Skip to main content

Getting started with Linux firewalls

A firewall is your computer's first line of defense against network intrusion

A sensible firewall is your computer's first line of defense against network intrusion. When you're at home, you're probably behind a firewall built into the router supplied by your internet service provider. When you're away from home, though, the only firewall you have is the one running on your computer, so it's important to configure and control the firewall on your Linux computer. If you run a Linux server, it's just as important to know how to manage your firewall so that you can protect it from unwanted traffic both locally and remotely.

Install a firewall

Many Linux distributions ship with a firewall already installed, and traditionally that was iptables. It is extremely effective and customizable, but it can be complex to configure. Luckily, developers have produced several frontends to help users control their firewall without writing lengthy iptables rules.
On Fedora, CentOS, Red Hat, and similar distributions, the firewall software installed by default is firewalld, which is configured and controlled with the firewall-cmd command. On Debian and most other distributions, firewalld is available to install from your software repository. Ubuntu ships with the Uncomplicated Firewall (ufw), so to use firewalld, you must enable the universe repository:


sudo add-apt-repository universe
$ sudo apt install firewalld
You must also deactivate ufw:
sudo systemctl disable ufw
There's no reason not to use ufw. It's an excellent firewall frontend. However, this article focuses on firewalld because of its wide availability and integration into systemd, which is shipped with nearly every distribution.
Regardless of your distribution, for a firewall to be effective, it must be active, and it should be loaded at boot time:
sudo systemctl enable --now firewalld

Understanding firewall zones

Firewalld aims to make firewall configuration as simple as possible. It does this by establishing zones. A zone is a set of sensible, common rules that suit the everyday needs of most users. There are nine by default:
  • trusted: All network connections are accepted. This is the least paranoid firewall setting and should only be used in a trusted environment, such as a test lab or in a family home where everyone on the local network is known to be friendly.
  • home, work, internal: In these three zones, most incoming connections are accepted. They each exclude traffic on ports that usually expect no activity. Any of them is a reasonable setting for use in a home setting where there is no reason to expect network traffic to obscure ports, and you generally trust the other users on the network.
  • public: For use in public areas. This is a paranoid setting, intended for times when you do not trust other computers on the network. Only selected common and mostly safe incoming connections are accepted.
  • dmz: DMZ stands for demilitarized zone. This zone is intended for computers that are publically accessible, located on an organization's external network with limited access to the internal network. For personal computers, this is usually not a useful zone, but it is an important option for certain types of servers.
  • external: For use on external networks with masquerading enabled (meaning the addresses of your private network are mapped to and hidden behind a public IP address). Similar to the dmz zone, only selected incoming connections are accepted, including SSH.
  • block: Only network connections initiated within this system are possible, and all incoming network connections are rejected with an icmp-host-prohibited message. This is an extremely paranoid setting and is an important option for certain types of servers or personal computers in an untrusted or hostile environment.
  • drop: Any and all incoming network packets are dropped with no reply. Only outgoing network connections are possible. The only setting more paranoid than this one is turning off your WiFi and unplugging your Ethernet cable.
You can read about each zone and any other zones defined by your distribution or sysadmin by looking at the configuration files in /usr/lib/firewalld/zones. For instance, here's the FedoraWorkstation zone that ships with Fedora 31:


cat /usr/lib/firewalld/zones/FedoraWorkstation.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>

Getting your current zone

You can see what zone you're in at any time with the --get-active-zones option:
sudo firewall-cmd --get-active-zones
In response, you receive the name of the active zone along with the network interface assigned to it. On a laptop, that usually means you have a WiFi card in the default zone:



FedoraWorkstation
  interfaces: wlp61s0

Change your current zone

To change your zone, reassign your network interface to a different zone. For instance, to change the example wlp61s0 card to the public zone:


sudo firewall-cmd --change-interface=wlp61s0 \
--zone=public















You can change the active zone for an interface any time you please and for any reason—whether you're going out to a café and feel the need to increase your laptop's security policy, or you're going to work and need to open up some ports to get on the intranet, or for any other reason. The options for firewall-cmd auto-complete when you press the Tab key, so as long as you remember the keywords "change" and "zone," you can stumble through the command until you learn it by memory.

Comments

Post a Comment

Popular posts from this blog

How to use Ngx-Charts in Angular ?

Charts helps us to visualize large amount of data in an easy to understand and interactive way. This helps businesses to grow more by taking important decisions from the data. For example, e-commerce can have charts or reports for product sales, with various categories like product type, year, etc. In angular, we have various charting libraries to create charts.  Ngx-charts  is one of them. Check out the list of  best angular chart libraries .  In this article, we will see data visualization with ngx-charts and how to use ngx-charts in angular application ? We will see, How to install ngx-charts in angular ? Create a vertical bar chart Create a pie chart, advanced pie chart and pie chart grid Introduction ngx-charts  is an open-source and declarative charting framework for angular2+. It is maintained by  Swimlane . It is using Angular to render and animate the SVG elements with all of its binding and speed goodness and uses d3 for the excellent math functio...
Post a Comment
Read more

Understand Angular’s forRoot and forChild

  forRoot   /   forChild   is a pattern for singleton services that most of us know from routing. Routing is actually the main use case for it and as it is not commonly used outside of it, I wouldn’t be surprised if most Angular developers haven’t given it a second thought. However, as the official Angular documentation puts it: “Understanding how  forRoot()  works to make sure a service is a singleton will inform your development at a deeper level.” So let’s go. Providers & Injectors Angular comes with a dependency injection (DI) mechanism. When a component depends on a service, you don’t manually create an instance of the service. You  inject  the service and the dependency injection system takes care of providing an instance. import { Component, OnInit } from '@angular/core'; import { TestService } from 'src/app/services/test.service'; @Component({ selector: 'app-test', templateUrl: './test.component.html', styleUrls: ['./test.compon...
Post a Comment
Read more

How to solve Puppeteer TimeoutError: Navigation timeout of 30000 ms exceeded

During the automation of multiple tasks on my job and personal projects, i decided to move on  Puppeteer  instead of the old school PhantomJS. One of the most usual problems with pages that contain a lot of content, because of the ads, images etc. is the load time, an exception is thrown (specifically the TimeoutError) after a page takes more than 30000ms (30 seconds) to load totally. To solve this problem, you will have 2 options, either to increase this timeout in the configuration or remove it at all. Personally, i prefer to remove the limit as i know that the pages that i work with will end up loading someday. In this article, i'll explain you briefly 2 ways to bypass this limitation. A. Globally on the tab The option that i prefer, as i browse multiple pages in the same tab, is to remove the timeout limit on the tab that i use to browse. For example, to remove the limit you should add: await page . setDefaultNavigationTimeout ( 0 ) ;  COPY SNIPPET The setDefaultNav...
Post a Comment
Read more