Firewall Management
A device used on local area networks (LANs) and the internet is exposed to viruses, other malware, and a variety of attacks that exploit vulnerabilities in operating systems and software. The operating system firewall protects data stored on the user device by blocking most threats when the device is connected to the internet or a LAN.
The operating system firewall allows you to detect all network connections on the user device and provide a list of their IP addresses. The Firewall Management component allows you to set the status of the network connections by configuring the network packet rules.
You can use network packet rules to specify the desired level of device protection, from fully blocking Internet access for all applications to allowing unlimited access. All outbound connections are allowed by default, unless corresponding blocking rules for the Firewall Management component are specified.
The Firewall Management component is disabled by default.
It is recommended to disable other operating system firewall management tools before enabling the Firewall Management component.
When the Firewall Management component is enabled, Kaspersky Embedded Systems Security automatically deletes all custom rules configured for the firewall with tools provided by the operating system. These rules are not restored after the component is disabled. If required, save the custom firewall rules before enabling the Firewall Management component.
If firewall management is enabled, Kaspersky Embedded Systems Security scans the operating system firewall and blocks any attempt to change the firewall settings, for example, when an application or utility attempts to add or delete a firewall rule. Kaspersky Embedded Systems Security checks the operating system firewall every 60 seconds and, if necessary, restores the set of firewall rules created using the application. The checking period cannot be changed.
In some operating systems based on the Red Hat Enterprise Linux code base, firewall rules created in the Kaspersky Embedded Systems Security application can only be viewed using a management command (kess-control -F --query).
Kaspersky Embedded Systems Security still scans the operating system firewall when firewall management is disabled. This allows the application to restore dynamic rules.
You can enable or disable firewall management, and also configure the following settings:
- Configure a list of network packet rules that Kaspersky Embedded Systems Security will apply when an attempt to establish a network connection is detected. You can add or remove network packet rules, and also change the execution priority of a network packet rule.
- Select default actions to perform on incoming connections and packets if no other network packet rules apply to this connection type.
- Map network addresses to preset network zones. You can add IP addresses or subnets to network zones and delete addresses from network zones.
- Enable or disable automatic adding of allowing rules for Network Agent ports.
To avoid possible problems on systems with nftables, Kaspersky Embedded Systems Security uses the iptables and iptables-restore system utilities when adding rules for the firewall of the operating system. The application creates a special chain of allowing rules named kess_bypass and adds it first to the list of the mangle table of the iptables and ip6tables utilities. The rules of the kess_bypass chain make it possible to exclude traffic from scans by Kaspersky Embedded Systems Security. The rules in this chain can be changed by means of the operating system. When the application is removed, the kess_bypass rule chain in iptables and ip6tables is removed only if it was empty.
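The two practical checks an administrator wants around this component are (a) a saved copy of the custom rules before Firewall Management is enabled, since the application deletes them and does not restore them, and (b) a way to see whether the kess_bypass chain is present in the mangle table and whether it is empty, because an empty chain is the only one removed at uninstall. The following script is an added example and is not part of Kaspersky's own tooling; it reads an iptables-save style dump (the same format `iptables-save > backup.rules` writes, which is how the custom rules can be saved beforehand) and reports on the kess_bypass chain. The sample dump embedded at the bottom is constructed for illustration, and the `report` function name and the 192.0.2.10 address are assumptions of this example, not values from the product.

```shell
#!/bin/sh
# Added example, not Kaspersky's own code. Inspects an iptables-save dump
# (file path in $1) for the kess_bypass chain that Firewall Management
# places in the mangle table. Works on ip6tables-save output as well,
# since the dump format is the same.

# Print only the *mangle ... COMMIT section of the dump in $1.
mangle_section() {
    awk '/^\*mangle$/ {inside=1; next} /^COMMIT$/ {inside=0} inside' "$1"
}

# Exit 0 if the kess_bypass chain is declared in the mangle table.
kess_bypass_present() {
    mangle_section "$1" | grep -q '^:kess_bypass '
}

# Print the number of rules in the kess_bypass chain. 0 means the chain is
# empty, which is the condition under which uninstall removes it.
# "|| true" keeps grep's exit status 1 on zero matches from tripping set -e.
kess_bypass_rule_count() {
    mangle_section "$1" | grep -c '^-A kess_bypass ' || true
}

# Human-readable summary for one dump (hypothetical helper name).
report() {
    if kess_bypass_present "$1"; then
        n=$(kess_bypass_rule_count "$1")
        echo "$1: kess_bypass chain present in mangle table with $n rule(s)"
    else
        echo "$1: kess_bypass chain not found in mangle table"
    fi
}

# Constructed sample dump, shaped like iptables-save output on a host where
# Firewall Management has created the chain and one rule was added to it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample, not from a real host)
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:kess_bypass - [0:0]
-A kess_bypass -s 192.0.2.10/32 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

report "$SAMPLE"
# On a real host, run as root: iptables-save > backup.rules; sh inspect.sh backup.rules
```

Run it against a real dump before enabling the component to confirm the backup captured the custom rules, and again afterwards to see the chain the application created; because the application re-applies its rule set every 60 seconds, any difference between two dumps taken a minute apart should be limited to the rules added through Kaspersky Embedded Systems Security itself or to the kess_bypass chain, which the operating system is allowed to change.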