Avamar: How to add or remove custom Avamar firewall rules with edit-firewall-rules.sh
Summary: This article describes how to add or remove custom Avamar firewall rules using the edit-firewall-rules.sh script. This is available from Avamar v7.3 and later.
Instructions
From Avamar v7.3 and later, a tool is available that allows the adding or removal of custom iptables rules.
Features:
- Part of the standard Avamar Firewall RPM shipping with v7.3.
- Custom iptables rules can be added or removed.
- Custom rules survive Avamar version upgrades.
- Custom rules survive firewall package updates.
The following new files are installed onto Avamar grids by the avfwb security RPM. The files are located in /usr/local/avamar/lib/admin/security:
edit-firewall-rules.sh
- This file is an interactive script which takes input from the command line and formats it into iptables format.
- This file presents the information in a clear and easy-to-read format.
manage-custom-rules.sh
- This file is the engine behind the edit-firewall-rules.sh interactive script.
- This file creates the iptables rules and commands based on the saved custom rule-set in the configuration file.
- This file restarts the avfirewall service to apply the new rules.
avfwb_custom_config.txt
- Custom rules are stored in the avfwb_custom_config.txt file as pipe-delimited lines.
Available fields can be selected to create the required rule:
- Rule Type: IPv4 or IPv6
- Chain: Output, Input, Logdrop, or Forward
- Protocol: TCP, UDP, or ICMP
- Source IP
- Source Port
- Destination IP
- Destination Port
- Target: Accept, Reject, Drop, or Forward
- Node Type: All, Data, or Utility
Format:
Source IP | Source Port | Destination IP | Destination Port | Protocol | ICMP-type | Target | Chain | Node type
Custom rules are stored in the avfwb_custom_config.txt file as pipe-delimited lines.
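The following is an added example, not Avamar's own code and not the output of manage-custom-rules.sh: it parses rule lines in the pipe-delimited format above (including the trailing run-order field, A or I, that the script writes after Node type, as seen in the listings later in this article), renders an approximation of the iptables command each line corresponds to, and flags rules that deserve a second look before choosing "Save Changes". The field order and the mapping of Insert/Append to iptables -I/-A are assumptions based on this article; node type is not validated because it is handled per node by the script, not by iptables.

```python
# Added example, not Avamar's own code: parse avfwb_custom_config.txt-style lines
# and render an approximation of the iptables command manage-custom-rules.sh would
# build from each, so a rule set can be reviewed before choosing "Save Changes".
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto",
          "icmp_type", "target", "chain", "node_type", "run_order")
VALID = {"proto": ("TCP", "UDP", "ICMP"), "chain": ("OUTPUT", "INPUT", "LOGDROP", "FORWARD"),
         "target": ("ACCEPT", "REJECT", "DROP", "LOGDROP"), "run_order": ("A", "I")}


def parse_rule(line):
    """Split one pipe-delimited rule line into a dict keyed by FIELDS.
    The trailing run-order field (A/I) is optional; the script defaults to A (append)."""
    parts = [p.strip() for p in line.strip().split("|")]
    if len(parts) == 9:
        parts.append("A")
    if len(parts) != 10:
        raise ValueError(f"expected 9 or 10 fields, got {len(parts)}: {line!r}")
    rule = dict(zip(FIELDS, parts))
    for key, allowed in VALID.items():   # the file mixes cases (tcp/TCP, a/A)
        if rule[key].upper() not in allowed:
            raise ValueError(f"{key}: {rule[key]!r} not one of {allowed}")
    return rule


def to_iptables(rule, ipv6=False):
    """Render the rule as an iptables/ip6tables command (approximate form, for review)."""
    proto = rule["proto"].lower()
    cmd = ["ip6tables" if ipv6 else "iptables",
           "-I" if rule["run_order"].upper() == "I" else "-A",
           rule["chain"].upper(), "-p", proto]
    for flag, key in (("-s", "src_ip"), ("--sport", "src_port"),
                      ("-d", "dst_ip"), ("--dport", "dst_port")):
        if rule[key] and not (proto == "icmp" and flag.endswith("port")):
            cmd += [flag, rule[key]]          # port matches only exist for tcp/udp
    if proto == "icmp" and rule["icmp_type"]:
        cmd += ["--icmp-type", rule["icmp_type"]]
    return " ".join(cmd + ["-j", rule["target"].upper()])


def review(rule):
    """Warnings a reviewer should see: rules that widen exposure or override defaults."""
    warnings = []
    if (rule["chain"].upper() == "INPUT" and rule["target"].upper() == "ACCEPT"
            and not rule["src_ip"]):
        warnings.append("INPUT ACCEPT with no source IP: reachable from any host")
    if rule["run_order"].upper() == "I":
        warnings.append("Insert run order: evaluated before the default Avamar rules")
    return warnings
```

Run it over the lines shown by "List Current Custom Rules" (option 3) to see what each pending change would do before saving.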
Running the script:
1. Log in to the Avamar Utility Node as admin.
2. Elevate to root privilege.
3. Load the keys per Avamar: How to Log in to an Avamar Server and Load Various Keys.
4. Run the script:
/usr/local/avamar/lib/admin/security/edit-firewall-rules.sh
Choose an Action
----------------
1) Add a custom rule
2) Remove a custom rule
3) List Current Custom Rules
4) Exit
5) Save Changes
Enter desired action:
Usage Examples:
- Adding a Custom Rule example:
Choose an Action
----------------
1) Add a custom rule
2) Remove a custom rule
3) List Current Custom Rules
4) Exit
5) Save Changes
Enter desired action:
Select 1.
Firewall Rule Types
-------------------
1) IPv4 Rule
2) IPv6 Rule
Enter Firewall Rule Type:
Firewall Chains
---------------
1) OUTPUT
2) INPUT
3) LOGDROP
4) FORWARD
Select Chain:
Protocol
--------
1) TCP
2) UDP
3) ICMP
Enter Protocol:
Enter source IP (leave blank for none):
Enter source port (leave blank for none):
Enter destination IP (leave blank for none):
Enter destination port (leave blank for none):
Select the desired target action
Targets
-------
1) ACCEPT
2) REJECT
3) DROP
4) LOGDROP
Select Target:
Node Types
----------
1) ALL
2) DATA
3) UTILITY
Select node type to apply rule to:
Run Order
---------
I) Insert (Inserts rule before default AV Firewall rules are applied)
A) Append (Standard behavior. Rule is appended, with default AV Firewall rules taking precedent)
Select run order for this rule [A]:
The script then prompts to confirm that the new rule should be added to the avfwb_custom_config.txt file:
Add rule ||||tcp||ACCEPT|OUTPUT|ALL to file? (Y/N):
If confirmed, the rule addition is added to the pending actions:
Adding ||||tcp||ACCEPT|OUTPUT|ALL to pending actions...
If another rule is required, select Y at the following prompt:
Add another rule? (Y/N):
Once all rules have been added, respond N to the "Add another rule?" prompt.
The "Return to the main menu?" prompt appears:
Return to main menu? (Y/N):
- Remove a rule example:
Choose an Action
----------------
1) Add a custom rule
2) Remove a custom rule
3) List Current Custom Rules
4) Exit
5) Save Changes
Enter desired action:
Select 2.
Example output:
Rules in configuration file:
1 10.10.10.10||10.10.10.11||tcp||ACCEPT|OUTPUT|ALL|A
2 211||311||tcp||ACCEPT|OUTPUT|ALL|I
3 223||332||TCP||REJECT|INPUT|DATA|A
Select line to remove (ENTER to go back):
Select the appropriate rule to remove.
If a rule is selected, the script briefly displays a confirmation similar to the following, and returns to the main menu.
Line 10.10.10.10||10.10.10.11||tcp||ACCEPT|OUTPUT|ALL|A will be flagged for removal from custom configuration file.
- List Current Custom Rules:
Choose an Action
----------------
1) Add a custom rule
2) Remove a custom rule
3) List Current Custom Rules
4) Exit
5) Save Changes
Enter desired action:
Select 3.
This example shows no custom rules and no pending rules:
Custom Rules Currently in Place:
--------------------------------
Custom Rule Changes Pending:
-----------------------------
No changes have been made
Press any key to return to menu...
This example shows one custom rule in place, and a pending rule add:
Custom Rules Currently in Place:
--------------------------------
1 1.1.1.1||||udp||ACCEPT|OUTPUT|ALL|a
Custom Rule Changes Pending:
-----------------------------
1 (Add) |10.10.10.10|||udp||DROP|INPUT|ACCELERATOR|A
Press any key to return to menu...
This example shows one custom rule in place, one pending rule removal, and one pending rule add:
Custom Rules Currently in Place:
--------------------------------
1 1.1.1.1||||udp||ACCEPT|OUTPUT|ALL|a
Custom Rule Changes Pending:
-----------------------------
1 (Remove) 1.1.1.1||||udp||ACCEPT|OUTPUT|ALL|a
2 (Add) 10.10.10.11||||icmp|22|LOGDROP|LOGDROP|ACCELERATOR|I
- To save and apply the rules:
Choose an Action
----------------
1) Add a custom rule
2) Remove a custom rule
3) List Current Custom Rules
4) Exit
5) Save Changes
Enter desired action:
Select 5.
Rules have been saved to /usr/local/avamar/lib/admin/security/avfwb_custom_config.txt
Once applied, the "Return to the main menu?" prompt appears:
Return to main menu? (Y/N):
- To exit only:
Are you sure you want to exit without saving? (Y/N):
Selecting Y exits the script and discards all unsaved changes.
Additional Information
See the latest release of the Avamar Product Security Guide for information about Avamar required ports.
The Product Security Guide also documents a similar non-interactive tool: manage-custom-rules.sh.