Introduction to Server Security: Fundamentals of Linux Firewalls

**Summary:** This article introduces Linux firewalls, which act as the "gatekeepers" of a server, restricting network access and primarily protecting the server from attacks. The mainstream tools fall into three categories: ufw (for Ubuntu/Debian, simple and built on iptables), firewalld (for CentOS/RHEL, supporting dynamic rules and zone management), and iptables (low-level, suited to advanced users). For basic operations, ufw uses `enable` to turn the firewall on and `allow` to open ports; with firewalld, `--permanent` must be added for a rule to persist, and `reload` is required to apply changes. Common beginner pitfalls and tips: forgetting to add `--permanent` (the rule takes effect only temporarily and is not persisted), setting the default policy to "deny inbound" for stronger security, and allowing only specific IPs to reach high-risk ports (e.g., 22).
Conclusion: Firewalls are a security barrier; it is essential to clarify requirements, configure rules, ensure persistence, and conduct regular checks.
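As an added example, not code from the original article: a POSIX shell helper that applies the summary's recommendations for both frontends (deny inbound by default, open only the needed ports, restrict port 22 to one admin address, persist firewalld rules with `--permanent` followed by a single `reload`) and lints a provisioning script for the missing-`--permanent` pitfall. The function names, `ADMIN_IP` and the `DRY_RUN` switch are assumptions; by default the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original article. Set DRY_RUN=0 to apply
# the commands instead of printing them (run as root on the target host).
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed placeholder admin address

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ufw: deny inbound by default, allow outbound, open the web ports to all,
# allow port 22 only from the admin address, then enable the firewall.
ufw_harden() {
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow 80/tcp
  run ufw allow 443/tcp
  run ufw allow from "$ADMIN_IP" to any port 22 proto tcp
  run ufw --force enable
}

# firewalld: every rule carries --permanent so it survives reload/reboot;
# one reload at the end copies the permanent set into the running config.
firewalld_harden() {
  run firewall-cmd --permanent --zone=public --add-service=http
  run firewall-cmd --permanent --zone=public --add-service=https
  run firewall-cmd --permanent --zone=public --remove-service=ssh
  run firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=$ADMIN_IP port port=22 protocol=tcp accept"
  run firewall-cmd --reload
}

# Lint a provisioning script for the pitfall the article names: a
# firewall-cmd add/remove rule without --permanent is lost on the next
# reload. Prints each offending line and returns 1 if any is found.
lint_firewalld_script() {
  grep -nE 'firewall-cmd .*--(add|remove)-' "$1" | grep -v -- '--permanent' && return 1
  return 0
}
```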
