Kaspersky Embedded Systems Security for Linux
3.4.0
English
Firewall Management  >  Firewall Management in the command line

Firewall Management in the command line

In the command line, you can configure Firewall Management using the Firewall Management predefined task (Firewall_Management).

By default, the Firewall Management Task is not run. You can start and stop this task manually.

You can configure the firewall management settings by editing the settings of the Firewall Management predefined task.

You can also configure Firewall Management settings using Firewall Management commands:

  • Create and delete network packet rules and change their execution priority.
  • Create a list of IP addresses or subnets in network zones.
  • View firewall rules created in Kaspersky Embedded Systems Security by using the following command: kess-control -F --query.

    Firewall Management task settings

    Setting

    Description

    Values

    DefaultIncomingAction

    The default action to perform on an inbound connection if no network rules apply to this connection type.

    Allow (default value) — Allow inbound connections.

    Block — Block inbound connections.

    DefaultIncomingPacketAction

    The default action to perform on an incoming packet if no network packet rules apply to this connection type.

    Allow (default value) — Allow incoming packets.

    Block — Block incoming packets.

    OpenNagentPorts

    Adds Network Agent dynamic rules to the network packet rules.

    Yes (default value) – Add Network Agent dynamic rules to the network packet rules.

    No – Do not add Network Agent dynamic rules to the network packet rules.

    The [PacketRules.item_#] section contains network packet rules for the Firewall Management task. You can specify several [PacketRules.item_#] sections in any order. The application processes the scopes by index in ascending order.

    Each [PacketRules.item_#] section contains the following settings:

    Name

    Network packet rule name.

    Default value: Packet rule #<n>, where n is an index.

    FirewallAction

    Action to be performed on connections specified in this network packet rule.

    Allow (default value) — Allow network connections.

    Block — Block network connections.

    Protocol

    Type of protocol for which network activity is to be monitored.

    Any (default value) — The Firewall Management task monitors all network activity.

    TCP

    UDP

    ICMP

    ICMPv6

    IGMP

    GRE

    RemotePorts

    Port numbers of the remote devices whose connection is monitored. An integer or interval can be specified for this value.

    This setting can only be specified if the Protocol setting is set to TCP or UDP.

    Any (default value) — Monitor all remote ports.

    065535.

    LocalPorts

    Port numbers of the local devices whose connection is monitored. An integer or interval can be specified for this value.

    This setting can only be specified if the Protocol setting is set to TCP or UDP.

    Any (default value) — Monitor all local ports.

    065535.

    ICMPType

    ICMP packet type.

    This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6.

    Any (default value) — Monitor all ICMP packet types.

    Integer number according to the data transfer protocol specification.

    ICMPCode

    ICMP packet code.

    This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6.

    Any (default value) — Monitor all ICMP packet codes.

    Integer number according to the data transfer protocol specification.

    Direction

    Direction of the monitored network activity.

    IncomingOutgoing or InOut (default value) — Monitor both inbound and outbound connections.

    Incoming or In — Monitor inbound connections.

    Outgoing or Out — Monitor outbound connections.

    IncomingPacket or InPacket — Monitor incoming packets.

    OutgoingPacket or OutPacket — Monitor outgoing packets.

    IncomingOutgoingPacket or InOutPacket — Monitor both incoming and outgoing packets.

    RemoteAddress

    The network addresses of the remote devices that can send and receive network packets.

    Any (default value) — Monitor network packets sent and/or received by remote devices with any IP address.

    Trusted — Predefined network zone for trusted networks.

    Local — Predefined network zone for local networks.

    Public — Predefined network zone for public networks.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    dddddddd — Range of IPv4 addresses.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x:x:x:x:xx:x:x:x:x:x:x:x — Range of IPv6 addresses.

    x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.

    LocalAddress

    Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets.

    Any (default value) — Monitor network packets sent and/or received by local devices with any IP address.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    dddddddd — Range of IPv4 addresses.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x:x:x:x:xx:x:x:x:x:x:x:x — Range of IPv6 addresses.

    x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.

    LogAttempts

    Include a record of the network rule action in the report.

    Yes — Log actions in the report.

    No (default value)—Do not write the actions in the report.

    The [NetworkZonesPublic] section contains network addresses associated with public networks. You can specify several IP addresses or subnets of IP addresses.

    Address.item_#

    Specifies IP addresses or subnets of IP addresses.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

    Default value: "" (no network addresses in this zone)

    The [NetworkZonesLocal] section contains network addresses associated with local networks. You can specify several IP addresses or subnets of IP addresses.

    Address.item_#

    Specifies IP addresses or subnets of IP addresses.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

    Default value: "" (no network addresses in this zone)

    The [NetworkZonesTrusted] section contains network addresses associated with trusted networks. You can specify several IP addresses or subnets of IP addresses.

    Address.item_#

    Specifies IP addresses or subnets of IP addresses.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

    Default value: "" (no network addresses in this zone)

In this section

Configuring a list of network packet rules in the command line

Configuring network zones in the command line
Article ID: 197674, Last review: Mar 10, 2025
Page top