Configuring a firewall with ARM

The ARM module uses a firewall. To facilitate traffic interception and redirection:

  • IPTables rules are configured during Content Gateway installation and upgrade.
    • Forcepoint IPTables chains are inserted.
    • Forcepoint IPTables rules are inserted into existing chains.
    • Forcepoint chains and rules use “NC_” as a prefix for identification purposes.
  • IPTables rules configured outside of the Content Gateway manager must:
    • Be inserted after most Forcepoint rules.

      Customized rules should, however, be added before the NC_RESERVED_FWD_DEF rule. This Forcepoint rule was added to the forward chain so that traffic not specifically handled by the proxy is dropped rather than forwarded. It should always remain the last rule in the forward chain.

    • Never be added to Forcepoint chains.
    • Never be modified on Appliance platforms.
  • Forcepoint chains and rules should never be edited.
  • If customized chains or rules impact the Forcepoint configuration, navigate to the Content Gateway bin directory (/opt/WCG/bin) and run the following command:

    netcontrol.sh -r

    This re-establishes the Forcepoint IPTables chains and rules.
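The placement rules above (custom rules go into standard chains only, and in the forward chain they must land before the NC_RESERVED_FWD_DEF rule) can be enforced with a small wrapper instead of counting rule numbers by hand. The script below is an added example, not part of the Forcepoint documentation or the Content Gateway software. It assumes that the NC_RESERVED_FWD_DEF rule appears in `iptables -S FORWARD` output as a FORWARD rule referencing that name; the sample listing, the NC_EXAMPLE chain name and the 10.0.0.0/8 rule are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` output. NC_EXAMPLE is a made-up
# Forcepoint-style chain; only NC_RESERVED_FWD_DEF is named on the page.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -j NC_EXAMPLE
-A FORWARD -i eth0 -j NC_EXAMPLE
-A FORWARD -j NC_RESERVED_FWD_DEF'

# Read `iptables -S FORWARD` text on stdin and print the 1-based position of
# the first FORWARD rule that references NC_RESERVED_FWD_DEF (the number that
# `iptables -I FORWARD <n>` expects). Exit 1 if the rule is missing, which
# indicates the Forcepoint rule set is damaged and netcontrol.sh -r is needed.
reserved_fwd_position() {
  grep '^-A FORWARD ' | awk '
    { n++ }
    /NC_RESERVED_FWD_DEF/ { print n; found = 1; exit }
    END { if (!found) exit 1 }'
}

# Build (and, unless DRY_RUN=1, run) the iptables command for a custom rule.
# $1 is the chain, the remaining arguments are the rule specification.
#  - Forcepoint NC_ chains are refused outright.
#  - FORWARD rules are inserted just before NC_RESERVED_FWD_DEF, so that rule
#    stays last in the chain.
#  - Any other chain simply gets the rule appended.
# FORWARD_LISTING may supply the chain listing for offline use.
place_custom_rule() {
  chain=$1; shift
  case $chain in
    NC_*) echo "refusing to modify Forcepoint chain $chain" >&2; return 2 ;;
  esac
  if [ "$chain" = FORWARD ]; then
    listing=${FORWARD_LISTING:-$(iptables -S FORWARD)}
    pos=$(printf '%s\n' "$listing" | reserved_fwd_position) || {
      echo "NC_RESERVED_FWD_DEF not found in FORWARD; run netcontrol.sh -r" >&2
      return 3
    }
    set -- -I FORWARD "$pos" "$@"
  else
    set -- -A "$chain" "$@"
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Stand-alone demo against the constructed listing; prints the command that
# would be run, without touching the live firewall.
FORWARD_LISTING=$SAMPLE_FORWARD DRY_RUN=1 \
  place_custom_rule FORWARD -s 10.0.0.0/8 -j ACCEPT
```

Run with `DRY_RUN=1` first to see the exact `iptables` invocation; on a real host the position is recomputed from the live FORWARD chain each time, so the wrapper keeps working after `netcontrol.sh -r` reorders the Forcepoint rules.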