Firewall Management
A device used on local area networks (LANs) and the internet is exposed to viruses, other malware, and a variety of attacks that exploit vulnerabilities in operating systems and software. The operating system firewall protects data stored on the user device by blocking most threats when the device is connected to the internet or a LAN.
The operating system firewall allows you to detect all network connections on the user device and provide a list of their IP addresses. The Firewall Management component allows you to set the status of the network connections by configuring the network packet rules.
You can use network packet rules to specify the desired level of device protection, from fully blocking Internet access for all applications to allowing unlimited access. All outbound connections are allowed by default, unless corresponding blocking rules for the Firewall Management component are specified.
The Firewall Management component is disabled by default.
It is recommended to disable other operating system firewall management tools before enabling the Firewall Management component.
When the Firewall Management component is enabled, Kaspersky Embedded Systems Security automatically deletes all custom rules configured for the firewall with tools provided by the operating system. These rules are not restored after the component is disabled. If required, save the custom firewall rules before enabling the Firewall Management component.
If firewall management is enabled, Kaspersky Embedded Systems Security scans the operating system firewall and blocks any attempt to change the firewall settings, for example, when an application or utility attempts to add or delete a firewall rule. Kaspersky Embedded Systems Security checks the operating system firewall every 60 seconds and, if necessary, restores the set of firewall rules created using the application. The checking period cannot be changed.
In some operating systems based on the Red Hat Enterprise Linux code base, firewall rules created in the Kaspersky Embedded Systems Security application can only be viewed using a management command (kess-control -F --query).
Kaspersky Embedded Systems Security still scans the operating system firewall when firewall management is disabled. This allows the application to restore dynamic rules.
You can enable or disable firewall management, and also configure the following settings:
- Configure a list of network packet rules that Kaspersky Embedded Systems Security will apply when an attempt to establish a network connection is detected. You can add or remove network packet rules, and also change the execution priority of a network packet rule.
- Select default actions to perform on incoming connections and packets if no other network packet rules apply to this connection type.
- Map network addresses to preset network zones. You can add IP addresses or subnets to network zones and delete addresses from network zones.
- Enable or disable automatic adding of allowing rules for Network Agent ports.
To avoid possible problems on systems with nftables, Kaspersky Embedded Systems Security uses the iptables and iptables-restore system utilities when adding rules for the firewall of the operating system. The application creates a special chain of allowing rules named kess_bypass and adds it first to the list of the mangle table of the iptables and ip6tables utilities. The rules of the kess_bypass chain make it possible to exclude traffic from scans by Kaspersky Embedded Systems Security. The rules in this chain can be changed by means of the operating system. When the application is removed, the kess_bypass rule chain in iptables and ip6tables is removed only if it was empty.
About network packet rules
Network packet rules are actions taken by the Kaspersky Embedded Systems Security to allow or deny a detected network connection attempt.
Network packet rules impose restrictions on network packets regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol.
All outbound connections are allowed by default (default action setting), unless the corresponding blocking rules for the Firewall Management are specified. The default action is performed with the lowest priority: if no other network packet rule has been triggered or if no network packet rules have been specified, the connection is allowed.
Firewall Management specifies certain network packet rules by default. You can create your own network packet rules and specify an execution priority for each network packet rule.
About dynamic rules
Kaspersky Embedded Systems Security allows dynamic rules to be added to, or deleted from, the firewall to ensure the application works properly. For example, Network Agent adds dynamic rules that allow connections to Kaspersky Security Center initiated by the application or by Kaspersky Security Center. The rules of the Anti-Cryptor are also dynamic.
Kaspersky Embedded Systems Security does not control dynamic rules and does not block application components' access to network resources. Dynamic rules do not depend on the Firewall Management component state (enabled/disabled) or changes to the settings of the component operation. The execution priority of dynamic rules is higher than the priority of network packet rules. The application restores a set of dynamic rules if any of them are deleted, for example, by using the iptables utility.
You can view the set of dynamic rules (using the kess-control -F --query command); however, the dynamic rules settings cannot be modified.
About the predefined network zone names
A predefined network zone is a specific group of IP addresses or subnets. Using a predefined network zone, you can use the same rules for several IP addresses or subnets without having to create a separate rule for each IP address or subnet. The network zone can be used as the value of the "remote address" parameter when creating a network packet rule. Kaspersky Embedded Systems Security has three predefined network zones with specific names:
- Public. Add a network address or subnet to this zone if it is assigned to networks that are not protected by any anti-virus applications, firewalls, or filters (for example, for Internet cafe networks).
- Local. Add a network address or subnet to this zone if it is assigned to networks whose users are trusted to access files and printers on this device (for example, a LAN or home network).
- Trusted. This zone is intended for a safe network in which the device is not exposed to attacks or unauthorized data access attempts.
You cannot create or delete a network zone. You can add or delete IP addresses and subnets to/from a network zone.
Firewall Management in the Web Console
In the Web Console, you can configure Firewall Management settings in the policy properties (Application settings → Essential Threat Protection → Firewall Management).
Firewall Management settings

| Setting | Description |
|---|---|
| Firewall Management enabled / disabled | This toggle button enables or disables Firewall Management. The toggle button is switched off by default. |
| Network packet rules | Clicking the Configure network packet rules link opens the Network packet rules window. In this window, you can configure the list of network packet rules that are applied by the Firewall Management component when it detects the network connection attempt. |
| Available networks | Clicking the Configure available networks link opens the Available networks window. In this window, you can configure the list of networks that the Firewall Management component will monitor. |
| Incoming connections | In this drop-down list, you can select the action to be performed for incoming network connections: |
| Incoming packets | In this drop-down list, you can select the action to be performed for incoming packets: |
| Always add allowing rules for Network Agent ports | This check box enables or disables automatic adding of allowing rules for Network Agent ports. The check box is selected by default. |
Network packet rules window
The Network packet rules table contains network packet rules that the Firewall Management component uses for network activity monitoring. You can configure the settings described in the table below for network packet rules.
Network packet rules settings

| Setting | Description |
|---|---|
| Name | Network packet rule name. |
| Action | Action to be performed by Firewall Management when it detects the network activity. |
| Local addresses | Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets. |
| Remote addresses | Network addresses of remote devices that can send and/or receive network packets. |
| Direction | Direction of the monitored network activity. |
| Protocol | Type of data transfer protocol for which network activity is monitored. |
| Local ports | Port numbers of local devices between which the connection is monitored. |
| Remote ports | Port numbers of remote devices between which the connection is monitored. |
| ICMP type | ICMP type. The Firewall Management component monitors messages of the specified type sent by a host or gateway. |
| ICMP code | ICMP code. The Firewall Management component monitors messages of the type specified in the ICMP type field and the code specified in the ICMP code field, sent by a host or gateway. |
| Logging | This column shows if the application logs actions of the network packet rule. If the value is Yes, the application logs the actions of the network packet rule. If the value is No, the application does not log the actions of the network packet rule. |
By default, the table of network packet rules is empty.
You can add, edit, delete, move up, and move down network packet rules in the table.
Network packet rule window
In this window, you can configure the network packet rule.
Network packet rule settings

| Setting | Description |
|---|---|
| Rule name | The field for entering the name of the network packet rule. |
| Action | In the drop-down list, you can select an action to be performed by the Firewall Management component when it detects network activity: |
| Protocol | In the drop-down list, you can select the type of data transfer protocol for which you want to monitor network activity: |
| Specify ICMP type | This check box lets you specify the ICMP type. The Firewall Management component monitors messages of the specified type sent by the host or gateway. If this check box is selected, the field for entering the ICMP type is displayed. This check box is displayed only if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list. This check box is cleared by default. |
| Specify ICMP code | This check box lets you specify the ICMP code. The Firewall Management component monitors messages of the type specified in the field under the ICMP type check box, with the code specified in the field under the ICMP code check box, and sent by the host or gateway. If this check box is selected, the field for entering the ICMP code is displayed. This check box is displayed only if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list. It is available only if the Specify ICMP type check box is selected. This check box is cleared by default. |
| Direction | In this drop-down list, you can specify the direction of the monitored network activity: |
| Remote addresses | In this drop-down list, you can specify network addresses of the remote devices that can send and receive network packets: |
| Specify remote ports | This check box allows you to specify the port numbers of the remote devices between which the connection must be monitored. If this check box is selected, the field for entering port numbers is displayed. This check box is displayed only if the TCP or UDP data transfer protocol is selected in the Protocol drop-down list. This check box is cleared by default. |
| Local addresses | In this drop-down list, you can specify the network addresses of the devices with Kaspersky Embedded Systems Security installed that can send and receive network packets: |
| Specify local ports | This check box allows you to specify the port numbers of the local devices between which the connection must be monitored. If this check box is selected, the field for entering port numbers is displayed. This check box is displayed only if the TCP or UDP data transfer protocol is selected in the Protocol drop-down list. This check box is cleared by default. |
| Log events | This check box lets you specify whether the actions of the network rule are recorded in the report. If the check box is selected, the application writes the actions of the network rule to the report. If the check box is cleared, the application does not write the actions of the network rule to the report. This check box is cleared by default. |
Available networks window
The Available networks table contains the networks controlled by the Firewall Management component. The table of available networks is empty by default.
Available networks settings

| Setting | Description |
|---|---|
| IP address | Network IP address. |
| Network type | Network type (Public network, Local network, or Trusted network). |
Network connection window
In this window, you can configure the network connection that the Firewall Management component will monitor.
Network connection

| Setting | Description |
|---|---|
| IP address | The field for entering the IP address of the network. |
| Network type | You can select the type of the network: |
Firewall Management in the Administration Console
In the Administration Console, you can configure Firewall Management settings in the policy properties (Application settings → Essential Threat Protection → Firewall Management).
Firewall Management settings

| Setting | Description |
|---|---|
| Enable Firewall Management | This check box enables or disables Firewall Management. This check box is cleared by default. |
| Network packet rules | This group of settings contains the Configure button. Clicking this button opens the Network packet rules window. In this window, you can configure network packet rules that are applied by the Firewall Management component when it detects the network connection attempt. |
| Available networks | This group of settings contains the Configure button. Clicking this button opens the Available networks window. In this window, you can configure the list of networks that the Firewall Management component will monitor. |
| Incoming connections | In this drop-down list, you can select the action to be performed for incoming network connections: |
| Incoming packets | In this drop-down list, you can select the action to be performed for incoming packets: |
| Always add allowing rules for Network Agent ports | This check box enables or disables automatic adding of allowing rules for Network Agent ports. The check box is selected by default. |
Network packet rules window
The Network packet rules table contains network packet rules that the Firewall Management component uses for network activity monitoring. You can configure the settings described in the table below for network packet rules.
Network packet rules settings

| Setting | Description |
|---|---|
| Name | Network packet rule name. |
| Action | Action to be performed by Firewall Management when it detects the network activity. |
| Local address | Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets. |
| Remote address | Network addresses of remote devices that can send and/or receive network packets. |
| Logging | This column shows if the application logs actions of the network packet rule. If the value is Yes, the application logs the actions of the network packet rule. If the value is No, the application does not log the actions of the network packet rule. |
By default, the table of network packet rules is empty.
You can add, edit, delete, move up, and move down network packet rules in the table.
Added network packet rule window
In this window, you can configure the added network packet rule settings.
Network packet rule settings

| Setting | Description |
|---|---|
| Protocol | You can select the type of data transfer protocol for which you want to monitor network activity: |
| Direction | You can specify the direction of network activity being monitored: |
| ICMP type | You can specify the ICMP type. The Firewall Management component monitors messages of the specified type sent by the host or gateway. If the Specified option is selected, the field for entering the ICMP type will be displayed. This window is displayed if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list. |
| ICMP code | You can specify the ICMP code. The Firewall Management component monitors messages of the type specified in the ICMP type field, with the code specified in the ICMP code field, and sent by the host or gateway. If the Specified option is selected, the field for entering the ICMP code will be displayed. This window is displayed if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list. |
| Remote ports | You can specify the port numbers of the remote devices between which the connection is to be monitored. If the Specified option is selected, the field for entering the port numbers will be displayed. This window is displayed only if the TCP or UDP data transfer protocol is selected in the Protocol drop-down list. |
| Local ports | You can specify the port numbers of the local devices between which the connection is to be monitored. If the Specified option is selected, the field for entering the port numbers will be displayed. This window is displayed only if the TCP or UDP data transfer protocol is selected in the Protocol drop-down list. |
| Remote addresses | You can specify the network addresses of the remote devices that can send and receive network packets: |
| Local addresses | You can specify the network addresses of the devices with Kaspersky Embedded Systems Security installed that can send and receive network packets: |
| Action | You can select an action to be performed by the Firewall Management component when it detects network activity: |
| Logging | You can specify whether the actions of the network rule will be logged in the report. |
| Rule name | The field for entering the name of the network packet rule. |
Add IP addresses window
In this window, you can specify the IP address of the device, network address or range of IP addresses.
You can specify multiple addresses; enter each address on a new line for convenience of copying them.
Available networks window
The Available networks table contains the networks controlled by the Firewall Management component. The table of available networks is empty by default.
Available networks settings

| Setting | Description |
|---|---|
| IP address | Network IP address. |
| Network type | Network type (Public network, Local network, or Trusted network). |
Network connection window
In this window, you can configure the network connection that the Firewall Management component will monitor.
Network connection

| Setting | Description |
|---|---|
| IP address | The field for entering the IP address of the network. |
| Network type | You can select the type of the network: |
Firewall Management in the command line
In the command line, you can configure Firewall Management using the Firewall Management predefined task (Firewall_Management).
By default, the Firewall Management Task is not run. You can start and stop this task manually.
You can configure the firewall management settings by editing the settings of the Firewall Management predefined task.
You can also configure Firewall Management settings using Firewall Management commands:
- Create and delete network packet rules and change their execution priority.
- Create a list of IP addresses or subnets in network zones.
- View firewall rules created in Kaspersky Embedded Systems Security by using the kess-control -F --query command.

Firewall Management task settings

- DefaultIncomingAction. The default action to perform on an inbound connection if no network rules apply to this connection type. Values:
  - Allow (default value) — Allow inbound connections.
  - Block — Block inbound connections.
- DefaultIncomingPacketAction. The default action to perform on an incoming packet if no network packet rules apply to this connection type. Values:
  - Allow (default value) — Allow incoming packets.
  - Block — Block incoming packets.
- OpenNagentPorts. Adds Network Agent dynamic rules to the network packet rules. Values:
  - Yes (default value) — Add Network Agent dynamic rules to the network packet rules.
  - No — Do not add Network Agent dynamic rules to the network packet rules.

The [PacketRules.item_#] section contains network packet rules for the Firewall Management task. You can specify several [PacketRules.item_#] sections in any order. The application processes the sections by index in ascending order. Each [PacketRules.item_#] section contains the following settings:

- Name. Network packet rule name. Default value: Packet rule #<n>, where n is an index.
- FirewallAction. Action to be performed on connections specified in this network packet rule. Values:
  - Allow (default value) — Allow network connections.
  - Block — Block network connections.
- Protocol. Type of protocol for which network activity is to be monitored. Values:
  - Any (default value) — The Firewall Management task monitors all network activity.
  - TCP
  - UDP
  - ICMP
  - ICMPv6
  - IGMP
  - GRE
- RemotePorts. Port numbers of the remote devices whose connection is monitored. An integer or interval can be specified for this value. This setting can only be specified if the Protocol setting is set to TCP or UDP. Values:
  - Any (default value) — Monitor all remote ports.
  - 0–65535.
- LocalPorts. Port numbers of the local devices whose connection is monitored. An integer or interval can be specified for this value. This setting can only be specified if the Protocol setting is set to TCP or UDP. Values:
  - Any (default value) — Monitor all local ports.
  - 0–65535.
- ICMPType. ICMP packet type. This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6. Values:
  - Any (default value) — Monitor all ICMP packet types.
  - Integer number according to the data transfer protocol specification.
- ICMPCode. ICMP packet code. This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6. Values:
  - Any (default value) — Monitor all ICMP packet codes.
  - Integer number according to the data transfer protocol specification.
- Direction. Direction of the monitored network activity. Values:
  - IncomingOutgoing or InOut (default value) — Monitor both inbound and outbound connections.
  - Incoming or In — Monitor inbound connections.
  - Outgoing or Out — Monitor outbound connections.
  - IncomingPacket or InPacket — Monitor incoming packets.
  - OutgoingPacket or OutPacket — Monitor outgoing packets.
  - IncomingOutgoingPacket or InOutPacket — Monitor both incoming and outgoing packets.
- RemoteAddress. The network addresses of the remote devices that can send and receive network packets. Values:
  - Any (default value) — Monitor network packets sent and/or received by remote devices with any IP address.
  - Trusted — Predefined network zone for trusted networks.
  - Local — Predefined network zone for local networks.
  - Public — Predefined network zone for public networks.
  - d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.
  - d.d.d.d–d.d.d.d — Range of IPv4 addresses.
  - d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.
  - x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.
  - x:x:x:x:x:x:x:x–x:x:x:x:x:x:x:x — Range of IPv6 addresses.
  - x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.
- LocalAddress. Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets. Values:
  - Any (default value) — Monitor network packets sent and/or received by local devices with any IP address.
  - d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.
  - d.d.d.d–d.d.d.d — Range of IPv4 addresses.
  - d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.
  - x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.
  - x:x:x:x:x:x:x:x–x:x:x:x:x:x:x:x — Range of IPv6 addresses.
  - x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.
- LogAttempts. Include a record of the network rule action in the report. Values:
  - Yes — Log actions in the report.
  - No (default value) — Do not write the actions in the report.

The [NetworkZonesPublic] section contains network addresses associated with public networks. You can specify several IP addresses or subnets of IP addresses.

- Address.item_#. Specifies IP addresses or subnets of IP addresses. Default value: "" (no network addresses in this zone). Values:
  - d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.
  - d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.
  - x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.
  - x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

The [NetworkZonesLocal] section contains network addresses associated with local networks. You can specify several IP addresses or subnets of IP addresses.

- Address.item_#. Specifies IP addresses or subnets of IP addresses. Default value: "" (no network addresses in this zone). Values:
  - d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.
  - d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.
  - x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.
  - x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

The [NetworkZonesTrusted] section contains network addresses associated with trusted networks. You can specify several IP addresses or subnets of IP addresses.

- Address.item_#. Specifies IP addresses or subnets of IP addresses. Default value: "" (no network addresses in this zone). Values:
  - d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.
  - d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.
  - x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.
  - x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.
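As an added example (not code from the Kaspersky documentation or product), the following Python parses a constructed Firewall Management task configuration in the [PacketRules.item_#] and [NetworkZones*] format described above, rejects the setting combinations the documentation rules out (ports without TCP/UDP, ICMP type/code without ICMP/ICMPv6, a zone name in LocalAddress), and evaluates sample inbound connections by ascending rule index with the default action as the lowest-priority fallback. The first-match semantics, the sample addresses and the treatment of packet-level directions are assumptions; the product itself applies the rules through the operating system firewall.

```python
# Added example, not Kaspersky code: parse and evaluate the documented
# [PacketRules.item_#] and [NetworkZones*] task settings; match semantics assumed.
import configparser
import ipaddress
import re

PROTOCOLS = {"Any", "TCP", "UDP", "ICMP", "ICMPv6", "IGMP", "GRE"}
ZONES = ("Public", "Local", "Trusted")
CONN_DIRS = {"In": {"In", "Incoming", "InOut", "IncomingOutgoing"},
             "Out": {"Out", "Outgoing", "InOut", "IncomingOutgoing"}}
# Setting -> protocols it may be combined with, per the documentation.
REQUIRES = {"RemotePorts": ("TCP", "UDP"), "LocalPorts": ("TCP", "UDP"),
            "ICMPType": ("ICMP", "ICMPv6"), "ICMPCode": ("ICMP", "ICMPv6")}
# Constructed sample. item_0001 precedes item_0000 in the file on purpose
# (evaluation follows the index), and item_0001 has no Name (default applies).
SAMPLE_CONFIG = """[NetworkZonesLocal]
Address.item_0000=192.168.10.0/24
[PacketRules.item_0001]
FirewallAction=Block
Protocol=TCP
Direction=In
LocalPorts=22
[PacketRules.item_0000]
Name=Allow SSH from Local zone
FirewallAction=Allow
Protocol=TCP
Direction=In
RemoteAddress=Local
LocalPorts=22
"""

def parse_ports(value):
    """'Any' -> (0, 65535); '22' -> (22, 22); '1024-65535' -> (1024, 65535)."""
    if value == "Any":
        return (0, 65535)
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value)
    lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (1, 0)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port value {value!r}")
    return (lo, hi)

def parse_address(value, zones_allowed):
    """Return 'Any', a zone name or an ip_network (address ranges not handled)."""
    if value in ZONES and not zones_allowed:
        raise ValueError("zone names are valid only for RemoteAddress")
    return value if value in ("Any",) + ZONES else ipaddress.ip_network(value, strict=False)

def load_config(text):
    """Parse task settings; return (rules sorted by index, zone -> networks)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    zones = {z: [ipaddress.ip_network(v, strict=False) for k, v in
                 cp[f"NetworkZones{z}"].items() if k.startswith("address.item_")]
             for z in ZONES if cp.has_section(f"NetworkZones{z}")}
    rules = []
    for section in (n for n in cp.sections() if n.startswith("PacketRules.item_")):
        s, idx = cp[section], int(section.rsplit("_", 1)[1])
        proto, action = s.get("Protocol", "Any"), s.get("FirewallAction", "Allow")
        if proto not in PROTOCOLS or action not in ("Allow", "Block"):
            raise ValueError(f"{section}: bad Protocol or FirewallAction")
        for key, allowed in REQUIRES.items():  # documented combination rules
            if key in s and proto not in allowed:
                raise ValueError(f"{section}: {key} requires Protocol in {allowed}")
        rules.append({"index": idx, "name": s.get("Name", f"Packet rule #{idx}"),
                      "action": action, "protocol": proto,
                      "direction": s.get("Direction", "InOut"),
                      "remote": parse_address(s.get("RemoteAddress", "Any"), True),
                      "local": parse_address(s.get("LocalAddress", "Any"), False),
                      "rports": parse_ports(s.get("RemotePorts", "Any")),
                      "lports": parse_ports(s.get("LocalPorts", "Any"))})
    return sorted(rules, key=lambda r: r["index"]), zones

def address_matches(pattern, ip, zones):
    ip = ipaddress.ip_address(ip)
    if isinstance(pattern, str):  # 'Any', or a zone's configured member networks
        return pattern == "Any" or any(ip in n for n in zones.get(pattern, ()))
    return ip in pattern

def evaluate(rules, zones, direction, proto, remote_ip, remote_port,
             local_ip, local_port, default_action="Allow"):
    """First matching rule (ascending index) decides; else the default action."""
    for r in rules:
        if (r["direction"] in CONN_DIRS[direction] and r["protocol"] in ("Any", proto)
                and address_matches(r["remote"], remote_ip, zones)
                and address_matches(r["local"], local_ip, zones)
                and r["rports"][0] <= remote_port <= r["rports"][1]
                and r["lports"][0] <= local_port <= r["lports"][1]):
            return r["action"], r["name"]
    return default_action, "default action"
```

Pass the configured DefaultIncomingAction value as default_action to see how a connection that no rule covers is treated.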
Configuring a list of network packet rules in the command line
To add a network packet rule, execute the following command:

kess-control --add-rule [--name <rule name>] [--action <action>] [--protocol <protocol>] [--direction <direction>] [--remote <remote address>[:<port range>]] [--local <local address>[:<port range>]] [--at <index>]

where:

- --name <rule name> is the name of the network packet rule.
- --action <action> is the action to be performed on connections specified in the network packet rule.
- --protocol <protocol> is the type of data transfer protocol for which you want to monitor network activity.
- --direction <direction> is the direction of the monitored network activity.
- --remote <remote address[:<port range>]> is the network address of the remote device. You can specify the name of a predefined network zone as the remote address.
- --local <local address[:<port range>]> is the network address of the device with Kaspersky Embedded Systems Security installed.
- --at <index> is the index of the rule in the list of network packet rules. If the --at option is not specified or its value is larger than the number of rules in the list, the new rule is added to the end of the list.

Parameters that you do not specify values for in the command are set to their default values.

Examples:

To create a rule that blocks all incoming and established connections to TCP port 23, execute the following command:

To create a rule that blocks incoming and established connections via TCP port 23 for the Public network zone, execute the following command:
To delete a network packet rule, execute one of the following commands:

kess-control --del-rule --name <rule name>

kess-control --del-rule --index <index>

where:

- --name <rule name> is the name of the network packet rule.
- --index <index> is the current index of the rule in the list of network packet rules.
If the list of network packet rules contains multiple rules with an identical name or does not contain a rule with a specified name or index, an error occurs.
To change a network packet rule's execution priority, execute one of the following commands:

kess-control --move-rule --name <rule name> --at <index>

kess-control --move-rule --index <index> --at <index>

where:

- --name <rule name> is the name of the network packet rule.
- --index <index> is the current index of the rule in the list of network packet rules.
- --at <index> is the new index of the rule in the list of network packet rules.
Configuring network zones in the command line
To add a network address to a zone, execute the following command:

kess-control --add-zone --zone <zone> --address <address>

where:

- --zone <zone> is the predefined name of the network zone. Possible values: Public, Local, Trusted.
- --address <address> is the network address or subnet.
To delete a network address from a zone, execute one of the following commands:

kess-control --del-zone --zone <zone> --address <address>

kess-control --del-zone --zone <zone> --index <address index in the zone>

If a zone contains several items with the same network address, the --del-zone command will not be executed.
If the specified network address or index does not exist, an error message is generated.