In an era where cyber threats grow more sophisticated by the day, securing your Linux system is no longer optional—it’s essential. Among the first lines of defense in any security strategy is the firewall. A firewall acts as a gatekeeper, controlling incoming and outgoing network traffic based on predefined rules, ensuring only authorized connections reach your system. For beginners, understanding firewalls can seem daunting, but with the right guidance, it becomes an accessible and powerful tool. This blog will demystify Linux firewalls, starting with core concepts, moving through practical usage, and concluding with best practices. By the end, you’ll be equipped to configure, manage, and maintain a firewall that protects your Linux system effectively.
Table of Contents
- What is a Firewall?
- How Linux Firewalls Work
- Fundamental Firewall Concepts
- Common Linux Firewall Tools
- Usage Methods: Getting Started with ufw
- Usage Methods: Getting Started with firewalld
- Common Practices for Linux Firewalls
- Best Practices for Firewall Security
- Conclusion
- References
What is a Firewall?
A firewall is a network security device or software that monitors and filters incoming/outgoing network traffic based on a set of security rules. Its primary goal is to block unauthorized access while permitting legitimate communication. Think of it as a bouncer at a club: it checks every “guest” (network packet) against a list of rules to decide who gets in or out.
On Linux, firewalls are typically software-based and integrated into the kernel, making them lightweight and efficient. They protect against threats like unauthorized SSH access, port scanning, and malicious incoming connections.
How Linux Firewalls Work
Linux firewalls rely on a kernel-level framework called netfilter, which provides hooks to inspect and manipulate network packets as they traverse the system. User-space tools (like ufw, firewalld, or iptables) interact with netfilter to define rules that control packet flow.
Key Workflow:
- Packet Arrival: A network packet reaches the Linux system.
- Netfilter Inspection: The packet is passed through netfilter hooks, where rules are applied.
- Rule Matching: The packet is checked against firewall rules (e.g., source IP, destination port, protocol).
- Action Taken: Based on the first matching rule, the packet is allowed (ACCEPT), blocked (DROP/REJECT), or modified (e.g., forwarded).
Fundamental Firewall Concepts
Before diving into tools, let’s clarify core terms:
Inbound vs. Outbound Traffic
- Inbound: Traffic coming into your system (e.g., a user trying to SSH into your server).
- Outbound: Traffic leaving your system (e.g., your browser accessing a website).
Ports and Protocols
- Ports: Numerical identifiers (1-65535) that specify which service a packet targets (e.g., port 22 = SSH, port 80 = HTTP).
- Protocols: Rules for data transmission. Common ones:
- TCP: Connection-oriented (reliable, used for SSH/HTTP).
- UDP: Connectionless (faster, used for DNS/streaming).
Rules and Policies
- Rules: Specific conditions (e.g., “Allow TCP port 22 from 192.168.1.100”).
- Default Policy: Action taken when no rules match (e.g., “Deny all inbound traffic by default”).
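To make first-match evaluation and the default policy concrete, here is a small simulator added for this post (not ufw or netfilter code) that walks an ordered rule table the way the workflow above describes; the rule table, default policy and addresses are constructed for the example.

```shell
#!/bin/sh
# First-match rule evaluation with a default policy, written as an added example for this post
# (not ufw or netfilter code). The rule table and default policy below are constructed here;
# each rule is "<allow|deny> <proto|any> <port|any> <source CIDR|any>", evaluated top to bottom.
RULES='deny any any 203.0.113.5
allow tcp 22 192.168.1.0/24
allow tcp 80 any
allow udp 53 any'
DEFAULT_INCOMING=deny            # what happens when no rule matches

# match_source <ip> <cidr-or-any>: succeeds when <ip> lies inside the network.
match_source() {
    [ "$2" = any ] && return 0
    awk -v ip="$1" -v cidr="$2" '
    function toint(a,  o) { split(a, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
    BEGIN {
        n = split(cidr, c, "/"); bits = (n == 2) ? c[2] : 32
        block = 2 ^ (32 - bits)      # addresses per network of this prefix length
        exit (int(toint(ip) / block) != int(toint(c[1]) / block))
    }'
}

# evaluate_packet <proto> <dport> <src-ip>: prints the verdict and which rule decided it.
evaluate_packet() {
    n=0
    while read -r action proto port src; do
        n=$((n + 1))
        [ "$proto" = any ] || [ "$proto" = "$1" ] || continue
        [ "$port" = any ] || [ "$port" = "$2" ] || continue
        match_source "$3" "$src" || continue
        if [ "$action" = allow ]; then printf 'ACCEPT (rule %d)\n' "$n"; else printf 'DROP (rule %d)\n' "$n"; fi
        return 0
    done <<EOF
$RULES
EOF
    if [ "$DEFAULT_INCOMING" = allow ]; then echo 'ACCEPT (default policy)'; else echo 'DROP (default policy)'; fi
}

evaluate_packet tcp 22 203.0.113.5      # DROP (rule 1): the blocklist entry wins because it comes first
evaluate_packet tcp 22 192.168.1.100    # ACCEPT (rule 2)
evaluate_packet tcp 22 198.51.100.7     # DROP (default policy): SSH is only open to the LAN
evaluate_packet tcp 3306 192.168.1.100  # DROP (default policy): MySQL was never opened
```

Swapping rules 1 and 2 would let 203.0.113.5 reach SSH if it were inside the allowed subnet, which is why the order in which rules are added matters.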
Common Linux Firewall Tools
Linux offers several firewall tools, each with its own use case. Here’s a comparison to help you choose:
| Tool | Ease of Use | Default on Distros | Key Features | Best For |
|---|---|---|---|---|
| ufw | High | Ubuntu, Debian | Simple CLI, rule prioritization, app profiles | Beginners, small servers |
| firewalld | Medium | RHEL, CentOS, Fedora | Zones, dynamic rules, service-based management | Enterprise, multi-zone setups |
| iptables | Low | N/A (used by ufw/firewalld) | Raw netfilter control, granular rules | Advanced users, scripting |
For beginners, ufw (Uncomplicated Firewall) or firewalld are recommended due to their simplicity. We’ll focus on these two.
Usage Methods: Getting Started with ufw
ufw is a frontend for iptables designed for simplicity. It’s preinstalled on Ubuntu but can be installed on other distros.
Step 1: Install ufw (if missing)
sudo apt update && sudo apt install ufw -y # Debian/Ubuntu
sudo dnf install ufw -y # Fedora/RHEL (if needed)
Step 2: Enable ufw and Set Default Policies
Default policies define behavior when no rules match. Deny inbound, allow outbound is a secure starting point:
sudo ufw default deny incoming # Block all unsolicited inbound traffic
sudo ufw default allow outgoing # Allow all outbound traffic (safe for most users)
sudo ufw enable # Start ufw and enable on boot
Step 3: Basic Rule Management
Allow Essential Services:
sudo ufw allow ssh # Allow SSH (port 22, TCP)
sudo ufw allow http # Allow HTTP (port 80, TCP)
sudo ufw allow 443/tcp # Allow HTTPS (port 443, TCP)
sudo ufw allow 53/udp # Allow DNS (port 53, UDP)
Allow Specific IPs/Ports:
sudo ufw allow from 192.168.1.100 to any port 22 # Allow SSH only from 192.168.1.100
sudo ufw allow 1000:2000/tcp # Allow TCP ports 1000-2000
Deny Traffic:
sudo ufw deny from 203.0.113.5 # Block all traffic from 203.0.113.5
sudo ufw deny 3306/tcp # Block MySQL port (if unused)
Step 4: Check Status and Rules
sudo ufw status # Show active rules (brief)
sudo ufw status verbose # Show detailed status (including policies)
sudo ufw status numbered # Show rules with numbers (for deletion)
Step 5: Delete Rules
sudo ufw delete allow http # Delete by rule description
sudo ufw delete 3 # Delete by rule number (from `status numbered`)
Step 6: Disable ufw (Temporarily)
sudo ufw disable # Stops ufw and disables on boot
Usage Methods: Getting Started with firewalld
firewalld uses zones (predefined rule sets for network environments like “public” or “home”) and services (predefined port/protocol combinations).
Step 1: Check if firewalld is Running
sudo systemctl status firewalld # Check status
sudo systemctl start firewalld # Start if stopped
sudo systemctl enable firewalld # Enable on boot
Step 2: Understand Zones
Zones define traffic rules based on network trust. Common zones:
- public: Default for untrusted networks (e.g., public Wi-Fi).
- home: Trusted networks (e.g., home LAN).
- dmz: For public-facing services (e.g., web servers).
View and set the default zone:
sudo firewall-cmd --get-zones # List all zones
sudo firewall-cmd --get-default-zone # Show current default (usually public)
sudo firewall-cmd --set-default-zone=home # Switch to home zone (if trusted)
Step 3: Manage Services/Ports
Allow Services (Predefined):
sudo firewall-cmd --add-service=ssh --permanent # Allow SSH (permanent rule)
sudo firewall-cmd --add-service=http --permanent # Allow HTTP
sudo firewall-cmd --reload # Apply changes (required for --permanent)
Allow Custom Ports:
sudo firewall-cmd --add-port=8080/tcp --permanent # Allow TCP port 8080
sudo firewall-cmd --reload
Limit Access by IP:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent
sudo firewall-cmd --reload
Step 4: Check Configuration
sudo firewall-cmd --list-all # Show rules for default zone
sudo firewall-cmd --zone=public --list-all # Show rules for a specific zone
Step 5: Remove Rules
sudo firewall-cmd --remove-service=ssh --permanent # Remove SSH service
sudo firewall-cmd --remove-port=8080/tcp --permanent # Remove port 8080
sudo firewall-cmd --reload
Common Practices for Linux Firewalls
1. Allow Only What You Need
Avoid “allow all” rules. Only open ports/services required for your use case (e.g., SSH, HTTP).
2. Block Unused Ports
Close ports like 3306 (MySQL), 5432 (PostgreSQL), or 21 (FTP) unless actively used.
3. Limit SSH Access
Restrict SSH to trusted IPs (e.g., sudo ufw allow from 192.168.1.0/24 to any port 22 for home networks).
4. Avoid Common Mistakes:
- Don’t leave default policies as “allow” (inbound traffic should default to deny).
- Test rules before relying on them (e.g., after allowing SSH, log out and try reconnecting).
- Don’t mix tools (e.g., use ufw or firewalld, not both).
Best Practices for Firewall Security
1. Use Application Profiles
ufw and firewalld support app profiles (e.g., ssh, nginx) that auto-configure ports. Use them instead of raw port numbers:
# ufw example
sudo ufw app list # List available profiles
sudo ufw allow 'Nginx Full' # Allow HTTP/HTTPS via Nginx profile
2. Audit Rules Regularly
Review rules monthly to remove obsolete entries:
# ufw
sudo ufw status numbered
# firewalld
sudo firewall-cmd --list-all-zones
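As an added example (not part of ufw), the script below automates this review by parsing "ufw status numbered" output and flagging ALLOW IN rules that are open to Anywhere on ports the post says to restrict (22) or close unless used (21, 3306, 5432); the port list and the sample status text are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper for "ufw status numbered" output, added as an example for this post
# (not part of ufw). It flags ALLOW IN rules that are open to Anywhere on ports the
# post says to restrict (22) or close unless used (21, 3306, 5432). The SENSITIVE_PORTS
# list and the SAMPLE_STATUS text below are constructed for the demonstration.
SENSITIVE_PORTS="21 22 3306 5432"

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    Anywhere
[ 5] Nginx Full                 ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# audit_ufw_rules: reads "ufw status numbered" text on stdin, prints one finding per risky rule.
audit_ufw_rules() {
    awk -v sensitive="$SENSITIVE_PORTS" '
    BEGIN { n = split(sensitive, list, " "); for (i = 1; i <= n; i++) watch[list[i]] = 1 }
    /^\[ *[0-9]+\]/ {
        num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)    # rule number inside [ ]
        rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)               # "<to> [(v6)] ACTION DIR <from> [(v6)]"
        nf = split(rest, f, " ")
        act = 0
        for (i = 2; i <= nf; i++)
            if (f[i] == "ALLOW" || f[i] == "DENY" || f[i] == "REJECT" || f[i] == "LIMIT") { act = i; break }
        if (act == 0 || act + 2 > nf) next
        split(f[1], p, "/"); port = p[1]                          # "3306/tcp" -> "3306"
        if (f[act] == "ALLOW" && f[act + 1] == "IN" && f[act + 2] == "Anywhere" && (port in watch))
            printf "rule %s: port %s is open to Anywhere (restrict the source or delete the rule)\n", num, port
    }'
}

# Run against the constructed sample; on a real host pipe in: sudo ufw status numbered | audit_ufw_rules
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_rules
```

Rule 1 is not reported because its source is limited to the LAN, which is the shape the post recommends for SSH.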
3. Backup Rules
Save rules to restore after system upgrades:
# ufw
sudo cp /etc/ufw/user.rules ~/ufw_user.rules.bak # Backup IPv4 rules (ufw has no export command)
sudo cp /etc/ufw/user6.rules ~/ufw_user6.rules.bak # Backup IPv6 rules
sudo ufw reset # Wipe rules and disable ufw (if needed)
sudo cp ~/ufw_user.rules.bak /etc/ufw/user.rules && sudo cp ~/ufw_user6.rules.bak /etc/ufw/user6.rules # Restore the rule files
sudo ufw enable # Re-enable ufw so the restored rules are loaded
# firewalld
sudo cp /etc/firewalld/zones/public.xml ~/firewalld_backup.xml # Backup zone
4. Combine with Other Tools
Firewalls work best with:
- fail2ban: Blocks IPs after repeated failed login attempts.
- SELinux/AppArmor: Restrict app permissions (for advanced users).
- Network Scanners: Use nmap to test firewall rules:
nmap -p 22,80 your-server-ip # Check if ports 22/80 are open
Conclusion
Firewalls are a cornerstone of Linux security, and tools like ufw and firewalld make them accessible even to beginners. By following the steps outlined—setting strict default policies, allowing only essential services, and auditing rules—you can significantly reduce your attack surface.
Remember: Security is a journey, not a destination. Regularly update your firewall rules, stay informed about new threats, and combine firewalls with other security tools to build a robust defense.