1. What is a Firewall? Why Do You Need It?
Imagine your Linux server is a “castle,” and the firewall is like the castle’s “gatekeeper”—it checks every “visitor” (network request) trying to enter, allowing only legitimate visitors and rejecting suspicious access. Without a firewall, your server is like an open gate, making it vulnerable to external attacks (e.g., malicious port scans, intrusion scripts), which could lead to data loss or service outages.
Core Role: Restrict network access (only allow necessary connections) and protect the server from unauthorized attacks.
2. What Firewall Tools Are Available in Linux?
Linux firewalls are broadly categorized into two types, suitable for different distributions. Beginners should start with user-friendly tools:
- ufw (Uncomplicated Firewall)
  - Characteristics: Default firewall for Ubuntu/Debian, with simple commands, ideal for beginners.
  - Essence: A simplified tool built on iptables, hiding the underlying complex rules.
- firewalld
  - Characteristics: Default firewall for CentOS/RHEL/Rocky Linux, supports dynamic rules (no restart required), suitable for flexible configurations.
  - Essence: Built on the netfilter framework, with a "zone" concept (e.g., public, trusted), making rule management more intuitive.
- iptables
  - Characteristics: The lowest-level firewall tool, powerful but with complex rules, ideal for advanced users or precise control.
  - Tip: Both ufw and firewalld are "upper-layer tools" on top of iptables. Beginners should prioritize ufw or firewalld.
3. Basic Operations: Examples with ufw and firewalld
Below are core operations for different scenarios. Choose the tool based on your system.
Scenario 1: Manage Firewall with ufw (Ubuntu/Debian)
- Check ufw status:
  ```bash
  sudo ufw status   # View current rules (default: inactive)
  ```
  Example output: `Status: inactive` (not enabled) or `Status: active` (enabled).
- Enable the firewall:
  ```bash
  sudo ufw enable   # Enable firewall (default policy: deny all inbound, allow all outbound)
  ```
  Note: After enabling, the server blocks all inbound connections by default; only ports you have already allowed are reachable. If you are working over SSH, add the SSH rule before enabling, or you will lock yourself out of the session.
- Open common ports/services:
  - Open SSH (port 22, for remote login):
    ```bash
    sudo ufw allow ssh        # Use the service name (maps to port 22)
    sudo ufw allow 22/tcp     # Or open the port manually
    ```
  - Open HTTP (port 80, web service):
    ```bash
    sudo ufw allow 80/tcp     # Allow TCP connections on port 80
    ```
  - Allow access from specific IPs:
    ```bash
    sudo ufw allow from 192.168.1.100                  # Allow all connections from IP 192.168.1.100
    sudo ufw allow from 10.0.0.0/24 to any port 3306   # Allow MySQL (3306) access only from 10.0.0.0/24
    ```
- View open rules:
  ```bash
  sudo ufw status numbered   # View rules with line numbers
  ```
- Delete rules:
  ```bash
  sudo ufw delete 1   # Delete the first rule (check the numbers with "status numbered")
  ```
- Set default policies (critical!):
  - Deny all inbound connections (most secure):
    ```bash
    sudo ufw default deny incoming
    ```
  - Allow all outbound connections (server-initiated requests are unrestricted):
    ```bash
    sudo ufw default allow outgoing
    ```
Scenario 2: Manage Firewall with firewalld (CentOS/RHEL/Rocky Linux)
- Check firewalld status:
  ```bash
  sudo systemctl status firewalld   # Check the service status
  sudo firewall-cmd --state         # Check the firewall status (output: running / not running)
  ```
- Open ports/services:
  - Open the HTTP service (port 80; firewalld maps "http" to 80):
    ```bash
    sudo firewall-cmd --add-service=http               # Runtime-only addition (lost after reboot)
    # For a permanent rule, add it with --permanent and then reload:
    sudo firewall-cmd --add-service=http --permanent
    sudo firewall-cmd --reload                         # Apply permanent rules to the running configuration
    ```
  - Manually open a port (e.g., 3306 for MySQL):
    ```bash
    sudo firewall-cmd --add-port=3306/tcp --permanent
    sudo firewall-cmd --reload                         # Permanent rules take effect only after a reload
    ```
- Allow specific IP access:
  ```bash
  sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="22" accept' --permanent
  sudo firewall-cmd --reload
  ```
  Explanation: `--add-rich-rule` adds a more complex rule; this one allows IP 192.168.1.100 to access port 22 (SSH).
- View open rules:
  ```bash
  sudo firewall-cmd --list-all   # List all rules of the active zone (services, ports, rich rules)
  ```
- Set default policies:
  - Deny all inbound connections (most secure):
    ```bash
    sudo firewall-cmd --set-default-zone=drop     # The "drop" zone silently discards all inbound traffic
    ```
  - Use the public zone (recommended):
    ```bash
    sudo firewall-cmd --set-default-zone=public   # "public" rejects inbound traffic except explicitly opened services
    ```
  Note: `--set-default-zone` changes both the runtime and the permanent configuration, so it needs neither `--permanent` nor `--reload`.
4. 3 Must-Know Pitfalls for Beginners
- Forgetting `--permanent`
  Firewall rules are temporary by default (lost after reboot). Always use `--permanent` to save rules permanently:
  ```bash
  # Incorrect: opens port 80 only in the runtime configuration (lost after reboot)
  sudo firewall-cmd --add-service=http
  # Correct: opens port 80 permanently
  sudo firewall-cmd --add-service=http --permanent
  sudo firewall-cmd --reload   # Apply the change
  ```
- Default Policy Causes "Port Configured but Unreachable"
  - A default inbound-deny policy blocks every port that has no explicit allow rule, so a service that is running but was never opened in the firewall (e.g., a web server listening on port 80 with no rule for 80) is unreachable from outside.
  - Recommendation: Keep the default policy at "deny all inbound" and open only the ports you actually need.
- Avoid Opening High-Risk Ports Publicly
  - Ports like 22 (SSH), 3306 (MySQL), 5900 (VNC) should never be exposed directly to the internet!
  - Correct Practice: Only allow access from specific IPs (e.g., corporate IPs) or via a VPN/jump host.
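To check the third pitfall on an existing host, the following audit script (an added example, not part of the original article) scans a captured `sudo ufw status numbered` listing and reports every rule that allows one of the high-risk ports from "Anywhere". The listing embedded in the script is a constructed sample; on a real server, replace it with the actual command output.

```shell
#!/bin/sh
# Audit a "ufw status numbered" listing for high-risk ports open to every source.

# Constructed sample of what "sudo ufw status numbered" prints on a typical host.
UFW_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    10.0.0.0/24
[ 4] 5900/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Ports the article says must never be reachable from the whole internet.
HIGH_RISK_PORTS="22 3306 5900"

# exposed_high_risk <listing>: prints one "port/proto" (plus "(v6)" for IPv6 rules)
# per rule that allows a high-risk port from Anywhere; prints nothing when clean.
exposed_high_risk() {
  printf '%s\n' "$1" | awk -v risky="$HIGH_RISK_PORTS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) risk[r[i]] = 1 }
    /^\[ *[0-9]+\]/ {
      sub(/^\[ *[0-9]+\] */, "")            # drop the "[ 1] " rule number
      split($1, p, "/"); port = p[1]         # $1 is e.g. "22/tcp"
      from = $NF                             # From column is the last field ...
      if (from == "(v6)") from = $(NF - 1)   # ... unless the "(v6)" marker follows it
      if ($0 ~ /ALLOW IN/ && from == "Anywhere" && (port in risk))
        print ($2 == "(v6)") ? $1 " (v6)" : $1
    }'
}

# count_exposed <listing>: number of offending rules, for use in scripts (0 = clean).
count_exposed() {
  exposed_high_risk "$1" | wc -l | tr -d ' '
}

# Example run: rules 1, 4 and 5 expose SSH and VNC to every source address,
# while rule 3 (MySQL restricted to 10.0.0.0/24) is not reported.
exposed_high_risk "$UFW_SAMPLE"
```

Any line the script prints should be replaced by a source-restricted rule such as `sudo ufw allow from <your IP> to any port 22`, as described in the ufw scenario above.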
5. Summary
A firewall is the “first line of defense” for server security. Linux provides tools like ufw and firewalld, enabling configuration without deep system knowledge. Key steps:
1. Define requirements (which ports/services to open? which IPs to allow?).
2. Use allow/deny rules to restrict access.
3. Persist rules with --permanent and apply with --reload/restart.
4. Regularly check rules (e.g., ufw status or firewall-cmd --list-all) and remove unused rules.
Action Plan: Open your Linux server now, try configuring a secure port (e.g., 22, restricted to your IP), and experience the firewall’s basic functionality!