
The Digital Shield: UFW and Firewalld
Protect your server from the outside world. Master the basics of Linux firewalls. Learn the simple 'Uncomplicated Firewall' (UFW) for Ubuntu and the powerful 'Firewalld' for enterprise systems. Understand the philosophy of Default Deny.
Firewall Management: Securing the Perimeter
Every second your Linux server is connected to the internet, it is being probed by automated bots looking for weaknesses. Even if you have strong SSH keys, you shouldn't leave unnecessary "Doors" (Ports) open.
A Firewall is a security gate that sits between your network card and your applications. In Linux, the real engine is called nftables (or the older iptables), but these are incredibly complex. Most administrators use "Frontends" to manage them: UFW (Ubuntu) or Firewalld (Red Hat).
In this lesson, we will learn the philosophy of the "Default Deny" and how to lock down your server.
1. The Philosophy: Default Deny
A professional firewall configuration follows one simple rule:
- Deny everything trying to come IN.
- Allow everything trying to go OUT.
- Selectively Open only the specific doors you need (e.g., SSH, HTTP).
2. UFW: The Uncomplicated Firewall (Ubuntu/Debian)
UFW is designed to be human-readable.
The Basic Workflow:
# 1. Check status
sudo ufw status
# 2. Set the default rules (Deny In, Allow Out)
sudo ufw default deny incoming
sudo ufw default allow outgoing
# 3. Open the doors you need
sudo ufw allow ssh # Port 22
sudo ufw allow http # Port 80
sudo ufw allow 8080/tcp # Specific custom port
# 4. Turn it on
sudo ufw enable
3. Firewalld: The Enterprise Manager (Red Hat/Fedora)
Firewalld uses the concept of Zones. You can have different rules depending on whether you are on a "Public" (untrusted) network or a "Home" (trusted) network.
The Basic Workflow:
# 1. Start the service
sudo systemctl start firewalld
# 2. Open a service permanently
sudo firewall-cmd --permanent --add-service=http
# 3. Open a custom port
sudo firewall-cmd --permanent --add-port=3000/tcp
# 4. Reload to apply
sudo firewall-cmd --reload
4. Closing the Doors
If you realize a service is no longer needed, you must "Delete" the rule.
- UFW:
sudo ufw delete allow http
- Firewalld:
sudo firewall-cmd --permanent --remove-service=http
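The open/close commands in sections 3 and 4 become error-prone once a zone has accumulated services nobody remembers adding. The following Python script is an added example (not code from the lesson): it parses the output of `firewall-cmd --zone=public --list-all`, compares the zone with a desired allow-list, and returns the exact `--add-`/`--remove-` commands plus the closing `--reload`. The sample `--list-all` output, the `public` zone name and the desired allow-list are constructed for illustration; nothing is executed, the function only returns the command list for review.

```python
"""Reconcile a firewalld zone against a desired Default Deny allow-list.

Parses `firewall-cmd --zone=<zone> --list-all` output and emits the firewall-cmd
commands needed to open what is missing and close what is no longer wanted.
Nothing is executed: plan_changes() returns the commands so you can review them
(or hand them to subprocess) yourself.
"""
import re

# Constructed sample of `firewall-cmd --zone=public --list-all` output.
# Note the leftovers (cockpit, 8080/tcp) that a reviewer would want closed.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 3000/tcp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_list_all(text):
    """Return {'services': set(...), 'ports': set(...)} from --list-all output."""
    state = {"services": set(), "ports": set()}
    for line in text.splitlines():
        # Only the two list lines we manage; 'forward-ports:' and
        # 'source-ports:' do not match because the name must start the field.
        m = re.match(r"\s*(services|ports):\s*(.*)$", line)
        if m:
            state[m.group(1)] = set(m.group(2).split())
    return state


def plan_changes(current, desired, zone="public"):
    """Compute the firewall-cmd commands that move `current` to `desired`.

    `desired` looks like {"services": {"ssh", "http"}, "ports": {"3000/tcp"}}.
    Every change is --permanent, and the plan ends with --reload so the running
    rules match the saved configuration (as in step 4 of the workflow above).
    """
    want_services = set(desired.get("services", set()))
    want_ports = set(desired.get("ports", set()))
    # Lockout guard: refuse a plan that would close SSH on a remote host.
    if "ssh" not in want_services and "22/tcp" not in want_ports:
        raise ValueError("desired state has no ssh service or 22/tcp port; refusing to lock you out")

    cmds = []
    for kind, flag, want in (("services", "service", want_services),
                             ("ports", "port", want_ports)):
        have = set(current.get(kind, set()))
        for item in sorted(want - have):
            cmds.append(f"sudo firewall-cmd --permanent --zone={zone} --add-{flag}={item}")
        for item in sorted(have - want):
            cmds.append(f"sudo firewall-cmd --permanent --zone={zone} --remove-{flag}={item}")
    if cmds:
        cmds.append("sudo firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    current = parse_list_all(SAMPLE_LIST_ALL)
    desired = {"services": {"ssh", "http"}, "ports": {"3000/tcp"}}
    for cmd in plan_changes(current, desired) or ["# zone already matches desired state"]:
        print(cmd)
```

On a real host you would feed it `subprocess.run(["firewall-cmd", "--zone=public", "--list-all"], capture_output=True, text=True).stdout` instead of the constructed sample; because every change is `--permanent`, nothing takes effect until the final `--reload`, which is exactly the moment to have a second SSH session open.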
5. Practical: Locking Down by IP Address
Sometimes you want to open a port (like a sensitive database port), but you only want YOUR IP address to be allowed in.
# UFW: Only let Sudeep's IP (e.g., 1.2.3.4) access the database on 3306
sudo ufw allow from 1.2.3.4 to any port 3306
6. Example: A Firewall Security Auditor (Python)
If you are managing 50 servers, you need to be sure that no one accidentally ran ufw disable. Here is a Python script that checks whether the firewall is active on the host it runs on, for both UFW and Firewalld systems.
import subprocess
import os

def check_firewall_status():
    """
    Checks if UFW or Firewalld is active.
    """
    print("--- Firewall Security Audit ---")
    print("-" * 35)

    # Check for UFW
    if os.path.exists("/usr/sbin/ufw"):
        res = subprocess.run(['sudo', 'ufw', 'status'], capture_output=True, text=True)
        if "Status: active" in res.stdout:
            print("[OK] UFW is ACTIVE and protecting the system.")
        else:
            print("[!!!] WARNING: UFW is INSTALLED but INACTIVE!")

    # Check for Firewalld
    elif os.path.exists("/usr/bin/firewall-cmd"):
        res = subprocess.run(['firewall-cmd', '--state'], capture_output=True, text=True)
        # A stopped firewalld prints "not running" (non-zero exit), so a plain
        # substring test for "running" would wrongly report it as RUNNING.
        if res.returncode == 0 and res.stdout.strip() == "running":
            print("[OK] Firewalld is RUNNING and protecting the system.")
        else:
            print("[!!!] WARNING: Firewalld is STOPPED!")

    else:
        print("[DANGER] No friendly firewall manager (UFW/Firewalld) detected.")

if __name__ == "__main__":
    check_firewall_status()
7. Professional Tip: Don't Lock Yourself Out!
THE MOST COMMON MISTAKE: You run sudo ufw default deny incoming and then sudo ufw enable before you run sudo ufw allow ssh.
The firewall will instantly disconnect your SSH session, and because you denied all incoming traffic, you can never get back in!
Always ensure SSH is allowed before enabling a firewall remotely.
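The auditor in section 6 only tells you whether a firewall is on. As an added example (not code from the lesson), the Python script below goes one step further and checks a `sudo ufw status verbose` snapshot against sections 1, 5 and 7: the defaults must be deny-in/allow-out, an inbound ALLOW rule for 22/tcp must exist (the lockout guard), and sensitive ports such as 3306 must be allowed only from a specific address, never from "Anywhere". The two status snapshots and the SENSITIVE_PORTS list are constructed for illustration; the functions only parse text, so output collected from many servers can be audited centrally.

```python
"""Audit a `sudo ufw status verbose` snapshot against the rules in this lesson.

Three checks a defender wants before (and after) `ufw enable`:
  1. Default Deny: incoming policy 'deny', outgoing policy 'allow'.
  2. Lockout guard: an inbound ALLOW (or LIMIT) rule for 22/tcp must exist.
  3. Exposure: sensitive ports must not be allowed from 'Anywhere'.
"""
import re

# Constructed sample of `sudo ufw status verbose` output (not from a real host).
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    1.2.3.4
5432/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# Constructed: the lockout mistake from the tip above (deny incoming, no SSH rule).
SAMPLE_LOCKOUT = """\
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
"""

# Ports that should only be reachable from a known admin or application address
# (assumed list; extend it for your environment).
SENSITIVE_PORTS = {"3306", "5432", "6379", "27017"}

# One rule line: "<to>[ (v6)]   <ACTION>[ IN|OUT|FWD]   <from>"
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?: (?P<dir>IN|OUT|FWD))?\s+(?P<from>.+?)\s*$"
)


def parse_status(text):
    """Return (active, defaults, rules) from `ufw status [verbose]` output."""
    active, defaults, rules = False, {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
        elif line.startswith("Default:"):
            # "deny (incoming), allow (outgoing), ..." -> {"incoming": "deny", ...}
            for policy, chain in re.findall(r"(\w+) \((\w+)\)", line):
                defaults[chain] = policy
        else:
            m = RULE_RE.match(line)
            if m:  # header and separator lines never match an ACTION keyword
                rules.append({"to": m.group("to"), "action": m.group("action"),
                              "direction": m.group("dir") or "IN", "from": m.group("from")})
    return active, defaults, rules


def port_of(to):
    """Numeric port from a 'To' value such as '3306/tcp (v6)'; None if not a port."""
    m = re.match(r"(\d+)(?:/\w+)?", to)
    return m.group(1) if m else None


def audit_ufw(text):
    """Return a list of (severity, message) findings; an empty list means all clear."""
    active, defaults, rules = parse_status(text)
    findings = []
    if not active:
        findings.append(("CRITICAL", "UFW is inactive: no rules are enforced"))
    if defaults.get("incoming") != "deny":
        findings.append(("CRITICAL", f"default incoming is {defaults.get('incoming')!r}, expected 'deny'"))
    if defaults.get("outgoing") != "allow":
        findings.append(("WARNING", f"default outgoing is {defaults.get('outgoing')!r}, expected 'allow'"))
    inbound = [r for r in rules if r["direction"] == "IN"]
    # Lockout guard: at least one inbound ALLOW/LIMIT rule for port 22.
    if not any(r["action"] in ("ALLOW", "LIMIT") and port_of(r["to"]) == "22" for r in inbound):
        findings.append(("CRITICAL", "no inbound ALLOW rule for 22/tcp: this config would cut off SSH"))
    # Exposure: sensitive ports must be restricted to a specific source (section 5).
    for r in inbound:
        if r["action"] == "ALLOW" and port_of(r["to"]) in SENSITIVE_PORTS \
                and r["from"].startswith("Anywhere"):
            findings.append(("HIGH", f"{r['to']} is open to {r['from']}; restrict it with "
                                     f"'sudo ufw allow from <admin-ip> to any port {port_of(r['to'])}'"))
    return findings


if __name__ == "__main__":
    for name, snapshot in (("sample host", SAMPLE_STATUS), ("lockout host", SAMPLE_LOCKOUT)):
        print(f"== {name} ==")
        for severity, message in audit_ufw(snapshot) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

One caveat when using this as a pre-flight check: while UFW is still inactive, `ufw status verbose` prints only "Status: inactive" and no rule table, so the lockout guard fires on the inactive finding rather than on a missing rule; on a live host, run the audit from a second SSH session after `ufw enable`, and keep the first session open until it reports no findings.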
8. Summary
Firewalls are your system's first and last line of network defense.
- Default Deny is the only safe configuration.
- UFW is simple and perfect for most developers.
- Firewalld provides advanced zone-based security for enterprises.
- Always test SSH before locking the gate.
This wraps up our final technical lesson. In the next section, we will have a Course Wrap-up to look at where to go next on your journey to Linux Mastery.
Quiz Questions
- Why do we set the "Default Incoming" rule to Deny?
- What happens if you enable UFW without allowing Port 22 (SSH)?
- How do you allow connection to a specific port (like 8000) from only one specific IP address?
Continue to Lesson 6: Course Wrap-up—Your Path to Senior Linux Engineer.