Firewall (computing)

A firewall in computing is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Think of it as a barrier between a trusted network (like your computer or local network) and an untrusted network (like the internet). Its primary purpose is to block malicious or unauthorized traffic while allowing legitimate traffic to pass.

In the context of Linux, the firewall functionality is typically handled by the Netfilter framework within the Linux kernel. User-space tools are then used to interact with Netfilter and configure the firewall rules.

Core Concepts

• Packet Filtering: Firewalls work by inspecting individual data packets that travel across the network. They examine information within the packet headers, such as the source and destination IP addresses, source and destination ports, and the protocol being used (e.g., TCP, UDP, ICMP).
• Rules and Policies: Firewall behavior is dictated by a set of rules. These rules define criteria for matching packets and specify an action to take when a packet matches a rule (e.g., ACCEPT, DROP, REJECT, LOG). A policy is a default action applied to traffic that doesn't match any specific rule in a chain. Common policies include:
  • ACCEPT: Allow the packet to pass.
  • DROP: Silently discard the packet. The sender does not receive a notification.
  • REJECT: Discard the packet and send an error message back to the sender (e.g., ICMP port unreachable).
• Chains: In Linux's Netfilter, rules are organized into chains. The most common built-in chains are:
  • INPUT: Handles packets destined for the local system.
  • OUTPUT: Handles packets originating from the local system.
  • FORWARD: Handles packets being routed through the system to another destination.
• Tables: Chains are further organized into tables, each designed for a specific type of packet processing. The most common tables are:
  • filter: The default table, used for filtering packets (allowing or denying them).
  • nat (Network Address Translation): Used for modifying the source or destination IP addresses and ports of packets, commonly used for sharing a single public IP address among multiple devices on a private network.
  • mangle: Used for modifying packet headers, such as the Time To Live (TTL) value or quality of service (QoS) bits.
• Ports: Ports are numerical labels (0-65535) that identify specific applications or services running on a host. Firewalls can filter traffic based on destination or source port numbers, allowing control over which services are accessible.

Linux Firewall Tools

Several tools are used to configure the Netfilter framework in Linux. The two most common are:

• iptables: A traditional command-line utility for configuring Netfilter rules. It provides fine-grained control but can be complex to manage for extensive rule sets. Rules configured with `iptables` are typically static and need to be explicitly saved to persist across reboots.
• firewalld: A more dynamic and user-friendly firewall management tool that uses zones and services. It is the default firewall management tool on many modern Linux distributions (like Fedora, CentOS/RHEL 7+, and openSUSE). `firewalld` can modify rules without interrupting existing connections and uses a D-Bus interface for management. It can use either `iptables` or `nftables` (a newer packet filtering framework) on the backend.
• ufw (Uncomplicated Firewall): A simpler frontend for `iptables` (or `nftables`) primarily used on Ubuntu and Debian-based distributions. It aims to make firewall configuration easier for users.

While `iptables` is still widely used, `firewalld` and `nftables` are becoming more prevalent in newer distributions. This guide will focus on `iptables` and `firewalld` as they are the most commonly encountered on a wide range of Linux systems.

Activating and Managing Firewall in Linux

The method for activating and managing your firewall depends on which tool is installed and active on your system. Most modern distributions use either `firewalld` or `ufw` by default. Some server environments might still primarily use `iptables`.

You should avoid running multiple firewall management services simultaneously as they can conflict.

Checking Firewall Status

To see if `firewalld` is running:

 sudo systemctl status firewalld

To see the current `iptables` rules (requires root privileges):

 sudo iptables -L

To see the status of `ufw`:

 sudo ufw status

Using firewalld

`firewalld` manages rules using zones, which define different trust levels for network connections. Common zones include `public`, `home`, `internal`, and `external`.

Activating firewalld

If `firewalld` is not running, you can start and enable it to start on boot:

 sudo systemctl start firewalld
 sudo systemctl enable firewalld

Managing Ports with firewalld

`firewalld` allows opening and closing ports for specific services or port numbers within zones.

• List active zones and their configurations:

 sudo firewall-cmd --get-active-zones
 sudo firewall-cmd --list-all --zone=public  # Replace 'public' with your active zone

• Allow a service (e.g., SSH) in the public zone (temporary):

 sudo firewall-cmd --zone=public --add-service=ssh

This rule will be active immediately but will be lost on firewall reload or system reboot.

• Allow a service (e.g., SSH) in the public zone (permanent):

 sudo firewall-cmd --zone=public --add-service=ssh --permanent
 sudo firewall-cmd --reload  # Reload firewalld to apply permanent changes

• Allow a specific port (e.g., TCP port 80 for HTTP) in the public zone (temporary):

 sudo firewall-cmd --zone=public --add-port=80/tcp

• Allow a specific port (e.g., TCP port 80 for HTTP) in the public zone (permanent):

 sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
 sudo firewall-cmd --reload

• Allow a range of ports (e.g., TCP ports 5000-6000) in the public zone (permanent):

 sudo firewall-cmd --zone=public --add-port=5000-6000/tcp --permanent
 sudo firewall-cmd --reload

• Remove a service (e.g., SSH) from the public zone (permanent):

 sudo firewall-cmd --zone=public --remove-service=ssh --permanent
 sudo firewall-cmd --reload

• Remove a port (e.g., TCP port 80) from the public zone (permanent):

 sudo firewall-cmd --zone=public --remove-port=80/tcp --permanent
 sudo firewall-cmd --reload

Using iptables

`iptables` works by defining rules in chains within tables.

Activating iptables

`iptables` itself is a command-line tool, not a service that is started or stopped in the same way as `firewalld`. The Netfilter framework is part of the kernel and is always active. Activating the firewall with `iptables` means adding rules that define the desired filtering behavior.

To ensure `iptables` rules persist across reboots, you typically need to install a separate package like `iptables-persistent` (on Debian/Ubuntu) or use `iptables-save` and `iptables-restore` in startup scripts.

Managing Ports with iptables

`iptables` commands directly manipulate the Netfilter rule sets. Be cautious when using `iptables` as incorrect rules can lock you out of your system.

• List current rules:

 sudo iptables -L -v -n

`-L` lists rules, `-v` provides verbose output (packet counts), and `-n` shows IP addresses and port numbers numerically.

• Set default policy for the INPUT chain to DROP (a common secure practice):

 sudo iptables -P INPUT DROP

WARNING: Setting the default policy to DROP before adding rules to allow necessary traffic will immediately block all incoming connections, including SSH. Ensure you have a way to access your system (e.g., through a console) before doing this on a remote server.

• Allow incoming SSH connections (TCP port 22):

 sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

`-A INPUT` appends the rule to the INPUT chain, `-p tcp` specifies the TCP protocol, `--dport 22` matches destination port 22, and `-j ACCEPT` specifies the action to accept the packet.

• Allow incoming HTTP connections (TCP port 80):

 sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

• Allow incoming HTTPS connections (TCP port 443):

 sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

• Allow incoming connections on a range of ports (e.g., TCP ports 5000-6000) using the `multiport` module:

 sudo iptables -A INPUT -p tcp -m multiport --dports 5000:6000 -j ACCEPT

• Allow established and related connections (important for allowing responses to outgoing traffic):

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This rule should typically be added before specific port-opening rules.

• Drop incoming traffic from a specific IP address:

 sudo iptables -A INPUT -s 192.168.1.100 -j DROP

`-s` specifies the source IP address.

• Reject incoming traffic on a specific port from a specific IP address:

 sudo iptables -A INPUT -s 192.168.1.100 -p tcp --dport 25 -j REJECT

• Saving iptables rules (using `iptables-persistent`):

If you have `iptables-persistent` installed, you can save the current rules:

 sudo netfilter-persistent save

The rules are typically saved to `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`.

• Clearing all iptables rules:

 sudo iptables -F  # Flush all rules in all chains in the filter table
 sudo iptables -X  # Delete all non-default chains
 sudo iptables -Z  # Zero out packet and byte counters

WARNING: Flushing rules will immediately remove all firewall protection.

Best Practices for Linux Firewalls

• Deny by Default: Adopt a default policy of denying all incoming traffic and explicitly allow only what is necessary. This minimizes the attack surface.
• Only Open Necessary Ports: Identify the specific services running on your system and only open the corresponding ports. Close all other ports.
• Use Stateful Inspection: Allow established and related connections to ensure that responses to your outgoing traffic are permitted.
• Use Zones (firewalld): Leverage zones to apply different security policies to different network interfaces or trusted networks.
• Use Aliases (firewalld): Define aliases for frequently used IP addresses or ports to make rules more readable and easier to manage.
• Log Dropped or Rejected Traffic: Configure logging for packets that are dropped or rejected by the firewall. This helps in monitoring for malicious activity and troubleshooting.
• Regularly Review Rules: Periodically review your firewall rules to ensure they are still necessary and correctly configured.
• Test Thoroughly: After making changes to your firewall rules, test them thoroughly to ensure they are working as expected and that you haven't inadvertently blocked necessary services or locked yourself out.
• Use a Management Tool: For complex environments, consider using a higher-level firewall management tool or a configuration management system (like Ansible, Puppet, or Chef) to manage firewall rules consistently across multiple systems.

See Also

• Netfilter
• Iptables
• Firewalld
• Ufw
• Network security
• Port forwarding