Custom firewall rules

Scrutinizer firewall rules are managed using individual .nft files in /etc/nftables-plixer/ and enforced by the nftables framework.

The 00-base.nft file defines the base nftables sets and rules provided by Plixer. This file can be used as a reference for the required format/structure of rule definitions. However, directly modifying this file is not recommended.

New custom rules can be added as follows:

  1. SSH to the Scrutinizer server as the plixer user:

    ssh plixer@SCRUTINIZER_IP
  2. Create a copy of the example file:

    cp /etc/nftables-plixer/20-local-rules.nft.example /etc/nftables-plixer/20-local-rules.nft
    Alternatively, a blank file named 20-local-rules.nft can be manually created in the same directory if one does not exist yet.

  3. Edit 20-local-rules.nft to add rule definitions (20-local-rules.nft.example contains sample definitions commented out with #).

  4. Save the changes to 20-local-rules.nft.

  5. Reload the nftables service so the new rules take effect:

    sudo systemctl reload nftables
Note

The 00-base-rules.nft, 10-plxr-*, and 10-replicator-* files may be modified or overwritten by Plixer processes or upgrades. 20-local-rules.nft will not be affected by upgrades.

Example rule

To allow inbound connections to the Zabbix agent (TCP port 10050), add the following rule definition to the file:

add element inet filter tcp_service_ports { 10050 }

Technical details

  • Service port sets can be updated using either tcp_service_ports or udp_service_ports.

  • The following user-defined chains can be used to define additional custom rules as needed:

    • local_input_rules

    • local_output_rules

    • local_forward_rules

  • To view all rules run:

    sudo nft list ruleset
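A fuller 20-local-rules.nft, added here as an example (it is not Plixer's file), showing both the port-set entry from Example rule above and rules placed in the local_* chains from Technical details. It assumes the base file creates the table as inet filter, as the page's own example implies; the 192.0.2.x addresses are constructed.

```nft
# /etc/nftables-plixer/20-local-rules.nft  (added example, not Plixer's own file)
# Assumes the base file defines table "inet filter" with the sets and
# local_* chains named under Technical details. 192.0.2.x addresses are
# constructed documentation values.

# 1. Open a service to every source by extending a port set
#    (SNMP, udp/161, for an external poller).
add element inet filter udp_service_ports { 161 }

# 2. Tighter alternative for the Zabbix agent: instead of putting 10050 in
#    tcp_service_ports (which opens it to any source), accept it only from
#    the monitoring host. "counter" makes the hit count visible in
#    "sudo nft list ruleset".
add rule inet filter local_input_rules ip saddr 192.0.2.10 tcp dport 10050 counter accept

# 3. Log (rate-limited) and drop attempts to reach the agent from anywhere
#    else, so unexpected pollers show up in the kernel log instead of failing
#    silently. The log rule carries no verdict, so the drop is a separate rule.
add rule inet filter local_input_rules tcp dport 10050 limit rate 5/minute log prefix "local-zabbix-denied: "
add rule inet filter local_input_rules tcp dport 10050 counter drop

# 4. Outbound example: syslog forwarding from the appliance to one collector.
add rule inet filter local_output_rules ip daddr 192.0.2.20 udp dport 514 counter accept
```

Dry-run the file with `sudo nft -c -f /etc/nftables-plixer/20-local-rules.nft` before reloading so a typo is caught without touching the live ruleset.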