Firewall Management

VistoShield manages your server firewall through nftables or iptables, providing port filtering, flood protection, and country-based blocking.

Firewall Backends

nftables (Preferred)

The nftables backend is the default on modern distributions. VistoShield creates a dedicated table with optimized sets for blocked IPs:

# VistoShield nftables structure
table inet vistoshield {
    set blocklist   { type ipv4_addr; flags timeout; }
    set blocklist6  { type ipv6_addr; flags timeout; }
    chain input     { type filter hook input priority -1; policy accept; }
}

Key advantages: native dual-stack IPv4/IPv6, efficient set-based lookups, and timeout support for automatic block expiration.

iptables (Legacy Fallback)

On systems without nftables, VistoShield falls back to iptables. It creates dedicated chains:

  • VS_BLOCK — IPv4 block chain (iptables)
  • VS_BLOCK6 — IPv6 block chain (ip6tables)

To force a specific backend, set FW_BACKEND="nftables" or FW_BACKEND="iptables" in the configuration.

Port Filtering

Control which ports are open for inbound and outbound traffic:

# Inbound ports
TCP_IN=22,80,443,2222
UDP_IN=53

# Outbound ports
TCP_OUT=22,80,443
UDP_OUT=53,123

Important: Always include your SSH port (22 by default, or whatever port sshd listens on) in TCP_IN; omitting it will lock you out of the server as soon as the rules are reloaded. Include it in TCP_OUT as well if the server itself needs to open SSH connections to other hosts. When changing the port list, test from a second session before closing the one you are in.

After changing port settings, restart the firewall to apply:

vistoshield restart

SYN Flood Protection

SYN flood protection limits the rate of incoming SYN packets to prevent resource exhaustion attacks:

SYNFLOOD=1
SYNFLOOD_RATE=100/s
SYNFLOOD_BURST=150

When enabled, the firewall rate-limits incoming SYN packets and drops the excess before it reaches the TCP stack. Rate limiting cannot tell a forged SYN from a genuine one, so a flood that exceeds the limit also costs some legitimate connection attempts; set SYNFLOOD_RATE above the peak rate of new connections the server normally sees. Under normal traffic conditions, legitimate connections are unaffected.
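The script below is an added example, not VistoShield's own code. It renders TCP_IN, UDP_IN and the SYNFLOOD settings from the two sections above into an nftables ruleset laid out like the vistoshield table shown earlier, and refuses to produce one that would lock out SSH. The function names, the SSH_PORT argument, the ICMPv6 neighbour-discovery rule and the default-deny chain policy (chosen so that TCP_IN/UDP_IN actually restrict traffic) are this example's assumptions.

```sh
# Added example (not VistoShield's own code): render port-filter and SYNFLOOD
# settings into an nftables ruleset. Table and set names follow the structure
# shown earlier in this page; everything else is an assumption of the example.

# ssh_port_listed LIST PORT -> true when PORT appears in the comma-separated LIST
ssh_port_listed() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# synflood_rate_to_nft "100/s" -> "100/second" (only units nft accepts; no fractions)
synflood_rate_to_nft() {
    n=${1%%/*}
    u=${1#*/}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$u" in
        s|second) echo "$n/second" ;;
        m|minute) echo "$n/minute" ;;
        h|hour)   echo "$n/hour" ;;
        *)        return 1 ;;
    esac
}

# render_ruleset TCP_IN UDP_IN SSH_PORT SYNFLOOD SYNFLOOD_RATE SYNFLOOD_BURST
# Prints an nft ruleset on stdout; returns 1 (printing nothing) if SSH_PORT is
# missing from TCP_IN or SYNFLOOD_RATE cannot be expressed.
render_ruleset() {
    tcp_in=$1 udp_in=$2 ssh_port=$3 synflood=$4 rate=$5 burst=$6
    if ! ssh_port_listed "$tcp_in" "$ssh_port"; then
        echo "refusing to render: SSH port $ssh_port is not in TCP_IN=$tcp_in" >&2
        return 1
    fi
    nftrate=""
    if [ "$synflood" = 1 ]; then
        nftrate=$(synflood_rate_to_nft "$rate") || {
            echo "bad SYNFLOOD_RATE: $rate" >&2; return 1; }
    fi
    cat <<EOF
table inet vistoshield {
    set blocklist  { type ipv4_addr; flags timeout; }
    set blocklist6 { type ipv6_addr; flags timeout; }
    chain input {
        type filter hook input priority -1; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @blocklist drop
        ip6 saddr @blocklist6 drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
EOF
    if [ -n "$nftrate" ]; then
        # SYN-only segments (no ACK/FIN/RST) above the rate, after the burst, are dropped
        echo "        tcp flags & (fin|syn|rst|ack) == syn limit rate over $nftrate burst $burst packets drop"
    fi
    if [ -n "$tcp_in" ]; then
        echo "        tcp dport { $tcp_in } ct state new accept"
    fi
    if [ -n "$udp_in" ]; then
        echo "        udp dport { $udp_in } accept"
    fi
    cat <<EOF
    }
}
EOF
}

# Values from the configuration examples on this page
render_ruleset "22,80,443,2222" "53" 22 1 "100/s" 150
```

Write the output to a file and validate it with `nft -c -f FILE` (check mode parses the ruleset without touching the kernel) before loading it with `nft -f FILE`. The outbound lists (TCP_OUT/UDP_OUT) would be handled the same way in an output chain.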

Port Flood Protection (PORTFLOOD)

PORTFLOOD provides granular per-port rate limiting. The format is:

PORTFLOOD=port;protocol;hits;seconds[,port;protocol;hits;seconds,...]

Example configuration:

# 5 SSH connections per 300s, 30 HTTP connections per 5s
PORTFLOOD=22;tcp;5;300,80;tcp;30;5,443;tcp;30;5

Field       Description
port        The port number to protect
protocol    tcp or udp
hits        Number of new connections allowed within the time window
seconds     Time window in seconds
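As an added example (not VistoShield's own code), the script below expands a PORTFLOOD string into iptables rules for the legacy backend using the xt_recent match, whose --seconds/--hitcount window maps onto the hits;seconds fields directly. The chain name VS_PORTFLOOD, the per-port recent-list names and the validation rules are assumptions of this example.

```sh
# Added example (not VistoShield's own code): PORTFLOOD -> iptables xt_recent rules.
# Chain name and list names are assumptions for the example.

# is_uint VALUE -> true when VALUE is a non-empty string of decimal digits
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# portflood_rules SPEC [CHAIN]
# Emits, per entry, a "--update ... -j DROP" rule followed by a "--set" rule,
# in the order iptables must evaluate them. Returns 1 on a malformed entry.
portflood_rules() {
    spec=$1
    chain=${2:-VS_PORTFLOOD}
    saved_ifs=$IFS
    IFS=','
    for entry in $spec; do
        IFS=';'
        set -- $entry
        IFS=$saved_ifs
        port=$1 proto=$2 hits=$3 secs=$4
        if [ "$#" -ne 4 ]; then
            echo "PORTFLOOD: expected port;protocol;hits;seconds, got '$entry'" >&2
            return 1
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "PORTFLOOD: protocol must be tcp or udp in '$entry'" >&2; return 1 ;;
        esac
        if ! is_uint "$port" || ! is_uint "$hits" || ! is_uint "$secs" \
           || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] \
           || [ "$hits" -lt 1 ] || [ "$secs" -lt 1 ]; then
            echo "PORTFLOOD: malformed entry '$entry'" >&2
            return 1
        fi
        name="VS_${proto}_${port}"
        # Rule 1: a source that already has $hits new connections recorded within
        # the last $secs seconds is dropped, and its timestamp refreshed, so it
        # stays blocked for as long as it keeps retrying.
        printf 'iptables -A %s -p %s --dport %s -m conntrack --ctstate NEW -m recent --update --seconds %s --hitcount %s --name %s -j DROP\n' \
            "$chain" "$proto" "$port" "$secs" "$hits" "$name"
        # Rule 2: otherwise record this connection attempt. Placing --set after
        # --update means exactly $hits connections get through before the drop.
        printf 'iptables -A %s -p %s --dport %s -m conntrack --ctstate NEW -m recent --set --name %s\n' \
            "$chain" "$proto" "$port" "$name"
    done
    IFS=$saved_ifs
}

# The configuration example from this page
portflood_rules "22;tcp;5;300,80;tcp;30;5,443;tcp;30;5"
```

The same rules are needed once more with ip6tables for IPv6. Under nftables the equivalent is a dynamic set whose elements carry a per-source `limit rate`; note that nft rate units are seconds, minutes, hours and days, so a window such as 300 seconds has to be expressed as 1/minute rather than 5 per 300 seconds.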

ICMP Control

Control whether the server responds to ping requests:

ICMP_IN=1    # Allow inbound ICMP (ping)
ICMP_OUT=1   # Allow outbound ICMP

Setting ICMP_IN=0 stops the server answering ping, which hides it from simple ICMP sweeps but not from TCP or UDP port scans, and it breaks monitoring tools that use ICMP echo to check reachability.

Country Blocking

Block or allow traffic based on geographic origin using GeoIP data:

# Block traffic from specific countries (ISO 3166-1 alpha-2)
CC_DENY=CN,RU,KP

# Always allow these countries regardless of other rules
CC_ALLOW=US,GB,DE,NL

# Set to 1 to apply TCP_IN/UDP_IN port filtering to allowed countries as well
CC_ALLOW_FILTER=0

Tip: Country blocking uses MaxMind GeoLite2 data. Run vistoshield update-geoip periodically to keep the database current; a stale database misclassifies reassigned address ranges. Treat country rules as a noise filter, not a security boundary: an attacker can source traffic from a VPS or proxy in an allowed country.

IPv6 Support

IPv6 protection is enabled by default:

IPV6=1

When enabled, all rules (port filtering, blocks, rate limits) are applied to both IPv4 and IPv6 traffic. With nftables, this uses the inet family for unified rule management. With iptables, separate ip6tables chains are maintained.

Viewing Active Rules

Inspect the current firewall state:

# nftables
nft list table inet vistoshield

# iptables
iptables -L VS_BLOCK -n --line-numbers
ip6tables -L VS_BLOCK6 -n --line-numbers

# VistoShield CLI
vistoshield status

Allow & Deny Lists

Manage permanent IP rules via configuration files:

# /etc/vistoshield/allow.list — IPs that are never blocked
# One IP or CIDR per line, optional comment after #
192.168.1.0/24    # Office network
10.0.0.1          # Monitoring server

# /etc/vistoshield/deny.list — Permanently blocked IPs
45.33.32.156      # Known attacker

Changes to these files take effect after restarting the daemon or running vistoshield reload-lists.
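The script below is an added example, not VistoShield's own code. It parses files in the allow.list/deny.list format above (one IP or CIDR per line, trailing # comment, blank lines ignored), validates each entry, sorts it by address family, and prints the `nft add element` commands for the matching set. The set names blocklist and blocklist6 come from the table structure shown earlier; allowlist/allowlist6, the function names and the decision to abort on a malformed line are assumptions of this example.

```sh
# Added example (not VistoShield's own code): allow.list/deny.list -> nft set elements.

# is_ipv4 ADDR -> true for four dotted decimal octets in 0..255
is_ipv4() {
    saved=$IFS; IFS='.'; set -- $1; IFS=$saved
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# is_plen VALUE MAX -> true for a prefix length in 0..MAX
is_plen() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le "$2" ]
}

# addr_family ENTRY -> prints 4 or 6; returns 1 if ENTRY is not an address
# or CIDR. The IPv6 check is coarse (hex digits and colons, at most one "::").
addr_family() {
    addr=${1%%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=""
    case "$addr" in
        *:*)
            case "$addr" in *[!0-9A-Fa-f:]*|*::*::*) return 1 ;; esac
            if [ -n "$plen" ]; then is_plen "$plen" 128 || return 1; fi
            echo 6 ;;
        *)
            is_ipv4 "$addr" || return 1
            if [ -n "$plen" ]; then is_plen "$plen" 32 || return 1; fi
            echo 4 ;;
    esac
}

# list_to_nft FILE SET4 SET6
# Prints one "nft add element inet vistoshield SET { entry }" per valid entry.
# Comments and blank lines are skipped; a line that is not an address aborts
# with the file name and line number, so a typo never silently shrinks a list.
list_to_nft() {
    file=$1 set4=$2 set6=$3
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=${line%%#*}                              # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')    # and whitespace
        [ -n "$entry" ] || continue
        fam=$(addr_family "$entry") || {
            echo "$file:$lineno: not an IP address or CIDR: '$entry'" >&2
            return 1
        }
        if [ "$fam" = 4 ]; then target=$set4; else target=$set6; fi
        printf 'nft add element inet vistoshield %s { %s }\n' "$target" "$entry"
    done < "$file"
}

# Constructed sample in the allow.list format from this page
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.168.1.0/24    # Office network
10.0.0.1          # Monitoring server

2001:db8::/32     # Documentation prefix, constructed for the example
EOF
list_to_nft "$sample" allowlist allowlist6
rm -f "$sample"
```

For deny.list the same call with `blocklist blocklist6` targets the sets from the table shown earlier; elements added this way carry no timeout, so they stay until removed, which is what a permanent block should do. An allow set is only useful if a rule consults it before the block rules, so it must come first in the chain.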