Firewall Custom Rules

Custom firewall rules can be added by creating the files /etc/firewall-4.rules (for IPv4) and /etc/firewall-6.rules (for IPv6).

These files must be writable only by root, otherwise the Firewall service will not process them. You also need to enable them in Advanced Settings.

Each line in the file that does NOT start with a '#' (comment) will be run by the firewall service as the parameters to 'iptables' (or 'ip6tables') on startup. For example, if you wanted to log all traffic before it entered the firewall, you could create the file containing this:

# This is a comment and is disregarded
# Comments must be on a separate line and first character of the line must be #
# This next line logs all traffic. This is extremely verbose, don't do this on
# a production machine.
-I INPUT -j LOG

That will INSERT the rule '-j LOG' before the first entry in the INPUT chain.

You can validate that these commands are running by watching /tmp/firewall.log, where you will see 'Custom Rules' being processed. If there are any errors, they will be displayed in that file.

Setting Permissions

To set the files to be writable only by root, execute the following commands:

chown root:root /etc/firewall-4.rules
chown root:root /etc/firewall-6.rules
chmod 644 /etc/firewall-4.rules
chmod 644 /etc/firewall-6.rules
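The following script is an added example and is not code from the Sangoma firewall module. It reproduces, in plain POSIX sh, the two behaviours described above so you can check a rules file before the service sees it: the file must be owned by root and writable by nobody else, and a line is a comment only when its very first character is '#'. The function names (rules_mode_ok, rules_file_ok, extract_rules, count_rules, apply_rules, demo_rules_file) and the IPTABLES variable are this example's own; GNU stat -c is assumed for reading ownership and mode.

```shell
#!/bin/sh
# Added example, not the firewall service's own code. Emulates the page's
# checks before handing each rule line to iptables. Function names and the
# IPTABLES variable are assumptions of this example.

# Dry run by default: run with IPTABLES=iptables to apply rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# rules_mode_ok OCTAL_MODE OWNER
# Succeeds only when the owner is root and neither group nor other can write.
rules_mode_ok() {
    mode="$1"
    owner="$2"
    [ "$owner" = "root" ] || return 1
    # 022 masks the group and other write bits; a hit means a non-root
    # user could edit the file, which is exactly what the service rejects.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# rules_file_ok FILE - the same check against a real file (GNU stat assumed)
rules_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    rules_mode_ok "$(stat -c '%a' "$f")" "$(stat -c '%U' "$f")"
}

# extract_rules FILE - print the lines that would be passed to iptables.
# A line is a comment only if its first character is '#'; a '#' later on a
# rule line is NOT a comment and would reach iptables as an argument.
# Blank lines are skipped (assumption: they carry no rule).
extract_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*) continue ;;
            '')   continue ;;
            *)    printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# count_rules FILE - number of rule lines that would be executed
count_rules() {
    extract_rules "$1" | wc -l | tr -d ' '
}

# apply_rules FILE - run each rule line as arguments to iptables, refusing
# a file that a non-root user could have edited.
apply_rules() {
    f="$1"
    if ! rules_file_ok "$f"; then
        echo "refusing $f: must be owned by root and writable only by root" >&2
        return 1
    fi
    extract_rules "$f" | while IFS= read -r rule; do
        # word-split the rule line into separate iptables arguments
        set -- $rule
        $IPTABLES "$@"
    done
}

# demo_rules_file - write a constructed copy of the page's example to a temp
# file and print its path, so the functions above can be tried offline.
demo_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This is a comment and is disregarded
# Comments must be on a separate line and first character of the line must be #
# This next line logs all traffic. This is extremely verbose, don't do this on
# a production machine.
-I INPUT -j LOG
EOF
    printf '%s\n' "$f"
}

# Try it: f=$(demo_rules_file); extract_rules "$f"; rm -f "$f"
```

Running extract_rules on the demo file prints the single line "-I INPUT -j LOG"; apply_rules on a real /etc/firewall-4.rules refuses to proceed when the file is group- or world-writable, which is the same condition that makes the Firewall service skip it.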
