Do I need a Firewall in Linux?
What is a firewall? Do I need a firewall in Linux? How to set up and configure a firewall in Linux. All these questions are answered in this post.
What is a firewall in Linux?
Firewall is a set of software filters that controls incoming and outgoings traffic in your computer. In simple words, it is a sort of wall between your computer and the outside world.
Do you need a firewall in Linux?
Many new users ask me this question almost every day. A short answer, you do not need it but it is better to have. Let me explain why.
Almost all Linux distributions come without a firewall by default. To be more correct, they have an inactive firewall. Because the Linux kernel has a built-in firewall and technically all Linux distros have a firewall but it is not configured and activated. I believe it is because using a firewall require some expertise.
But don’t worry, your Linux is still secure even without an active firewall. By default, most of the distributions such as Ubuntu and Linux Mint have no open ports so your computer cannot be accessed by intruders.
Nevertheless, I recommend to activate a firewall. It is better to be safe than sorry. A firewall does not use many resources, but it adds an extra layer of security. An inexperienced user can accidentally open some ports without knowing it, for example, by installing samba, ssh, apache. In this case, the firewall will still protect the system from outside access.
How to set up a firewall in Linux?
There are several programs you can use to configure and run a firewall in Linux. But I will show you only two programs which I believe are the most worthy.
- UFW – it is probably the most user-friendly firewall available in Linux. If you are a complete newbie or you just want to use your Linux without going to deep into its settings, use UFW.
- iptables - which is a more advanced but probably a proper way to configure the Linux Firewall. If you really want to learn Linux and you aim to become a Linux expert, you need to learn iptables.
UFW - the uncomplicated firewall
As I said above, UFW is the most simple and the most user-friendly way to get firewall running in Linux. It can be used with a graphical front end as well as from the command line only. In the first case, you need to install the program GUFW from your software manager. In the latter case, install only UFW, that is without G and thus without GUI.
GUFW
So, let’s start with the graphical interface. Simply install GUFW, open it, and enable.
That’s it. Your firewall is active and the default settings to deny incoming and allow outgoing connections is fine for most of the users. No one will be able to connect to your computer, while any application in your computer would be able to reach the outside world.
If you need to open some ports to be able to connect to your computer from the outside, you go to the rules tab and open ports for a specific application.
For example, if you need to access your computer remotely through ssh, you select ssh in the Application option. You can also define the firewall rules for an application in this window. If you are unsure, keep the default settings. Just make sure you ssh is secured with at least with a password.
UFW
GUFW is a very simple and effective firewall application. However, it may not always work well in some distros. For example, I encountered problems in GUFW in Manjaro. So, if you are not afraid of the command line, I recommend the command line UFW. It is as simple and it never failed in any Linux distro I tried.
Install UFW from the terminal or the software manager. In Debian or Debian-based distros such as Ubuntu, Linux Mint, elementary etc, you would run this command to install it:
sudo apt install ufw
To activate the UFW firewall, run:
sudo ufw enable
Next, check its status:
sudo ufw status verbose
By default, it has the same rules to deny incoming and allow outgoing.
If you need to open some ports, you just need to run one command. For example, to open ssh port, run:
sudo ufw allow ssh
If you check the status again:
You will see the ssh port 22 is open.
You can read more about settings of UFW in its man page, simply run man ufw
.
I believe 99% of users will be happy with using GUFW or UFW because this uncomplicated firewall provides a reliable security layer with easy configuration. However, if you want some hardcore Linux experience, you need to try to configure the iptables.
Iptables - advanced Linux firewall
Iptables is rather aimed for server use where one need to configure complicated network routing. For a regular desktop user, the iptables firewall is not easy to understand. Honestly, I tried to use iptables many times on my system, and I always come back to UFW. You need to read a lot to understand how iptables works and how to configure it for your needs. For example, this is the iptables process flow.
Quite complicated, isn’t it?
Without going too deep into this chart, I will just say that for beginners it is important to know that the input filter is used to control the behavior for incoming connections. This is where you mostly deny connections. The output filter controls the chain for outgoing connections. It is used to access the internet, so you mostly keep the filter open. There is also a forward chain, but unless you are doing some kind of routing or something else on your system that requires forwarding, you w ll not even use this chain.
But I will keep things simple for iptables too and I will show you only a Simple stateful firewall configuration I learned from the Arch Linux wiki. I believe it is a good start to learn iptables.
First, create the necessary chains
sudo iptables -N TCPsudo iptables -N UDP
Next, if you use Arch Linux, enable iptables in the systemd, so it starts automatically with your system:
sudo systemctl enable iptables.service
Next, according to the Arch wiki, you need to add these rules:
iptables -P FORWARD DROPiptables -P OUTPUT ACCEPTiptables -P INPUT DROPiptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTiptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -m conntrack --ctstate INVALID -j DROPiptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPTiptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDPiptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCPiptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachableiptables -A INPUT -p tcp -j REJECT --reject-with tcp-resetiptables -A INPUT -j REJECT --reject-with icmp-proto-unreachableiptables -t raw -I PREROUTING -m rpfilter --invert -j DROPiptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-resetiptables -D INPUT -p tcp -j REJECT --reject-with tcp-resetiptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-resetiptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachableiptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachableiptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
To help you a bit, I have copied all these commands to a shell script iptables_ArchLinux.sh. So, you only need to download it, extract, and make it executable:
wget http://averagelinuxuser.com/wp-content/uploads/2019/02/iptables_ArchLinux.zipunzip iptables_ArchLinux.zipchmod +x iptables_ArchLinux.sh
Finally, run it to apply all the rules of a simple stateful firewall:
sudo ./iptables_ArchLinux.sh
After the script is executed, a Simple stateful firewall is configured. Again, I recommend you to go to the Arch Linux wiki page and read more about it there.
Conclusion
If you have not used a firewall in your Linux, I recommend you to start using it. You can at least install and configure the UFW firewall. And if you are too serious about learning Linux, you can go with configuring iptables, but be ready to struggle with it sometimes :-)
If you like this article, you may also like a similar post about Linux swap.
Comments
John McLeod
Iptables changed and the change is joining up with nf_tables. Let me assure you that iptables and iptables-nft is two different things. Me as a novice deleted iptables and going for nftables. Spare you lots of hours on Google.
franehr
if someone is determined to hack u he/she will hack u anyway , with or without your firewall and antivirus. But we common people are not target for hackers i guess..
iamseeyou
Yes, but having a firewall or an antivirus makes their job much harder, making it more tiring, boring and making most common hackers quit. I will use a metaphor: It’s like robbing a bank, if it had no security at all, no guards, no cameras, no protected vaults, nothing, just the money hidden behind a wall, there would be lots and lots of robberies everyday, but with all the security that there is, it gets much harder, to the point that a bank robbery hardly is done, and when it is done, half of the time it isn’t successful, a few robbers will still be able to rob it but that’s far less than what it would be without any security.
Average Linux User
Nice metaphor, @iamseeyou!
Professor Moriarty
A Linux desktop needs a firewall. A Linux desktop is a very insecure system. Linux as in the kernel firewall performs a basic function and that is all that is required of it. A Windows desktop with a two-way firewall understands their system and what is going on far better than a Linux desktop user who has no knowledge of what is on the system and what data is leaving the system.
iamseeyou
“far better than a Linux desktop user who has no knowledge of what is on the system and what data is leaving the system.” I can assure you that, given the Linux userbase, the Linux desktop users knows much more about their computers, system, network and cybersecurity than the average Windows user, which are much more casual people.
I’m mostly sure that the amount of non-tech-savvy people using Linux is as low as the amount of tech-savvy people using Windows…
cicerferreira
estao invadindo o /etc/cups e mudando as permissoes das pasta com usuario root lp como deletar esse usuario
Saber
Looking at this question: https://askubuntu.com/questions/9206/is-there-a-preinstalled-or-automatic-firewall, it seems that the firewall is activated by default. Is this true?
Average Linux User
There is a firewall (iptables) but it accepts all connections by default. To have protection, you need to configure it. I have checked it: