so the rule applies to every source on LAN_IN;
    // add srcAddress/srcNetworkId/srcFirewallGroupIds to narrow it. Consider
    // logging: true so dropped traffic is visible in the controller logs.
    const dropAll = new unifi.firewall.Rule("drop_all", {
        name: "drop all",
        action: "drop",          // silent discard; "reject" would return an ICMP error instead
        ruleset: "LAN_IN",
        ruleIndex: 2011,         // custom range 2000-2999: evaluated before auto-generated rules
        protocol: "all",         // every IPv4 protocol
        dstAddress: ipAddress,   // single IPv4 host; dstNetworkType is not set here -
                                 // NOTE(review): docs say the address format must match dst_network_type; confirm the provider default.
    });
    
    import pulumi
    import pulumiverse_unifi as unifi
    
    # The target host is read from stack configuration (key "ipAddress") rather
    # than hard-coded in source.
    config = pulumi.Config()
    ip_address = config.require("ipAddress")
    # Drop every IPv4 protocol destined for ip_address on the LAN_IN ruleset.
    # No source filter is set, so the rule applies to every source on LAN_IN;
    # add src_address/src_network_id/src_firewall_group_ids to narrow it.
    # Consider logging=True so dropped traffic is visible in the controller logs.
    drop_all = unifi.firewall.Rule("drop_all",
        name="drop all",
        action="drop",       # silent discard; "reject" would return an ICMP error instead
        ruleset="LAN_IN",
        rule_index=2011,     # custom range 2000-2999: evaluated before auto-generated rules
        protocol="all",      # every IPv4 protocol
        dst_address=ip_address)  # single IPv4 host; dst_network_type not set - NOTE(review): docs say format must match dst_network_type; confirm provider default
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    	"github.com/pulumiverse/pulumi-unifi/sdk/go/unifi/firewall"
    )
    
    // main declares a single UniFi firewall rule that drops all IPv4 traffic to
    // a configured destination address on the LAN_IN ruleset.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// The target host is read from stack configuration (key "ipAddress")
    		// rather than hard-coded in source.
    		cfg := config.New(ctx, "")
    		ipAddress := cfg.Require("ipAddress")
    		// No source filter is set, so the rule applies to every source on
    		// LAN_IN; add SrcAddress/SrcNetworkId/SrcFirewallGroupIds to narrow it.
    		// Consider Logging: pulumi.Bool(true) so dropped traffic is visible.
    		_, err := firewall.NewRule(ctx, "drop_all", &firewall.RuleArgs{
    			Name:       pulumi.String("drop all"),
    			Action:     pulumi.String("drop"),    // silent discard; "reject" would return an ICMP error instead
    			Ruleset:    pulumi.String("LAN_IN"),
    			RuleIndex:  pulumi.Int(2011),         // custom range 2000-2999: evaluated before auto-generated rules
    			Protocol:   pulumi.String("all"),     // every IPv4 protocol
    			DstAddress: pulumi.String(ipAddress), // single IPv4 host; DstNetworkType is not set here -
    			// NOTE(review): docs say the address format must match dst_network_type; confirm the provider default.
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Unifi = Pulumiverse.Unifi;
    
    // Declares a single UniFi firewall rule that drops all IPv4 traffic to a
    // configured destination address on the LAN_IN ruleset.
    return await Deployment.RunAsync(() => 
    {
        // The target host is read from stack configuration (key "ipAddress")
        // rather than hard-coded in source.
        var config = new Config();
        var ipAddress = config.Require("ipAddress");
        // No source filter is set, so the rule applies to every source on LAN_IN;
        // add SrcAddress/SrcNetworkId/SrcFirewallGroupIds to narrow it. Consider
        // Logging = true so dropped traffic is visible in the controller logs.
        var dropAll = new Unifi.Firewall.Rule("drop_all", new()
        {
            Name = "drop all",
            Action = "drop",        // silent discard; "reject" would return an ICMP error instead
            Ruleset = "LAN_IN",
            RuleIndex = 2011,       // custom range 2000-2999: evaluated before auto-generated rules
            Protocol = "all",       // every IPv4 protocol
            DstAddress = ipAddress, // single IPv4 host; DstNetworkType is not set here -
                                    // NOTE(review): docs say the address format must match dst_network_type; confirm the provider default.
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumiverse.unifi.firewall.Rule;
    import com.pulumiverse.unifi.firewall.RuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Declares a single UniFi firewall rule that drops all IPv4 traffic to a
     * configured destination address on the LAN_IN ruleset.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the stack's resources.
         *
         * @param ctx the Pulumi deployment context, used here to read stack configuration
         */
        public static void stack(Context ctx) {
            // The target host is read from stack configuration (key "ipAddress")
            // rather than hard-coded in source.
            final var config = ctx.config();
            final var ipAddress = config.require("ipAddress");
            // No source filter is set, so the rule applies to every source on
            // LAN_IN; add srcAddress/srcNetworkId/srcFirewallGroupIds to narrow
            // it. Consider .logging(true) so dropped traffic is visible.
            var dropAll = new Rule("dropAll", RuleArgs.builder()
                .name("drop all")
                .action("drop")        // silent discard; "reject" would return an ICMP error instead
                .ruleset("LAN_IN")
                .ruleIndex(2011)       // custom range 2000-2999: evaluated before auto-generated rules
                .protocol("all")       // every IPv4 protocol
                .dstAddress(ipAddress) // single IPv4 host; dstNetworkType is not set here -
                                       // NOTE(review): docs say the address format must match dst_network_type; confirm the provider default.
                .build());
    
        }
    }
    
    # Declares a single UniFi firewall rule that drops all IPv4 traffic to a
    # configured destination address on the LAN_IN ruleset.
    configuration:
      # Target host, supplied per stack rather than hard-coded here.
      ipAddress:
        type: string
    resources:
      dropAll:
        type: unifi:firewall:Rule
        name: drop_all
        properties:
          name: drop all
          action: drop        # silent discard; reject would return an ICMP error instead
          ruleset: LAN_IN
          ruleIndex: 2011     # custom range 2000-2999: evaluated before auto-generated rules
          protocol: all       # every IPv4 protocol
          # No source filter is set, so this applies to every source on LAN_IN;
          # add srcAddress/srcNetworkId/srcFirewallGroupIds to narrow it, and
          # consider logging: true so dropped traffic is visible.
          # dstNetworkType is not set here - NOTE(review): docs say the address
          # format must match dst_network_type; confirm the provider default.
          dstAddress: ${ipAddress}
    

    Create Rule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Rule(name: string, args: RuleArgs, opts?: CustomResourceOptions);
    @overload
    def Rule(resource_name: str,
             args: RuleArgs,
             opts: Optional[ResourceOptions] = None)
    
    @overload
    def Rule(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             action: Optional[str] = None,
             ruleset: Optional[str] = None,
             rule_index: Optional[int] = None,
             protocol_v6: Optional[str] = None,
             dst_address: Optional[str] = None,
             dst_network_type: Optional[str] = None,
             dst_port: Optional[str] = None,
             enabled: Optional[bool] = None,
             icmp_typename: Optional[str] = None,
             icmp_v6_typename: Optional[str] = None,
             ip_sec: Optional[str] = None,
             logging: Optional[bool] = None,
             name: Optional[str] = None,
             protocol: Optional[str] = None,
             dst_firewall_group_ids: Optional[Sequence[str]] = None,
             dst_address_ipv6: Optional[str] = None,
             dst_network_id: Optional[str] = None,
             site: Optional[str] = None,
             src_address: Optional[str] = None,
             src_address_ipv6: Optional[str] = None,
             src_firewall_group_ids: Optional[Sequence[str]] = None,
             src_mac: Optional[str] = None,
             src_network_id: Optional[str] = None,
             src_network_type: Optional[str] = None,
             src_port: Optional[str] = None,
             state_established: Optional[bool] = None,
             state_invalid: Optional[bool] = None,
             state_new: Optional[bool] = None,
             state_related: Optional[bool] = None)
    func NewRule(ctx *Context, name string, args RuleArgs, opts ...ResourceOption) (*Rule, error)
    public Rule(string name, RuleArgs args, CustomResourceOptions? opts = null)
    public Rule(String name, RuleArgs args)
    public Rule(String name, RuleArgs args, CustomResourceOptions options)
    
    type: unifi:firewall:Rule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference shape only: every value below is a placeholder, not a working
    // rule. See the property descriptions for valid values.
    var ruleResource = new Unifi.Firewall.Rule("ruleResource", new()
    {
        Action = "string",        // accept | drop | reject
        Ruleset = "string",       // [NETWORK]_[DIRECTION], e.g. WAN_IN
        RuleIndex = 0,            // custom rules: 2000-2999 or 4000-4999
        ProtocolV6 = "string",
        DstAddress = "string",
        DstNetworkType = "string",
        DstPort = "string",
        Enabled = false,          // defaults to true when omitted
        IcmpTypename = "string",
        IcmpV6Typename = "string",
        IpSec = "string",
        Logging = false,          // set true to log matching packets
        Name = "string",
        Protocol = "string",
        DstFirewallGroupIds = new[]
        {
            "string",
        },
        DstAddressIpv6 = "string",
        DstNetworkId = "string",
        Site = "string",
        SrcAddress = "string",
        SrcAddressIpv6 = "string",
        SrcFirewallGroupIds = new[]
        {
            "string",
        },
        SrcMac = "string",
        SrcNetworkId = "string",
        SrcNetworkType = "string",
        SrcPort = "string",
        StateEstablished = false,
        StateInvalid = false,
        StateNew = false,
        StateRelated = false,
    });
    
    // Reference shape only: every value below is a placeholder, not a working
    // rule. See the property descriptions for valid values.
    example, err := firewall.NewRule(ctx, "ruleResource", &firewall.RuleArgs{
    	Action:         pulumi.String("string"), // accept | drop | reject
    	Ruleset:        pulumi.String("string"), // [NETWORK]_[DIRECTION], e.g. WAN_IN
    	RuleIndex:      pulumi.Int(0),           // custom rules: 2000-2999 or 4000-4999
    	ProtocolV6:     pulumi.String("string"),
    	DstAddress:     pulumi.String("string"),
    	DstNetworkType: pulumi.String("string"),
    	DstPort:        pulumi.String("string"),
    	Enabled:        pulumi.Bool(false),      // defaults to true when omitted
    	IcmpTypename:   pulumi.String("string"),
    	IcmpV6Typename: pulumi.String("string"),
    	IpSec:          pulumi.String("string"),
    	Logging:        pulumi.Bool(false),      // set true to log matching packets
    	Name:           pulumi.String("string"),
    	Protocol:       pulumi.String("string"),
    	DstFirewallGroupIds: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	DstAddressIpv6: pulumi.String("string"),
    	DstNetworkId:   pulumi.String("string"),
    	Site:           pulumi.String("string"),
    	SrcAddress:     pulumi.String("string"),
    	SrcAddressIpv6: pulumi.String("string"),
    	SrcFirewallGroupIds: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	SrcMac:           pulumi.String("string"),
    	SrcNetworkId:     pulumi.String("string"),
    	SrcNetworkType:   pulumi.String("string"),
    	SrcPort:          pulumi.String("string"),
    	StateEstablished: pulumi.Bool(false),
    	StateInvalid:     pulumi.Bool(false),
    	StateNew:         pulumi.Bool(false),
    	StateRelated:     pulumi.Bool(false),
    })
    
    // Reference shape only: every value below is a placeholder, not a working
    // rule. See the property descriptions for valid values.
    var ruleResource = new Rule("ruleResource", RuleArgs.builder()
        .action("string")        // accept | drop | reject
        .ruleset("string")       // [NETWORK]_[DIRECTION], e.g. WAN_IN
        .ruleIndex(0)            // custom rules: 2000-2999 or 4000-4999
        .protocolV6("string")
        .dstAddress("string")
        .dstNetworkType("string")
        .dstPort("string")
        .enabled(false)          // defaults to true when omitted
        .icmpTypename("string")
        .icmpV6Typename("string")
        .ipSec("string")
        .logging(false)          // set true to log matching packets
        .name("string")
        .protocol("string")
        .dstFirewallGroupIds("string")
        .dstAddressIpv6("string")
        .dstNetworkId("string")
        .site("string")
        .srcAddress("string")
        .srcAddressIpv6("string")
        .srcFirewallGroupIds("string")
        .srcMac("string")
        .srcNetworkId("string")
        .srcNetworkType("string")
        .srcPort("string")
        .stateEstablished(false)
        .stateInvalid(false)
        .stateNew(false)
        .stateRelated(false)
        .build());
    
    # Reference shape only: every value below is a placeholder, not a working
    # rule. See the property descriptions for valid values.
    rule_resource = unifi.firewall.Rule("ruleResource",
        action="string",        # accept | drop | reject
        ruleset="string",       # [NETWORK]_[DIRECTION], e.g. WAN_IN
        rule_index=0,           # custom rules: 2000-2999 or 4000-4999
        protocol_v6="string",
        dst_address="string",
        dst_network_type="string",
        dst_port="string",
        enabled=False,          # defaults to True when omitted
        icmp_typename="string",
        icmp_v6_typename="string",
        ip_sec="string",
        logging=False,          # set True to log matching packets
        name="string",
        protocol="string",
        dst_firewall_group_ids=["string"],
        dst_address_ipv6="string",
        dst_network_id="string",
        site="string",
        src_address="string",
        src_address_ipv6="string",
        src_firewall_group_ids=["string"],
        src_mac="string",
        src_network_id="string",
        src_network_type="string",
        src_port="string",
        state_established=False,
        state_invalid=False,
        state_new=False,
        state_related=False)
    
    // Reference shape only: every value below is a placeholder, not a working
    // rule. See the property descriptions for valid values.
    const ruleResource = new unifi.firewall.Rule("ruleResource", {
        action: "string",        // accept | drop | reject
        ruleset: "string",       // [NETWORK]_[DIRECTION], e.g. WAN_IN
        ruleIndex: 0,            // custom rules: 2000-2999 or 4000-4999
        protocolV6: "string",
        dstAddress: "string",
        dstNetworkType: "string",
        dstPort: "string",
        enabled: false,          // defaults to true when omitted
        icmpTypename: "string",
        icmpV6Typename: "string",
        ipSec: "string",
        logging: false,          // set true to log matching packets
        name: "string",
        protocol: "string",
        dstFirewallGroupIds: ["string"],
        dstAddressIpv6: "string",
        dstNetworkId: "string",
        site: "string",
        srcAddress: "string",
        srcAddressIpv6: "string",
        srcFirewallGroupIds: ["string"],
        srcMac: "string",
        srcNetworkId: "string",
        srcNetworkType: "string",
        srcPort: "string",
        stateEstablished: false,
        stateInvalid: false,
        stateNew: false,
        stateRelated: false,
    });
    
    # Reference shape only: every value below is a placeholder, not a working
    # rule. See the property descriptions for valid values.
    type: unifi:firewall:Rule
    properties:
        action: string            # accept | drop | reject
        dstAddress: string
        dstAddressIpv6: string
        dstFirewallGroupIds:
            - string
        dstNetworkId: string
        dstNetworkType: string
        dstPort: string
        enabled: false            # defaults to true when omitted
        icmpTypename: string
        icmpV6Typename: string
        ipSec: string
        logging: false            # set true to log matching packets
        name: string
        protocol: string
        protocolV6: string
        ruleIndex: 0              # custom rules: 2000-2999 or 4000-4999
        ruleset: string           # [NETWORK]_[DIRECTION], e.g. WAN_IN
        site: string
        srcAddress: string
        srcAddressIpv6: string
        srcFirewallGroupIds:
            - string
        srcMac: string
        srcNetworkId: string
        srcNetworkType: string
        srcPort: string
        stateEstablished: false
        stateInvalid: false
        stateNew: false
        stateRelated: false
    

    Rule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Rule resource accepts the following input properties:

    Action string
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    RuleIndex int
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    Ruleset string

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network addressed to the USG/UDM gateway itself)

    DstAddress string
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    DstAddressIpv6 string
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    DstFirewallGroupIds List<string>
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    DstNetworkId string
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    DstNetworkType string
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    DstPort string
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    Enabled bool
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    IcmpTypename string
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    IcmpV6Typename string
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    IpSec string
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    Logging bool
    Enable logging of packets that match this rule. Worth enabling on drop/reject rules so blocked traffic is visible in the controller's logs for troubleshooting and incident review.
    Name string
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    Protocol string

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    ProtocolV6 string
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    Site string
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    SrcAddress string
    The source IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    SrcAddressIpv6 string
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    SrcFirewallGroupIds List<string>

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    SrcMac string
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. Note that the source MAC is only meaningful for hosts on a network directly attached to the gateway (it is rewritten at every routed hop), and MAC addresses are trivially spoofed, so treat a MAC match as a convenience filter rather than an authentication control.
    SrcNetworkId string
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/[NetworkName].
    SrcNetworkType string
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    SrcPort string
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    StateEstablished bool

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    StateInvalid bool
    Match packets that the gateway's connection tracking classifies as invalid, i.e. packets that do not belong to any known connection (stray or malformed segments). A rule matching only this state is normally paired with action 'drop'.
    StateNew bool
    Match packets that open a new connection (for TCP, the initial SYN with no existing tracked state). Combine with source/destination filters to control which hosts may initiate connections into a network.
    StateRelated bool
    Match packets that belong to a connection related to an existing tracked one, such as ICMP error messages for a tracked flow. Usually enabled together with state_established to permit return and auxiliary traffic.
    Action string
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    RuleIndex int
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    Ruleset string

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network addressed to the USG/UDM gateway itself)

    DstAddress string
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    DstAddressIpv6 string
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    DstFirewallGroupIds []string
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    DstNetworkId string
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    DstNetworkType string
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    DstPort string
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    Enabled bool
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    IcmpTypename string
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    IcmpV6Typename string
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    IpSec string
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    Logging bool
    Enable logging of packets that match this rule. Worth enabling on drop/reject rules so blocked traffic is visible in the controller's logs for troubleshooting and incident review.
    Name string
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    Protocol string

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    ProtocolV6 string
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    Site string
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    SrcAddress string
    The source IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    SrcAddressIpv6 string
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    SrcFirewallGroupIds []string

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    SrcMac string
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. Note that the source MAC is only meaningful for hosts on a network directly attached to the gateway (it is rewritten at every routed hop), and MAC addresses are trivially spoofed, so treat a MAC match as a convenience filter rather than an authentication control.
    SrcNetworkId string
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/[networkName].
    SrcNetworkType string
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    SrcPort string
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    StateEstablished bool

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    StateInvalid bool
    Match packets that the gateway's connection tracking classifies as invalid, i.e. packets that do not belong to any known connection (stray or malformed segments). A rule matching only this state is normally paired with action 'drop'.
    StateNew bool
    Match packets that open a new connection (for TCP, the initial SYN with no existing tracked state). Combine with source/destination filters to control which hosts may initiate connections into a network.
    StateRelated bool
    Match packets that belong to a connection related to an existing tracked one, such as ICMP error messages for a tracked flow. Usually enabled together with state_established to permit return and auxiliary traffic.
    action String
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    ruleIndex Integer
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    ruleset String

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network addressed to the USG/UDM gateway itself)

    dstAddress String
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dstAddressIpv6 String
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dstFirewallGroupIds List<String>
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dstNetworkId String
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dstNetworkType String
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dstPort String
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled Boolean
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmpTypename String
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmpV6Typename String
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ipSec String
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging Boolean
    Enable logging of packets that match this rule. Worth enabling on drop/reject rules so blocked traffic is visible in the controller's logs for troubleshooting and incident review.
    name String
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol String

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocolV6 String
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    site String
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    srcAddress String
    The source IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    srcAddressIpv6 String
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    srcFirewallGroupIds List<String>

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    srcMac String
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. Note that a MAC address is only visible on the directly attached Layer 2 segment and can be set freely by the sending host, so it identifies a device rather than authenticating it; do not use a MAC match as the sole condition for granting privileged access.
    srcNetworkId String
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/<span pulumi-lang-nodejs="[networkName]" pulumi-lang-dotnet="[NetworkName]" pulumi-lang-go="[networkName]" pulumi-lang-python="[network_name]" pulumi-lang-yaml="[networkName]" pulumi-lang-java="[networkName]">[network_name]</span>.
    srcNetworkType String
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    srcPort String
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    stateEstablished Boolean

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    stateInvalid Boolean
    Match packets that the connection tracker cannot associate with any known connection (e.g. malformed packets or stray replies). Such traffic is normally dropped.
    stateNew Boolean
    Match packets that start a new connection (e.g. a TCP SYN that does not belong to an existing flow). This is the state to match when deciding which inbound connections to permit.
    stateRelated Boolean
    Match packets that open a new connection associated with an existing one (e.g. ICMP error messages for an existing flow). Typically allowed together with state_established to permit return traffic.
    action string
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message. Because the reply confirms that a filter is present, prefer drop on rules facing untrusted networks (e.g. WAN_IN) so that scans receive no response; reject is mainly useful on internal rules where clients should fail fast.
    ruleIndex number
    The processing order for this rule. Lower numbers are processed first, and the first rule whose criteria match decides the packet's fate, so a matching accept placed at a lower index than a drop for the same traffic wins. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules - use this range when you intentionally need to override a system rule
    • 4000-4999 for rules processed after auto-generated rules - the safer default for most custom rules, since the system's own protections are still evaluated first
    ruleset string

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (traffic arriving from the WAN and forwarded to internal networks), LAN_OUT (traffic leaving the LAN), GUEST_LOCAL (traffic from the guest network addressed to the gateway itself, not to hosts behind it)

    dstAddress string
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dstAddressIpv6 string
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dstFirewallGroupIds string[]
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dstNetworkId string
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dstNetworkType string
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dstPort string
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled boolean
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmpTypename string
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmpV6Typename string
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ipSec string
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging boolean
    Enable logging for the firewall rule. When true, packets matching this rule are logged. This is most useful on drop/reject rules at trust boundaries (e.g. WAN_IN or guest isolation rules) for detection and troubleshooting; enabling it on broad or high-volume accept rules can generate a large amount of log output.
    name string
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol string

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocolV6 string
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    site string
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    srcAddress string
    The source IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    srcAddressIpv6 string
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    srcFirewallGroupIds string[]

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    srcMac string
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. Note that a MAC address is only visible on the directly attached Layer 2 segment and can be set freely by the sending host, so it identifies a device rather than authenticating it; do not use a MAC match as the sole condition for granting privileged access.
    srcNetworkId string
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/<span pulumi-lang-nodejs="[networkName]" pulumi-lang-dotnet="[NetworkName]" pulumi-lang-go="[networkName]" pulumi-lang-python="[network_name]" pulumi-lang-yaml="[networkName]" pulumi-lang-java="[networkName]">[network_name]</span>.
    srcNetworkType string
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    srcPort string
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    stateEstablished boolean

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    stateInvalid boolean
    Match packets that the connection tracker cannot associate with any known connection (e.g. malformed packets or stray replies). Such traffic is normally dropped.
    stateNew boolean
    Match packets that start a new connection (e.g. a TCP SYN that does not belong to an existing flow). This is the state to match when deciding which inbound connections to permit.
    stateRelated boolean
    Match packets that open a new connection associated with an existing one (e.g. ICMP error messages for an existing flow). Typically allowed together with state_established to permit return traffic.
    action str
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message. Because the reply confirms that a filter is present, prefer drop on rules facing untrusted networks (e.g. WAN_IN) so that scans receive no response; reject is mainly useful on internal rules where clients should fail fast.
    rule_index int
    The processing order for this rule. Lower numbers are processed first, and the first rule whose criteria match decides the packet's fate, so a matching accept placed at a lower index than a drop for the same traffic wins. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules - use this range when you intentionally need to override a system rule
    • 4000-4999 for rules processed after auto-generated rules - the safer default for most custom rules, since the system's own protections are still evaluated first
    ruleset str

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (traffic arriving from the WAN and forwarded to internal networks), LAN_OUT (traffic leaving the LAN), GUEST_LOCAL (traffic from the guest network addressed to the gateway itself, not to hosts behind it)

    dst_address str
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dst_address_ipv6 str
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dst_firewall_group_ids Sequence[str]
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dst_network_id str
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dst_network_type str
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dst_port str
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled bool
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmp_typename str
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmp_v6_typename str
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ip_sec str
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging bool
    Enable logging for the firewall rule. When true, packets matching this rule are logged. This is most useful on drop/reject rules at trust boundaries (e.g. WAN_IN or guest isolation rules) for detection and troubleshooting; enabling it on broad or high-volume accept rules can generate a large amount of log output.
    name str
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol str

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocol_v6 str
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    site str
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    src_address str
    The source IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    src_address_ipv6 str
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    src_firewall_group_ids Sequence[str]

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    src_mac str
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. Note that a MAC address is only visible on the directly attached Layer 2 segment and can be set freely by the sending host, so it identifies a device rather than authenticating it; do not use a MAC match as the sole condition for granting privileged access.
    src_network_id str
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/<span pulumi-lang-nodejs="[networkName]" pulumi-lang-dotnet="[NetworkName]" pulumi-lang-go="[networkName]" pulumi-lang-python="[network_name]" pulumi-lang-yaml="[networkName]" pulumi-lang-java="[networkName]">[network_name]</span>.
    src_network_type str
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    src_port str
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    state_established bool

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    state_invalid bool
    Match packets that the connection tracker cannot associate with any known connection (e.g. malformed packets or stray replies). Such traffic is normally dropped.
    state_new bool
    Match packets that start a new connection (e.g. a TCP SYN that does not belong to an existing flow). This is the state to match when deciding which inbound connections to permit.
    state_related bool
    Match packets that open a new connection associated with an existing one (e.g. ICMP error messages for an existing flow). Typically allowed together with state_established to permit return traffic.
    action String
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message. Because the reply confirms that a filter is present, prefer drop on rules facing untrusted networks (e.g. WAN_IN) so that scans receive no response; reject is mainly useful on internal rules where clients should fail fast.
    ruleIndex Number
    The processing order for this rule. Lower numbers are processed first, and the first rule whose criteria match decides the packet's fate, so a matching accept placed at a lower index than a drop for the same traffic wins. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules - use this range when you intentionally need to override a system rule
    • 4000-4999 for rules processed after auto-generated rules - the safer default for most custom rules, since the system's own protections are still evaluated first
    ruleset String

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (traffic arriving from the WAN and forwarded to internal networks), LAN_OUT (traffic leaving the LAN), GUEST_LOCAL (traffic from the guest network addressed to the gateway itself, not to hosts behind it)

    dstAddress String
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dstAddressIpv6 String
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dstFirewallGroupIds List<String>
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dstNetworkId String
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dstNetworkType String
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dstPort String
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled Boolean
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmpTypename String
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmpV6Typename String
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ipSec String
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging Boolean
    Enable logging for the firewall rule. When true, packets matching this rule are logged. This is most useful on drop/reject rules at trust boundaries (e.g. WAN_IN or guest isolation rules) for detection and troubleshooting; enabling it on broad or high-volume accept rules can generate a large amount of log output.
    name String
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol String

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocolV6 String
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    site String
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    srcAddress String
    The source IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    srcAddressIpv6 String
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    srcFirewallGroupIds List<String>

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    srcMac String
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. Note that a MAC address is only visible on the directly attached Layer 2 segment and can be set freely by the sending host, so it identifies a device rather than authenticating it; do not use a MAC match as the sole condition for granting privileged access.
    srcNetworkId String
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/<span pulumi-lang-nodejs="[networkName]" pulumi-lang-dotnet="[NetworkName]" pulumi-lang-go="[networkName]" pulumi-lang-python="[network_name]" pulumi-lang-yaml="[networkName]" pulumi-lang-java="[networkName]">[network_name]</span>.
    srcNetworkType String
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    srcPort String
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    stateEstablished Boolean

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    stateInvalid Boolean
    Match packets that the connection tracker cannot associate with any known connection (e.g. malformed packets or stray replies). Such traffic is normally dropped.
    stateNew Boolean
    Match packets that start a new connection (e.g. a TCP SYN that does not belong to an existing flow). This is the state to match when deciding which inbound connections to permit.
    stateRelated Boolean
    Match packets that open a new connection associated with an existing one (e.g. ICMP error messages for an existing flow). Typically allowed together with state_established to permit return traffic.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Rule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Rule Resource

    Get an existing Rule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RuleState, opts?: CustomResourceOptions): Rule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action: Optional[str] = None,
            dst_address: Optional[str] = None,
            dst_address_ipv6: Optional[str] = None,
            dst_firewall_group_ids: Optional[Sequence[str]] = None,
            dst_network_id: Optional[str] = None,
            dst_network_type: Optional[str] = None,
            dst_port: Optional[str] = None,
            enabled: Optional[bool] = None,
            icmp_typename: Optional[str] = None,
            icmp_v6_typename: Optional[str] = None,
            ip_sec: Optional[str] = None,
            logging: Optional[bool] = None,
            name: Optional[str] = None,
            protocol: Optional[str] = None,
            protocol_v6: Optional[str] = None,
            rule_index: Optional[int] = None,
            ruleset: Optional[str] = None,
            site: Optional[str] = None,
            src_address: Optional[str] = None,
            src_address_ipv6: Optional[str] = None,
            src_firewall_group_ids: Optional[Sequence[str]] = None,
            src_mac: Optional[str] = None,
            src_network_id: Optional[str] = None,
            src_network_type: Optional[str] = None,
            src_port: Optional[str] = None,
            state_established: Optional[bool] = None,
            state_invalid: Optional[bool] = None,
            state_new: Optional[bool] = None,
            state_related: Optional[bool] = None) -> Rule
    func GetRule(ctx *Context, name string, id IDInput, state *RuleState, opts ...ResourceOption) (*Rule, error)
    public static Rule Get(string name, Input<string> id, RuleState? state, CustomResourceOptions? opts = null)
    public static Rule get(String name, Output<String> id, RuleState state, CustomResourceOptions options)
    resources:  _:    type: unifi:firewall:Rule    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message. Because the reply confirms that a filter is present, prefer drop on rules facing untrusted networks (e.g. WAN_IN) so that scans receive no response; reject is mainly useful on internal rules where clients should fail fast.
    DstAddress string
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    DstAddressIpv6 string
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    DstFirewallGroupIds List<string>
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    DstNetworkId string
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    DstNetworkType string
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    DstPort string
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    Enabled bool
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    IcmpTypename string
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    IcmpV6Typename string
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    IpSec string
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    Logging bool
    Enable logging for the firewall rule. When true, packets matching this rule are logged. This is most useful on drop/reject rules at trust boundaries (e.g. WAN_IN or guest isolation rules) for detection and troubleshooting; enabling it on broad or high-volume accept rules can generate a large amount of log output.
    Name string
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    Protocol string

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    ProtocolV6 string
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    RuleIndex int
    The processing order for this rule. Lower numbers are processed first, and the first rule whose criteria match decides the packet's fate, so a matching accept placed at a lower index than a drop for the same traffic wins. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules - use this range when you intentionally need to override a system rule
    • 4000-4999 for rules processed after auto-generated rules - the safer default for most custom rules, since the system's own protections are still evaluated first
    Ruleset string

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (traffic arriving from the WAN and forwarded to internal networks), LAN_OUT (traffic leaving the LAN), GUEST_LOCAL (traffic from the guest network addressed to the gateway itself, not to hosts behind it)

    Site string
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    SrcAddress string
    The source IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    SrcAddressIpv6 string
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    SrcFirewallGroupIds List<string>

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    SrcMac string
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. Note that a MAC address is only visible on the directly attached Layer 2 segment and can be set freely by the sending host, so it identifies a device rather than authenticating it; do not use a MAC match as the sole condition for granting privileged access.
    SrcNetworkId string
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/<span pulumi-lang-nodejs="[networkName]" pulumi-lang-dotnet="[NetworkName]" pulumi-lang-go="[networkName]" pulumi-lang-python="[network_name]" pulumi-lang-yaml="[networkName]" pulumi-lang-java="[networkName]">[network_name]</span>.
    SrcNetworkType string
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    SrcPort string
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    StateEstablished bool

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    StateInvalid bool
    Match packets that the connection tracker cannot associate with any known connection (e.g. malformed packets or stray replies). Such traffic is normally dropped.
    StateNew bool
    Match packets that start a new connection (e.g. a TCP SYN that does not belong to an existing flow). This is the state to match when deciding which inbound connections to permit.
    StateRelated bool
    Match packets that open a new connection associated with an existing one (e.g. ICMP error messages for an existing flow). Typically allowed together with state_established to permit return traffic.
    Action string
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    DstAddress string
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    DstAddressIpv6 string
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    DstFirewallGroupIds []string
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    DstNetworkId string
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    DstNetworkType string
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    DstPort string
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    Enabled bool
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    IcmpTypename string
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    IcmpV6Typename string
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    IpSec string
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    Logging bool
    Enable logging for the firewall rule.
    Name string
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    Protocol string

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    ProtocolV6 string
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    RuleIndex int
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    Ruleset string

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network to the gateway itself)

    Site string
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    SrcAddress string
    The source IPv4 address or network this rule applies to. As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    SrcAddressIpv6 string
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    SrcFirewallGroupIds []string

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    SrcMac string
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. A MAC address is set by the sending device and can be changed, so treat MAC matching as a convenience for identifying devices, not as device authentication.
    SrcNetworkId string
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/[network_name].
    SrcNetworkType string
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    SrcPort string
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    StateEstablished bool

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    StateInvalid bool
    Match where the state is invalid.
    StateNew bool
    Match where the state is new.
    StateRelated bool
    Match where the state is related.
    action String
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    dstAddress String
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dstAddressIpv6 String
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dstFirewallGroupIds List<String>
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dstNetworkId String
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dstNetworkType String
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dstPort String
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled Boolean
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmpTypename String
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmpV6Typename String
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ipSec String
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging Boolean
    Enable logging for the firewall rule.
    name String
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol String

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocolV6 String
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    ruleIndex Integer
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    ruleset String

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network to the gateway itself)

    site String
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    srcAddress String
    The source IPv4 address or network this rule applies to. As with dstAddress, the format must match srcNetworkType - use a single IP for ADDRv4 or CIDR for NETv4.
    srcAddressIpv6 String
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    srcFirewallGroupIds List<String>

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    srcMac String
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. A MAC address is set by the sending device and can be changed, so treat MAC matching as a convenience for identifying devices, not as device authentication.
    srcNetworkId String
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/[network_name].
    srcNetworkType String
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    srcPort String
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    stateEstablished Boolean

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    stateInvalid Boolean
    Match where the state is invalid.
    stateNew Boolean
    Match where the state is new.
    stateRelated Boolean
    Match where the state is related.
    action string
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    dstAddress string
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dstAddressIpv6 string
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dstFirewallGroupIds string[]
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dstNetworkId string
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dstNetworkType string
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dstPort string
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled boolean
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmpTypename string
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmpV6Typename string
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ipSec string
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging boolean
    Enable logging for the firewall rule.
    name string
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol string

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocolV6 string
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    ruleIndex number
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    ruleset string

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network to the gateway itself)

    site string
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    srcAddress string
    The source IPv4 address or network this rule applies to. As with dstAddress, the format must match srcNetworkType - use a single IP for ADDRv4 or CIDR for NETv4.
    srcAddressIpv6 string
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    srcFirewallGroupIds string[]

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    srcMac string
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. A MAC address is set by the sending device and can be changed, so treat MAC matching as a convenience for identifying devices, not as device authentication.
    srcNetworkId string
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/[network_name].
    srcNetworkType string
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    srcPort string
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    stateEstablished boolean

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    stateInvalid boolean
    Match where the state is invalid.
    stateNew boolean
    Match where the state is new.
    stateRelated boolean
    Match where the state is related.
    action str
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    dst_address str
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dst_address_ipv6 str
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dst_firewall_group_ids Sequence[str]
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dst_network_id str
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dst_network_type str
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dst_port str
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled bool
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmp_typename str
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmp_v6_typename str
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ip_sec str
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging bool
    Enable logging for the firewall rule.
    name str
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol str

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocol_v6 str
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    rule_index int
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    ruleset str

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network to the gateway itself)

    site str
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    src_address str
    The source IPv4 address or network this rule applies to. As with dst_address, the format must match src_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    src_address_ipv6 str
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    src_firewall_group_ids Sequence[str]

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    src_mac str
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. A MAC address is set by the sending device and can be changed, so treat MAC matching as a convenience for identifying devices, not as device authentication.
    src_network_id str
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/[network_name].
    src_network_type str
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    src_port str
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    state_established bool

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    state_invalid bool
    Match where the state is invalid.
    state_new bool
    Match where the state is new.
    state_related bool
    Match where the state is related.
    action String
    The action to take when traffic matches this rule. Valid values are:

    • accept - Allow the traffic
    • drop - Silently block the traffic
    • reject - Block the traffic and send an ICMP rejection message
    dstAddress String
    The destination IPv4 address or network in CIDR notation (e.g., '192.168.1.10' or '192.168.0.0/24'). The format must match dst_network_type - use a single IP for ADDRv4 or CIDR for NETv4.
    dstAddressIpv6 String
    The destination IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    dstFirewallGroupIds List<String>
    A list of firewall group IDs to use as destinations. Groups can contain IP addresses, networks, or port numbers. This allows you to create reusable sets of addresses/ports and reference them in multiple rules.
    dstNetworkId String
    The ID of the destination network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller.
    dstNetworkType String
    The type of destination network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    dstPort String
    The destination port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    enabled Boolean
    Whether this firewall rule is active (true) or disabled (false). Defaults to true.
    icmpTypename String
    The ICMP type name when protocol is set to 'icmp'. Common values include:

    • echo-request - ICMP ping requests
    • echo-reply - ICMP ping replies
    • destination-unreachable - Host/network unreachable messages
    • time-exceeded - TTL exceeded messages (traceroute)
    icmpV6Typename String
    The ICMPv6 type name when protocol_v6 is set to 'ipv6-icmp'. Common values (not all are listed) include:

    • echo-request - IPv6 ping requests
    • echo-reply - IPv6 ping replies
    • neighbor-solicitation - IPv6 neighbor discovery
    • neighbor-advertisement - IPv6 neighbor announcements
    • destination-unreachable - Host/network unreachable messages
    • packet-too-big - Path MTU discovery messages
    ipSec String
    Specify whether the rule matches on IPsec packets. Can be one of match-ipsec or match-none.
    logging Boolean
    Enable logging for the firewall rule.
    name String
    A friendly name for the firewall rule. This helps identify the rule's purpose in the UniFi controller UI.
    protocol String

    The IPv4 protocol this rule applies to. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only (e.g., web, email)
    • udp - UDP traffic only (e.g., DNS, VoIP)
    • tcp_udp - Both TCP and UDP
    • icmp - ICMP traffic (ping, traceroute)
    • Protocol numbers (1-255) for other protocols

    Examples:

    • Use 'tcp' for web server rules (ports 80, 443)
    • Use 'udp' for VoIP or gaming traffic
    • Use 'all' for general network access rules
    protocolV6 String
    The IPv6 protocol this rule applies to. Similar to 'protocol' but for IPv6 traffic. Common values (not all are listed) include:

    • all - Match all protocols
    • tcp - TCP traffic only
    • udp - UDP traffic only
    • tcp_udp - Both TCP and UDP traffic
    • ipv6-icmp - ICMPv6 traffic
    ruleIndex Number
    The processing order for this rule. Lower numbers are processed first. Custom rules should use:

    • 2000-2999 for rules processed before auto-generated rules
    • 4000-4999 for rules processed after auto-generated rules
    ruleset String

    Defines which traffic flow this rule applies to. The format is [NETWORK]_[DIRECTION], where:

    • NETWORK can be: WAN, LAN, GUEST (or their IPv6 variants WANv6, LANv6, GUESTv6)
    • DIRECTION can be:
      • IN - Traffic entering the network
      • OUT - Traffic leaving the network
      • LOCAL - Traffic destined for the USG/UDM itself

    Examples: WAN_IN (incoming WAN traffic), LAN_OUT (outgoing LAN traffic), GUEST_LOCAL (traffic from the guest network to the gateway itself)

    site String
    The name of the UniFi site where the firewall rule should be created. If not specified, the default site will be used.
    srcAddress String
    The source IPv4 address or network this rule applies to. As with dstAddress, the format must match srcNetworkType - use a single IP for ADDRv4 or CIDR for NETv4.
    srcAddressIpv6 String
    The source IPv6 address or network in CIDR notation (e.g., '2001:db8::1' or '2001:db8::/64'). Used for IPv6 firewall rules.
    srcFirewallGroupIds List<String>

    A list of firewall group IDs to use as sources. Groups can contain:

    • IP Address Groups - For matching specific IP addresses
    • Network Groups - For matching entire subnets
    • Port Groups - For matching specific port numbers

    Example uses:

    • Group of trusted admin IPs for remote access
    • Group of IoT device networks for isolation
    • Group of common service ports for allowing specific applications
    srcMac String
    The source MAC address this rule applies to. Use this to create rules that match specific devices regardless of their IP address. Format: 'XX:XX:XX:XX:XX:XX'. MAC addresses are case-insensitive. A MAC address is set by the sending device and can be changed, so treat MAC matching as a convenience for identifying devices, not as device authentication.
    srcNetworkId String
    The ID of the source network this rule applies to. This can be found in the URL when viewing the network in the UniFi controller, or by using the network's name in the form [site]/[network_name].
    srcNetworkType String
    The type of source network address. Valid values are:

    • ADDRv4 - Single IPv4 address
    • NETv4 - IPv4 network in CIDR notation
    srcPort String
    The source port(s) for this rule. Can be:

    • A single port number (e.g., '80')
    • A port range (e.g., '8000:8080')
    • A list of ports/ranges separated by commas
    stateEstablished Boolean

    Match established connections. When enabled:

    • Rule only applies to packets that are part of an existing connection
    • Useful for allowing return traffic without creating separate rules
    • Common in WAN_IN rules to allow responses to outbound connections

    Example: Allow established connections from WAN while blocking new incoming connections

    stateInvalid Boolean
    Match where the state is invalid.
    stateNew Boolean
    Match where the state is new.
    stateRelated Boolean
    Match where the state is related.

    Import

    Import an existing rule using its ID from the controller API or UI:

    $ pulumi import unifi:firewall/rule:Rule my_rule 5f7080eb6b8969064f80494f
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    unifi pulumiverse/pulumi-unifi
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the unifi Terraform Provider.