# Linux firewalls, focusing on UFW (Uncomplicated Firewall) and firewalld

## 1. Introduction to Linux Firewalls

Linux firewalls are essential security tools that control incoming and outgoing network traffic based on predetermined security rules. On a single host they decide which packets may reach a listening service and which may leave; on a router they also decide what is forwarded. In both roles they act as a barrier between trusted internal networks and untrusted external networks such as the Internet.

## 2. Iptables: The Foundation

At the core of most Linux firewall solutions is iptables, a command-line utility for configuring the kernel's netfilter packet filter. It works by defining chains of rules: each packet is checked against the rules of a chain in order, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides what happens to it.

Key concepts:

- Tables: filter (accept or drop), nat (address translation), mangle (packet alteration), raw (connection-tracking exemptions)
- Chains: the filter table's built-in chains are INPUT (to this host), OUTPUT (from this host) and FORWARD (through this host); the nat table adds PREROUTING and POSTROUTING
- Rules: match criteria (protocol, port, source, connection state) and a target action
- Default policy: what a chain does with packets that match no rule; a secure baseline is a DROP policy on INPUT with explicit accepts

While powerful, iptables can be complex for beginners, which led to the development of more user-friendly front-ends like UFW and firewalld. On current distributions the kernel side is nftables: the `iptables` command is usually the `iptables-nft` compatibility layer, and firewalld on RHEL 8 and later uses the nftables backend directly.

## 3. UFW (Uncomplicated Firewall)

UFW is a simplified front-end for iptables, installed by default on Ubuntu and available on Debian. It's designed to be easy to use while still providing robust firewall capabilities. Its default policy is deny incoming, allow outgoing, so enabling it makes every service unreachable except those you have explicitly allowed.

Key features:

- Simple command-line syntax
- Application profiles (port sets defined under `/etc/ufw/applications.d/`, listed with `sudo ufw app list`)
- IPv6 support (`IPV6=yes` in `/etc/default/ufw`; each rule is then installed for both address families)

Basic UFW commands:

- `sudo ufw enable` # Enable the firewall (allow SSH first if you are connected remotely, or you will lock yourself out)
- `sudo ufw disable` # Disable the firewall
- `sudo ufw status` # Check firewall status (`status verbose` also shows the default policies)
- `sudo ufw status numbered` # List the current ufw rules and their associated rule numbers
- `sudo ufw delete RULENUM` # Delete the firewall rule by number (numbers shift after each deletion, so re-list before deleting the next one)
- `sudo ufw allow 22` # Allow incoming traffic on port 22 (SSH), for both TCP and UDP; prefer `22/tcp`
- `sudo ufw deny 80` # Deny incoming traffic on port 80 (HTTP)
- `sudo ufw allow from 192.168.1.0/24` # Allow all traffic from a specific subnet
- `sudo ufw allow 32400/tcp` # Open port for Plex Server - ONLY accepting TCP traffic

Advanced usage:

- Rate limiting: `sudo ufw limit 22/tcp` # Allow, but drop a source that opens 6 or more connections within 30 seconds
- Logging: `sudo ufw logging on` # Same as `logging low`: logs blocked packets; `medium`, `high` and `full` log progressively more
- Application profiles: `sudo ufw allow 'Apache Full'` # Opens 80/tcp and 443/tcp as defined in the profile
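
As an added example (not part of the original notes), a small POSIX shell script that applies a UFW baseline in a lock-out-safe order: the default policies and the SSH rule go in before `ufw enable`, inputs are validated, and with the default `DRY_RUN=1` it only prints the commands it would run. The management subnet 203.0.113.0/24 and the extra port 32400 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: a lock-out-safe UFW baseline.
# DRY_RUN=1 (default) prints the ufw commands instead of running them, so the
# plan can be reviewed (and this file tested) without ufw installed.
# Assumptions for illustration: management subnet 203.0.113.0/24, extra port 32400.

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: print in dry-run mode, execute otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_port N: true only for an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_cidr A.B.C.D/N: light IPv4 CIDR check (four octets 0..255, prefix 0..32).
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    cidr_ip="${1%/*}"
    cidr_pfx="${1#*/}"
    case "$cidr_pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$cidr_pfx" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $cidr_ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ufw_baseline MGMT_CIDR [EXTRA_TCP_PORT...]
# Order matters: defaults and the SSH rule are in place before enable, so an
# administrator connected over SSH from MGMT_CIDR is never cut off.
ufw_baseline() {
    mgmt="$1"; shift
    is_cidr "$mgmt" || { echo "bad CIDR: $mgmt" >&2; return 1; }
    for port in "$@"; do
        is_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    run ufw --force reset                                  # known starting state
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw limit proto tcp from "$mgmt" to any port 22    # SSH: mgmt subnet only, rate limited
    run ufw allow 80/tcp
    run ufw allow 443/tcp
    for port in "$@"; do
        run ufw allow "$port/tcp"
    done
    run ufw logging low                                    # log blocked packets only
    run ufw --force enable                                 # last step: nothing above can drop the session
}

if [ "${1:-}" = "--apply" ]; then
    ufw_baseline 203.0.113.0/24 32400
fi
```

Run it as `sh ufw_baseline.sh --apply` to review the plan, then with `DRY_RUN=0` to apply it. ufw's own `--dry-run` flag shows the iptables rules a single command expands to, which is the way to check what a rule really installs.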

## 4. firewalld

firewalld is a dynamic firewall manager, the default on Red Hat-based distributions (RHEL, CentOS Stream, Fedora) and also used by openSUSE. "Dynamic" means rules can be added and removed at runtime without flushing and rebuilding the whole ruleset, so existing connections survive a change. It introduces the concept of zones (trust levels bound to interfaces or source addresses), making it easier to manage complex network environments.

Key features:

- Zone-based configuration (e.g. `public`, `internal`, `trusted`, `drop`; an interface or source belongs to exactly one zone)
- Runtime and permanent configuration options: without `--permanent` a change takes effect immediately but is lost on reload or reboot; with `--permanent` it is saved but not active until `firewall-cmd --reload`
- D-Bus interface for easy integration with other applications (NetworkManager, libvirt, container runtimes)

Basic firewalld commands:

- `sudo systemctl start firewalld` # Start firewalld
- `sudo systemctl enable firewalld` # Enable firewalld to start on boot
- `sudo firewall-cmd --state` # Check firewalld status (prints `running` or `not running`)
- `sudo firewall-cmd --get-active-zones` # Show which zone each interface and source belongs to
- `sudo firewall-cmd --zone=public --add-service=http` # Allow HTTP traffic in the public zone (runtime only; repeat with `--permanent`, then `--reload`, to keep it)
- `sudo firewall-cmd --zone=internal --add-source=192.168.1.0/24` # Add a source to the internal zone, so that subnet gets the internal zone's rules
- `sudo firewall-cmd --zone=public --list-all` # Review everything allowed in a zone

Advanced usage:

- Custom services: `sudo firewall-cmd --permanent --new-service=myapp` # `--new-service` is permanent-only; add its ports with `sudo firewall-cmd --permanent --service=myapp --add-port=8080/tcp`, then `--reload`
- Rich rules: `sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept'` # Port 80 only for one subnet; add `--permanent` to keep it
- Direct interface (for raw iptables-style rules): `sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT` # Deprecated since firewalld 1.0 in favour of policies; avoid in new setups
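
An added example (not from the original notes) for the runtime/permanent distinction above: shell functions that always write firewalld changes to the permanent configuration and reload, and a drift check that reports services present in only one of the two views. The `public` and `internal` zones, the 192.168.1.0/24 subnet and the service lists used to exercise `fw_drift` offline are assumptions; with `DRY_RUN=1` (the default) the `firewall-cmd` calls are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original notes: firewalld changes that survive a
# reload, plus a runtime-vs-permanent drift check. DRY_RUN=1 (default) prints
# the firewall-cmd invocations instead of executing them.
# Assumptions for illustration: zones "public"/"internal", subnet 192.168.1.0/24,
# and the constructed service lists used to exercise fw_drift offline.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# fw_allow_service ZONE SERVICE: save to the permanent config, then reload so it
# is active now. A bare --add-service is active immediately but gone after the
# next reload or reboot; --permanent alone is saved but not active until reload.
fw_allow_service() {
    run firewall-cmd --permanent --zone="$1" --add-service="$2"
    run firewall-cmd --reload
}

# fw_allow_port_from ZONE CIDR PORT: open a TCP port for one source only, as a
# permanent rich rule (the non-permanent form in the notes is runtime only).
fw_allow_port_from() {
    run firewall-cmd --permanent --zone="$1" \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$2\" port port=\"$3\" protocol=\"tcp\" accept"
    run firewall-cmd --reload
}

# fw_drift RUNTIME_LIST PERMANENT_LIST: report services in one view but not the
# other. "runtime-only" entries disappear on the next reload; "permanent-only"
# entries are saved but not enforced yet.
fw_drift() {
    for svc in $1; do
        case " $2 " in *" $svc "*) ;; *) echo "runtime-only: $svc" ;; esac
    done
    for svc in $2; do
        case " $1 " in *" $svc "*) ;; *) echo "permanent-only: $svc" ;; esac
    done
}

# fw_check_zone ZONE: live drift check; needs a running firewalld.
fw_check_zone() {
    fw_drift "$(firewall-cmd --zone="$1" --list-services)" \
             "$(firewall-cmd --permanent --zone="$1" --list-services)"
}

if [ "${1:-}" = "--apply" ]; then
    fw_allow_service public http
    fw_allow_service public https
    fw_allow_port_from internal 192.168.1.0/24 22
    [ "$DRY_RUN" = "1" ] || fw_check_zone public
fi
```

The dry-run output prints each argument without shell quoting, so the rich rule line needs its single quotes put back if you paste it into a terminal. Running `fw_check_zone` after every change, or from a cron job, catches the common mistake of a service that was added in a hurry without `--permanent` and silently vanishes at the next reboot.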

## 5. Comparing UFW and firewalld

### UFW:

- Simpler, more straightforward for basic setups
- Ideal for single-host systems or simple network configurations (one ruleset for all interfaces)
- Easier to learn for beginners
- Has a GUI (gufw) that can be installed: `sudo apt update && sudo apt install gufw`

### firewalld:

- More flexible and powerful for complex network setups
- Better suited for enterprise environments with multiple network zones (a different trust level per interface or source)
- Offers runtime and permanent configuration options, so a change can be tried live before it is committed

Both are front-ends over the same kernel packet filter, so never run them together on one host: each rewrites the ruleset and removes the other's rules.

## 6. Best Practices

- Use the principle of least privilege: default-deny inbound, open only the ports that are necessary, and where possible restrict each port to the source networks that need it
- Regularly review and update firewall rules; compare what is allowed against what is actually listening (`ss -tlnup`) and remove rules for services that no longer exist
- Use logging to monitor firewall activity, at a level low enough that the logs stay readable
- Combine firewall rules with other security measures (e.g. fail2ban for intrusion prevention)
- Keep your firewall software updated
- Keep a way back in: allow SSH before enabling the firewall, and when changing rules on a remote host schedule a rollback (for example a timed `ufw disable` via `at` or `systemd-run --on-active=`) that you cancel once you have confirmed you can still log in

## 7. Troubleshooting

- Check firewall logs: `/var/log/ufw.log` for UFW (written by rsyslog; without it, use `journalctl -k`, since the entries are kernel messages). `journalctl -u firewalld` shows only the daemon's own messages; to see dropped packets, run `sudo firewall-cmd --set-log-denied=all` and read `journalctl -k`
- Use `sudo iptables -L -v -n` to view the rules actually installed (works for UFW, and for firewalld with the iptables backend); on firewalld with the nftables backend (RHEL 8+), use `sudo nft list ruleset`
- Confirm the service is listening before blaming the firewall: `ss -tlnp` on the host, then test from a client with `nc -zv HOST PORT` (netcat) or `telnet HOST PORT`. A timeout usually means a DROP rule; "connection refused" means the packet arrived and either nothing is listening or a REJECT rule answered
- Temporarily disable the firewall to isolate issues, but only on a host you can reach by another route, and re-enable it as soon as the test is done
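
For the logging and troubleshooting points, an added example (not part of the original notes) that triages UFW log lines with awk: it reads `[UFW BLOCK]` entries from stdin, extracts the SRC, DPT and PROTO fields, and ranks drops by source and destination port. The log in `SAMPLE_LOG` is constructed for illustration, using documentation address ranges; on a real host, pipe in `/var/log/ufw.log` or `journalctl -k` instead.

```shell
#!/bin/sh
# Added example, not from the original notes: triage of UFW log lines with awk.
# Feed it /var/log/ufw.log or `journalctl -k` on stdin. SAMPLE_LOG below is
# constructed for illustration (documentation address ranges, not real traffic).

# ufw_block_summary < LOG: one line per (source, destination port, protocol)
# seen in [UFW BLOCK] entries, most frequent first: "COUNT SRC DPT PROTO".
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = dpt = proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") hits[src " " dpt " " proto]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2,2
}

# ufw_top_sources N < LOG: the N sources with the most dropped packets,
# which is the list to feed into a block list or a fail2ban jail.
ufw_top_sources() {
    ufw_block_summary | awk '{ per_src[$2] += $1 } END { for (s in per_src) print per_src[s], s }' \
        | sort -k1,1nr -k2,2 | head -n "$1"
}

# Constructed sample: one host probing 22 and 23, an accepted (audited) HTTPS
# connection that must be ignored, and a stray mDNS packet.
SAMPLE_LOG='Mar  1 10:00:01 web1 kernel: [1234.000001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=22 SYN
Mar  1 10:00:02 web1 kernel: [1234.000002] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44322 DPT=22 SYN
Mar  1 10:00:03 web1 kernel: [1234.000003] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44323 DPT=23 SYN
Mar  1 10:00:04 web1 kernel: [1234.000004] [UFW AUDIT] IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  1 10:00:05 web1 kernel: [1234.000005] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
    printf '%s\n' "$SAMPLE_LOG" | ufw_top_sources 1
fi
```

`sh ufw_triage.sh --demo` prints the summary for the sample; for live data use `sudo sh -c '. ./ufw_triage.sh; ufw_top_sources 10 < /var/log/ufw.log'`. Only `[UFW BLOCK]` lines are counted, so raising the log level to `medium` or higher (which adds `[UFW ALLOW]` and `[UFW AUDIT]` entries) does not distort the ranking.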

## 8. Advanced Topics (Coming Soon)

- Stateful vs. stateless firewalls
- Network Address Translation (NAT) configuration
- Setting up DMZ (Demilitarized Zone)
- Integrating with intrusion detection/prevention systems (IDS/IPS)