Picture this: Your Linux server is like a nightclub, and every network packet is someone trying to get in. Without a proper firewall, you’re basically running a club with no bouncer — anyone can waltz in, trash the place, and steal your drinks. That’s exactly what hackers are counting on.
Most admins think firewalls are “set it and forget it” — until they wake up to find their server mining cryptocurrency for someone in Eastern Europe. Here’s the brutal truth: your default firewall settings are about as secure as leaving your front door wide open with a “Welcome Hackers” doormat.
Why Should You Care?
- Sleep Like a Baby: No more 3 AM calls about compromised servers
- Compliance Gold Star: Auditors love properly configured firewalls
- Performance Boost: Block junk traffic before it wastes your resources
- Career Insurance: Being the admin who never gets breached is priceless
Firewall Zones: The Trust Bucket System
Think of firewall zones like different security levels at an airport. You’ve got the public area (anyone can enter), the departure lounge (ticket holders only), and the cockpit (crew only). Each zone has different rules about who gets in and what they can do.
Understanding Zone Basics
Every network interface on your system belongs to exactly one zone at a time — it’s like assigning each network card a security clearance level.
firewall-cmd --get-zones # See available zones
firewall-cmd --get-active-zones # See zones with active interfaces
firewall-cmd --get-default-zone # Check default zone
Common Zones Explained
- Public Zone: This is like the hotel lobby — assume everyone’s a potential threat
- Home Zone: Your trusted home network — like your living room
- Work Zone: Corporate network with moderate trust
- DMZ Zone: The “demilitarized zone” — for servers that need public access but limited trust
- Trusted Zone: VIP access — like giving someone your house key
Creating Custom Zones
# Create a new zone for your special applications
firewall-cmd --permanent --new-zone=webapp-servers
firewall-cmd --reload # A new zone only exists after a reload
# Set up the zone with specific rules
firewall-cmd --zone=webapp-servers --add-service=http --permanent
firewall-cmd --zone=webapp-servers --add-service=https --permanent
firewall-cmd --reload # Permanent changes need a reload to take effect
# The zone filters nothing until an interface (--change-interface) or a source (--add-source) is assigned to it
Runtime vs Permanent Changes: The Golden Rule
This is where most admins shoot themselves in the foot. Understanding the difference between runtime and permanent changes is like knowing the difference between a temporary tattoo and the real deal.
Runtime Changes (Immediate but Temporary)
# Takes effect immediately but disappears after reboot
firewall-cmd --zone=public --add-port=8080/tcp
Permanent Changes (Survives Reboots)
# Saved to config but needs reload to take effect
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload
The Smart Admin’s Approach
# Best practice: Test runtime first, then make permanent
firewall-cmd --zone=dmz --add-service=http
# Test your application works
firewall-cmd --zone=dmz --add-service=http --permanent
firewall-cmd --reload
Firewall Rules: Ports vs Services
Working with Ports (The Manual Approach)
# Allow specific port
firewall-cmd --zone=public --add-port=443/tcp --permanent
# Allow port range
firewall-cmd --zone=internal --add-port=8000-8080/tcp --permanent
# Remove port access
firewall-cmd --zone=public --remove-port=80/tcp --permanent
Working with Services (The Smart Approach)
# Much cleaner than remembering port numbers
firewall-cmd --zone=internal --add-service=https --permanent
firewall-cmd --zone=dmz --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=dns --permanent
# List available services
firewall-cmd --get-services
Services are pre-configured bundles that include the right ports and protocols. It’s like ordering a combo meal instead of listing every ingredient.
Rich Rules: The Swiss Army Knife
Rich rules are where firewalld gets really powerful — they let you create “if-then” logic for your firewall.
Advanced Access Control
# Allow SSH only from your office network
# (the zone's general ssh service must go too, otherwise this rule just adds a second accept)
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' --permanent
# Block specific troublemaker IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="bad.hacker.ip" reject' --permanent
# Allow HTTP but limit connections per minute
firewall-cmd --zone=public --add-rich-rule='rule service name="http" accept limit value="25/m"' --permanent
UFW: The User-Friendly Alternative
Ubuntu’s Uncomplicated Firewall (UFW) is like the automatic transmission of firewalls — less control, but much easier to drive.
UFW Basic Commands
sudo ufw enable # Turn on the firewall
sudo ufw status # Check current rules
sudo ufw allow 22/tcp # Allow SSH
sudo ufw allow from 192.168.1.0/24 # Allow from specific network
sudo ufw deny out 25 # Block outgoing SMTP
sudo ufw delete allow 80 # Remove a rule
UFW Application Profiles
sudo ufw app list # See available app profiles
sudo ufw allow 'Apache Full' # Allow HTTP and HTTPS
sudo ufw allow 'OpenSSH' # Allow SSH with proper profile
Traditional Firewall Tools: The Hardcore Options
iptables: The OG Firewall
# Accept loopback traffic and replies to connections this host started
sudo iptables -t filter -A INPUT -i lo -j ACCEPT
sudo iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept SSH connections
sudo iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# Drop everything else (order matters: this rule must come last)
sudo iptables -t filter -A INPUT -j DROP
# Save rules (varies by distribution); sh -c makes the redirect run as root, not as your user
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
iptables breakdown:
- -t filter: The table (filter for basic allow/deny)
- -A INPUT: Append to INPUT chain (incoming traffic)
- -p tcp: Protocol (TCP in this case)
- --dport 22: Destination port 22 (SSH)
- -j ACCEPT: Jump to ACCEPT (allow the traffic)
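Chain order is what turns the iptables snippet above into a lockout: once the catch-all DROP is appended, any ACCEPT added after it is never reached. The script below is an added example, not code from the original post; it audits a constructed iptables-save style dump of the INPUT chain and reports the rules that should precede the DROP but don't.

```shell
#!/bin/sh
# Added example, not code from the original post. RULES_OK and RULES_BAD are
# constructed iptables-save style dumps of the INPUT chain.
RULES_OK='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT'
RULES_BAD='*filter
-A INPUT -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Line number (within the dump) of the first catch-all INPUT drop, or empty.
first_drop_line() {  # $1 = dump
  printf '%s\n' "$1" | grep -n -- '^-A INPUT -j DROP$' | head -n 1 | cut -d: -f1
}

# Succeed if a line matching pattern $2 appears before line $3 of dump $1.
# iptables evaluates a chain top to bottom, so anything after the DROP is dead.
rule_before() {  # $1 = dump, $2 = grep pattern, $3 = line number
  printf '%s\n' "$1" | head -n "$(( $3 - 1 ))" | grep -q -- "$2"
}

# Print one problem per line; print nothing and return 0 when the chain is safe.
audit_input_chain() {  # $1 = dump
  drop=$(first_drop_line "$1")
  if [ -z "$drop" ]; then
    echo "no catch-all DROP: INPUT chain is wide open"
    return 1
  fi
  status=0
  rule_before "$1" '^-A INPUT -i lo -j ACCEPT' "$drop" ||
    { echo "loopback not accepted before the DROP"; status=1; }
  rule_before "$1" '^-A INPUT .*--ctstate .*ESTABLISHED' "$drop" ||
    { echo "ESTABLISHED,RELATED not accepted before the DROP: replies get dropped"; status=1; }
  rule_before "$1" '^-A INPUT -p tcp --dport 22 -j ACCEPT' "$drop" ||
    { echo "SSH not accepted before the DROP: remote lockout"; status=1; }
  return "$status"
}

audit_input_chain "$RULES_OK" && echo "RULES_OK is safe to load"
audit_input_chain "$RULES_BAD" || echo "RULES_BAD would lock you out"
```

On a real host, run it against the live rules with `audit_input_chain "$(sudo iptables-save)"` before saving them to rules.v4.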
nftables: The Modern Replacement
# Add SSH rule (assumes the table "inet filter" and its "input" chain already exist)
sudo nft add rule inet filter input tcp dport 22 ct state new accept
# List current rules
sudo nft list table inet filter
# Make rules persistent; sh -c makes the redirect run as root, not as your user
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
nftables combines IPv4, IPv6, and other protocols into one unified system — it’s like having one remote control for all your devices instead of a coffee table full of them.
ipset: The Address Book
# Create a set of blocked IPs
sudo ipset create blocklist hash:ip
# Add IPs to the blocklist
sudo ipset add blocklist 192.168.1.100
sudo ipset add blocklist 10.0.0.50
# Use the set in iptables
sudo iptables -A INPUT -m set --match-set blocklist src -j DROP
Practical Firewall Scenarios
Web Server Setup
# DMZ zone for web servers
firewall-cmd --zone=dmz --add-service=http --permanent
firewall-cmd --zone=dmz --add-service=https --permanent
firewall-cmd --zone=dmz --add-service=ssh --permanent
firewall-cmd --reload
Database Server Hardening
# Only allow database access from application servers
# (don't also add the bare port zone-wide: that would open 3306 to the whole zone and make the source restriction pointless)
firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port protocol="tcp" port="3306" accept' --permanent
firewall-cmd --reload
Emergency Lockdown
# Panic mode drops ALL traffic, SSH included, so only use it with console access (runtime only, not saved)
firewall-cmd --panic-on # EMERGENCY: Block everything
firewall-cmd --panic-off # Turn off panic mode
Troubleshooting Firewall Issues
Common Commands for Debugging
# Check what's actually running
firewall-cmd --list-all-zones
firewall-cmd --zone=public --list-all
# Monitor the firewalld daemon log (dropped packets only show up in the kernel log, and only after firewall-cmd --set-log-denied=all)
sudo journalctl -f -u firewalld
# Test port connectivity
telnet your-server.com 80
nc -zv your-server.com 22
When Things Go Wrong
- Can’t SSH in? Check if SSH service is allowed in your zone
- Application not accessible? Verify the port/service is open
- Changes not working? Did you reload after permanent changes?
- Locked out completely? Physical/console access needed to fix
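Two of the failure modes above (changes that vanish on reboot, and reloading into a config that no longer allows SSH) can be caught before the reload by comparing the runtime and permanent zone listings. The script below is an added example, not code from the original post; it parses two constructed samples of `firewall-cmd --zone=public --list-all` output (runtime and --permanent) and reports runtime-only entries and whether SSH survives a reload.

```shell
#!/bin/sh
# Added example, not code from the original post. The two listings below are
# constructed samples of `firewall-cmd --zone=public --list-all` (runtime)
# and the same command with --permanent.
RUNTIME_LISTING='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh http
  ports: 8080/tcp 9000/tcp
  rich rules: '
PERMANENT_LISTING='public
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 8080/tcp
  rich rules: '

# Print the entries of one --list-all field ("services" or "ports"), one per line.
list_field() {  # $1 = listing text, $2 = field name
  printf '%s\n' "$1" | sed -n "s/^  $2: *//p" | tr ' ' '\n' | sed '/^$/d'
}

# Print "FIELD ENTRY" for every runtime entry missing from the permanent
# config; empty output means nothing is lost on reboot.
runtime_only() {  # $1 = runtime listing, $2 = permanent listing
  for field in services ports; do
    list_field "$1" "$field" | while read -r entry; do
      list_field "$2" "$field" | grep -qx -- "$entry" || printf '%s %s\n' "$field" "$entry"
    done
  done
}

# Succeed only if SSH is still allowed (ssh service or 22/tcp) in the listing.
ssh_allowed() {  # $1 = listing text
  list_field "$1" services | grep -qx ssh && return 0
  list_field "$1" ports | grep -qx '22/tcp'
}

# Run both checks before typing firewall-cmd --reload.
audit() {
  drift=$(runtime_only "$RUNTIME_LISTING" "$PERMANENT_LISTING")
  [ -n "$drift" ] && printf 'Lost on reboot (runtime only):\n%s\n' "$drift"
  if ssh_allowed "$PERMANENT_LISTING"; then
    echo "SSH survives a reload"
  else
    echo "WARNING: SSH is not in the permanent config, do not reload yet"
  fi
}
audit
```

On a real host, replace the two constants with `$(firewall-cmd --zone=public --list-all)` and `$(firewall-cmd --zone=public --list-all --permanent)`.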
TLDR Cheat Sheet 🚀
Essential firewalld Commands:
firewall-cmd --get-zones # List available zones
firewall-cmd --zone=public --add-service=http --permanent # Add service
firewall-cmd --zone=public --add-port=8080/tcp --permanent # Add port
firewall-cmd --reload # Apply permanent changes
firewall-cmd --list-all-zones # Show all zone configs
UFW Essentials:
sudo ufw enable # Enable firewall
sudo ufw allow 22/tcp # Allow SSH
sudo ufw status numbered # Show rules with numbers
sudo ufw delete 3 # Delete rule number 3
Emergency Commands:
firewall-cmd --panic-on # Block everything (emergency)
firewall-cmd --panic-off # Restore normal operation
sudo ufw --force reset # Reset UFW to defaults
Quick Security Rules:
- Test runtime changes before making them permanent
- Always keep SSH access open (unless you enjoy long drives to the datacenter)
- Use services instead of raw ports when possible
- Document your firewall rules — your future self will thank you
- Regular backups of working configurations are your safety net