
A Practical Guide to Linux Firewalls: UFW vs. Firewalld
A properly configured firewall is the first and most critical line of defense for any Linux server. It acts as a gatekeeper, inspecting incoming and outgoing network traffic and deciding what to allow and what to block based on a set of security rules. Without a firewall, your server’s services are exposed to the entire internet, making them vulnerable to attacks.
Two of the most popular and powerful firewall management tools in the Linux ecosystem are UFW (Uncomplicated Firewall), found primarily in Ubuntu and other Debian-based distributions, and Firewalld, the default in RHEL, CentOS, and Fedora. While both ultimately manage the same underlying kernel technology (netfilter/iptables), they offer different approaches to configuration and management.
This guide will walk you through the essentials of configuring both UFW and Firewalld to secure your server effectively.
Securing Your Server with UFW: The Uncomplicated Firewall
As its name suggests, UFW is designed to simplify the process of firewall management. It provides a user-friendly command-line interface for common firewall tasks, making it an excellent choice for single servers and straightforward security policies.
Getting Started: Checking Status and Enabling UFW
Before making any changes, it’s wise to check the current status of UFW.
```bash
sudo ufw status
```
By default, UFW is often inactive. When you’re ready to enable it, there is one critically important first step: you must allow SSH traffic. If you enable the firewall without allowing SSH, you will be immediately locked out of your server.
Allow SSH Connections:
```bash
sudo ufw allow ssh
```
This command resolves the service name ssh to its standard port (port 22).
Enable UFW:
```bash
sudo ufw enable
```
You will see a warning that this may disrupt existing connections. Type y and press Enter to proceed. Your firewall is now active.
Managing Common Firewall Rules
The foundation of a secure firewall is a “deny by default” policy. UFW is typically configured this way, meaning it will block all incoming traffic unless you explicitly create a rule to allow it.
To allow traffic for a specific service or port:
You can allow services by name (like http, https) or by port number.
- Allow HTTP and HTTPS traffic:
```bash
sudo ufw allow http
sudo ufw allow https
```
- Allow traffic on a custom port (e.g., 8080):
```bash
sudo ufw allow 8080/tcp
```
To deny or delete rules:
If you need to block a service or remove an existing rule, the commands are just as simple.
- Deny a service:
```bash
sudo ufw deny http
```
- Delete an existing rule:
```bash
sudo ufw delete allow http
```
By mastering these basic commands, you can build a robust security policy for your Ubuntu or Debian server.
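The ordering this section insists on (allow SSH, then enable) is easy to get wrong when the steps are typed by hand on several servers. The following POSIX shell helper is an added example and not part of the original article: it validates each rule specification, refuses to produce an enable sequence unless an SSH rule is included, and lets the ufw command be swapped for echo so the exact commands can be reviewed before they touch a live host. The UFW variable, the UFW_DEMO switch and the function names are assumptions made for this example; ufw default, ufw allow and ufw --force enable are real ufw subcommands. If sshd listens on a non-standard port, pass that port (for example 2222/tcp) instead of ssh, and note that the SSH check here only recognises ssh, 22 and 22/tcp.

```shell
#!/bin/sh
# Added example, not part of the original article: plan and apply a UFW
# baseline in the order the guide insists on (SSH allowed before enable).
# UFW is an assumed knob for this example; set UFW=echo for a dry run.
UFW="${UFW:-sudo ufw}"

# ufw_valid_spec SPEC -> 0 if SPEC is a service name (ssh, http, ...) or
# PORT/PROTO with PROTO in {tcp,udp} and PORT in 1..65535, else 1.
ufw_valid_spec() {
    case "$1" in
        ''|*[!a-z0-9/-]*) return 1 ;;        # empty or unexpected characters
        */*)
            port=${1%/*}; proto=${1#*/}
            case "$proto" in tcp|udp) ;; *) return 1 ;; esac
            case "$port" in ''|*[!0-9]*) return 1 ;; esac
            if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
                return 0
            else
                return 1
            fi
            ;;
        *) return 0 ;;                        # bare service or port name
    esac
}

# ufw_plan SPEC... -> print the commands that would run, or fail without
# printing anything if a spec is invalid (2) or no SSH rule is present (1).
ufw_plan() {
    has_ssh=0
    for spec in "$@"; do
        ufw_valid_spec "$spec" || { echo "invalid rule spec: $spec" >&2; return 2; }
        case "$spec" in ssh|22|22/tcp) has_ssh=1 ;; esac
    done
    if [ "$has_ssh" -ne 1 ]; then
        echo "refusing to plan: no SSH rule, enabling now would lock you out" >&2
        return 1
    fi
    echo "$UFW default deny incoming"
    echo "$UFW default allow outgoing"
    for spec in "$@"; do echo "$UFW allow $spec"; done
    echo "$UFW --force enable"   # --force skips the interactive y/N prompt
}

# ufw_apply SPEC... -> run the plan for real (or echo it when UFW=echo).
ufw_apply() {
    ufw_plan "$@" >/dev/null || return $?
    $UFW default deny incoming || return 1
    $UFW default allow outgoing || return 1
    for spec in "$@"; do $UFW allow "$spec" || return 1; done
    $UFW --force enable
}

# Demo (dry run) when UFW_DEMO=1 is set in the environment.
if [ "${UFW_DEMO:-0}" = "1" ]; then UFW=echo; ufw_apply ssh http https 8080/tcp; fi
```

Running the file with UFW_DEMO=1 prints the six commands without executing them; on a real host, source the file and call ufw_apply ssh http https to apply the same baseline. The plan is generated before anything runs, so a typo in one rule aborts the whole sequence rather than leaving the firewall half-configured.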
Dynamic Firewall Management with Firewalld
Firewalld is the default firewall management tool for the RHEL family of distributions. Its key feature is the concept of network zones. A zone is a predefined set of rules that dictates the level of trust for a network connection. This makes Firewalld incredibly flexible, especially for systems that may connect to different networks (like a laptop moving from a public coffee shop to a trusted home network).
For servers, you will most often work with the public zone.
Checking the Status and Default Zone
First, ensure Firewalld is running and check its status.
```bash
sudo systemctl status firewalld
```
You can also see its simple state and find your default zone.
```bash
sudo firewall-cmd --state
sudo firewall-cmd --get-default-zone
```
To see all the rules currently applied to your default zone, use the --list-all command.
```bash
sudo firewall-cmd --list-all
```
Working with Zones and Permanent Rules
A crucial concept in Firewalld is the difference between runtime and permanent configurations. Changes you make are, by default, only applied to the current runtime session and will be lost on reboot. To make a rule persistent, you must add the --permanent flag.
After adding a permanent rule, you must reload the firewall for it to take effect.
Add a permanent rule for HTTP:
```bash
sudo firewall-cmd --zone=public --add-service=http --permanent
```
Reload the firewall to apply the change:
```bash
sudo firewall-cmd --reload
```
You will see a “success” message once the reload is complete.
Adding and Removing Services and Ports
Just like with UFW, you can manage services by name or by port number.
Allow a custom TCP port (e.g., 8080) permanently:
```bash
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
```
Remove a service permanently:
```bash
sudo firewall-cmd --zone=public --remove-service=http --permanent
```
Remember to run sudo firewall-cmd --reload after making any permanent changes. Firewalld’s zone-based system provides a powerful and organized way to manage complex network security policies.
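The runtime/permanent split described in the last two sections has two failure modes: a rule added without --permanent that silently disappears at the next reboot or reload, and a --permanent rule that is not active because nobody ran --reload. The following POSIX shell script is an added example and not part of the original article or the firewalld project: it queries both views of one zone with the real firewall-cmd flags shown above (--list-services and --list-ports, each with and without --permanent) and reports the difference. The FWCMD variable and the function names are assumptions made for this example; the list comparison is plain string handling so it can be exercised offline with constructed lists.

```shell
#!/bin/sh
# Added example, not from the original article: report drift between
# firewalld's runtime and permanent configuration for one zone.
# FWCMD is an assumed knob; everything below it is plain string handling.
FWCMD="${FWCMD:-sudo firewall-cmd}"

# list_diff "a b c" "b" -> items of the first list missing from the second,
# one per line, in original order.
list_diff() {
    for item in $1; do
        found=0
        for other in $2; do
            [ "$item" = "$other" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

# drift_report RT_SERVICES PM_SERVICES RT_PORTS PM_PORTS
# Prints one line per kind of drift; returns 1 if any drift, 0 if none.
drift_report() {
    drift=0
    for pair in "services:$1|$2" "ports:$3|$4"; do
        kind=${pair%%:*}; rest=${pair#*:}
        runtime=${rest%%|*}; permanent=${rest#*|}
        only_rt=$(list_diff "$runtime" "$permanent")
        only_pm=$(list_diff "$permanent" "$runtime")
        if [ -n "$only_rt" ]; then
            drift=1
            echo "runtime-only $kind (lost on reboot or --reload): $(echo $only_rt)"
        fi
        if [ -n "$only_pm" ]; then
            drift=1
            echo "permanent-only $kind (inactive until --reload): $(echo $only_pm)"
        fi
    done
    return $drift
}

# firewalld_drift [ZONE] -> runs the four firewall-cmd queries (real flags)
# and feeds them to drift_report. Returns 1 when a --reload is due or when
# a runtime rule was never made permanent, 0 when both views agree.
firewalld_drift() {
    zone=${1:-public}
    drift_report \
        "$($FWCMD --zone="$zone" --list-services)" \
        "$($FWCMD --zone="$zone" --list-services --permanent)" \
        "$($FWCMD --zone="$zone" --list-ports)" \
        "$($FWCMD --zone="$zone" --list-ports --permanent)"
}
```

Calling firewalld_drift public on a host where http was added without --permanent prints a runtime-only line for http; a port added with --permanent but not yet reloaded shows up as permanent-only. The non-zero return value makes the check usable from a cron job or configuration-management run.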
Firewall Best Practices for Enhanced Security
Regardless of which tool you use, following these security principles is essential for protecting your server.
- Apply the Principle of Least Privilege: Only open the ports that are absolutely necessary for your applications to function. Every open port is a potential entry point for an attacker.
- Start with a “Deny All” Incoming Policy: This is the default for both UFW and Firewalld for a reason. It ensures that no traffic is allowed unless you have explicitly approved it.
- Regularly Audit Your Rules: Periodically review your firewall rules with sudo ufw status or sudo firewall-cmd --list-all. Remove any rules for services you no longer use.
- Use Services Instead of Port Numbers When Possible: Using allow http is more readable and less error-prone than allow 80/tcp, as it reduces the chance of typos.
By implementing and maintaining a well-configured firewall, you establish a strong foundation for your server’s overall security posture.
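Auditing rules by eye works for a handful of servers; for more, the review in the best-practices list above is easier to keep up if a script reads the output of sudo ufw status and names every rule that is open to the whole internet but not on an approved list. The script below is an added example and not part of the original article or of UFW: it parses the status table, folds the IPv6 rows onto their IPv4 entries, ignores rules that are scoped to a source network, and prints whatever is exposed from Anywhere without approval. The sample status text is constructed for this example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: flag UFW rules that allow
# a port from "Anywhere" but are not on an approved list. Reads the text of
# "ufw status" on stdin; the sample below is constructed, not a real host.

SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
8080/tcp                   ALLOW       10.0.0.0/8
22/tcp (v6)                ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)'

# audit_open_to_world APPROVED... < status_text
# Prints each "To" entry that is allowed from Anywhere (v4 or v6) and is not
# in APPROVED, once, in the order first seen. Rules scoped to a source
# network (e.g. 10.0.0.0/8) are not flagged; outbound rules are ignored.
# Handles both the plain "ALLOW" of "ufw status" and "ALLOW IN" of
# "ufw status verbose".
audit_open_to_world() {
    awk -v approved="$*" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # skip the header rows and anything that is not an inbound ALLOW
    /^(Status|To|--)/ || !/ALLOW/ || /ALLOW OUT/ { next }
    {
        gsub(/ \(v6\)/, "")            # fold IPv6 rows onto the IPv4 entry
        sub(/ALLOW IN/, "ALLOW")       # normalise verbose output
        if ($3 == "Anywhere" && !($1 in ok) && !seen[$1]++) print $1
    }'
}

# audit_sample -> runs the audit on the constructed sample with a typical
# web-server allow-list; only the database port should be reported.
audit_sample() {
    printf '%s\n' "$SAMPLE_UFW_STATUS" | audit_open_to_world 22/tcp 80/tcp 443/tcp
}
```

On a live host the call is sudo ufw status | audit_open_to_world 22/tcp 80/tcp 443/tcp; any line it prints is a port reachable from the internet that nobody has signed off on, which is exactly the kind of rule the audit step is meant to catch and remove.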
Source: https://infotechys.com/configure-a-firewall-using-ufw-and-firewalld/


