1. Home
  2. BMU
  3. Powercode Link
  4. Use the Firewall page

Use the Firewall page

The Firewall page edits the Link host firewall through a safe apply workflow. Changes must be confirmed after they are applied; otherwise they automatically roll back.

Open the Firewall page

  1. Sign in to Powercode Link.
  2. Select Firewall in the page selector.

You need configuration/write access to use this page.

Understand the safety workflow

Firewall changes can disconnect your browser session. Link protects against lockout by using a confirmation timer:

  1. You edit a candidate firewall ruleset.
  2. You save and validate the candidate.
  3. You apply the candidate with a rollback timeout.
  4. Link starts a countdown.
  5. If the connection still works, you select Confirm Changes.
  6. If you do not confirm in time, Link automatically rolls back.

If you know the change is wrong, select Rollback Now instead of waiting for the timer.

Read the status banner

The top banner shows the firewall daemon state:

  • Host firewall: the daemon is idle and ready.
  • Firewall Changes Pending Confirmation: a ruleset was applied and must be confirmed before the timer expires.
  • Connected or Connection Lost: whether the UI can currently reach the firewall daemon.

Edit rules

The Rule editor uses structured firewall JSON.

Common fields in the default model include:

  • default_policy: default handling for unmatched traffic.
  • rules: ordered rule entries.
  • description: human-readable rule purpose.
  • action: usually allow or another supported firewall action.
  • protocol: for example tcp or udp.
  • ports: port list.
  • source: allowed source network or any.
  • family: ipv4, ipv6, or both.

The default rules allow loopback, established sessions, SSH, HTTP, HTTPS, DHCPv4, and DHCPv6.

Configure SNAT for probe traffic

Use the top-level nat_rules array to configure managed source NAT. This is useful when Docker-based SNMP or ICMP probes must leave the Link host with a specific source IP.

Example SNAT rules equivalent to Docker SNMP/ICMP probe SNAT on ens160:

{
  "version": 1,
  "default_policy": "drop",
  "rules": [
    { "description": "Loopback traffic", "action": "allow", "interface": "lo" },
    { "description": "Established and related sessions", "action": "allow", "established": true },
    { "description": "SSH access", "action": "allow", "protocol": "tcp", "ports": [22], "source": "any", "family": "both" },
    { "description": "HTTP access", "action": "allow", "protocol": "tcp", "ports": [80], "source": "any", "family": "both" },
    { "description": "HTTPS access", "action": "allow", "protocol": "tcp", "ports": [443], "source": "any", "family": "both" },
    { "description": "DHCPv4 server", "action": "allow", "protocol": "udp", "ports": [67], "source": "any", "family": "ipv4" },
    { "description": "DHCPv6 server", "action": "allow", "protocol": "udp", "ports": [547], "source": "any", "family": "ipv6" }
  ],
  "nat_rules": [
    {
      "description": "SNAT Docker SNMP probes",
      "type": "snat",
      "out_interface": "ens160",
      "source": "172.19.0.0/16",
      "destinations": ["10.0.0.0/8"],
      "protocol": "udp",
      "ports": [161],
      "snat_to": "10.0.20.5"
    },
    {
      "description": "SNAT Docker ICMP probes",
      "type": "snat",
      "out_interface": "ens160",
      "source": "172.19.0.0/16",
      "destinations": ["10.0.0.0/8"],
      "protocol": "icmp",
      "snat_to": "10.0.20.5"
    }
  ]
}

SNAT fields:

  • type: currently snat.
  • out_interface: required outgoing interface name, such as ens160. in_interface is not supported for managed SNAT.
  • source: optional container CIDR or address, usually the Docker network subnet. Omit it or leave it empty to generate a destination/interface/protocol/port-constrained SNAT rule with no source-address match.
  • destinations: required live-device CIDRs or addresses. Broad destinationless SNAT is rejected.
  • protocol: required explicit probe protocol: tcp, udp, or icmp.
  • ports: required destination ports for TCP/UDP rules, such as SNMP UDP/161. ICMP does not use ports.
  • snat_to: source IP to translate matching packets to. Use an address actually owned by the Link host on the outgoing path; do not spoof an unrelated Powercode server address.

Confirm the Docker subnet, live-device destination CIDRs, outgoing interface, and local snat_to address before applying SNAT. The Docker subnet may differ from 172.19.0.0/16 on some deployments.

Save, validate, and apply

  1. Edit the JSON ruleset.
  2. Select Save Draft.
  3. Select Validate.
  4. Fix any validation errors.
  5. Set the Rollback timeout. The default is 60 seconds.
  6. Select Apply Changes.
  7. Confirm that you still have access.
  8. Select Confirm Changes before the countdown expires.

Caution: Always keep a management access path open. Be especially careful when editing SSH, HTTPS, and management-network rules.

Use version history

The page keeps saved firewall versions.

To load an earlier version:

  1. Choose a version from Version history.
  2. Select Load Version.
  3. Review the loaded content.
  4. Save, validate, and apply it like any other candidate.

Loading a version does not apply it immediately.

Troubleshooting

  • If the UI loses connection after applying a change, wait for automatic rollback or use out-of-band server access.
  • If validation fails, fix the JSON syntax or unsupported rule fields and validate again.
  • If the firewall daemon shows an error, contact Powercode support or check the Link host service logs.
  • If you are not authorized, ask for gateway:config:write access.
Updated on July 1, 2026

Was this article helpful?

Related Articles