Custom firewall rules can be added by creating the files /etc/firewall-4.rules (for IPv4) and /etc/firewall-6.rules (for IPv6).
These files must be writable only by root, otherwise the Firewall service will not process them. You also need to enable them in Advanced Settings.
Each line in the file that does NOT start with a '#' (comment) will be run by the firewall service as a parameter to 'iptables' (or 'ip6tables') on startup. For example, if you wanted to log all traffic before it entered the firewall, you could create the file containing this:
That will INSERT the rule '-j LOG' before the first entry in the INPUT chain.
You can verify that these commands are running by watching /tmp/firewall.log, where you will see 'Custom Rules' being processed. If there are any errors, they will be displayed in that file.
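A pre-flight check for a rules file, added here as an example and not taken from the original page or the Firewall service's code: it tests that the file is writable only by its owner and prints the command each non-comment line would become. The function names are hypothetical, GNU stat is assumed, "writable only by root" is read as uid 0 ownership with no group or other write bit, and the sample rule is constructed to match the description above.

```shell
#!/bin/sh
# Added example; not the firewall service's own logic.
# Assumes GNU stat (Linux).

# root_only_writable FILE [UID]
# Returns 0 when FILE is owned by UID (default 0, root) and neither group
# nor others can write to it. UID is overridable only so the check can be
# exercised without root.
root_only_writable() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "$file: missing" >&2; return 2; }
    if [ "$(stat -c '%u' "$file")" != "$want_uid" ]; then
        echo "$file: not owned by uid $want_uid" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    # Octal 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$file: mode $mode is group/other writable" >&2
        return 1
    fi
    return 0
}

# preview_rules FILE TOOL
# Prints "TOOL <line>" for every line that does not start with '#',
# i.e. the invocations the page says are made on startup.
preview_rules() {
    grep -v '^#' "$1" | while IFS= read -r rule; do
        printf '%s %s\n' "$2" "$rule"
    done
}

# Constructed sample file standing in for /etc/firewall-4.rules.
sample=$(mktemp)
printf '%s\n' '# log everything first' '-I INPUT -j LOG' > "$sample"
chmod 644 "$sample"
root_only_writable "$sample" "$(id -u)" && preview_rules "$sample" iptables
rm -f "$sample"
```

On a real system, call `root_only_writable /etc/firewall-4.rules` with no second argument so ownership is checked against root.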
To set the files to be writable only by root, execute the following commands: