Firewall Policy
Overview
The Firewall Policy payload enables administrators to configure and enforce firewall settings on Linux devices through SureMDM. Using this payload, administrators can define default traffic handling policies, create custom firewall rules, and configure port forwarding to control network traffic and enhance device security.
Firewall policies can be deployed through Linux Profiles and applied to managed Linux devices.
This feature is supported on Linux devices with SureMDM Agent 7.17.1 or later.
Configuring Firewall Policy
To configure a Firewall Policy:
- Navigate to Profiles > Linux Profile.
- Create a new profile or edit an existing profile.
- Select Firewall Policy from the payload list.
- Configure the required firewall settings.
- Save the profile and deploy it to the target devices.
The Firewall Policy payload supports the following configuration modes:
- Basic Settings
- Advanced Settings
Basic Settings
The Basic Settings mode allows administrators to define default firewall behavior and configure port forwarding.
Default Firewall Policies
Default policies determine how network traffic is handled when no firewall rule explicitly matches the traffic.
Default Incoming Policy
Defines how incoming network traffic is handled.
Available options:
- Not Configured – No default policy is enforced by SureMDM.
- Allow – Permits all incoming traffic to the device.
- Reject – Blocks incoming traffic and notifies the source that the connection was rejected.
- Drop – Silently discards incoming traffic without sending a response.
Default Outgoing Policy
Defines how outgoing network traffic is handled.
Available options:
- Not Configured
- Allow
- Reject
- Drop
Default Forward Policy
Defines how forwarded network traffic is handled.
Available options:
- Not Configured
- Allow
- Reject
- Drop
Port Forwarding
Port Forwarding allows incoming traffic received on a specific port to be redirected to another port or destination.
Enable Port Forwarding to create and manage forwarding rules.
Once enabled, a rule table is displayed where administrators can add, edit, or remove forwarding rules.
The Port Forwarding table displays:
- Rule Name
- Incoming Port
- Protocol
- Forward To
Available actions include:
- Add
- Edit
- Delete
Adding a Port Forwarding Rule
To create a forwarding rule:
- Enable Port Forwarding.
- Click Add.
- Configure the required rule details.
- Click Save.
The following parameters are available:
| Parameter | Description |
|---|---|
| Rule Name | Name used to identify the forwarding rule. |
| Incoming Port | Port on which incoming traffic is received. Valid values range from 1 to 65535. |
| Protocol | Protocol used for forwarding. Supported values are TCP and UDP. |
| Forward To | Specifies whether traffic should be forwarded to the Local Device or a Remote Device. |
| Target Port | Destination port to which the traffic should be forwarded. Applicable when Forward To is set to Local Device. |
| Target IP | A valid destination IPv4 or IPv6 address. Applicable when Forward To is set to Remote Device. |
NAT Settings
Administrators can enable Masquerading for forwarding rules.
When enabled, the source address of forwarded traffic is translated before being forwarded to the destination.
Masquerading is not required for local forwarding. Enable it only when necessary, as it hides the original client IP address.
Exclude SSH Traffic
- Enable Exclude SSH Traffic to prevent SSH traffic from being blocked by firewall policies.
- This option helps ensure continued remote access to Linux devices after firewall policies are deployed.
Disabling SSH access may prevent administrators from remotely managing the device; proceed with caution.
Advanced Settings
Advanced Settings provides granular control over firewall behavior through custom firewall rules.
Administrators can create, edit, delete, and prioritize firewall rules based on organizational requirements.
Managing Firewall Rules
The Advanced Settings page displays all configured firewall rules.
Available actions include:
- Add
- Edit
- Delete
- Move Up
- Move Down
- Search
Firewall rules are processed sequentially based on their order in the rule list.
Adding a Firewall Rule
To create a firewall rule:
- Navigate to Advanced Settings.
- Click + Add.
- Configure the required rule parameters.
- Click Save.
Rule Parameters
| Parameter | Description |
|---|---|
| Rule Name | Name used to identify the firewall rule. |
| Direction | Specifies whether the rule applies to incoming or outgoing traffic. |
| Action | Defines the action to perform when traffic matches the rule. Available actions: Allow, Reject, and Drop. |
| IP Version | Specifies whether the rule applies to IPv4, IPv6 traffic or both. Note: If only one IP version is selected, traffic over the other IP version will not be affected by this rule. Ensure appropriate rules are configured to avoid unintended access. |
| Source IP | Source IP address or network range to which the rule applies. |
| Destination IP | Destination IP address or network range to which the rule applies. |
| Protocol | Select the protocol to which this rule will apply. TCP and UDP support port-based filtering while ICMP is used for network diagnostics traffic. |
| Ports | Port number or port range associated with the rule. |
| Interface | Specify the network interface for the rule. Select a category to apply the rule to a group of interfaces, or choose Custom to apply it to a specific interface. |
| Rule Persistence | Choose how long the rule should remain active. Temporary rules apply immediately but are removed after a reboot or service restart. Permanent rules persist across reboots and remain active until manually removed or updated. |
Rule Priority
Firewall rules are evaluated in the order in which they appear.
Administrators can use the Move Up and Move Down options to adjust rule priority and ensure that critical rules are processed before other rules.
- Avoid configuring conflicting or overly restrictive rules, as this may block essential network access and make the device unreachable.
- Ensure that required communication paths are allowed and that the rules are ordered correctly, as rules are evaluated from top to bottom.
- By default, all SureMDM-related traffic is allowed to maintain connectivity and proper device management.
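To make the evaluation order, the IP Version caveat and the Exclude SSH Traffic option concrete, the following Python model replays a small constructed rule list against sample packets. It is an added example, not SureMDM's own code; it assumes first-match semantics (the first rule from the top that matches decides), that the Default Incoming/Outgoing Policy applies when no rule matches, and that Exclude SSH Traffic is honoured before the rule list is consulted.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the rule semantics described on this page (not SureMDM code).
# Assumptions: rules are checked top to bottom and the first match decides; when no
# rule matches, the default policy for that direction applies; Exclude SSH Traffic wins.

@dataclass
class Rule:
    name: str
    direction: str                       # "incoming" or "outgoing"
    action: str                          # "Allow", "Reject" or "Drop"
    ip_version: set = field(default_factory=lambda: {4, 6})
    source: str = "any"                  # IP or CIDR; "any" matches everything
    protocol: str = "any"                # "TCP", "UDP", "ICMP" or "any"
    ports: tuple = None                  # inclusive (low, high); None matches all ports

    def matches(self, pkt: dict) -> bool:
        src = ip_address(pkt["src"])
        if pkt["direction"] != self.direction:
            return False
        if src.version not in self.ip_version:
            return False                 # IP Version caveat: the other family is untouched
        if self.source != "any" and src not in ip_network(self.source, strict=False):
            return False
        if self.protocol != "any" and pkt["protocol"] != self.protocol:
            return False
        if self.ports and not (self.ports[0] <= (pkt.get("port") or 0) <= self.ports[1]):
            return False
        return True

def evaluate(rules, defaults, pkt, exclude_ssh=False):
    """Return (action, name of the deciding rule or policy) for one packet."""
    if exclude_ssh and pkt["direction"] == "incoming" and pkt["protocol"] == "TCP" and pkt.get("port") == 22:
        return "Allow", "Exclude SSH Traffic"
    for rule in rules:                   # top-to-bottom, first match decides
        if rule.matches(pkt):
            return rule.action, rule.name
    return defaults[pkt["direction"]], "default policy"

# Constructed sample policy: management SSH from 10.0.0.0/8 (IPv4 only), then drop everything.
DEFAULTS = {"incoming": "Drop", "outgoing": "Allow"}
RULES = [
    Rule("Allow mgmt SSH", "incoming", "Allow", {4}, "10.0.0.0/8", "TCP", (22, 22)),
    Rule("Drop all incoming", "incoming", "Drop"),
]
SSH_V4 = {"direction": "incoming", "src": "10.1.2.3", "protocol": "TCP", "port": 22}
SSH_V6 = {"direction": "incoming", "src": "2001:db8::1", "protocol": "TCP", "port": 22}
```

`evaluate(RULES, DEFAULTS, SSH_V6)` returns `('Drop', 'Drop all incoming')` because the SSH rule is IPv4-only, while `evaluate(RULES[::-1], DEFAULTS, SSH_V4)` also drops SSH, showing why rule order matters.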
Deploying the Firewall Policy
After configuring the Firewall Policy:
- Save the profile.
- Assign the profile to the required Linux devices or device groups.
- Deploy the profile.
The configured firewall settings are applied to the assigned devices during the next synchronization cycle.
Important Considerations
- Firewall rules are processed sequentially, and rule order can affect traffic behavior.
- Incorrect firewall configurations may block network access to the device.
- Use the Exclude SSH Traffic option when remote SSH access must be preserved.
- Port forwarding should be configured carefully to avoid exposing unintended services.
- Enable masquerading only when network address translation is required.
- Test firewall policies on a limited set of devices before deploying them across production environments.