Firewall (sec-firewall)
Checks firewall status, detects rule changes compared to a baseline, and monitors blocked connection attempts.
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable/disable module |
| firewall_type | string/null | null | Force firewall type (nftables, iptables, firewalld) or auto-detect |
| inactive_firewall_severity | int | 2 | Severity when firewall is inactive |
| baseline_path | string | "" | Path to ruleset baseline (empty = platform-specific default) |
| blocked_connections_window_minutes | int | 60 | Time window for blocked connection counting |
| blocked_connections_threshold | int | 100 | Threshold for blocked connections |
| ignore_patterns | list | ["DOCKER", "docker0", "br-"] | Ignore firewall rules matching these patterns |
YAML Example
```yaml
sec_firewall:
  enabled: true
  inactive_firewall_severity: 2
  blocked_connections_threshold: 50
  ignore_patterns:
    - "DOCKER"
    - "docker0"
```
Diagnostic Codes
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 5000 | 0 | Firewall active, rules match baseline | — |
| 5001 | 1–2 | Many blocked connections | Investigate source, possible scan/attack |
| 5003 | 2 | Firewall not active or profile disabled | Enable firewall |
| 5090 | 1 | Firewall tool not available | Install a firewall (nftables, ufw, etc.) |
| 6003 | 1 | Firewall rules have changed since baseline | Review changes, update baseline if appropriate |
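As an added illustration of how the configuration parameters and diagnostic codes above fit together, here is a hypothetical re-implementation of the three checks (not the module's own code). It assumes substring matching for `ignore_patterns`, a constructed log line format for blocked connections, and an assumed escalation rule for code 5001's severity.

```python
import re
from datetime import datetime, timedelta

# Hypothetical re-implementation of the sec-firewall checks; not the module's own code.
# Defaults mirror the configuration table above.
DEFAULT_CFG = {
    "inactive_firewall_severity": 2,
    "blocked_connections_window_minutes": 60,
    "blocked_connections_threshold": 100,
    "ignore_patterns": ["DOCKER", "docker0", "br-"],
}

def filter_rules(rules, ignore_patterns):
    """Drop rules containing any ignore pattern (substring match is an assumption)."""
    return [r for r in rules if not any(p in r for p in ignore_patterns)]

def compare_ruleset(current, baseline, ignore_patterns):
    """Return (added, removed) rule lines after applying the ignore patterns to both sides."""
    cur = set(filter_rules(current, ignore_patterns))
    base = set(filter_rules(baseline, ignore_patterns))
    return sorted(cur - base), sorted(base - cur)

# Constructed log format: "<ISO timestamp> BLOCKED src=<ip> dpt=<port>"
LOG_RE = re.compile(r"^(\S+) BLOCKED src=(\S+) dpt=(\d+)$")

def count_blocked(log_lines, now_iso, window_minutes):
    """Count BLOCKED entries whose timestamp falls inside the trailing window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(minutes=window_minutes)
    count = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and datetime.fromisoformat(m.group(1)) >= cutoff:
            count += 1
    return count

def evaluate(active, current, baseline, log_lines, now_iso, cfg=DEFAULT_CFG):
    """Map the module's state onto the diagnostic codes from the table above."""
    if not active:
        return [(5003, cfg["inactive_firewall_severity"])]
    diags = []
    added, removed = compare_ruleset(current, baseline, cfg["ignore_patterns"])
    if added or removed:
        diags.append((6003, 1))
    blocked = count_blocked(log_lines, now_iso, cfg["blocked_connections_window_minutes"])
    threshold = cfg["blocked_connections_threshold"]
    if blocked >= threshold:
        # Severity 2 once the count reaches twice the threshold (assumed escalation rule).
        diags.append((5001, 2 if blocked >= 2 * threshold else 1))
    return diags or [(5000, 0)]
```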
Platform Support
- Linux: Supports nftables, iptables, and firewalld. Automatic detection.
- Windows: Checks Windows Firewall profiles (Domain, Private, Public).