/etc/sysconfig/firewall.local is a shell script for custom configuration that cannot be done with the firewall GUI. The firewall.local file is a simple shell script and can be edited with a text editor. It is executed with root permissions every time the firewall is loaded.

Example:

[root@ipfire ~]# /etc/sysconfig/firewall.local

Usage: /etc/sysconfig/firewall.local {start|stop|reload}

Common use cases

This is usually used for adding additional iptables rules. Those should be added in the "start" section and be removed correspondingly in the "stop" section.

Besides adding firewall rules, you may also start and stop system services or do anything else that can be done from a Linux shell.

iptables chains for custom rules

Instead of altering the default iptables chains (which can be very dangerous when the firewall ruleset does not work as intended), there are extra chains that MUST be used for this. Packets pass these chains BEFORE they go through the rest of the ruleset.

For Filter table

Use CUSTOMINPUT, CUSTOMFORWARD and CUSTOMOUTPUT for the filter table.

For NAT table

Use CUSTOMPREROUTING, CUSTOMPOSTROUTING and CUSTOMOUTPUT for the nat table.

Boot Phase Error Message

During the boot phase, the firewall follows a specific setup sequence that might lead to a harmless error message from iptables. This happens if an entry in the firewall.local script attempts to manipulate iptables, producing the error "iptables: Bad rule (does a matching rule exist in that chain?)".

The error emerges from the boot sequence where chains are first completely cleared and then reconstructed. When the firewall.local script executes a reload command, it runs the stop command first, followed by the start command. If a chain is empty, the stop command will not find a rule to remove, which triggers this benign error message in the log.

Despite its concerning appearance, this error is innocuous and does not affect the firewall's overall functionality.
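A minimal firewall.local written along the lines described above (only the CUSTOM* chains, rules added in start and removed in stop, reload = stop then start), as an added example rather than the file IPFire ships; the management host, the syslog collector, the internal subnet and the interface name red0 are assumptions, not values from this page:

```shell
#!/bin/sh
# Hypothetical /etc/sysconfig/firewall.local (added example, not the file
# IPFire ships). Assumptions not taken from the wiki page: a management
# host 192.0.2.10 allowed to reach the firewall's SSH port, a syslog
# collector 10.0.0.5 behind the firewall, and "red0" as the RED interface.
IPT="${IPT:-/sbin/iptables}"    # overridable, e.g. IPT=echo for a dry run

# All custom rules live in ONE function; $1 is the iptables action (-A or -D).
# "start" adds them and "stop" deletes exactly the same lines, so the two
# sections cannot drift apart. Only the CUSTOM* chains are touched, never
# INPUT/FORWARD/OUTPUT or PREROUTING/POSTROUTING directly. Remember these
# chains are evaluated BEFORE the GUI ruleset, so an ACCEPT here bypasses it.
custom_rules() {
    action="$1"
    # filter table
    "$IPT" "$action" CUSTOMINPUT   -s 192.0.2.10 -p tcp --dport 22  -j ACCEPT
    "$IPT" "$action" CUSTOMFORWARD -d 10.0.0.5   -p udp --dport 514 -j ACCEPT
    # nat table
    "$IPT" -t nat "$action" CUSTOMPOSTROUTING -s 10.0.0.0/24 -o red0 -j MASQUERADE
}

fw_start() { custom_rules -A; }
# At boot the chains are empty, so each -D prints
# "iptables: Bad rule (does a matching rule exist in that chain?)".
# That is the harmless message described above; nothing is aborted.
fw_stop()  { custom_rules -D; }

fw_main() {
    case "$1" in
        start)  fw_start ;;
        stop)   fw_stop ;;
        reload) fw_stop; fw_start ;;   # reload = stop, then start
        *)      echo "Usage: $0 {start|stop|reload}" >&2; return 1 ;;
    esac
}
fw_main "$@"
```

Setting IPT to a recording function or to echo lets you review the exact rules the script would apply before running it on the firewall.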