
How does the firewall work?

As of now the agent interfaces with iptables and can manage a range of functions. This requires that `iptables` is installed on the device. The state-based approach ensures that the firewall rules are continuously checked and re-established if they deviate from what is defined in the configuration.

Therefore, it is important that the firewall is either fully managed by the agent or not managed by it at all. If other tools configure the firewall, this function should not be used, as the agent would work against those tools.

The agent always communicates over HTTPS on port 443, and it does not need any open ports, even for remote access.

Setting up the firewall configuration

First configure the default firewall policy:

  • Accept - accept all connections on all ports

  • Drop - deny all connections on all ports

Rules can be created for TCP or UDP.

The IP access range can be limited in CIDR format; use ANY or an empty value to allow any IP to connect. Destination ports are defined in a similar fashion: the accepted port range is 1 - 65535, or use ANY or an empty value to allow any destination port.

CIDR notation is required for IP addresses; for example, 192.168.100.0/24 allows only devices in the IP range 192.168.100.0 to 192.168.100.255. More information on CIDR notation.
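The following is an added example, not the agent's own code, showing how a configuration in the form described above (default policy, TCP/UDP rules, CIDR or ANY/empty source, port or port range or ANY/empty) maps to iptables rules, and how a state-based check finds the rules that have drifted from a captured `iptables -S INPUT` listing. The `Rule` class, the INPUT-chain-only scope and the sample listing are assumptions made for illustration.

```python
# Added example (not the agent's code): render the documented firewall
# configuration as iptables rules and detect drift against a live listing.
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Rule:                 # hypothetical rule shape, mirrors the doc's fields
    proto: str              # "tcp" or "udp"
    src: str = ""           # CIDR, "ANY" or "" (any source IP)
    dports: str = ""        # "443", "8000-8100", "ANY" or "" (any port)

def _is_any(value: str) -> bool:
    return value.strip().upper() in ("", "ANY")

def render_rule(rule: Rule) -> str:
    """Return the rule in the form `iptables -S` prints it for the INPUT chain."""
    if rule.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    parts = ["-A INPUT"]
    if not _is_any(rule.src):
        # CIDR is mandatory; ip_network() rejects a bare host address such as "10.0.0.1"
        if "/" not in rule.src:
            raise ValueError("source must be in CIDR notation")
        parts.append(f"-s {ipaddress.ip_network(rule.src)}")
    parts.append(f"-p {rule.proto}")
    if not _is_any(rule.dports):
        lo, _, hi = rule.dports.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError("destination ports must lie within 1-65535")
        port = str(lo_i) if lo_i == hi_i else f"{lo_i}:{hi_i}"
        parts.append(f"-m {rule.proto} --dport {port}")
    parts.append("-j ACCEPT")
    return " ".join(parts)

def desired_state(policy: str, rules: List[Rule]) -> List[str]:
    """Default policy ("accept"/"drop") followed by the rendered accept rules."""
    target = {"accept": "ACCEPT", "drop": "DROP"}[policy.strip().lower()]
    return [f"-P INPUT {target}"] + [render_rule(r) for r in rules]

def drift(policy: str, rules: List[Rule], iptables_s_output: str) -> List[str]:
    """Desired lines missing from the live listing: what a state-based agent re-applies."""
    live = {line.strip() for line in iptables_s_output.splitlines() if line.strip()}
    return [line for line in desired_state(policy, rules) if line not in live]

if __name__ == "__main__":
    # Constructed sample: the live box lost the HTTPS rule, so only that line is reported.
    want = [Rule("tcp", "192.168.100.0/24", "443"), Rule("udp", "ANY", "")]
    live = "-P INPUT DROP\n-A INPUT -p udp -j ACCEPT\n"
    print(drift("drop", want, live))
```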