Firewall Rules
Firewall rules let Flowtriq automatically run commands on a node the moment an attack is detected - without waiting for a human to respond. Rules are evaluated in real time as each incident opens.
Scope: Firewall rules run commands on the monitored server via the agent (e.g. iptables rules). For large volumetric floods that saturate your link, use Cloud Scrubbing integrations to auto-divert traffic to upstream providers like Cloudflare Magic Transit, OVH, Hetzner, AWS Shield, DigitalOcean, Vultr, or Linode.

Configuring Rules
Go to Dashboard → Firewall Rules to create and manage rules. Each rule has:
- Trigger - what incident property fires the rule: attack family, severity level, PPS threshold, or any incident.
- Action - what the agent runs: a shell command (e.g. iptables -A INPUT -p udp -j DROP), a script path, or a webhook call.
- Target nodes - apply to all nodes or specific nodes only.
- Cooldown - minimum minutes between rule executions per node, to avoid repeated firing.
Example: Block UDP floods automatically
```
# Rule configuration
Name: Block UDP on attack
Trigger: Attack family = udp_flood
Action: iptables -A INPUT -p udp -j DROP
Nodes: All
Cooldown: 10 minutes
```
When the agent detects a UDP flood incident, it immediately runs the command, logs the result, and records the action in the audit log.
Supported Trigger Types
| Trigger | Description | Example value |
|---|---|---|
| attack_family | Matches incident attack classification | udp_flood, syn_flood, dns_flood |
| severity | Minimum severity level | critical, high, medium, low |
| pps_threshold | Peak PPS exceeds value | 100000 |
| any | Fires on every new incident | |
Supported Actions
The agent accepts commands from 25+ action types across these firewall and traffic-shaping tools:
| Tool | Example actions |
|---|---|
| iptables / ip6tables | Drop source IP, drop port, reject protocol, hashlimit, connlimit, SYN rate limit, SYN cookies |
| ipset | Create blocklist set, add attacker IPs to set |
| nftables | Rate-limit protocol, block source IP/CIDR, rate limit all traffic |
| ufw | Deny protocol, deny source IP, deny port |
| tc (traffic control) | Police ingress bandwidth, shape egress with TBF |
| ip route | Blackhole source IP (null route), RTBH for destination IP |
| fail2ban | Immediate ban via fail2ban-client |
| nginx | Block User-Agent, block path, rate limit per IP, GeoIP country block |
| Apache | Block User-Agent, block path |
All commands are sanitized before execution. Shell metacharacters are stripped from field values to prevent injection. Each command execution result (applied/failed) is reported back to the dashboard.
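The following is an added illustration of the rule lifecycle described above (trigger matching, per-node cooldown, and stripping shell metacharacters from incident fields before the action runs); it is not Flowtriq's own code. The `{source_ip}`/`{node}` placeholders in action templates, the incident field names, and the exact metacharacter set are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Shell metacharacters stripped from incident field values before they are
# interpolated into an action (models the sanitization described above).
_SHELL_META = re.compile(r"[;&|`$<>(){}\\\"'\n]")
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def sanitize(value: str) -> str:
    """Remove shell metacharacters from a single incident field value."""
    return _SHELL_META.sub("", value)

@dataclass
class Rule:
    name: str
    trigger: str                  # attack_family | severity | pps_threshold | any
    value: object                 # trigger value (None for 'any')
    action: str                   # command template; {field} placeholders are assumed
    nodes: Optional[set] = None   # None applies the rule to all nodes
    cooldown_min: int = 10
    last_fired: dict = field(default_factory=dict)   # node -> minute of last run

def matches(rule: Rule, incident: dict) -> bool:
    """Does this incident satisfy the rule's trigger and node scope?"""
    if rule.nodes is not None and incident["node"] not in rule.nodes:
        return False
    if rule.trigger == "any":
        return True
    if rule.trigger == "attack_family":
        return incident["attack_family"] == rule.value
    if rule.trigger == "severity":   # rule value is the minimum severity
        return SEVERITY[incident["severity"]] >= SEVERITY[rule.value]
    if rule.trigger == "pps_threshold":
        return incident["peak_pps"] > rule.value
    raise ValueError(f"unknown trigger type: {rule.trigger}")

def evaluate(rule: Rule, incident: dict, now_min: int) -> Optional[str]:
    """Return the command the agent would run, or None if the rule does not fire."""
    if not matches(rule, incident):
        return None
    node = incident["node"]
    last = rule.last_fired.get(node)
    if last is not None and now_min - last < rule.cooldown_min:
        return None   # still inside this node's cooldown window
    rule.last_fired[node] = now_min
    safe = {k: sanitize(str(v)) for k, v in incident.items()}
    return rule.action.format(**safe)
```

Stripping metacharacters prevents command chaining, but a tampered field such as `203.0.113.5; reboot` still leaves a stray `reboot` token in the rendered command, which iptables rejects as an unknown argument. An agent should therefore also validate each field against its expected form (for example, that a source IP parses as an address) before substituting it.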
Safety & Audit
- All executions are logged in the Audit Log with rule name, node, trigger, and result.
- Rules respect the cooldown period - a node won't fire the same rule twice within the cooldown window.
- Rules can be toggled active/inactive without deletion.
- Only admin and owner roles can create or delete rules. Analysts can view.
Tip: Combine firewall rules with alert channels - the rule handles the immediate response while your team gets notified through PagerDuty, Slack, or SMS to handle the longer-term mitigation with your upstream provider.