{"id":1785,"date":"2026-07-01T17:46:35","date_gmt":"2026-07-01T17:46:35","guid":{"rendered":"https:\/\/kb.powercode.com\/?post_type=ht_kb&#038;p=1785"},"modified":"2026-07-01T18:02:05","modified_gmt":"2026-07-01T18:02:05","slug":"use-the-firewall-page","status":"publish","type":"ht_kb","link":"https:\/\/kb.powercode.com\/?ht_kb=use-the-firewall-page","title":{"rendered":"Use the Firewall page"},"content":{"rendered":"\n<p>The <strong>Firewall<\/strong> page edits the Link host firewall through a safe apply workflow. Changes must be confirmed after they are applied; otherwise they automatically roll back.<\/p>\n\n\n\n<h2>Open the Firewall page<\/h2>\n\n\n\n<ol>\n<li>Sign in to Powercode Link.<\/li>\n\n\n\n<li>Select <strong>Firewall<\/strong> in the page selector.<\/li>\n<\/ol>\n\n\n\n<p>You need configuration\/write access to use this page.<\/p>\n\n\n\n<h2>Understand the safety workflow<\/h2>\n\n\n\n<p>Firewall changes can disconnect your browser session. Link protects against lockout by using a confirmation timer:<\/p>\n\n\n\n<ol>\n<li>You edit a candidate firewall ruleset.<\/li>\n\n\n\n<li>You save and validate the candidate.<\/li>\n\n\n\n<li>You apply the candidate with a rollback timeout.<\/li>\n\n\n\n<li>Link starts a countdown.<\/li>\n\n\n\n<li>If the connection still works, you select <strong>Confirm Changes<\/strong>.<\/li>\n\n\n\n<li>If you do not confirm in time, Link automatically rolls back.<\/li>\n<\/ol>\n\n\n\n<p>If you know the change is wrong, select <strong>Rollback Now<\/strong> instead of waiting for the timer.<\/p>\n\n\n\n<h2>Read the status banner<\/h2>\n\n\n\n<p>The top banner shows the firewall daemon state:<\/p>\n\n\n\n<ul>\n<li><strong>Host firewall<\/strong>: the daemon is idle and ready.<\/li>\n\n\n\n<li><strong>Firewall Changes Pending Confirmation<\/strong>: a ruleset was applied and must be confirmed before the timer expires.<\/li>\n\n\n\n<li><strong>Connected<\/strong> or <strong>Connection Lost<\/strong>: whether the UI can currently reach the firewall daemon.<\/li>\n<\/ul>\n\n\n\n<h2>Edit rules<\/h2>\n\n\n\n<p>The <strong>Rule editor<\/strong> uses structured firewall JSON.<\/p>\n\n\n\n<p>Common fields in the default model include:<\/p>\n\n\n\n<ul>\n<li><code>default_policy<\/code>: default handling for unmatched traffic.<\/li>\n\n\n\n<li><code>rules<\/code>: ordered rule entries.<\/li>\n\n\n\n<li><code>description<\/code>: human-readable rule purpose.<\/li>\n\n\n\n<li><code>action<\/code>: usually <code>allow<\/code> or another supported firewall action.<\/li>\n\n\n\n<li><code>protocol<\/code>: for example <code>tcp<\/code> or <code>udp<\/code>.<\/li>\n\n\n\n<li><code>ports<\/code>: port list.<\/li>\n\n\n\n<li><code>source<\/code>: allowed source network or <code>any<\/code>.<\/li>\n\n\n\n<li><code>family<\/code>: <code>ipv4<\/code>, <code>ipv6<\/code>, or <code>both<\/code>.<\/li>\n<\/ul>\n\n\n\n<p>The default rules allow loopback, established sessions, SSH, HTTP, HTTPS, DHCPv4, and DHCPv6.<\/p>\n\n\n\n<h2>Configure SNAT for probe traffic<\/h2>\n\n\n\n<p>Use the top-level <code>nat_rules<\/code> array to configure managed source NAT. This is useful when Docker-based SNMP or ICMP probes must leave the Link host with a specific source IP.<\/p>\n\n\n\n<p>Example SNAT rules equivalent to Docker SNMP\/ICMP probe SNAT on <code>ens160<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n  \"version\": 1,\n  \"default_policy\": \"drop\",\n  \"rules\": &#91;\n    { \"description\": \"Loopback traffic\", \"action\": \"allow\", \"interface\": \"lo\" },\n    { \"description\": \"Established and related sessions\", \"action\": \"allow\", \"established\": true },\n    { \"description\": \"SSH access\", \"action\": \"allow\", \"protocol\": \"tcp\", \"ports\": &#91;22], \"source\": \"any\", \"family\": \"both\" },\n    { \"description\": \"HTTP access\", \"action\": \"allow\", \"protocol\": \"tcp\", \"ports\": &#91;80], \"source\": \"any\", \"family\": \"both\" },\n    { \"description\": \"HTTPS access\", \"action\": \"allow\", \"protocol\": \"tcp\", \"ports\": &#91;443], \"source\": \"any\", \"family\": \"both\" },\n    { \"description\": \"DHCPv4 server\", \"action\": \"allow\", \"protocol\": \"udp\", \"ports\": &#91;67], \"source\": \"any\", \"family\": \"ipv4\" },\n    { \"description\": \"DHCPv6 server\", \"action\": \"allow\", \"protocol\": \"udp\", \"ports\": &#91;547], \"source\": \"any\", \"family\": \"ipv6\" }\n  ],\n  \"nat_rules\": &#91;\n    {\n      \"description\": \"SNAT Docker SNMP probes\",\n      \"type\": \"snat\",\n      \"out_interface\": \"ens160\",\n      \"source\": \"172.19.0.0\/16\",\n      \"destinations\": &#91;\"10.0.0.0\/8\"],\n      \"protocol\": \"udp\",\n      \"ports\": &#91;161],\n      \"snat_to\": \"10.0.20.5\"\n    },\n    {\n      \"description\": \"SNAT Docker ICMP probes\",\n      \"type\": \"snat\",\n      \"out_interface\": \"ens160\",\n      \"source\": \"172.19.0.0\/16\",\n      \"destinations\": &#91;\"10.0.0.0\/8\"],\n      \"protocol\": \"icmp\",\n      \"snat_to\": \"10.0.20.5\"\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n<p>SNAT fields:<\/p>\n\n\n\n<ul>\n<li><code>type<\/code>: currently <code>snat<\/code>.<\/li>\n\n\n\n<li><code>out_interface<\/code>: required outgoing interface name, such as <code>ens160<\/code>. <code>in_interface<\/code> is not supported for managed SNAT.<\/li>\n\n\n\n<li><code>source<\/code>: optional container CIDR or address, usually the Docker network subnet. Omit it or leave it empty to generate a destination\/interface\/protocol\/port-constrained SNAT rule with no source-address match.<\/li>\n\n\n\n<li><code>destinations<\/code>: required live-device CIDRs or addresses. Broad destinationless SNAT is rejected.<\/li>\n\n\n\n<li><code>protocol<\/code>: required explicit probe protocol: <code>tcp<\/code>, <code>udp<\/code>, or <code>icmp<\/code>.<\/li>\n\n\n\n<li><code>ports<\/code>: required destination ports for TCP\/UDP rules, such as SNMP UDP\/161. ICMP does not use ports.<\/li>\n\n\n\n<li><code>snat_to<\/code>: source IP to translate matching packets to. Use an address actually owned by the Link host on the outgoing path; do not spoof an unrelated Powercode server address.<\/li>\n<\/ul>\n\n\n\n<p>Confirm the Docker subnet, live-device destination CIDRs, outgoing interface, and local <code>snat_to<\/code> address before applying SNAT. The Docker subnet may differ from <code>172.19.0.0\/16<\/code> on some deployments.<\/p>\n\n\n\n<h2>Save, validate, and apply<\/h2>\n\n\n\n<ol>\n<li>Edit the JSON ruleset.<\/li>\n\n\n\n<li>Select <strong>Save Draft<\/strong>.<\/li>\n\n\n\n<li>Select <strong>Validate<\/strong>.<\/li>\n\n\n\n<li>Fix any validation errors.<\/li>\n\n\n\n<li>Set the <strong>Rollback timeout<\/strong>. The default is 60 seconds.<\/li>\n\n\n\n<li>Select <strong>Apply Changes<\/strong>.<\/li>\n\n\n\n<li>Confirm that you still have access.<\/li>\n\n\n\n<li>Select <strong>Confirm Changes<\/strong> before the countdown expires.<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p><strong>Caution:<\/strong> Always keep a management access path open. Be especially careful when editing SSH, HTTPS, and management-network rules.<\/p>\n<\/blockquote>\n\n\n\n<h2>Use version history<\/h2>\n\n\n\n<p>The page keeps saved firewall versions.<\/p>\n\n\n\n<p>To load an earlier version:<\/p>\n\n\n\n<ol>\n<li>Choose a version from <strong>Version history<\/strong>.<\/li>\n\n\n\n<li>Select <strong>Load Version<\/strong>.<\/li>\n\n\n\n<li>Review the loaded content.<\/li>\n\n\n\n<li>Save, validate, and apply it like any other candidate.<\/li>\n<\/ol>\n\n\n\n<p>Loading a version does not apply it immediately.<\/p>\n\n\n\n<h2>Troubleshooting<\/h2>\n\n\n\n<ul>\n<li>If the UI loses connection after applying a change, wait for automatic rollback or use out-of-band server access.<\/li>\n\n\n\n<li>If validation fails, fix the JSON syntax or unsupported rule fields and validate again.<\/li>\n\n\n\n<li>If the firewall daemon shows an error, contact Powercode support or check the Link host service logs.<\/li>\n\n\n\n<li>If you are not authorized, ask for <code>gateway:config:write<\/code> access.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The Firewall page edits the Link host firewall through a safe apply workflow. Changes must be confirmed after they are applied; otherwise they automatically roll back. Open the Firewall page You need configuration\/write access to use this page. Understand the safety workflow Firewall changes can disconnect your browser session. Link&#8230;<\/p>\n","protected":false},"author":20,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":[],"ht-kb-category":[134],"ht-kb-tag":[],"_links":{"self":[{"href":"https:\/\/kb.powercode.com\/index.php?rest_route=\/wp\/v2\/ht-kb\/1785"}],"collection":[{"href":"https:\/\/kb.powercode.com\/index.php?rest_route=\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/kb.powercode.com\/index.php?rest_route=\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/kb.powercode.com\/index.php?rest_route=\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.powercode.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1785"}],"version-history":[{"count":1,"href":"https:\/\/kb.powercode.com\/index.php?rest_route=\/wp\/v2\/ht-kb\/1785\/revisions"}],"predecessor-version":[{"id":1786,"href":"https:\/\/kb.powercode.com\/index.php?rest_route=\/wp\/v2\/ht-kb\/1785\/revisions\/1786"}],"wp:attachment":[{"href":"https:\/\/kb.powercode.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1785"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/kb.powercode.com\/index.php?rest_route=%2Fwp%2Fv2%2Fht-kb-category&post=1785"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/kb.powercode.com\/index.php?rest_route=%2Fwp%2Fv2%2Fht-kb-tag&post=1785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}