Firewall Management

Comprehensive guide to deploying, configuring, and managing firewall software across your infrastructure with real-time monitoring and control.

Overview

SysManage provides centralized management of firewall software across all supported platforms. The platform automates deployment, enables real-time monitoring of firewall status, and provides tools to enable, disable, restart, or deploy firewall software remotely.

Key Features

  • Cross-Platform Support: Manage firewalls on Linux, BSD, macOS, and Windows systems
  • Automatic Detection: Agents automatically detect and report firewall software status
  • Remote Deployment: Deploy firewall software from the web interface with one click
  • Service Control: Enable, disable, or restart firewall services remotely
  • Port Monitoring: Real-time monitoring of open ports and firewall rules
  • Real-time Status: Monitor firewall status, enabled/disabled state, and port configuration
  • Agent Protection: Automatically opens required ports for agent communication when enabling firewall

Supported Firewall Software by Platform

Linux Systems

SysManage supports the following firewall solutions on Linux:

  • UFW (Uncomplicated Firewall) - User-friendly firewall frontend for iptables on Ubuntu/Debian systems
  • firewalld - Dynamic firewall management tool for RHEL, CentOS, Fedora, and openSUSE
  • iptables - Legacy netfilter firewall for Linux systems
  • nftables - Modern packet filtering framework replacing iptables

Distribution-Specific Details

  • Ubuntu/Debian: UFW (default), iptables, nftables
  • RHEL/CentOS/Fedora: firewalld (default), iptables
  • openSUSE: firewalld (default), iptables

BSD Systems

BSD platforms support multiple firewall frameworks:

  • FreeBSD: IPFW (default), PF (Packet Filter)
  • OpenBSD: PF (Packet Filter - default)
  • NetBSD: NPF (NetBSD Packet Filter - default), PF

BSD Firewall Details

  • IPFW: FreeBSD's stateful firewall with flexible rule syntax
  • PF: OpenBSD's sophisticated packet filter available on all BSD variants
  • NPF: NetBSD's modern, efficient packet filter designed for scalability

macOS

macOS supports multiple firewall options:

  • PF (Packet Filter): OpenBSD's packet filter ported to macOS
  • Application Firewall: macOS built-in application-level firewall

Windows

Windows supports Windows Defender Firewall:

  • Windows Defender Firewall: Integrated host-based firewall with advanced security features
  • Support for Domain, Private, and Public network profiles
  • Inbound and outbound rule management via PowerShell and netsh

Firewall Operations

Deploy Firewall

The Deploy Firewall operation installs and configures firewall software on hosts that don't have it installed or enabled.

Deploy via Web Interface

  1. Navigate to the host detail page for the target system
  2. Locate the Firewall Status card
  3. Click the Deploy Firewall button
  4. SysManage will automatically detect the appropriate firewall for the OS
  5. The agent installs the firewall package and configures initial rules
  6. Agent communication ports are automatically opened to prevent lockout

Automatic Port Configuration

When deploying or enabling a firewall, SysManage automatically opens the following ports:

  • Port 22 (SSH): Always opened for system administration
  • Agent Communication Port: Dynamically determined from agent configuration
  • Server Ports (if applicable): Opened if SysManage server is detected on the host

Enable Firewall

The Enable Firewall operation starts the firewall service on a host where firewall software is installed but disabled.

Enable via Web Interface

  1. Navigate to the host detail page
  2. Click the Enable Firewall button in the Firewall Status card
  3. The firewall service will start and required ports will be opened
  4. Firewall status will update to "Enabled" in real-time

Disable Firewall

The Disable Firewall operation stops the firewall service, so all inbound traffic can reach the host's services unfiltered.

Disable via Web Interface

  1. Navigate to the host detail page
  2. Click the Disable Firewall button in the Firewall Status card
  3. The firewall service will stop
  4. Firewall status will update to "Disabled" in real-time

Security Warning

Disabling the firewall removes network protection and exposes all services to the network. Only disable firewalls in controlled environments or when troubleshooting network connectivity issues.

Restart Firewall

The Restart Firewall operation stops and starts the firewall service, reloading configuration and rules.

Restart via Web Interface

  1. Navigate to the host detail page
  2. Click the Restart Firewall button in the Firewall Status card
  3. The firewall service will restart and reload all rules
  4. Use this after manually modifying firewall configuration files

Firewall Roles

Firewall Roles provide centralized, reusable firewall configurations that can be assigned to multiple hosts. Define port requirements once and apply them consistently across your infrastructure.

Key Benefits

  • Centralized Management: Define firewall rules in one place and apply to many hosts
  • Consistency: Ensure all hosts with the same role have identical firewall configurations
  • Reusability: Create roles for common server types (web server, database, etc.) and reuse them
  • Protocol Control: Configure TCP and/or UDP for each port independently
  • IP Version Support: Configure IPv4 and/or IPv6 rules separately
  • Common Ports: Quick selection of well-known ports (SSH, HTTP, HTTPS, etc.)

Creating a Firewall Role

Create firewall roles to define sets of ports that should be open for specific types of servers.

  1. Navigate to Administration in the main menu
  2. Select Firewall Roles from the submenu
  3. Click the Create Role button
  4. Enter a descriptive name for the role (e.g., "Web Server", "Database Server")
  5. Add ports using either the common ports dropdown or by entering custom port numbers
  6. For each port, select the protocol (TCP, UDP, or both) and IP version (IPv4, IPv6, or both)
  7. Click Save to create the role

Common Ports Available

The common ports dropdown includes frequently used services:

  • SSH (22): Secure shell access
  • HTTP (80): Web traffic
  • HTTPS (443): Secure web traffic
  • DNS (53): Domain name resolution
  • MySQL (3306): MySQL database
  • PostgreSQL (5432): PostgreSQL database
  • And many more including SMTP, IMAP, Redis, MongoDB, RDP, VNC, NTP, SNMP, OpenVPN, and WireGuard

Assigning Roles to Hosts

Once a firewall role is created, assign it to hosts to apply the firewall configuration.

  1. Navigate to the host detail page for the target system
  2. Locate the Firewall Roles card
  3. Click Add Role
  4. Select the desired firewall role from the dropdown
  5. Click Assign to apply the role
  6. The ports defined in the role will be opened on the host's firewall

Multiple Roles

A host can have multiple firewall roles assigned. All ports from all assigned roles will be opened. Duplicate ports are handled automatically.

Removing Roles from Hosts

When a firewall role is removed from a host, the ports defined in that role are closed.

  1. Navigate to the host detail page
  2. Locate the assigned role in the Firewall Roles card
  3. Click the Remove button next to the role
  4. Confirm the removal when prompted
  5. The ports from that role will be removed from the host's firewall

Protected Ports

SSH (port 22) and agent communication ports are always preserved to prevent lockout, even when removing firewall roles.

Example: Web Server Role

A typical web server firewall role might include:

  Port   Service   Protocol   IP Version
  80     HTTP      TCP        IPv4 + IPv6
  443    HTTPS     TCP        IPv4 + IPv6
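The role logic described under Automatic Port Configuration, Multiple Roles, Removing Roles from Hosts and Protected Ports can be stated precisely as set arithmetic. The following is an added example, not SysManage's own firewall_operations.py: it computes the effective rule set of a host from its assigned roles plus the protected SSH and agent ports, and the rules that may be closed when one role is removed (a port still required by another role, or protected, stays open). The data classes, the Monitoring role and the agent port value 8443 are assumptions; only the Web Server role comes from the table above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    """One allow rule as the role editor defines it: port, protocol, IP version."""
    port: int
    protocol: str    # "tcp" or "udp"
    ip_version: str  # "ipv4" or "ipv6"


@dataclass(frozen=True)
class FirewallRole:
    name: str
    rules: frozenset  # of PortRule


SSH_PORT = 22  # always preserved, per the Protected Ports note


def expand(port, protocols=("tcp",), ip_versions=("ipv4", "ipv6")):
    """Expand one port entry into per-protocol, per-IP-version rules,
    mirroring the editor's 'TCP, UDP or both' and 'IPv4, IPv6 or both' choices."""
    return frozenset(PortRule(port, p, v) for p in protocols for v in ip_versions)


def protected_rules(agent_port):
    """Rules no role operation may close: SSH plus the agent communication port.
    Assumption: the agent port is TCP on both IP versions."""
    return expand(SSH_PORT) | expand(agent_port)


def effective_rules(roles, agent_port):
    """Union of every assigned role plus the protected rules. A port listed in
    several roles appears once because the result is a set."""
    rules = set(protected_rules(agent_port))
    for role in roles:
        rules |= role.rules
    return frozenset(rules)


def rules_to_close(assigned, removed, agent_port):
    """Rules to close when `removed` is taken off a host. Anything still required
    by another assigned role, or protected, stays open."""
    remaining = effective_rules([r for r in assigned if r.name != removed.name], agent_port)
    return frozenset(removed.rules - remaining)


def ports(rules):
    """Distinct port numbers in a rule set, for display."""
    return sorted({r.port for r in rules})


# Constructed sample data: the Web Server role from the table above, plus an
# assumed Monitoring role that overlaps on 443 and adds SNMP over UDP.
WEB_SERVER = FirewallRole("Web Server", expand(80) | expand(443))
MONITORING = FirewallRole("Monitoring", expand(443) | expand(161, protocols=("udp",)))
AGENT_PORT = 8443  # assumed agent communication port

if __name__ == "__main__":
    both = effective_rules([WEB_SERVER, MONITORING], AGENT_PORT)
    print("open ports:", ports(both))  # [22, 80, 161, 443, 8443]
    closing = rules_to_close([WEB_SERVER, MONITORING], WEB_SERVER, AGENT_PORT)
    print("closed when Web Server is removed:", ports(closing))  # [80]
```

Removing the Web Server role closes only port 80: 443 is still required by the Monitoring role, and 22 and 8443 are protected. A role that itself lists port 22 closes nothing when removed, which is the lockout guarantee stated above.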

Platform Support

Firewall roles are supported on all platforms:

  • Linux: UFW (Ubuntu/Debian), firewalld (RHEL/CentOS/Fedora)
  • BSD: PF (OpenBSD/FreeBSD), IPFW (FreeBSD), NPF (NetBSD)
  • macOS: PF (Packet Filter)
  • Windows: Windows Defender Firewall

Firewall Status Monitoring

The Firewall Status card on each host detail page provides real-time information about the firewall configuration.

Displayed Information

  • Firewall Name: The detected firewall software (e.g., ufw, firewalld, IPFW, PF, NPF, Windows Defender Firewall)
  • Status: Enabled or Disabled
  • TCP Open Ports: List of TCP ports with active allow rules
  • UDP Open Ports: List of UDP ports with active allow rules
  • IPv4 Ports: Ports configured for IPv4 traffic
  • IPv6 Ports: Ports configured for IPv6 traffic
  • Last Updated: Timestamp of the last status update from the agent
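The fields above are what the agent's collector has to derive from the native tool's output. As an added example (not the project's firewall_collector.py), this parser turns `ufw status` text into those fields: enabled state, TCP and UDP open ports, and the IPv4/IPv6 split. The sample output is constructed in the format ufw prints, not captured from a real host; rule forms the parser does not model (port ranges, interface-bound rules) are skipped rather than misreported.

```python
import re

# Constructed sample in the format of `ufw status` (not captured from a real host).
UFW_STATUS_SAMPLE = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53                         ALLOW       Anywhere
3306/tcp                   DENY        Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
53 (v6)                    ALLOW       Anywhere (v6)
"""

UFW_STATUS_INACTIVE = "Status: inactive\n"

# One rule line: "<port>[/<proto>][ (v6)]   <ACTION>[ IN|OUT]   <from>"
RULE_RE = re.compile(
    r"^(?P<port>\d+)(?:/(?P<proto>tcp|udp))?(?P<v6>\s+\(v6\))?"
    r"\s+(?P<action>ALLOW|LIMIT|DENY|REJECT)\b"
)


def parse_ufw_status(text):
    """Turn `ufw status` text into the fields the Firewall Status card displays."""
    status = {
        "firewall_name": "ufw",
        "enabled": False,
        "tcp_ports": set(),
        "udp_ports": set(),
        "ipv4_ports": set(),
        "ipv6_ports": set(),
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            status["enabled"] = line.split(":", 1)[1].strip() == "active"
            continue
        match = RULE_RE.match(line)
        if not match:
            continue  # header, separator, or a rule form this parser does not model
        if match.group("action") not in ("ALLOW", "LIMIT"):
            continue  # only allow rules count as open ports (LIMIT is a rate-limited allow)
        port = int(match.group("port"))
        # In ufw a rule with no protocol applies to both TCP and UDP.
        protocols = (match.group("proto"),) if match.group("proto") else ("tcp", "udp")
        for proto in protocols:
            status[f"{proto}_ports"].add(port)
        status["ipv6_ports" if match.group("v6") else "ipv4_ports"].add(port)
    # Sorted lists serialise cleanly for the status message to the server.
    return {k: sorted(v) if isinstance(v, set) else v for k, v in status.items()}


if __name__ == "__main__":
    print(parse_ufw_status(UFW_STATUS_SAMPLE))
    print(parse_ufw_status(UFW_STATUS_INACTIVE))
```

Note that the DENY rule for 3306 is deliberately absent from the result, and that the protocol-less rule for 53 lands in both the TCP and UDP lists; a collector that reported DENY rules as open ports, or dropped protocol-less rules, would make the status card understate or overstate exposure.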

Automatic Status Updates

The agent automatically collects firewall status and sends updates to the server:

  • Periodic collection as part of regular system metrics gathering
  • Immediate update after deploy, enable, disable, or restart operations
  • Real-time display updates via WebSocket communication

Security and Access Control

Firewall management operations are protected by role-based access control (RBAC). Users must have specific security roles to perform firewall operations.

Required Security Roles

  • DEPLOY_FIREWALL: Required to deploy firewall software to hosts
  • ENABLE_FIREWALL: Required to enable firewall services
  • DISABLE_FIREWALL: Required to disable firewall services
  • RESTART_FIREWALL: Required to restart firewall services
  • VIEW_FIREWALL_STATUS: Required to view firewall status (automatically granted with any firewall role)
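The check a firewall endpoint makes before enqueueing a command, written out as an added example (not the project's backend/api/firewall_status.py): each operation maps to one required role, VIEW_FIREWALL_STATUS is implied by holding any firewall role, and every decision, allowed or denied, yields a structured audit line so that disable operations can be monitored as the Security Practices section recommends. The operation names, the audit record layout and the severity rule are assumptions.

```python
import json
from datetime import datetime, timezone

FIREWALL_ROLES = frozenset({
    "DEPLOY_FIREWALL", "ENABLE_FIREWALL", "DISABLE_FIREWALL",
    "RESTART_FIREWALL", "VIEW_FIREWALL_STATUS",
})

# Assumed operation identifiers used by the API; one required role each.
OPERATION_ROLE = {
    "deploy": "DEPLOY_FIREWALL",
    "enable": "ENABLE_FIREWALL",
    "disable": "DISABLE_FIREWALL",
    "restart": "RESTART_FIREWALL",
    "view_status": "VIEW_FIREWALL_STATUS",
}


class PermissionDenied(Exception):
    """Raised with the audit line as its message so the caller can log it."""


def effective_roles(user_roles):
    """VIEW_FIREWALL_STATUS is granted automatically with any firewall role."""
    roles = set(user_roles)
    if roles & FIREWALL_ROLES:
        roles.add("VIEW_FIREWALL_STATUS")
    return roles


def is_allowed(user_roles, operation):
    """Pure decision without side effects, e.g. for greying out a button."""
    if operation not in OPERATION_ROLE:
        raise ValueError(f"unknown firewall operation: {operation}")
    return OPERATION_ROLE[operation] in effective_roles(user_roles)


def authorize(username, user_roles, operation, host, now=None):
    """Return a JSON audit line for an allowed request; raise PermissionDenied otherwise.
    Disable requests are tagged high severity so a SIEM rule can single them out."""
    granted = is_allowed(user_roles, operation)
    record = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": username,
        "host": host,
        "operation": operation,
        "required_role": OPERATION_ROLE[operation],
        "decision": "allow" if granted else "deny",
        "severity": "high" if operation == "disable" else "info",
    }
    line = json.dumps(record, sort_keys=True)
    if not granted:
        raise PermissionDenied(line)
    return line


if __name__ == "__main__":
    # Constructed sample: an operator who may enable but not disable firewalls.
    roles = ["ENABLE_FIREWALL"]
    print(authorize("alice", roles, "view_status", "web01"))
    try:
        authorize("alice", roles, "disable", "web01")
    except PermissionDenied as denied:
        print("denied:", denied)
```

Keeping `is_allowed` separate from `authorize` lets the frontend disable buttons with the same rule the server enforces, while the server remains the only place the decision has effect; the audit line is emitted on the deny path too, since repeated denied disable attempts are themselves worth an alert.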

Assigning Firewall Roles

Administrators can assign firewall roles to users through the user management interface:

  1. Navigate to Administration → User Management
  2. Select the user to modify
  3. Click Edit Roles
  4. Select the appropriate firewall management roles
  5. Save changes

Technical Architecture

System Components

Server Components

  • Firewall Status API (backend/api/firewall_status.py): REST endpoints for firewall operations
  • Database Models (backend/persistence/models/core.py): FirewallStatus table for storing firewall state
  • Message Queue: Queues firewall commands for delivery to agents

Agent Components

  • Firewall Operations (src/sysmanage_agent/operations/firewall_operations.py): Main orchestrator
  • OS-Specific Implementations:
    • firewall_linux.py: UFW, firewalld, iptables, nftables
    • firewall_bsd.py: IPFW, PF, NPF
    • firewall_macos.py: PF, Application Firewall
    • firewall_windows.py: Windows Defender Firewall
  • Firewall Collector (src/sysmanage_agent/operations/firewall_collector.py): Detects and parses firewall status

Message Flow

  1. User clicks firewall button in web interface
  2. Frontend sends REST API request to server
  3. Server validates user permissions (RBAC check)
  4. Server enqueues firewall command message for agent
  5. Agent retrieves command from outbound message queue
  6. Agent executes OS-specific firewall operation
  7. Agent collects updated firewall status
  8. Agent sends status update to server via inbound queue
  9. Server updates FirewallStatus database table
  10. Frontend receives real-time update via WebSocket

Troubleshooting

Firewall Not Detected

Symptoms: Firewall Status card shows "No firewall detected"

Solutions:

  • Click "Deploy Firewall" to install firewall software automatically
  • Verify the agent has privileges to detect firewall status
  • Check agent logs for firewall detection errors

Deploy Firewall Fails

Symptoms: Deploy operation returns error or times out

Solutions:

  • Verify the agent is running with elevated privileges (root/Administrator)
  • Check network connectivity to package repositories
  • Review agent logs for detailed error messages
  • Ensure package manager is functioning (apt, yum, dnf, pkg, etc.)

Locked Out After Enabling Firewall

Symptoms: Cannot connect to agent after enabling firewall

Solutions:

  • This should not happen - agent automatically opens required ports
  • Access host via console or out-of-band management
  • Manually disable firewall and check agent configuration
  • Verify agent port configuration matches firewall rules

Status Not Updating

Symptoms: Firewall Status card shows stale or incorrect information

Solutions:

  • Click "Request Host Data" to force immediate status collection
  • Check agent connectivity to server
  • Review agent logs for errors during status collection
  • Verify WebSocket connection is active (check browser console)

Permission Denied Errors

Symptoms: Button is disabled or operation returns "Permission denied"

Solutions:

  • Verify your user account has the required firewall security role
  • Contact administrator to request firewall management permissions
  • Check that role assignments have been saved and user session refreshed

Best Practices

Firewall Deployment

  • Test firewall deployment on non-production hosts first
  • Ensure you have alternate access (console, IPMI) before enabling firewalls on remote hosts
  • Document custom port requirements before deployment
  • Use gradual rollout for firewall deployment across large infrastructures

Configuration Management

  • Regularly review and audit firewall rules
  • Use restart operation after manual configuration changes
  • Document all manual firewall rule modifications
  • Implement firewall configuration as code where possible

Security Practices

  • Grant firewall management roles only to trusted administrators
  • Monitor firewall disable operations in security logs
  • Implement alerts for firewall status changes
  • Regularly verify firewall status matches security policy
  • Use principle of least privilege when opening ports

Monitoring and Maintenance

  • Set up alerts for hosts with disabled firewalls
  • Regularly review open ports across your infrastructure
  • Verify firewall status as part of security audits
  • Monitor for unexpected firewall status changes
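The alerting recommended in the Security Practices and Monitoring and Maintenance sections can be driven directly from the status updates the agent already sends. The following is an added example, not part of SysManage: it evaluates one FirewallStatus update against the ports the host's roles are expected to allow and raises alerts for a disabled firewall, ports open that no role permits, allow rules missing while the firewall is enabled, a change from enabled to disabled since the previous update, a change of firewall software, and a status that has gone stale. The update layout, the alert codes and the 15-minute staleness threshold are assumptions; the sample updates are constructed.

```python
from datetime import datetime, timedelta, timezone


def open_ports(status):
    """(port, protocol) pairs with active allow rules in a status update."""
    return ({(p, "tcp") for p in status["tcp_ports"]}
            | {(p, "udp") for p in status["udp_ports"]})


def evaluate_status(status, expected, previous=None, now=None,
                    max_age=timedelta(minutes=15)):
    """Return a list of (alert_code, detail) tuples for one status update.
    `expected` is the set of (port, protocol) pairs the host's roles allow,
    protected ports included; `previous` is the last stored update, if any."""
    alerts = []
    now = now or datetime.now(timezone.utc)

    if not status["enabled"]:
        alerts.append(("FIREWALL_DISABLED", status["firewall_name"]))

    current = open_ports(status)
    extra = current - expected
    if extra:
        alerts.append(("UNEXPECTED_OPEN_PORTS", sorted(extra)))
    missing = expected - current
    if status["enabled"] and missing:
        alerts.append(("MISSING_ALLOW_RULES", sorted(missing)))

    if previous is not None:
        if previous["enabled"] and not status["enabled"]:
            alerts.append(("FIREWALL_TURNED_OFF", previous["last_updated"]))
        if previous["firewall_name"] != status["firewall_name"]:
            alerts.append(("FIREWALL_SOFTWARE_CHANGED",
                           (previous["firewall_name"], status["firewall_name"])))

    age = now - datetime.fromisoformat(status["last_updated"])
    if age > max_age:
        alerts.append(("STALE_STATUS", int(age.total_seconds())))
    return alerts


# Constructed sample data: a Web Server host whose roles allow 80 and 443,
# plus the protected SSH port and an assumed agent port of 8443.
EXPECTED_WEB = {(22, "tcp"), (80, "tcp"), (443, "tcp"), (8443, "tcp")}
COMPLIANT = {"firewall_name": "ufw", "enabled": True,
             "tcp_ports": [22, 80, 443, 8443], "udp_ports": [],
             "last_updated": "2024-05-01T12:00:00+00:00"}
DRIFTED = {"firewall_name": "ufw", "enabled": False,
           "tcp_ports": [22, 80, 443, 3306, 8443], "udp_ports": [],
           "last_updated": "2024-05-01T11:30:00+00:00"}
NOW = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate_status(COMPLIANT, EXPECTED_WEB, now=NOW))               # []
    for code, detail in evaluate_status(DRIFTED, EXPECTED_WEB, previous=COMPLIANT, now=NOW):
        print(code, detail)
```

The drifted update produces four alerts: FIREWALL_DISABLED, UNEXPECTED_OPEN_PORTS for 3306/tcp, FIREWALL_TURNED_OFF carrying the timestamp of the last known-good update, and STALE_STATUS because the update is 35 minutes old. Running this on every inbound status message, with `expected` computed from the host's assigned roles, implements "regularly verify firewall status matches security policy" as a continuous check rather than a periodic audit.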