Firewall Management

Comprehensive guide to deploying, configuring, and managing firewall software across your infrastructure with real-time monitoring and control.

Overview

SysManage provides centralized management of firewall software across all supported platforms. The platform automates deployment, enables real-time monitoring of firewall status, and provides tools to enable, disable, restart, or deploy firewall software remotely.

Key Features

  • Cross-Platform Support: Manage firewalls on Linux, BSD, macOS, and Windows systems
  • Automatic Detection: Agents automatically detect and report firewall software status
  • Remote Deployment: Deploy firewall software from the web interface with one click
  • Service Control: Enable, disable, or restart firewall services remotely
  • Port Monitoring: Real-time monitoring of open ports and firewall rules
  • Real-time Status: Monitor firewall status, enabled/disabled state, and port configuration
  • Agent Protection: Automatically opens required ports for agent communication when enabling firewall

Supported Firewall Software by Platform

Linux Systems

SysManage supports the following firewall solutions on Linux:

  • UFW (Uncomplicated Firewall) - User-friendly firewall frontend for iptables on Ubuntu/Debian systems
  • firewalld - Dynamic firewall management tool for RHEL, CentOS, Fedora, and openSUSE
  • iptables - Legacy netfilter firewall for Linux systems
  • nftables - Modern packet filtering framework replacing iptables

Distribution-Specific Details

  • Ubuntu/Debian: UFW (default), iptables, nftables
  • RHEL/CentOS/Fedora: firewalld (default), iptables
  • openSUSE: firewalld (default), iptables

BSD Systems

BSD platforms support multiple firewall frameworks:

  • FreeBSD: IPFW (default), PF (Packet Filter)
  • OpenBSD: PF (Packet Filter - default)
  • NetBSD: NPF (NetBSD Packet Filter - default), PF

BSD Firewall Details

  • IPFW: FreeBSD's stateful firewall with flexible rule syntax
  • PF: OpenBSD's sophisticated packet filter available on all BSD variants
  • NPF: NetBSD's modern, efficient packet filter designed for scalability

macOS

macOS supports multiple firewall options:

  • PF (Packet Filter): OpenBSD's packet filter ported to macOS
  • Application Firewall: macOS built-in application-level firewall

Windows

Windows supports Windows Defender Firewall:

  • Windows Defender Firewall: Integrated host-based firewall with advanced security features
  • Support for Domain, Private, and Public network profiles
  • Inbound and outbound rule management via PowerShell and netsh

Firewall Operations

Deploy Firewall

The Deploy Firewall operation installs and configures firewall software on hosts that don't have it installed or enabled.

Deploy via Web Interface

  1. Navigate to the host detail page for the target system
  2. Locate the Firewall Status card
  3. Click the Deploy Firewall button
  4. SysManage will automatically detect the appropriate firewall for the OS
  5. The agent installs the firewall package and configures initial rules
  6. Agent communication ports are automatically opened to prevent lockout

Automatic Port Configuration

When deploying or enabling a firewall, SysManage automatically opens the following ports:

  • Port 22 (SSH): Always opened for system administration
  • Agent Communication Port: Dynamically determined from agent configuration
  • Server Ports (if applicable): Opened if SysManage server is detected on the host

Enable Firewall

The Enable Firewall operation starts the firewall service on a host where firewall software is installed but disabled.

Enable via Web Interface

  1. Navigate to the host detail page
  2. Click the Enable Firewall button in the Firewall Status card
  3. The firewall service will start and required ports will be opened
  4. Firewall status will update to "Enabled" in real-time

Disable Firewall

The Disable Firewall operation stops the firewall service, allowing all traffic through the host.

Disable via Web Interface

  1. Navigate to the host detail page
  2. Click the Disable Firewall button in the Firewall Status card
  3. The firewall service will stop
  4. Firewall status will update to "Disabled" in real-time

Security Warning

Disabling the firewall removes network protection and exposes all services to the network. Only disable firewalls in controlled environments or when troubleshooting network connectivity issues.

Restart Firewall

The Restart Firewall operation stops and starts the firewall service, reloading configuration and rules.

Restart via Web Interface

  1. Navigate to the host detail page
  2. Click the Restart Firewall button in the Firewall Status card
  3. The firewall service will restart and reload all rules
  4. Use this after manually modifying firewall configuration files

Firewall Status Monitoring

The Firewall Status card on each host detail page provides real-time information about the firewall configuration.

Displayed Information

  • Firewall Name: The detected firewall software (e.g., ufw, firewalld, IPFW, PF, NPF, Windows Defender Firewall)
  • Status: Enabled or Disabled
  • TCP Open Ports: List of TCP ports with active allow rules
  • UDP Open Ports: List of UDP ports with active allow rules
  • IPv4 Ports: Ports configured for IPv4 traffic
  • IPv6 Ports: Ports configured for IPv6 traffic
  • Last Updated: Timestamp of the last status update from the agent
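To make the status fields above and the lockout check from Automatic Port Configuration concrete, here is an added example (not the project's own firewall_collector.py code) that parses a constructed `ufw status` listing into those fields and then computes which required ports are still missing before the firewall may be enabled. The agent port and server ports are assumed inputs; the page does not give their values.

```python
import re

# Constructed sample of `ufw status` output (not captured from a real host).
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
53/udp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
"""

# Matches rule lines such as "22/tcp (v6)   ALLOW   Anywhere (v6)" or "22   ALLOW   Anywhere".
RULE_RE = re.compile(r"^(\d+)(?:/(tcp|udp))?(\s+\(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\b")

def parse_ufw_status(output):
    """Parse `ufw status` text into the fields the Firewall Status card displays."""
    status = {
        "firewall_name": "ufw",
        "enabled": False,
        "tcp_open_ports": set(),
        "udp_open_ports": set(),
        "ipv4_ports": set(),
        "ipv6_ports": set(),
    }
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            status["enabled"] = line.split(":", 1)[1].strip() == "active"
            continue
        m = RULE_RE.match(line)
        if not m or m.group(4) != "ALLOW":
            continue  # only active allow rules count as "open" ports
        port, proto, v6 = int(m.group(1)), m.group(2), bool(m.group(3))
        for p in ([proto] if proto else ["tcp", "udp"]):  # no protocol means both
            status[f"{p}_open_ports"].add(port)
        status["ipv6_ports" if v6 else "ipv4_ports"].add(port)
    return status

def missing_required_ports(status, agent_port, server_ports=()):
    """TCP ports that must be allowed before enabling so the agent is not locked out:
    SSH (22), the agent communication port, and server ports if a server runs here."""
    required = {22, agent_port, *server_ports}
    return required - status["tcp_open_ports"]
```
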

Automatic Status Updates

The agent automatically collects firewall status and sends updates to the server:

  • Periodic collection as part of regular system metrics gathering
  • Immediate update after deploy, enable, disable, or restart operations
  • Real-time display updates via WebSocket communication

Security and Access Control

Firewall management operations are protected by role-based access control (RBAC). Users must have specific security roles to perform firewall operations.

Required Security Roles

  • DEPLOY_FIREWALL: Required to deploy firewall software to hosts
  • ENABLE_FIREWALL: Required to enable firewall services
  • DISABLE_FIREWALL: Required to disable firewall services
  • RESTART_FIREWALL: Required to restart firewall services
  • VIEW_FIREWALL_STATUS: Required to view firewall status (automatically granted with any firewall role)

Assigning Firewall Roles

Administrators can assign firewall roles to users through the user management interface:

  1. Navigate to Administration → User Management
  2. Select the user to modify
  3. Click Edit Roles
  4. Select the appropriate firewall management roles
  5. Save changes

Technical Architecture

System Components

Server Components

  • Firewall Status API (backend/api/firewall_status.py): REST endpoints for firewall operations
  • Database Models (backend/persistence/models/core.py): FirewallStatus table for storing firewall state
  • Message Queue: Queues firewall commands for delivery to agents

Agent Components

  • Firewall Operations (src/sysmanage_agent/operations/firewall_operations.py): Main orchestrator
  • OS-Specific Implementations:
    • firewall_linux.py: UFW, firewalld, iptables, nftables
    • firewall_bsd.py: IPFW, PF, NPF
    • firewall_macos.py: PF, Application Firewall
    • firewall_windows.py: Windows Defender Firewall
  • Firewall Collector (src/sysmanage_agent/operations/firewall_collector.py): Detects and parses firewall status

Message Flow

  1. User clicks firewall button in web interface
  2. Frontend sends REST API request to server
  3. Server validates user permissions (RBAC check)
  4. Server enqueues firewall command message for agent
  5. Agent retrieves command from outbound message queue
  6. Agent executes OS-specific firewall operation
  7. Agent collects updated firewall status
  8. Agent sends status update to server via inbound queue
  9. Server updates FirewallStatus database table
  10. Frontend receives real-time update via WebSocket

Troubleshooting

Firewall Not Detected

Symptoms: Firewall Status card shows "No firewall detected"

Solutions:

  • Click "Deploy Firewall" to install firewall software automatically
  • Verify the agent has privileges to detect firewall status
  • Check agent logs for firewall detection errors

Deploy Firewall Fails

Symptoms: Deploy operation returns error or times out

Solutions:

  • Verify the agent is running with elevated privileges (root/Administrator)
  • Check network connectivity to package repositories
  • Review agent logs for detailed error messages
  • Ensure package manager is functioning (apt, yum, dnf, pkg, etc.)

Locked Out After Enabling Firewall

Symptoms: Cannot connect to agent after enabling firewall

Solutions:

  • This should not happen - agent automatically opens required ports
  • Access host via console or out-of-band management
  • Manually disable firewall and check agent configuration
  • Verify agent port configuration matches firewall rules

Status Not Updating

Symptoms: Firewall Status card shows stale or incorrect information

Solutions:

  • Click "Request Host Data" to force immediate status collection
  • Check agent connectivity to server
  • Review agent logs for errors during status collection
  • Verify WebSocket connection is active (check browser console)

Permission Denied Errors

Symptoms: Button is disabled or operation returns "Permission denied"

Solutions:

  • Verify your user account has the required firewall security role
  • Contact administrator to request firewall management permissions
  • Check that role assignments have been saved and user session refreshed

Best Practices

Firewall Deployment

  • Test firewall deployment on non-production hosts first
  • Ensure you have alternate access (console, IPMI) before enabling firewalls on remote hosts
  • Document custom port requirements before deployment
  • Use gradual rollout for firewall deployment across large infrastructures

Configuration Management

  • Regularly review and audit firewall rules
  • Use restart operation after manual configuration changes
  • Document all manual firewall rule modifications
  • Implement firewall configuration as code where possible

Security Practices

  • Grant firewall management roles only to trusted administrators
  • Monitor firewall disable operations in security logs
  • Implement alerts for firewall status changes
  • Regularly verify firewall status matches security policy
  • Use principle of least privilege when opening ports

Monitoring and Maintenance

  • Set up alerts for hosts with disabled firewalls
  • Regularly review open ports across your infrastructure
  • Verify firewall status as part of security audits
  • Monitor for unexpected firewall status changes
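The alerting items under Security Practices and Monitoring and Maintenance can be driven directly from the FirewallStatus updates the agent reports. The following added example (not SysManage code) walks a constructed set of updates and raises alerts for firewalls that flip from enabled to disabled, for open TCP ports outside a per-host policy, and for hosts whose Last Updated timestamp has gone stale; the host names, timestamps and policy ports are all assumed values.

```python
from datetime import datetime, timedelta

# Constructed FirewallStatus updates (not real agent data), in arbitrary order.
UPDATES = [
    {"host": "web-01", "ts": "2024-01-01T10:00:00", "enabled": True,  "tcp_open_ports": {22, 443, 8080}},
    {"host": "web-01", "ts": "2024-01-01T10:05:00", "enabled": True,  "tcp_open_ports": {22, 443, 8080, 3306}},
    {"host": "db-01",  "ts": "2024-01-01T10:00:00", "enabled": True,  "tcp_open_ports": {22, 8080}},
    {"host": "db-01",  "ts": "2024-01-01T10:05:00", "enabled": False, "tcp_open_ports": set()},
]

# Per-host policy: the TCP ports each host is expected to expose. 8080 is an assumed
# stand-in for the agent communication port, which the page says comes from agent config.
POLICY = {"web-01": {22, 443, 8080}, "db-01": {22, 8080}}

def firewall_alerts(updates, policy):
    """Return alerts for enabled->disabled transitions and ports outside policy."""
    alerts = []
    last = {}  # host -> most recent update seen so far
    for upd in sorted(updates, key=lambda x: (x["host"], x["ts"])):
        host, prev = upd["host"], last.get(upd["host"])
        if prev and prev["enabled"] and not upd["enabled"]:
            alerts.append(f"{host}: firewall disabled at {upd['ts']}")
        unexpected = upd["tcp_open_ports"] - policy.get(host, set())
        if unexpected:
            alerts.append(f"{host}: unexpected open ports {sorted(unexpected)}")
        last[host] = upd
    return alerts

def stale_hosts(updates, now, max_age=timedelta(minutes=10)):
    """Hosts whose newest update is older than max_age (the status card shows stale data)."""
    newest = {}
    for upd in updates:
        ts = datetime.fromisoformat(upd["ts"])
        newest[upd["host"]] = max(newest.get(upd["host"], ts), ts)
    return sorted(h for h, ts in newest.items() if now - ts > max_age)

if __name__ == "__main__":
    for a in firewall_alerts(UPDATES, POLICY):
        print("ALERT", a)
    print("stale:", stale_hosts(UPDATES, datetime(2024, 1, 1, 10, 20)))
```
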