Kaspersky Embedded Systems Security for Linux
3.3.0
English

Contents

Firewall Management task (Firewall_Management, ID:12)

During use on local area networks (LANs) and the Internet, a device is exposed to viruses, other malware, and a variety of attacks that exploit vulnerabilities in operating systems and software.

The operating system firewall protects data stored on the user device by blocking most threats when the device is connected to the internet or a LAN.

The operating system firewall allows you to detect all network connections on the user device and provide a list of their IP addresses. The Firewall Management task allows you to set the status of the network connections by configuring the network packet rules. Configuring network packet rules lets you specify the desired level of the device protection, from blocking Internet access for all applications to allowing unlimited access. All outbound connections are allowed by default, unless corresponding blocking rules for the Firewall Management task are specified.

When the Firewall Management task is enabled, Kaspersky Embedded Systems Security automatically deletes all custom rules configured for the firewall with tools provided by the operating system. These rules are not restored after the task is disabled. If required, save the custom firewall rules before enabling the Firewall Management task.

While the Firewall Management task is running, Kaspersky Embedded Systems Security blocks any configuration of the operating system's firewall settings, for example, any attempt by a program or utility to add or delete a firewall rule. Kaspersky Embedded Systems Security checks the operating system firewall every 60 seconds and restores the set of firewall rules if necessary. The checking period cannot be changed.

In the Red Hat Enterprise Linux and CentOS 8 operating systems, firewall rules created using Kaspersky Embedded Systems Security can only be viewed through the application (kess-control -F --query command).

The operating system firewall continues to be checked even when the Firewall Management task is stopped. This allows the application to restore dynamic rules.

To avoid problems on systems with nftables, Kaspersky Embedded Systems Security uses the iptables and iptables-restore system utilities when adding rules for the system firewall.

The application creates a special chain of allowing rules named kess_bypass and adds it first to the list of the mangle table of the iptables and ip6tables utilities. The rules of the kess_bypass chain make it possible to exclude traffic from scans by Kaspersky Embedded Systems Security. The rules in this chain can be changed by means of the operating system.

When the application is removed, the kess_bypass rule chain in iptables and ip6tables is removed only if it was empty.

It is recommended to disable other operating system firewall management tools before enabling the Firewall Management task.

In this Help section

About network packet rules

About dynamic rules

About the predefined network zone names

Firewall Management task settings

Adding a network packet rule

Deleting a network packet rule

Changing the execution priority of a network packet rule

Adding a network address to a zone section

Deleting a network address from a zone section
Page top
[Topic 234820]

About network packet rules

Network packet rules are actions taken by the Kaspersky Embedded Systems Security to allow or deny a detected network connection attempt.

Network packet rules impose restrictions on network packets regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol.

All outbound connections are allowed by default (default action setting), unless the corresponding blocking rules for the Firewall Management are specified. The default action is performed with the lowest priority: if no other network packet rule has been triggered or if no network packet rules have been specified, the connection is allowed.

Firewall Management specifies certain network packet rules by default. You can create your own network packet rules and specify an execution priority for each network packet rule.

Page top
[Topic 198000]

About dynamic rules

Kaspersky Embedded Systems Security allows dynamic rules to be added to, or deleted from, the firewall to ensure the application works properly. For example, Network Agent adds dynamic rules that allow connections to Kaspersky Security Center initiated by the application or by Kaspersky Security Center. The rules of the Anti-Cryptor are also dynamic.

Kaspersky Embedded Systems Security does not control dynamic rules and does not block application components' access to network resources. Dynamic rules do not depend on Firewall Management status (started/stopped) or on changes in the Firewall Management settings. The execution priority of dynamic rules is higher than the priority of network packet rules. The application restores a set of dynamic rules if any of them are deleted, for example, by using the iptables utility.

You can view the set of dynamic rules (using the kess-control -F --query command); however the dynamic rules settings cannot be modified.

Page top
[Topic 198001]

About the predefined network zone names

A predefined network zone is a specific group of IP addresses or subnets. Using a predefined network zone, you can use the same rules for several IP addresses or subnets without having to create a separate rule for each IP address or subnet. The network zone can be used as the value of the "remote address" parameter when creating a network packet rule. Kaspersky Embedded Systems Security has three predefined network zones with specific names:

  • Public. Add a network address or subnet to this zone if it is assigned to networks that are not protected by any anti-virus applications, firewalls, or filters (for example, for Internet cafe networks).
  • Local. Add a network address or subnet to this zone if it is assigned to networks whose users are trusted to access files and printers on this device (for example, a LAN or home network).
  • Trusted. This zone is intended for a safe network in which the device is not exposed to attacks or unauthorized data access attempts.

You cannot create or delete a network zone. You can add or delete IP addresses and subnets to/from a network zone.

Page top
[Topic 198002]

Firewall Management task settings

The table describes all available values and the default values of all the settings that you can specify for the Firewall Management task.

Firewall Management task settings

Setting

Description

Values

DefaultIncomingAction

The default action to perform on an inbound connection if no network rules apply to this connection type.

Allow (default value) — Allow inbound connections.

Block — Block inbound connections.

DefaultIncomingPacketAction

The default action to perform on an incoming packet if no network packet rules apply to this connection type.

Allow (default value) — Allow incoming packets.

Block — Block incoming packets.

OpenNagentPorts

Adds Network Agent dynamic rules to the network packet rules.

Yes (default value) – Add Network Agent dynamic rules to the network packet rules.

No – Do not add Network Agent dynamic rules to the network packet rules.

The [PacketRules.item_#] section contains network packet rules for the Firewall Management task. You can specify several [PacketRules.item_#] sections in any order. The application processes the scopes by index in ascending order.

Each [PacketRules.item_#] section contains the following settings:

Name

Network packet rule name.

Default value: Packet rule #<n>, where n is an index.

FirewallAction

Action to be performed on connections specified in this network packet rule.

Allow (default value) — Allow network connections.

Block — Block network connections.

Protocol

Type of protocol for which network activity is to be monitored.

Any (default value) — The Firewall Management task monitors all network activity.

TCP

UDP

ICMP

ICMPv6

IGMP

GRE

RemotePorts

Port numbers of the remote devices whose connection is monitored.

This setting can only be specified if the Protocol setting is set to TCP or UDP.

An integer or interval can be specified for this setting.

Any (default value) — Monitor all remote ports.

065535.

LocalPorts

Port numbers of the local devices whose connection is monitored.

This setting can only be specified if the Protocol setting is set to TCP or UDP.

An integer or interval can be specified for this setting.

Any (default value) — Monitor all local ports.

065535.

ICMPType

ICMP packet type.

This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6.

Any (default value) — Monitor all ICMP packet types.

Integer number according to the data transfer protocol specification.

ICMPCode

ICMP packet code.

This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6.

Any (default value) — Monitor all ICMP packet codes.

Integer number according to the data transfer protocol specification.

Direction

Direction of the monitored network activity.

IncomingOutgoing or InOut (default value) — Monitor both inbound and outbound connections.

Incoming or In — Monitor inbound connections.

Outgoing or Out — Monitor outbound connections.

IncomingPacket or InPacket — Monitor incoming packets.

OutgoingPacket or OutPacket — Monitor outgoing packets.

IncomingOutgoingPacket or InOutPacket — Monitor both incoming and outgoing packets.

RemoteAddress

The network addresses of the remote devices that can send and receive network packets.

Any (default value) — Monitor network packets sent and/or received by remote devices with any IP address.

Trusted — Predefined network zone for trusted networks.

Local — Predefined network zone for local networks.

Public — Predefined network zone for public networks.

d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

LocalAddress

Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets.

Any (default value) — Monitor network packets sent and/or received by local devices with any IP address.

d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

LogAttempts

Specify whether you want the actions of the network rule to be included in the report.

Yes — Include actions in the report.

No (default value) — Do not include actions in the report.

The [NetworkZonesPublic] section contains network addresses associated with public networks.

You can specify several IP addresses or subnets of IP addresses.

Address.item_#

Specifies IP addresses or subnets of IP addresses.

d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

Default value: "" (no network addresses in this zone)

The [NetworkZonesLocal] section contains network addresses associated with local networks.

You can specify several IP addresses or subnets of IP addresses.

Address.item_#

Specifies IP addresses or subnets of IP addresses.

d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

Default value: "" (no network addresses in this zone)

The [NetworkZonesTrusted] section contains network addresses associated with trusted networks.

You can specify several IP addresses or subnets of IP addresses.

Address.item_#

Specifies IP addresses or subnets of IP addresses.

d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

Default value: "" (no network addresses in this zone)

Page top

[Topic 198003]

Adding a network packet rule

You can manually add a network packet rule.

You can add only one network packet rule at a time.

To add a network packet rule, execute the following command:

kess-control -F --add-rule --name <rule name> --action <action> --protocol <protocol> --direction <direction> --remote <remote address> --local <local address> --at <index in a list of network packet rules>

A section containing new network packet rule settings is added to the Firewall Management task configuration file. If you did not specify a certain setting in the command, the default value is set.

The --at setting lets you specify the index of the created rule in the list of network packet rules. If the --at setting is not specified or its value is larger than the number of rules in the list, the new rule is added to the end of the list.

Examples:

To create a rule that blocks all incoming and established connections to TCP port 23, execute the following command:

kess-control --add-rule --name Block_Telnet --action Block --direction in --protocol TCP --local any:23

--remote any

To create a rule that blocks incoming and established connections via the TCP port 23 for the Public network zone, execute the following command:

kess-control --add-rule --name Block_Telnet --action Block --direction in --protocol TCP --local any:23

--remote Public

Page top

[Topic 198004]

Deleting a network packet rule

You can manually delete a network packet rule.

You can delete only one network packet rule at a time.

To delete a network packet rule, execute one of the following commands:

  • kess-control -F --del-rule --name <rule name>

    A network packet rule will be deleted by its name. If a list of network packet rules contains several rules with the same name, the application does not delete any of them.

  • kess-control -F --del-rule --index <index>

    A network packet rule will be deleted by its index in the network packet rules list.

A section with network packet rules settings is deleted from the configuration file of the Firewall Management task.

If the list of network packet rules does not contain a rule with a specified name or index, an error occurs.

Page top
[Topic 198005]

Changing the execution priority of a network packet rule

You can manually change a network packet rule's execution priority.

To change a network packet rule's execution priority, execute the following command:

kess-control -F --move-rule [--name <rule name>|--index <index>] --at <index>

The execution priority of the network packet rule will be changed according to the specified index.

Page top
[Topic 198006]

Adding a network address to a zone section

You can manually add network addresses associated with a certain type of network to the configuration file of the Firewall Management task.

To add a network address to the zone, execute the following command:

kess-control -F --add-zone <Public|Local|Trusted> --address <address>

The network address is added to the indicated zone section in the task configuration file.

Page top
[Topic 198007]

Deleting a network address from a zone section

You can manually delete network addresses associated with a certain type of network from the configuration file of the Firewall Management task. This may be useful if the network addresses are not used any more.

To delete a network address from a zone, execute the following command:

kess-control -F --del-zone <zone> [--address <address>| --index <address index in the zone>]

The specified network address will be deleted from the indicated zone section in the configuration file.

If a zone contains several items with the same network address, the --del-zone command will not be executed.

If the specified network address or index does not exist, an error message is generated.

Page top
[Topic 198008]