Kaspersky Embedded Systems Security for Linux

Firewall Management in the command line

In the command line, you can configure Firewall Management using the Firewall Management predefined task (Firewall_Management).

By default, the Firewall Management task is not run. You can start and stop this task manually.

You can configure the firewall management settings by editing the settings of the Firewall Management predefined task.

You can also configure Firewall Management settings using Firewall Management commands:

  • Create and delete network packet rules and change their execution priority.
  • Create a list of IP addresses or subnets in network zones.
  • View firewall rules created in Kaspersky Embedded Systems Security by using the following command: kess-control -F --query.

    Firewall Management task settings
    (each setting is listed with its description and its possible values)

    DefaultIncomingAction

    The default action to perform on an inbound connection if no network rules apply to this connection type.

    Allow (default value) — Allow inbound connections.

    Block — Block inbound connections.

    DefaultIncomingPacketAction

    The default action to perform on an incoming packet if no network packet rules apply to this connection type.

    Allow (default value) — Allow incoming packets.

    Block — Block incoming packets.

    OpenNagentPorts

    Adds Network Agent dynamic rules to the network packet rules.

    Yes (default value) – Add Network Agent dynamic rules to the network packet rules.

    No – Do not add Network Agent dynamic rules to the network packet rules.

    The [PacketRules.item_#] section contains network packet rules for the Firewall Management task. You can specify several [PacketRules.item_#] sections in any order. The application processes the rules by index in ascending order.

    Each [PacketRules.item_#] section contains the following settings:

    Name

    Network packet rule name.

    Default value: Packet rule #<n>, where n is an index.

    FirewallAction

    Action to be performed on connections specified in this network packet rule.

    Allow (default value) — Allow network connections.

    Block — Block network connections.

    Protocol

    Type of protocol for which network activity is to be monitored.

    Any (default value) — The Firewall Management task monitors all network activity.

    TCP

    UDP

    ICMP

    ICMPv6

    IGMP

    GRE

    RemotePorts

    Port numbers of the remote devices whose connection is monitored. An integer or interval can be specified for this value.

    This setting can only be specified if the Protocol setting is set to TCP or UDP.

    Any (default value) — Monitor all remote ports.

    0-65535.

    LocalPorts

    Port numbers of the local devices whose connection is monitored. An integer or interval can be specified for this value.

    This setting can only be specified if the Protocol setting is set to TCP or UDP.

    Any (default value) — Monitor all local ports.

    0-65535.

    ICMPType

    ICMP packet type.

    This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6.

    Any (default value) — Monitor all ICMP packet types.

    Integer number according to the data transfer protocol specification.

    ICMPCode

    ICMP packet code.

    This setting can only be specified if the Protocol setting is set to ICMP or ICMPv6.

    Any (default value) — Monitor all ICMP packet codes.

    Integer number according to the data transfer protocol specification.

    Direction

    Direction of the monitored network activity.

    IncomingOutgoing or InOut (default value) — Monitor both inbound and outbound connections.

    Incoming or In — Monitor inbound connections.

    Outgoing or Out — Monitor outbound connections.

    IncomingPacket or InPacket — Monitor incoming packets.

    OutgoingPacket or OutPacket — Monitor outgoing packets.

    IncomingOutgoingPacket or InOutPacket — Monitor both incoming and outgoing packets.

    RemoteAddress

    The network addresses of the remote devices that can send and receive network packets.

    Any (default value) — Monitor network packets sent and/or received by remote devices with any IP address.

    Trusted — Predefined network zone for trusted networks.

    Local — Predefined network zone for local networks.

    Public — Predefined network zone for public networks.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d-d.d.d.d — Range of IPv4 addresses.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x:x:x:x:x-x:x:x:x:x:x:x:x — Range of IPv6 addresses.

    x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.

    LocalAddress

    Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets.

    Any (default value) — Monitor network packets sent and/or received by local devices with any IP address.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d-d.d.d.d — Range of IPv4 addresses.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x:x:x:x:x-x:x:x:x:x:x:x:x — Range of IPv6 addresses.

    x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.

    LogAttempts

    Include a record of the network rule action in the report.

    Yes — Log actions in the report.

    No (default value) — Do not write the actions in the report.

    The [NetworkZonesPublic] section contains network addresses associated with public networks. You can specify several IP addresses or subnets of IP addresses.

    Address.item_#

    Specifies IP addresses or subnets of IP addresses.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

    Default value: "" (no network addresses in this zone)

    The [NetworkZonesLocal] section contains network addresses associated with local networks. You can specify several IP addresses or subnets of IP addresses.

    Address.item_#

    Specifies IP addresses or subnets of IP addresses.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

    Default value: "" (no network addresses in this zone)

    The [NetworkZonesTrusted] section contains network addresses associated with trusted networks. You can specify several IP addresses or subnets of IP addresses.

    Address.item_#

    Specifies IP addresses or subnets of IP addresses.

    d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

    d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

    x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

    x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

    Default value: "" (no network addresses in this zone)
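The settings above map onto a task settings file. The script below is an added example, not Kaspersky's code or anything taken from this page: it writes a deny-by-default Firewall Management configuration with three [PacketRules.item_#] sections and two network zones, then checks every rule section against the constraints the table states (ports only with TCP or UDP, ICMPType/ICMPCode only with ICMP or ICMPv6, port values within 0-65535) before anything is applied. The item_0000 index format, the addresses (RFC 5737 and RFC 3849 documentation ranges), and the --set-settings / --start-task option names in apply_fw_config are assumptions, not values given on the page.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): write a Firewall_Management settings file
# from the settings documented above and check it against the documented constraints
# before applying it. Assumed, not taken from the page: the item_0000 index format
# and the --set-settings / --start-task option names used in apply_fw_config.

FW_CONF="${FW_CONF:-/tmp/firewall_management.ini}"

# Deny-by-default inbound policy. Sections are processed by ascending index, so the
# allow for the Trusted zone is item_0000 and the logged Telnet block follows it.
write_fw_config() {
    cat > "$1" <<'EOF'
DefaultIncomingAction=Block
DefaultIncomingPacketAction=Allow
OpenNagentPorts=Yes

[PacketRules.item_0000]
Name=Allow_SSH_Trusted
FirewallAction=Allow
Protocol=TCP
LocalPorts=22
RemotePorts=Any
Direction=In
RemoteAddress=Trusted

[PacketRules.item_0001]
Name=Block_Telnet
FirewallAction=Block
Protocol=TCP
LocalPorts=23
Direction=In
RemoteAddress=Any
LogAttempts=Yes

[PacketRules.item_0002]
Name=Allow_Echo_Request_Local
FirewallAction=Allow
Protocol=ICMP
ICMPType=8
ICMPCode=0
Direction=InPacket
RemoteAddress=Local

[NetworkZonesTrusted]
Address.item_0000=192.0.2.10
Address.item_0001=2001:db8:0:1::0/64

[NetworkZonesLocal]
Address.item_0000=198.51.100.0/24
EOF
}

# Check every [PacketRules.item_#] section against the documented constraints:
# ports only with TCP/UDP, ICMPType/ICMPCode only with ICMP/ICMPv6, ports in 0-65535.
check_fw_config() {
    awk '
    BEGIN { bad = 0 }
    function specified(v) { return v != "" && v != "Any" }
    function portok(v,  a, n, i) {
        if (!specified(v)) return 1
        n = split(v, a, "-")
        if (n < 1 || n > 2) return 0
        for (i = 1; i <= n; i++) if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 65535) return 0
        return n == 1 || a[1] + 0 <= a[2] + 0
    }
    function flush() {
        if (sec == "") return
        if ((specified(lp) || specified(rp)) && proto != "TCP" && proto != "UDP") { print sec ": LocalPorts/RemotePorts need Protocol=TCP or UDP"; bad = 1 }
        if ((specified(it) || specified(ic)) && proto != "ICMP" && proto != "ICMPv6") { print sec ": ICMPType/ICMPCode need Protocol=ICMP or ICMPv6"; bad = 1 }
        if (!portok(lp) || !portok(rp)) { print sec ": ports must be Any, 0-65535 or lo-hi"; bad = 1 }
    }
    /^\[PacketRules\.item_[0-9]+\]$/ { flush(); sec = $0; proto = "Any"; lp = rp = it = ic = ""; next }
    /^\[/ { flush(); sec = "" }
    sec != "" { n = index($0, "="); key = substr($0, 1, n - 1); val = substr($0, n + 1) }
    sec != "" && key == "Protocol"    { proto = val }
    sec != "" && key == "LocalPorts"  { lp = val }
    sec != "" && key == "RemotePorts" { rp = val }
    sec != "" && key == "ICMPType"    { it = val }
    sec != "" && key == "ICMPCode"    { ic = val }
    END { flush(); exit bad }
    ' "$1"
}

# Apply only a configuration that passes the checks (option names are assumed).
apply_fw_config() {
    check_fw_config "$1" || return 1
    if command -v kess-control >/dev/null 2>&1; then
        kess-control --set-settings Firewall_Management --file "$1" &&
        kess-control --start-task Firewall_Management
    else
        echo "dry run: kess-control --set-settings Firewall_Management --file $1"
    fi
}

write_fw_config "$FW_CONF" && check_fw_config "$FW_CONF" && echo "OK: $FW_CONF passes the checks"
```

check_fw_config prints one line per violation and exits non-zero, so it can gate a deployment pipeline; the Block_Telnet section sets LogAttempts=Yes so that blocked connection attempts appear in the report, while the allow rules stay unlogged.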

In this section

Configuring a list of network packet rules in the command line

Configuring network zones in the command line


Configuring a list of network packet rules in the command line

To add a network packet rule, execute the following command:

kess-control --add-rule [--name <rule name>] [--action <action>] [--protocol <protocol>] [--direction <direction>] [--remote <remote address>[:<port range>]] [--local <local address>[:<port range>]] [--at <index>]

where:

  • --name <rule name> is the name of the network packet rule.
  • --action <action> is the action to be performed on connections specified in network packet rule.
  • --protocol <protocol> is the type of data transfer protocol for which you want to monitor network activity.
  • --direction <direction> is the direction of the monitored network activity.
  • --remote <remote address>[:<port range>] is the network address of the remote device. You can specify the name of a predefined network zone as the remote address.
  • --local <local address>[:<port range>] is the network address of the device with Kaspersky Embedded Systems Security installed.
  • --at <index> is the position (index) of the new rule in the list of network packet rules. If the --at option is not specified or its value is larger than the number of rules in the list, the new rule is added to the end of the list.

Parameters that you do not specify values for in the command are set to their default values.

Examples:

To create a rule that blocks all incoming and established connections to TCP port 23, execute the following command:

kess-control --add-rule --name Block_Telnet --action Block --direction in --protocol TCP --local any:23 --remote any

To create a rule that blocks incoming and established connections via the TCP port 23 for the Public network zone, execute the following command:

kess-control --add-rule --name Block_Telnet --action Block --direction in --protocol TCP --local any:23 --remote Public

To delete a network packet rule, execute one of the following commands:

  • kess-control --del-rule --name <rule name>
  • kess-control --del-rule --index <index>

where:

  • --name <rule name> is the name of the network packet rule.
  • --index <index> is the current index of rules in the list of network packet rules.

If the list of network packet rules contains multiple rules with an identical name or does not contain a rule with a specified name or index, an error occurs.

To change a network packet rule's execution priority, execute one of the following commands:

  • kess-control --move-rule --name <rule name> --at <index>
  • kess-control --move-rule --index <index> --at <index>

where:

  • --name <rule name> is the name of the network packet rule.
  • --index <index> is the current index of rules in the list of network packet rules.
  • --at <index> is the new index of rules in the list of network packet rules.


Configuring network zones in the command line

To add a network address to the zone, execute the following command:

kess-control --add-zone --zone <zone> --address <address>

where:

  • --zone <zone> is the predefined name of the network zone. Possible values: Public, Local, Trusted.
  • --address <address> is the network address or subnet.

To delete a network address from a zone, execute one of the following commands:

  • kess-control --del-zone --zone <zone> --address <address>
  • kess-control --del-zone --zone <zone> --index <address index in the zone>

If a zone contains several items with the same network address, the --del-zone command will not be executed.

If the specified network address or index does not exist, an error message is generated.
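The packet-rule and network-zone commands above fit together as one procedure: populate the zones first, then insert the rules in evaluation order. The script below is an added example, not Kaspersky's code and not taken from the page. It wraps kess-control so that every argument is checked against the values the page lists before the tool sees it, inserts the management allow rule at index 0 so it is evaluated before the Telnet block, and re-creates rules under unique names because --del-rule --name errors when a name is duplicated. The addresses are constructed from the RFC 5737 documentation ranges; with DRY_RUN=1, or on a host without kess-control, the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): compose an ordered packet-rule set and
# zone membership with the kess-control commands documented above. With DRY_RUN=1,
# or on a host without kess-control, the commands are printed instead of executed.

fw_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v kess-control >/dev/null 2>&1; then
        echo "kess-control $*"
    else
        kess-control "$@"
    fi
}

# Accept only the values the documentation lists (direction is matched
# case-insensitively, as in the page's own "--direction in" example).
valid_direction() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        in|out|inout|inpacket|outpacket|inoutpacket|incoming|outgoing|incomingoutgoing|incomingpacket|outgoingpacket|incomingoutgoingpacket) return 0 ;;
    esac
    return 1
}
valid_protocol() { case "$1" in Any|TCP|UDP|ICMP|ICMPv6|IGMP|GRE) return 0 ;; esac; return 1; }
valid_zone()     { case "$1" in Public|Local|Trusted) return 0 ;; esac; return 1; }

# add_rule NAME ACTION DIRECTION PROTOCOL LOCAL REMOTE [INDEX]
# Rules are evaluated by ascending index, so an allow that must take precedence
# over a later block rule is inserted with --at 0.
add_rule() {
    name=$1; action=$2; dir=$3; proto=$4; laddr=$5; raddr=$6; at=${7:-}
    case "$action" in Allow|Block) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    valid_direction "$dir" || { echo "bad direction: $dir" >&2; return 1; }
    valid_protocol "$proto" || { echo "bad protocol: $proto" >&2; return 1; }
    set -- --add-rule --name "$name" --action "$action" --direction "$dir" \
           --protocol "$proto" --local "$laddr" --remote "$raddr"
    if [ -n "$at" ]; then set -- "$@" --at "$at"; fi
    fw_cmd "$@"
}

add_zone_address() {
    valid_zone "$1" || { echo "bad zone: $1" >&2; return 1; }
    fw_cmd --add-zone --zone "$1" --address "$2"
}

# Re-create a rule under a unique name: --del-rule --name errors when the list
# holds duplicates of that name, so this script never adds the same name twice.
# The delete also errors when the name is absent, which is tolerated here.
replace_rule() {
    fw_cmd --del-rule --name "$1" 2>/dev/null || true
    add_rule "$@"
}

# Example policy with constructed RFC 5737 addresses: populate zones first,
# then put the management allow ahead of the Telnet block and show the result.
apply_policy() {
    add_zone_address Trusted 192.0.2.10 &&
    add_zone_address Local 198.51.100.0/24 &&
    replace_rule Allow_SSH_Trusted Allow In TCP any:22 Trusted 0 &&
    replace_rule Block_Telnet Block In TCP any:23 any &&
    fw_cmd -F --query
}

if [ "${1:-}" = "apply" ]; then apply_policy; fi
```

Run it as `DRY_RUN=1 sh fw_policy.sh apply` to review the exact command sequence before running it for real; the final `-F --query` shows the resulting rule order so that the index 0 placement of the allow rule can be confirmed.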
