Custom firewall rules
All firewall rules are managed through individual .nft files located in the /etc/nftables-plixer/ directory.
The 00-base.nft file defines the base nftables sets and rules provided by Plixer. It is useful for understanding how the rules are structured, but it should not be modified directly; put changes in a separate file as described below.
To change the default firewall configuration or add custom rules, SSH to the instance as the plixer user via scrut_util and create a new .nft file in the /etc/nftables-plixer/ directory. Files in this directory are loaded in order of their numeric prefix, so the new file must use a prefix higher than 00 (for example 20-) to ensure it is loaded after the base rules and can reference the sets and chains they define. Any additional .nft files created in this directory are preserved across upgrades and are applied as custom firewall logic.
Additional service ports can be opened by adding elements to the base service port sets, tcp_service_ports and udp_service_ports, from a custom file.
The following user-defined chains can be used to define additional custom rules as needed:
- local_input_rules
- local_output_rules
- local_forward_rules
Scrutinizer includes an example file that contains inline comments and a variety of sample configurations to help users get started in writing their own rules:
/etc/nftables-plixer/20-local-rules.nft.example
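The following is an added example of what a custom rules file could look like; it is not Plixer's 20-local-rules.nft.example or any other file shipped with the product. It assumes the base ruleset is declared in a table named inet filter and that tcp_service_ports and udp_service_ports are inet_service sets, and it uses made-up addresses and ports. Confirm the table family and name in 00-base.nft before using it.

```nft
# /etc/nftables-plixer/20-local-rules.nft
# Added example, not a Plixer file. Assumptions: the base ruleset lives in
# a table named "inet filter" and tcp_service_ports / udp_service_ports are
# inet_service sets. Addresses and ports below are illustrative only.

# A set of our own, so management-only rules stay readable when hosts change.
add set inet filter mgmt_hosts { type ipv4_addr; flags interval; }
add element inet filter mgmt_hosts { 10.20.0.0/24, 192.0.2.10 }

# Open additional service ports by extending the base service port sets
# (an extra TCP management port and an extra UDP flow collection port).
add element inet filter tcp_service_ports { 8443 }
add element inet filter udp_service_ports { 2055 }

# Rules appended to the user-defined chains. "add rule" appends to the end of
# the chain, after anything already placed there by earlier files.
# Inbound: allow new SSH sessions only from management hosts.
add rule inet filter local_input_rules ip saddr @mgmt_hosts tcp dport 22 ct state new accept
# Outbound: allow mail to an internal relay and count how often it is used.
add rule inet filter local_output_rules ip daddr 10.99.0.5 tcp dport 25 counter accept
# Forwarding: this appliance should not route traffic; log and drop anything that tries.
add rule inet filter local_forward_rules log prefix "nft-local-forward-drop: " counter drop
```

Before the file is loaded, its syntax can be checked on the instance with `nft -c -f /etc/nftables-plixer/20-local-rules.nft`; the -c flag validates the commands without changing the running ruleset. Because the file references sets and chains created by 00-base.nft, that check only succeeds while the base ruleset is already loaded. Since files load in numeric order, a set defined in a 20- file can be referenced from a 30- file but not the other way round.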