Customizing network firewall

Last Updated: Sep 21, 2021

About this task

Use this procedure to customize the network firewall on Session Manager. On Session Manager, the network firewall is managed through the snfw package. To retain firewall rules across system restarts, add firewall rules with the snfw command line utility instead of the nft command.

The snfw command is aliased to /etc/snfw/snfw-nft.sh. The arguments given to the command are passed unchanged to the nft command, after being recorded in a file so that they are loaded after the standard snfw rules.

Before you begin

  • Ensure that you have root access to the system.

  • To customize the network firewall, you must have a good understanding of nftables and the nft command line utility.

Procedure

  1. Run the following command to list help on the command line options:
    snfw --help
  2. Run the following command to list the custom firewall rules:
    snfw --nft-custom-list

    This command lists the custom rules that are currently configured and set in the running firewall instance.

  3. Run the following command to add the custom firewall rule:
    snfw --nft-custom-add <options>

    This command adds and loads a custom firewall rule. The arguments are saved to the archive at /etc/nftables/av-custom.nft and are used to set the rule in the running firewall instance.

  4. Run the following command to remove the custom firewall rule:
    snfw --nft-custom-remove <options originally added>

    This command removes the custom firewall rule if it was added earlier, deleting it both from the running firewall instance and from the archive.

    If the remove operation fails, you might need to remove firewall rules manually.

    Important:

    You must validate your command before passing it to nft.
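    The following shell functions are an added example, not part of the snfw package, that reproduce the idempotency and archive steps shown in the procedure ("Checking if already added", "Saving rule to archive", "Removing from archive") against a constructed copy of the archive, and add the pre-check the note above asks for by running the candidate rule through nft's check mode (nft -c) before it is ever applied. The archive path, the rule_looks_valid() family check and the function names are assumptions; the archive line format "add rule <args>" is taken from the sample output on this page.

```shell
#!/bin/sh
# Added example (not Avaya's snfw code). Emulates the custom-rule archive
# handling with a constructed archive file; the real archive is
# /etc/nftables/av-custom.nft and is written only by snfw itself.

# Collapse runs of whitespace and trim, so "tcp   dport 2345" and
# "tcp dport 2345" compare equal.
normalize_rule() {
    printf '%s' "$*" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Return 0 if the rule is already archived. Archive lines have the form
# "add rule <args>", as shown by snfw -ncs in the sample output.
rule_in_archive() {
    archive=$1; shift
    rule=$(normalize_rule "$@")
    [ -f "$archive" ] || return 1
    while IFS= read -r line; do
        [ "$(normalize_rule "$line")" = "add rule $rule" ] && return 0
    done < "$archive"
    return 1
}

# Syntactic pre-check (assumption): a custom rule must start with a valid
# nftables family, then a table and a chain, before any match expression.
rule_looks_valid() {
    set -- $(normalize_rule "$@")
    [ $# -ge 4 ] || return 1
    case $1 in inet|ip|ip6|arp|bridge|netdev) ;; *) return 1 ;; esac
    return 0
}

# Kernel-side validation with nft's check mode: nothing is applied.
# Returns nft's verdict when nft is installed; otherwise reports that the
# check was skipped so the caller can decide what to do.
nft_check_rule() {
    if command -v nft >/dev/null 2>&1; then
        nft -c add rule "$@"
    else
        echo "nft not available: kernel-side check skipped" >&2
        return 0
    fi
}

# Idempotent archive add: rejects malformed rules, never duplicates a rule.
archive_add_rule() {
    archive=$1; shift
    rule_looks_valid "$@" || { echo "rejected: $*" >&2; return 2; }
    if rule_in_archive "$archive" "$@"; then
        echo "already present: $*" >&2
        return 0
    fi
    printf 'add rule %s\n' "$(normalize_rule "$@")" >> "$archive"
}

# Remove exactly the matching archive line, keeping every other rule.
archive_remove_rule() {
    archive=$1; shift
    rule=$(normalize_rule "$@")
    rule_in_archive "$archive" "$@" || { echo "not found: $rule" >&2; return 1; }
    tmp="$archive.tmp.$$"
    while IFS= read -r line; do
        [ "$(normalize_rule "$line")" = "add rule $rule" ] || printf '%s\n' "$line"
    done < "$archive" > "$tmp"
    mv "$tmp" "$archive"
}

# Stand-alone demo on a constructed temporary archive (never the real file).
DEMO_ARCHIVE=$(mktemp)
archive_add_rule "$DEMO_ARCHIVE" inet filter sd_mgmt_rules tcp dport 2345 accept
archive_add_rule "$DEMO_ARCHIVE" inet filter sd_mgmt_rules tcp dport 2345 accept
echo "archive after two adds:"; cat "$DEMO_ARCHIVE"
archive_remove_rule "$DEMO_ARCHIVE" inet filter sd_mgmt_rules tcp dport 2345 accept
echo "archive after remove (expected empty):"; cat "$DEMO_ARCHIVE"
rm -f "$DEMO_ARCHIVE"
```

    The functions deliberately touch only the archive file, not the running ruleset: on Session Manager the live firewall change and the save of the remaining rules are the steps that snfw performs, and doing them by hand with nft is exactly what the procedure warns against because such rules are lost on restart. nft_check_rule() is the useful addition for the note above: because nft -c parses and validates against the current ruleset without applying anything, it catches a typo in the family, table, chain or match expression before snfw --nft-custom-add commits it to both the running instance and the archive.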

Example

Sample console output

[root@purndyk029 ~]# snfw --nft-custom-list
[root@purndyk029 ~]# snfw -ncs
[root@purndyk029 ~]# snfw -nca inet filter sd_mgmt_rules tcp dport 2345 accept
Adding custom rule: 'inet filter sd_mgmt_rules tcp dport 2345 accept'
Checking if already added.. not found, OK
(1/3) Applying rule to the firewall.. OK
(2/3) Saving firewall rules .. OK
(3/3) Saving rule to archive.. OK
[root@purndyk029 ~]# snfw -ncs
add rule inet filter sd_mgmt_rules tcp dport 2345 accept
[root@purndyk029 ~]# snfw -ls | grep 2345
                    tcp dport 2345 accept
[root@purndyk029 ~]# nft list chain inet filter sd_mgmt_rules | grep 2345
                    tcp dport 2345 accept
[root@purndyk029 ~]# snfw -ncd inet filter sd_mgmt_rules tcp dport 2345 accept
Searching for rule: 'tcp dport 2345 accept'
Rule found, attempting to undo it through '/usr/sbin/nft delete rule inet filter sd_mgmt_rules handle 288'..
(1/3) Removing rule from the firewall.. OK
(2/3) Saving remainder firewall rules.. OK
(3/3) Removing from archive.. OK
[root@purndyk029 ~]# snfw -ncs
[root@purndyk029 ~]# snfw -ls | grep 2345
[root@purndyk029 ~]# nft list chain inet filter sd_mgmt_rules | grep 2345
[root@purndyk029 ~]#