Linux servers and desktops are frequently exposed to public networks, making a properly configured firewall essential for controlling access and reducing security risks. UFW (Uncomplicated Firewall) and Firewalld are two primary tools for managing firewall rules on Linux, each offering different approaches to setup and administration. Selecting the right tool and configuring it effectively ensures only authorized traffic reaches your system, while unnecessary or potentially harmful connections are blocked.

Configuring a Firewall with UFW

UFW is the default firewall management tool for Ubuntu and Debian-based systems. It provides a straightforward command-line interface that simplifies the process of defining firewall rules, making it accessible even for users new to Linux security.

Step 1: Confirm UFW is installed and available on your system. On most Ubuntu and Debian systems, UFW is pre-installed. To verify its presence or install it, use:

sudo apt update
sudo apt install ufw

Step 2: Before enabling UFW, allow incoming SSH connections to avoid losing remote access. This precaution is vital for servers managed over SSH. To permit SSH, run:

sudo ufw allow ssh

Or, if your SSH daemon listens on a custom port, allow that port number instead of ssh (append /tcp, as in 2222/tcp, to limit the rule to TCP; a bare number opens the port for both TCP and UDP):

sudo ufw allow 2222

Step 3: Set the default policies to deny incoming connections and allow outgoing traffic. This configuration blocks unsolicited access while letting the system initiate outbound connections:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Step 4: Add rules for other required services. For example, to allow web traffic, permit HTTP and HTTPS:

sudo ufw allow http
sudo ufw allow https

Or, specify port numbers directly:

sudo ufw allow 80
sudo ufw allow 443

Step 5: Enable UFW to activate your rules. The firewall will now enforce the defined policies:

sudo ufw enable

UFW warns that enabling the firewall may disrupt existing SSH connections; answer y, provided the SSH rule from Step 2 is in place.

Step 6: Check the current firewall status and rules at any time to verify active configurations:

sudo ufw status verbose

Step 7: Manage advanced rules as needed. UFW supports rules scoped to particular IP addresses, subnets, or network interfaces. For example, to allow SSH only from a specific IP address (note that this adds a narrower allow rule alongside the broad rule from Step 2; delete the broad rule as in Step 8, or SSH stays open to every address):

sudo ufw allow from 203.0.113.4 to any port 22

To allow HTTP traffic only on a specific interface (e.g., eth0):

sudo ufw allow in on eth0 to any port 80

Step 8: Delete or modify rules as your requirements change. List rules with numbers:

sudo ufw status numbered

Then remove a rule by its number. UFW asks for confirmation, rule numbers shift after each deletion, and the IPv4 and IPv6 versions of a rule are listed as separate entries, so list the rules again before deleting another:

sudo ufw delete 2

Step 9: Disable UFW to suspend firewall protection temporarily, or reset it to start over (reset disables the firewall and removes every rule you have added, returning to the installed defaults):

sudo ufw disable
sudo ufw reset
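Because UFW rules accumulate rather than replace one another, it is worth checking the running policy against the list of ports you intend to expose. The following script is an added example, not part of the original guide: it parses the text that sudo ufw status verbose prints (a constructed sample is embedded) and flags any ALLOW IN rule whose source is Anywhere and whose port is not on your allowlist. The allowlist and the sample output are assumptions for the demonstration.

```bash
#!/usr/bin/env bash
# Audit the text printed by 'sudo ufw status verbose' against an allowlist of
# ports that may be open to the world. Constructed sample, not a real capture:
# SSH was restricted to 203.0.113.4 for IPv4, but the IPv6 half of an earlier
# 'ufw allow ssh' rule was never deleted, and 8080/tcp was opened unrecorded.
SAMPLE_UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    203.0.113.4
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# ufw_findings STATUS_TEXT "80/tcp 443/tcp": one finding per line, nothing
# when the running policy matches the allowlist.
ufw_findings() {
    local status allowed
    status=$1
    allowed=" $2 "
    printf '%s\n' "$status" | grep -q '^Status: active' ||
        echo "FINDING: firewall is not active"
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' ||
        echo "FINDING: default incoming policy is not deny"
    # Strip (v6) markers, take "<to> <from>" from every ALLOW IN rule; a
    # source of Anywhere means the port is reachable from the whole world.
    printf '%s\n' "$status" | sed 's/ (v6)//g' |
        awk '/ ALLOW IN /{ for (i = 2; i < NF; i++)
                 if ($i == "ALLOW" && $(i+1) == "IN") print $1, $(i+2) }' |
        while read -r to from; do
            [ "$from" = "Anywhere" ] || continue
            case "$allowed" in
                *" $to "*) ;;
                *) echo "FINDING: $to is open to the world but not in the allowlist" ;;
            esac
        done
}

# ufw_audit STATUS_TEXT ALLOWLIST: print the findings; succeed only when clean.
ufw_audit() {
    local out
    out=$(ufw_findings "$@")
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
ufw_audit "$SAMPLE_UFW_STATUS" "80/tcp 443/tcp" || echo "review the findings above"
```

On a live host, replace the sample with the real output: ufw_audit "$(sudo ufw status verbose)" "80/tcp 443/tcp". The leftover IPv6 SSH entry in the sample is exactly the kind of rule that survives a ufw delete by number.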

Configuring a Firewall with Firewalld

Firewalld is the standard firewall manager for Red Hat-based distributions, such as CentOS, Fedora, and RHEL. It introduces the concept of zones, allowing administrators to define different trust levels and rules for various network interfaces or sources. Firewalld uses the firewall-cmd command for all interactions.

Step 1: Ensure Firewalld is installed and running. To check its status and start it if necessary, use:

sudo systemctl status firewalld
sudo systemctl enable --now firewalld

Step 2: Check the default zone and view all available zones. The default is typically public, which rejects most incoming traffic except essential services such as SSH and the DHCPv6 client:

sudo firewall-cmd --get-default-zone
sudo firewall-cmd --get-zones

Step 3: Assign interfaces to the desired zone. For example, to assign ens192 to the public zone:

sudo firewall-cmd --zone=public --add-interface=ens192 --permanent
sudo firewall-cmd --reload

Step 4: Allow specific services or ports through the firewall. Firewalld supports predefined services and custom port rules. Note that --permanent writes the change to the saved configuration without applying it until --reload, whereas omitting --permanent applies the change immediately but loses it at the next reload or reboot, so keep the two in step. To allow HTTP and HTTPS in the default zone:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

To open a custom port (e.g., 8080/tcp):

sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

Step 5: Assign rules by source address or subnet for granular control. For example, to allow the subnet 172.16.1.0/24 in the internal zone:

sudo firewall-cmd --zone=internal --add-source=172.16.1.0/24 --permanent
sudo firewall-cmd --reload

Step 6: Review and audit current rules. List all allowed services and ports in the default zone (add --permanent to see the saved configuration instead of the running one):

sudo firewall-cmd --list-all

For a comprehensive overview of all zones:

sudo firewall-cmd --list-all-zones

Step 7: Remove services or ports as requirements change. To remove HTTP from the public zone:

sudo firewall-cmd --zone=public --remove-service=http --permanent
sudo firewall-cmd --reload
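A recurring firewalld mistake is a runtime configuration that no longer matches the permanent one: a port added without --permanent vanishes at the next reload, while a rule added with --permanent but never reloaded is not enforced at all. The following script is an added example, not part of the original guide: it compares the services and ports lines of firewall-cmd --list-all and firewall-cmd --list-all --permanent for a zone and reports drift in both directions. The two abbreviated outputs are constructed samples.

```bash
#!/usr/bin/env bash
# Detect drift between the runtime and permanent configuration of a firewalld
# zone, using the text printed by 'firewall-cmd --list-all' (runtime) and
# 'firewall-cmd --list-all --permanent'. Constructed, abbreviated samples, not
# captures from a real host: https was added without --permanent (gone at the
# next reload) and 9090/tcp was added with --permanent but never reloaded.
SAMPLE_RUNTIME='public (active)
  target: default
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp'
SAMPLE_PERMANENT='public
  target: default
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp 9090/tcp'

# fw_field LIST_ALL_TEXT FIELD: space-separated value of a field such as "ports".
fw_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p" | head -n 1
}

# fw_only_in "a b c" "b c": items of the first list that the second lacks.
fw_only_in() {
    local item
    for item in $1; do
        case " $2 " in *" $item "*) ;; *) printf '%s\n' "$item" ;; esac
    done
}

# fw_drift RUNTIME_TEXT PERMANENT_TEXT: one DRIFT line per mismatch, in both
# directions, for the services and ports of the zone.
fw_drift() {
    local field rt pm item
    for field in services ports; do
        rt=$(fw_field "$1" "$field")
        pm=$(fw_field "$2" "$field")
        for item in $(fw_only_in "$rt" "$pm"); do
            echo "DRIFT: $field $item is active but not permanent (lost on reload or reboot)"
        done
        for item in $(fw_only_in "$pm" "$rt"); do
            echo "DRIFT: $field $item is permanent but not active until --reload"
        done
    done
}

fw_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

On a live host, run fw_drift "$(sudo firewall-cmd --list-all)" "$(sudo firewall-cmd --list-all --permanent)"; an empty result means the running zone and its saved configuration agree.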

Choosing Between UFW and Firewalld

Both UFW and Firewalld serve as user-friendly front-ends to more complex firewall systems (iptables or nftables). UFW is well-suited for straightforward, host-based rules on Ubuntu and Debian systems, with a focus on simplicity and quick setup. Firewalld, by contrast, is designed for scenarios requiring more dynamic or granular control, especially where multiple network interfaces or varying trust levels are involved. It is the standard for Red Hat-based distributions.

For most users, selecting the default firewall tool for their distribution is the most efficient approach. UFW is ideal for single-purpose servers or desktops with simple requirements, while Firewalld is preferred for servers with complex networking needs or multiple zones.


Maintaining a properly configured firewall with UFW or Firewalld significantly reduces unauthorized access and improves system resilience. Regularly review your firewall rules to ensure they align with current operational requirements and security best practices.