---
title: "Manage Chains"
slug: "manage-chains"
tags: ["Nodegrid 6.0"]
updated: 2026-05-20T14:31:45Z
published: 2026-05-20T14:31:45Z
canonical: "docs.zpesystems.com/manage-chains"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zpesystems.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage Chains

The Firewall table displays all the firewall rules configured for different interfaces.

Note: If you import a configuration for a chain through CLI, the rules defined for the specified chain(s) will be overridden by the imported configuration. For example, if you are importing configuration For the INPUT and OUTPUT chains, the FORWARD chain will not be changed, only the INPUT and OUTPUT chains are updated.

### Add a Chain

1. Go to the *Security :: Firewall* page
2. Click **Add** (displays dialog)

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678896281392.png)
3. On ***Type*****menu, select one:
  - **IPv4** radio button
  - **IPv6** radio button
4. Enter **Chain** (name of this chain)
5. Click **Save**

### Delete a Chain

1. Go to the *Security :: Firewall*page
2. Select the checkbox next to the name to be deleted
3. Click **Delete**
4. On the confirmation dialog, click **OK**

### Change Chain Policy

NOTE

The policy cannot be changed for user custom chains. The policy can only be changed for default chains.

1. Go to the *Security :: Firewall* page
2. In the *Chain* column, select the checkbox of Chain
3. Click **Change Policy** (displays dialog). On **Policy** drop-down, select one (ACCEPT, DROP)

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678896324423.png)
4. Click **Save**.

### Manage a Chain

To manage chain functions/settings, click on the name in the *Chain* column (displays dialog).

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1680111868817.png)

### Add Rule

1. Go to the *Security :: Firewall* page
2. In the *Chain* column, locate and click on the name (displays dialog)
3. Click **Add** (displays dialog)

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1708010090780.png)
4. On the *Target* menu, on the **Target** drop-down, select one (ACCEPT, DROP, REJECT, LOG, RETURN). Enter the **Rule Number** and **Description.**
  - If **REJECT** is selected, the *Reject Options* menu displays:

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678898815755.png)
    - On **Reject With** drop-down, select one (Network Unreachable, Host Unreachable, Port Unreachable, Protocol Unreachable, Network Prohibited, Host Prohibited, Administratively Prohibited, TCP Reset).
5. On the *Match Options*menu:
  1. Enter **Source IP/Mask**
  2. Select **Reverse match for source IP/mask**checkbox
    1. Enter **Destination IP/Mask**
  3. Select **Reverse match for destination IP/mask** checkbox
  4. Enter **Source MAC Address**
  5. Select **Reverse match for source MAC address** checkbox

Note: The Source MAC Address and Reverse Match for the source MAC Address fields are applicable only for Input, PREROUTING, and FORWARD chains.
  6. From the **Input Interface**drop-down list, select one. The list contains all the available interfaces such as eth0, eth1, loopback1, custom, etc.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1701331873405.png)

Note: The Source MAC Address and Reverse Match for the source MAC Address fields are applicable only for Input, PREROUTING, and FORWARD chains.
    1. If you want to add an interface that is not listed, select **Custom**. You can create any custom interface.
    2. In the **Custom Input Interface** field, specify the name of the interface.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1697650473598.png)

The user can later go to **Network**::**Connections** and click **Add**, to add the **Custom Input Interface** mentioned under the **Custom Input Interface**
  7. Select **Reverse match for the input interface** checkbox
  8. On the **Output Interface** drop-down, select the required interface. If an interface is not listed or does not exist, you can use the **Custom** option from the drop-down list to specify the name of the interface:

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1697694499513.png)

Note: The Source MAC Address and Reverse Match for the source MAC Address fields are applicable only for Output, POSTROUTING, and FORWARD chains.
  9. In the **Custom Output Interface** field, specify the name of the interface.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1697650736209.png)

The user can later go to **Network**::**Connections** and click **Add**, to add the Interface mentioned under the **Custom Output Interface**.
  10. Select **Reverse match for the output interface** checkbox
  11. Select **Enable State Match** checkbox (displays options – one or more can be selected):

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678898979057.png)
    - **NEW** checkbox
    - **ESTABLISHED** checkbox
    - **RELATED** checkbox
    - **INVALID** checkbox
    - **Reverse state match** checkbox
  12. On **Fragments** drop-down, select one (All packets and fragments, Unfragmented packets and 1st packets, 2nd and further packets)
6. On the *Protocol*menu, select one:
  1. **Numeric** radio button (expands dialog). Enter the **Protocol Number**.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678899056480.png)
  2. **TCP** radio button (expands dialog).

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678899218756.png)
    - Enter **Source Port.**
    - Enter **Destination Port.**
    - **TCP Flag SYN**drop-down, select one (Any, Set, Unset)
    - **TCP Flag ACK** drop-down, select one (Any, Set, Unset)
    - **TCP Flag FIN** drop-down, select one (Any, Set, Unset)
    - **TCP Flag RST** drop-down, select one (Any, Set, Unset)
    - **TCP Flag URG** drop-down, select one (Any, Set, Unset)
    - **TCP Flag PSH** drop-down, select one (Any, Set, Unset)
    - **Reverse Match for TCP Flags** checkbox
  3. **UDP** radio button (expands dialog)

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678899291645.png)
    - Enter **Source Port**
    - Enter **Destination Port**
  4. **ICMP** radio button (expands dialog)

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678899328753.png)
    - On **ICMP Type** drop-down, select one (Any, Echo-Reply, Destination Unreachable, Network Unreachable, Host Unreachable, Protocol Unreachable, Port Unreachable, Fragmentation Needed, Source Route Failed, Network Unknown, Host Unknown, Network Prohibited, Host Prohibited, TOS Network Unreachable, TOS Host Unreachable, Communication Prohibited, Host Precedence Violation, Precedence Cutoff, Source Quench, Redirect, Network Redirect, Host Redirect, TOS Network Redirect, TOS Host Redirect, Echo Request, Router Advertisement, Router Solicitation, Time Exceeded, TTL Zero During Transit, TTL Zero During Reassembly, Parameter Problem, Bad IP Header, Required Option Missing, Timestamp Request, Timestamp Reply, Address Mask Request, Address Mask Reply)
    - Select **Reverse match for ICMP type** checkbox
    - Select **Reverse match for the protocol** checkbox
    - Select **Reverse match for source port** checkbox
    - Select**Reverse match for destination port** checkbox
7. From the ***Log Options*****menu:
  1. From the**Log Level** drop-down list, select one (Debug, Info, Notice, Warning, Error, Critical, Alert, Emergency)
  2. Enter **Log Prefix**
  3. Select the **Log TCP Sequence Numbers** checkbox
  4. Select the **Log Options from the TCP Packet Header** checkbox
  5. Select the **Log Options from the IP Packet Header** checkbox
8. Click **Save**.

### Edit Chain

1. Go to the *Security :: Firewall*page
2. In the *Chain* column, locate and click on the checkbox
3. Click **Edit** (displays dialog)
4. Make changes, as needed
5. Click **Save**

### Delete Chain

1. Go to the *Security :: Firewall* page
2. In the *Chain* column, locate and select the checkbox on the name
3. Click **Delete**
4. On the confirmation dialog, click **OK**

### Move Chain Up

1. Go to the *Security :: Firewall* page
2. In the *Chain* column, locate and select the checkbox on the name
3. Click **Up** to move up

### Move Chain Down

1. Go to the *Security :: Firewall* page
2. In the *Chain* column, locate and select the checkbox on the name
3. Click **Down** to move down