# doctl compute firewall – DigitalOcean Documentation > The sub-commands of `doctl compute firewall` manage DigitalOcean cloud firewalls. Cloud firewalls allow you to restrict network access to and from a Droplet by defining which ports accept inbound or outbound connections. With these commands, you can list, create, or delete Cloud firewalls, as well as modify access rules. Note: Cloud firewalls are not internal Droplet firewalls on Droplets, such as UFW or FirewallD. A firewall's `inbound_rules` and `outbound_rules` attributes contain arrays of objects as their values. These objects contain the standard attributes of their associated types, which can be found below. Inbound access rules specify the protocol (TCP, UDP, or ICMP), ports, and sources for inbound traffic that will be allowed through the Firewall to the target Droplets. The `ports` attribute may contain a single port, a range of ports (e.g. `8000-9000`), or `all` to allow traffic on all ports for the specified protocol. The `sources` attribute will contain an object specifying a whitelist of sources from which traffic will be accepted. - [doctl compute firewall add-droplets](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/add-droplets/index.html.md): Assigns Droplets to a cloud firewall on your account. - [doctl compute firewall add-rules](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/add-rules/index.html.md): Add inbound or outbound rules to a cloud firewall. - [doctl compute firewall add-tags](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/add-tags/index.html.md): Add tags to a cloud firewall. This adds all assets using that tag to the firewall. - [doctl compute firewall create](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/create/index.html.md): Creates a cloud firewall. This command must contain at least one inbound or outbound access rule. - [doctl compute firewall delete](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/delete/index.html.md): Permanently deletes a cloud firewall. This is irreversible, but does not delete any Droplets assigned to the cloud firewall. - [doctl compute firewall get](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/get/index.html.md): Retrieves information about an existing cloud firewall, including: - The firewall's UUID - The firewall's name - The status of the firewall. Possible values: `waiting`, `succeeded`, `failed`. - The firewall's creation date, in ISO8601 combined date and … - [doctl compute firewall list](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/list/index.html.md): Retrieves a list of cloud firewalls on your account. - [doctl compute firewall list-by-droplet](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/list-by-droplet/index.html.md): Lists the cloud firewalls assigned to a Droplet. - [doctl compute firewall remove-droplets](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/remove-droplets/index.html.md): Removes Droplets from a cloud firewall. - [doctl compute firewall remove-rules](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/remove-rules/index.html.md): Remove inbound or outbound rules from a cloud firewall. - [doctl compute firewall remove-tags](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/remove-tags/index.html.md): Removes tags from a cloud firewall. This removes all assets using that tag from the firewall. - [doctl compute firewall update](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/update/index.html.md): Updates the configuration of an existing cloud firewall. The request should contain a full representation of the firewall, including existing attributes. Any attributes that are not provided are reset to their default values.