# Linux - Firewall Management

Firewalls are crucial for maintaining the security of a Linux system. They act as barriers that filter incoming and outgoing network traffic based on predefined security rules. In Linux, there are several tools available to manage firewall rules, including `ufw`, `firewalld`, and `iptables`.

### What is a Firewall?

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between trusted internal networks and untrusted external networks, such as the internet.

Firewalls are essential for:

* Protecting against unauthorized access.
* Preventing malicious attacks.
* Controlling traffic flow based on security policies.

### Comparative Summary

| Feature | `ufw` | `firewalld` | `iptables` |
| --- | --- | --- | --- |
| **Overview** | Simplified firewall management | Dynamic firewall management with zones and services | Advanced, detailed firewall control |
| **Primary Use Case** | Basic firewall management for beginners | Dynamic rule management, flexible and adaptable | Granular control over firewall rules |
| **Ease of Use** | Very user-friendly | Moderate; requires understanding of zones and services | Complex; steep learning curve |
| **Installation** | Pre-installed on Ubuntu; easy to install on other distros | Available on CentOS, Fedora, RHEL; easy to install | Usually pre-installed; manual configuration needed |
| **Configuration** | Simple command-line interface | Command-line and graphical tools available | Command-line only; detailed syntax |
| **Rule Management** | Simple rules (allow/deny services) | Zones and services with dynamic updates | Detailed rules and chains; requires knowledge of iptables syntax |
| **Commands** | `ufw enable`, `ufw allow`, `ufw deny` | `firewall-cmd --add-service`, `firewall-cmd --zone` | `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` |
| **Logging** | Basic logging capabilities | More advanced logging options available | Detailed logging, but requires manual configuration |
| **Dynamic Updates** | Static; requires manual updates | Dynamic; supports runtime changes without reload | Static; changes require reloading rules |
| **Zones Support** | No zones | Supports zones for different network interfaces | No zone concept |
| **Persistence** | Configuration saved in `/etc/ufw` | Configuration saved in `/etc/firewalld` | Configuration typically managed with scripts |
| **Default Policy** | Deny all incoming, allow outgoing | Configurable; default is usually to allow all incoming unless specified otherwise | Requires manual setup; default is to allow all if not specified |

### 1. ufw (Uncomplicated Firewall)

`ufw` is designed to simplify firewall configuration. It’s commonly used on Debian-based distributions like Ubuntu and provides an easy-to-use command-line interface.

#### Key Features:

* **Ease of Use:** Simple syntax for configuring firewall rules.
* **Status Overview:** Easy to view current rules and status.
* **Profiles:** Supports application profiles for common services.

**Basic Commands:**

**Check Firewall Status:**

```plaintext
sudo ufw status
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726737081100/b7bddc56-8b32-4c19-8db6-f67dc3ec5cf5.png align="center")

**Enable Firewall:**

```plaintext
sudo ufw enable
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726737108995/96590f86-1207-42af-a3e8-b8c3ce07d4cc.png align="center")

**Allow a Port:**

```plaintext
sudo ufw allow 80/tcp
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726737138387/dbc939fe-5867-43a8-b2c8-de886c0e4d89.png align="center")

**Allow a Service by Name:**

```plaintext
sudo ufw allow http
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726737202042/1b4766f4-4a3f-4f1f-bfd5-628d74562253.png align="center")

**Deny a Port:**

```plaintext
sudo ufw deny 80/tcp
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726737311950/70022c28-ba9d-4626-9b04-87e9968f7e99.png align="center")

**Delete a Rule:**

```plaintext
sudo ufw delete allow 80/tcp
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726737241645/f74251cb-3b2e-4298-8c1b-8c70a8dd159f.png align="center")

**Disable Firewall:**

```plaintext
sudo ufw disable
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726737267673/7b975043-5336-4727-9411-bdce80955d9e.png align="center")

### 2. firewalld

`firewalld` is a dynamic firewall management tool that ships with many Linux distributions, including Fedora, CentOS, and RHEL. It groups network interfaces into zones and expresses rules as named services, which makes configuration considerably simpler than writing `iptables` rules directly.

#### Key Features:

* **Dynamic Configuration:** Allows changes to the firewall rules without restarting the firewall service.
* **Zones:** Different zones for different network interfaces, each with its own set of rules.
* **Rich Language:** Supports rich language for complex rule definitions.
* **Integration:** Works well with other tools like `NetworkManager`.

**Basic Commands:**

Check the status of the `firewalld` service to ensure it's running:

```plaintext
sudo systemctl status firewalld
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726735524260/1911f456-0db5-4d4b-8dbd-a49652c82fed.png align="center")

#### **List All Active firewalld Rules**

To view the rules of the default zone (add `--zone=<name>` to inspect another zone), use the following command:

```plaintext
sudo firewall-cmd --list-all
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726736215556/0162adc2-6ef4-4e4d-8b5a-a2c829ff1162.png align="center")

**Check Firewall Status:**

```plaintext
sudo firewall-cmd --state
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726735572177/5b251ba4-e41c-4dfa-86af-85be70e377cc.png align="center")

View the default zone:

```plaintext
sudo firewall-cmd --get-default-zone
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726735825354/10a9eda7-b6f7-4fb8-a237-fd58fee6aa5e.png align="center")

**List Available Zones:** To see all zones, run:

```plaintext
sudo firewall-cmd --get-zones
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726735970193/3dd9faa5-31bd-4f02-94b3-998b77346c02.png align="center")

**List All Active Zones:**

```plaintext
sudo firewall-cmd --get-active-zones
```

**Add a Service to a Zone:**

```plaintext
sudo firewall-cmd --zone=public --add-service=http
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726735659212/3117b486-6cd4-401d-bcde-f5ca29dbdf84.png align="center")

**Reload Firewall:**

```plaintext
sudo firewall-cmd --reload
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726736301120/98841764-858e-455c-a560-39a9e1c632f6.png align="center")

**Permanent Changes:** A rule added without `--permanent` exists only in the running configuration and is lost at the next reload or reboot. Adding `--permanent` writes it to the saved configuration under `/etc/firewalld`, where it takes effect after `sudo firewall-cmd --reload`:

```plaintext
sudo firewall-cmd --zone=public --add-service=http --permanent
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726736530865/e3b86a88-4c1f-4136-88e2-1f0867e40dd5.png align="center")

**Remove a Service from a Zone:**

```plaintext
sudo firewall-cmd --zone=public --remove-service=http --permanent
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726736582947/9fd6e13c-05c3-4c50-92d8-ab3c6a00810c.png align="center")

#### Adding a Specific Port (e.g., 8080) to the Firewall

To open a specific port such as 8080 for TCP traffic in permanent mode, use this command:

```plaintext
sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726736801120/fa05ae34-d7da-46ef-976b-8e834aa0334d.png align="center")

Once added, reload the firewall to activate the rule:

```plaintext
sudo firewall-cmd --reload
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726736821903/beafe494-5b27-4fae-a32a-45b4e167c8d6.png align="center")

Now confirm that the port appears in the zone's configuration:

```plaintext
sudo firewall-cmd --list-all
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1726736858875/8e873571-0fbb-4199-9e40-677705473b1e.png align="center")
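A check that ties the runtime and `--permanent` steps above together, written for this post as an added example (not the author's code): it parses two `firewall-cmd --list-all` captures of the same zone and reports any service or port present in one but not the other. The sample outputs are constructed, and `audit_zone` assumes root on a host where firewalld is running.

```shell
#!/bin/sh
# Added example, not code from the original post: compare a firewalld zone's
# runtime view with its permanent view, so a rule added without --permanent
# (lost at reload) or with --permanent but not yet reloaded is caught.
export LC_ALL=C   # make sort and comm agree on collation

# Print one field ("services", "ports", "rich rules", ...) of
# `firewall-cmd --list-all` output read from stdin, sorted one per line.
zone_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr -s ' ' '\n' | grep -v '^$' | sort
}

# zone_drift FIELD RUNTIME_FILE PERMANENT_FILE: exit 0 if the field agrees in
# both, else print the differing items (runtime-only, then permanent-only
# indented by a tab, as comm prints them) and exit 1.
zone_drift() {
  rt=$(mktemp); pm=$(mktemp)
  zone_field "$1" < "$2" > "$rt"
  zone_field "$1" < "$3" > "$pm"
  diff_out=$(comm -3 "$rt" "$pm")
  rm -f "$rt" "$pm"
  [ -z "$diff_out" ] && return 0
  printf 'drift in %s:\n%s\n' "$1" "$diff_out"
  return 1
}

# Constructed sample: http was added at runtime only, and 8080/tcp was added
# with --permanent but --reload has not been run yet.
write_sample_zones() {
  SAMPLE_RT=$(mktemp); SAMPLE_PM=$(mktemp)
  cat > "$SAMPLE_RT" <<'EOF'
public (active)
  services: dhcpv6-client http ssh
  ports:
EOF
  cat > "$SAMPLE_PM" <<'EOF'
public
  services: dhcpv6-client ssh
  ports: 8080/tcp
EOF
}

# On a live host (as root, firewalld running): audit one zone, default public.
audit_zone() {
  live=$(mktemp); saved=$(mktemp); status=0
  firewall-cmd --zone="${1:-public}" --list-all > "$live"
  firewall-cmd --permanent --zone="${1:-public}" --list-all > "$saved"
  for f in services ports "rich rules"; do zone_drift "$f" "$live" "$saved" || status=1; done
  rm -f "$live" "$saved"; return $status
}
```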

### 3. iptables

`iptables` is the traditional Linux firewall tool and provides a robust set of features for managing network traffic. It allows you to set up complex filtering rules, but its syntax has a steep learning curve.

#### **Basic Commands:**

**List Rules:**

```plaintext
sudo iptables -L
```

**Allow a Port:**

```plaintext
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
```

**Set the Default Policy to Drop Incoming Traffic:** This takes effect immediately for every packet not matched by an earlier `ACCEPT` rule, so on a remote host add the rules that allow your own SSH session first, or you will lock yourself out.

```plaintext
sudo iptables -P INPUT DROP
```

**Save Rules:**

The redirection is performed by your unprivileged shell, so `sudo iptables-save > /etc/iptables/rules.v4` fails with "Permission denied" when writing under `/etc`; run the whole command as root instead:

```plaintext
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```

**Restore Rules:**

```plaintext
sudo iptables-restore < /etc/iptables/rules.v4
```
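Added example, not from the original post: a guard for the `-P INPUT DROP` step above that reads `iptables-save` output and confirms the INPUT chain already accepts established traffic and SSH before the policy is flipped. The two rulesets are constructed samples, and `harden_input` assumes root and the `/etc/iptables/rules.v4` path used above.

```shell
#!/bin/sh
# Added example, not code from the original post. `iptables -P INPUT DROP`
# takes effect immediately, so it must only be applied once INPUT already
# accepts the administrator's own session. Input is iptables-save format.

# Policy of the INPUT chain (ACCEPT or DROP) from its ":INPUT <policy> [...]" line.
input_policy() {
  sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}
# Success if INPUT accepts packets belonging to established connections.
accepts_established() {
  grep -q -- '^-A INPUT .*ESTABLISHED.* -j ACCEPT$'
}
# Success if INPUT accepts new TCP connections to the given port (default 22).
accepts_tcp_port() {
  grep -q -- "^-A INPUT .*-p tcp .*--dport ${1:-22} .*-j ACCEPT$"
}

# safe_to_drop_input RULES_FILE [SSH_PORT]: both the current session
# (established) and new SSH logins must already be accepted.
safe_to_drop_input() {
  accepts_established < "$1" && accepts_tcp_port "${2:-22}" < "$1"
}

# Constructed samples: a ruleset that protects SSH, and the same one without it.
write_sample_rules() {
  GOOD=$(mktemp); BAD=$(mktemp)
  cat > "$GOOD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
  grep -v -- '--dport 22' "$GOOD" > "$BAD"
}

# On a live host (as root): apply DROP only when the live ruleset passes, then
# persist it so iptables-restore can load it at boot (path as used in the post).
harden_input() {
  live=$(mktemp); iptables-save > "$live"
  if safe_to_drop_input "$live"; then
    iptables -P INPUT DROP && iptables-save > /etc/iptables/rules.v4
  else echo "refusing: INPUT does not yet accept established traffic and SSH" >&2; fi
  rm -f "$live"
}
```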

## **Conclusion**

Understanding and configuring Linux firewalls is essential for securing your systems. Whether you choose `ufw`, `firewalld`, or `iptables`, each tool has its strengths and use cases. `ufw` offers simplicity, `firewalld` provides flexibility, and `iptables` delivers detailed control. By choosing the right tool for your needs, you can ensure that your Linux system remains secure and well-managed.
