Linux Firewall Administration: Firewalld and UFW
Want to learn how to set up a Linux Firewall? Here are the technologies available in Linux, and how to configure and evaluate them.
Aug 7, 2024 • 7 Minute Read
Mastering Linux firewalls can feel like deciphering a complex code, with myriad techniques and subtle nuances that often leave administrators scratching their heads. Fear not! This article is here to illuminate the path, providing you with the essential knowledge and skills to confidently navigate the Linux firewall landscape. Let's dive straight into the basics and transform confusion into clarity!
What is a firewall?
A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Think of it as a barrier between your computer (or network) and the internet, allowing only authorized traffic to pass through while blocking or filtering out potentially harmful or unauthorized traffic.
Firewalls can operate at various levels of a network, including the network layer (e.g., filtering based on IP addresses), transport layer (e.g., filtering based on port numbers), and application layer (e.g., filtering based on specific applications or protocols).
In simpler terms, a firewall acts as a gatekeeper, determining what data can enter or leave your computer or network. It helps prevent unauthorized access, malicious attacks, and data breaches, thereby enhancing security and protecting sensitive information.
What firewalling technologies do we have available in Linux?
In Linux, there are four commonly used technologies for firewalling: iptables, nftables, Firewalld, and UFW.
Iptables
In Linux, iptables is a widely-used firewall administration tool for IPv4 packet filtering. It allows users to define rules for controlling network traffic, making it a crucial component for network security.
Nftables
Nftables is a newer framework available in many distributions, providing enhanced performance and flexibility over iptables. It offers support for both IPv4 and IPv6 filtering, along with more advanced features such as sets and maps. While iptables remains prevalent, nftables is gradually gaining traction for its modernized approach to firewall management and configuration.
Firewalld
Firewalld is a dynamic firewall management tool that serves as a front-end for iptables or nftables. It provides a high-level interface for managing firewall rules and supports network zones, services, and rich rules. Firewalld is designed to be more user-friendly and is the default firewall solution in many Linux distributions, including RHEL/CentOS 7 and later.
UFW
UFW (Uncomplicated Firewall) is a user-friendly interface for managing iptables rules on Ubuntu and Debian-based systems. It simplifies the process of configuring the firewall by providing easy-to-use command-line tools and a straightforward configuration syntax. UFW is aimed at simplifying firewall management for users who may not be familiar with the complexities of iptables.
How do we configure and evaluate the modern firewalls?
For firewall administration on CentOS and Ubuntu systems, the spotlight falls on Firewalld and UFW, the two modern ways of configuring firewalling on these respective distributions.
In this section we walk through how to configure firewall rules with each tool and how to check the result. The examples only scratch the surface of what these tools can do; to become proficient, you will need to spend time configuring, testing, and evaluating them yourself.
CentOS - Configuring and evaluating Firewalld
Setting up a lab for Firewalld on CentOS is a great way to understand how to manage network traffic using a firewall on a Linux system, which is precisely what we are going to do now.
Ensure that Firewalld is installed and active
To check if Firewalld is already installed and enabled on your CentOS or RHEL system, run the command systemctl status firewalld, which should report that the service is active.
Check the default zone assigned
By default, Firewalld assigns the public zone. You can verify this by running firewall-cmd --get-default-zone, which by default returns the value “public”.
Check the list of available zones
To list the zones you can assign, use the command firewall-cmd --get-zones. It returns the available zones, such as block, dmz, drop, external, home, and more.
Check which zones are currently used by the interface(s)
To see which zone is assigned to the interface(s), use the command firewall-cmd --get-active-zones. In our lab, the interface ens192 is assigned to the public zone.
Check which rules are currently applied to a zone
To evaluate the rules applied to a zone, use the command firewall-cmd --zone=public --list-all (replacing public with the zone you wish to inspect). This displays the firewall rules applied to that zone.
Add or change the zone assigned to an interface
Adding a zone to an interface is straightforward. We use the command firewall-cmd --zone=public --add-interface=lo --permanent (replacing lo with the interface you wish to target). This adds the interface to the zone for protection, but only after a reload of the firewalld service. We now use the command firewall-cmd --reload to reload the firewall. Rerun the command firewall-cmd --get-active-zones and you will see the additional interface listed within your zone.
Add and remove a rule from a zone
Allowing a service through the firewall is easy: we simply use the command firewall-cmd --add-service=name, with name being the name of the service we wish to permit. In this example we are going to allow HTTP to the host, as we are running a simple web server for testing. Use the command firewall-cmd --add-service=http. Next, use the command firewall-cmd --list-services to check that this service is allowed through the firewall. To remove the service, simply use the command firewall-cmd --remove-service=http, which will deny HTTP through the firewall. A final point to note: this added rule will not survive a reboot or reload of the firewalld service. To make it permanent, add the option --permanent to your rule.
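The whole Firewalld lab above, from checking the service to allowing HTTP, as one script. This is an added example, not code from the article: the zone name public, the interface ens192 and the service http are assumed values taken from the lab, and DRY_RUN=1 (the default) prints each command instead of running it so the sequence can be read on any machine. The last step parses the --list-all output to confirm the service is actually present rather than trusting that the add command succeeded.

```sh
#!/bin/sh
# Added example (not from the article): the Firewalld lab as a script.
# Assumed values: zone "public", interface "ens192", service "http".
# DRY_RUN=1 (the default) prints each command instead of executing it;
# DRY_RUN=0 runs it for real, as root.
DRY_RUN="${DRY_RUN:-1}"
ZONE="${ZONE:-public}"
IFACE="${IFACE:-ens192}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-5: confirm the service is running and inspect the zone layout.
# "systemctl is-active" is the scriptable form of the article's "systemctl status".
inspect_firewalld() {
  run systemctl is-active firewalld
  run firewall-cmd --get-default-zone
  run firewall-cmd --get-zones
  run firewall-cmd --get-active-zones
  run firewall-cmd --zone="$ZONE" --list-all
}

# Step 6: bind an interface to the zone. --permanent writes the saved
# configuration only; the running firewall picks it up after --reload.
bind_interface() {
  run firewall-cmd --permanent --zone="$ZONE" --add-interface="$1"
  run firewall-cmd --reload
}

# Step 7: allow or remove a service. Without --permanent the change is
# runtime-only and is lost on reload or reboot; with --permanent it is saved
# but, like the interface change, is applied only after --reload.
allow_service() {
  run firewall-cmd --permanent --zone="$ZONE" --add-service="$1"
  run firewall-cmd --reload
}
remove_service() {
  run firewall-cmd --permanent --zone="$ZONE" --remove-service="$1"
  run firewall-cmd --reload
}

# zone_allows_service SERVICE: read "firewall-cmd --zone=X --list-all" output
# on stdin and exit 0 if SERVICE is on the "services:" line, 1 otherwise.
zone_allows_service() {
  awk -v svc="$1" '
    $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of --list-all output, used instead of the live command
# when dry-running so the check above can be exercised offline.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Walk the lab, then verify the result instead of trusting the add command.
inspect_firewalld
bind_interface "$IFACE"
allow_service http
if [ "$DRY_RUN" = "1" ]; then
  printf '%s\n' "$SAMPLE_LIST_ALL"
else
  firewall-cmd --zone="$ZONE" --list-all
fi | zone_allows_service http && echo "http is allowed in zone $ZONE"
```

On a live system, run it as root with DRY_RUN=0, or pipe the real output through the check alone: firewall-cmd --zone=public --list-all | zone_allows_service http. If you have already made a runtime-only change and want to keep it, firewall-cmd --runtime-to-permanent saves the current runtime configuration without retyping the rules.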
Ubuntu - Configuring and evaluating UFW
Much like setting up a lab for Firewalld on CentOS to learn, we are going to do the same for UFW on Ubuntu 22. This is a great way to learn and understand how to use UFW for your systems.
Ensure that UFW is installed and active
To check if UFW is already installed and enabled on your Ubuntu system, run the command systemctl status ufw, which should report that the service is active.
Check the status of UFW
By default, UFW is inactive. To check this, use the command sudo ufw status. This is a good thing: the firewall on Ubuntu is not active until we have configured it, which prevents us from locking ourselves out.
Permit SSH to the Ubuntu machine from our local subnet
We want SSH access to the Ubuntu machine to keep working once UFW is enabled. To do this, use the command sudo ufw allow from 192.168.1.0/24 to any port 22. This allows SSH (port 22, TCP and also UDP) from the subnet 192.168.1.0/24 to our host machine.
Permit HTTP and HTTPS to the Ubuntu machine
Next, if the Ubuntu machine is a web server, we want to allow TCP ports 80 and 443 to our machine. To do this, use the commands sudo ufw allow 80 and sudo ufw allow 443.
Enable UFW to permit and deny traffic
Once you have configured the relevant firewall rules, UFW must be enabled. We use the command sudo ufw enable, followed by sudo ufw status to ensure that the firewall is now enabled.
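The UFW lab above as one script, in the order that avoids locking yourself out: allow SSH from the management subnet, allow the web ports, then enable. This is an added example, not code from the article. The subnet 192.168.1.0/24 is the article's; restricting the rules to TCP with proto tcp and 80/tcp is this example's addition, since the article's forms open both TCP and UDP. As in the Firewalld example, DRY_RUN=1 (the default) prints the commands, and the final step parses ufw status output to confirm that SSH is reachable from the subnet and not from Anywhere.

```sh
#!/bin/sh
# Added example (not from the article): the UFW lab as a script, in the order
# that avoids locking yourself out. The subnet 192.168.1.0/24 is the article's;
# "proto tcp" and "80/tcp" (TCP only) are this example's addition.
# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-2: is the ufw service present, and is the firewall already active?
ufw_state() {
  run systemctl is-active ufw
  run sudo ufw status
}

# Step 3: SSH only from the management subnet. The article's rule has no
# protocol, so it opens port 22 for TCP and UDP; SSH is TCP-only, so
# "proto tcp" narrows the exposure.
allow_ssh_from() {
  run sudo ufw allow proto tcp from "$1" to any port 22
}

# Step 4: web ports from anywhere, TCP only for the same reason.
allow_web() {
  run sudo ufw allow 80/tcp
  run sudo ufw allow 443/tcp
}

# Step 5: enable, then confirm. Enabling applies UFW's default policy
# (deny incoming, allow outgoing) plus the rules added above.
enable_ufw() {
  run sudo ufw enable
  run sudo ufw status verbose
}

# ufw_allows TO FROM: read "ufw status" output on stdin and exit 0 if an IPv4
# rule line "TO ALLOW FROM" is present, 1 otherwise. Use it to confirm that
# SSH is allowed from the management subnet and NOT from "Anywhere".
ufw_allows() {
  awk -v to="$1" -v from="$2" '
    $1 == to && $2 == "ALLOW" && $3 == from { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of "ufw status" output after the steps above.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# status_output: the sample when dry-running, the live table otherwise.
status_output() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$SAMPLE_UFW_STATUS"
  else
    sudo ufw status
  fi
}

# Walk the lab in the safe order, then verify the exposure.
ufw_state
allow_ssh_from "$MGMT_NET"
allow_web
enable_ufw
status_output | ufw_allows 22/tcp "$MGMT_NET" && echo "SSH allowed from $MGMT_NET"
if status_output | ufw_allows 22/tcp Anywhere; then
  echo "WARNING: SSH is open to Anywhere" >&2
fi
```

The check at the end is the part worth keeping after the lab: rerun it after any later ufw allow to make sure a broad rule has not quietly exposed port 22 to every source.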
Summary
Firewalling on Linux is a crucial aspect of system security that has evolved significantly over the years. At its core, a firewall is a traffic filter mechanism designed to protect systems by controlling the data that enters and exits. For production environments, it is essential to have a firewall enabled on host systems, permitting only authorized traffic to communicate with your system.
Tools like iptables and the more modern nftables offer robust protection for Linux systems, though they can be complex to manage. Fortunately, front-end tools such as firewalld have greatly simplified the process for administrators, offering a straightforward command structure to configure and manage firewalls on CentOS and RHEL machines. Similarly, UFW provides an extremely user-friendly interface for Ubuntu machines, with syntax that is almost human-readable.
I would encourage you to check out these courses on Pluralsight to learn more about managing firewalling on Linux systems, but also many other Linux topics that administrators should know: