• We had to restore from a backup today after a failed software update. Backup was from 0000 EDT and restored it at 0800 EDT so we lost about 8hrs. Today is 07/20/2024. More info here.

Which Linux firewall do you use?

User740985915675054

New Member
Joined
Jul 10, 2024
Messages
18
Reaction score
7
Credits
145
Hi,

I'm new to this forum. Which firewall do use and why?

I'm currently using ufw because I have (or had up until a week ago) no experience setting up firewalls but I was able to do what I wanted to do with ufw that is block all outgoing traffic on my computer to ports 80 and 443 and then allow select ip addresses. This blacklists the whole internet on a web browser while allowing only whitelisted websites.
 


It doesn't matter which one you use as long as you have one installed and active. It's fine if you just use the one that was installed by default of the distribution you use. I use firewalld because I have more experience with that one because it was installed on most of the Linux distributions I have used so now I just use that one for my desktop or laptop systems.
 
Older versions of ufw and firewalld use iptables.
ufw and firewall-cmd are really just easier to use front-ends for iptables and nftables.
Most distro's are switching over to nftables. It's more powerful and flexible.

I haven't used ufw a lot, so I'm nor expert, but I am pretty familiar with firewall-cmd.
I use it because I'm familiar with it.

firewall-cmd does have a "zones" concept for interfaces and ports, I'm not aware of anything
like that in ufw, but as I said, I'm not an expert on ufw.
 
I think this isn't very intuitive for most people.

# Create an nftables rule to allow incoming HTTPS traffic from 192.168.1.100
Code:
sudo nft add rule ip filter input ip saddr 192.168.1.100 tcp dport 443 accept

For me, the syntax is easier to do it this way.

Code:
sudo firewall-cmd --zone=public --add-port=443/tcp --source=192.168.1.100 --perm

One advantage to ufw and nftables over firewall-cmd, is you don't have to "reload" the service
after adding or changing a rule. With firewall-cmd, you have to...

Code:
sudo firewall-cmd --reload

or reboot,
 
UFW for me as well
 
What are zones?

Mostly a way to "group" things.
I have a server with 5 interfaces, I only use two of them for https access.
So, I can put two interfaces in a group and put 3 in another group.
I can put source IPs, destination IPs, and services ports in a "zone" as well.

The advantage is, instead of trying to remember what interfaces go with services, and what ports and IPs I want to allow traffic to, I just put all that in a "zone" and assign the rule to the zone.

There is a GUI for firewall-cmd, but I think maybe it's just called "firewall".

1720632362748.png
 
Last edited:
Mostly a way to "group" things.
I have a server with 5 interfaces, I only use two of them for https access.
So, I can put two interfaces in a group and put 3 in another group.
I can put source IPs, destination IPs, and services ports in a "zone" as well.

The advantage is, instead of trying to remember what interfaces go with services, and what IPs I want to allow traffic to, I
just put all that in a "zone" and assign the rule to the zone.

There is a GUI for firewall-cmd, but I think maybe it's just called "firewall".
That sounds useful. Is firewall-cmd the same as firewalld? From looking it up online it looks like firewalld is the GUI for firewall-cmd?
 
That sounds useful. Is firewall-cmd the same as firewalld? From looking it up online it looks like firewalld is the GUI for firewall-cmd?

firewalld is the service, that firewall-cmd is the CLI front end for.
The firewall GUI is the GUI that runs firewall-cmd commands in the background.

I'm pretty sure gufw works the same way, it just runs ufw commands in the background.
 
I'm never entirely sure WHAT we use in Puppy. I believe it's a Puppy-modified version of a finer-grained build that Eric Hameleers ('AlienBob') put together for Slackware a few years ago, based on the older linux-firewall.

I know it definitely uses iptables as its backend, though.


Mike. ;)
 
Last edited:
sudo firewall-cmd --reload
After changing or adding a rule "sudo ufw reload" does the same thing. The command "sudo ufw status verbose" will let you see he changes made.

Will look into firewall -cmd though. For the sake of trying new things since that is what the freedom of Linux is all about.
 
I'm never entirely sure WHAT we use in Puppy. I believe it's a Puppy-modified version of a finer-grained build that Eric Hameleers ('AlienBob') put together for Slackware a few years ago, based on the older linux-firewall.

I know it definitely uses iptables as its backend, though.


Mike. ;)
Yeah, I always wondered about that too. :D
 
After changing or adding a rule "sudo ufw reload" does the same thing. The command "sudo ufw status verbose" will let you see he changes made.

Will look into firewall -cmd though. For the sake of trying new things since that is what the freedom of Linux is all about.
Also looks like firewall-cmd has good documentation.

 
I'm never entirely sure WHAT we use in Puppy. I believe it's a Puppy-modified version of a finer-grained build that Eric Hameleers ('AlienBob') put together for Slackware a few years ago, based on the older linux-firewall.

I know it definitely uses iptables as its backend, though.


Mike. ;)
That's the one used in Easy OS also and it's never let anything in.
 
I Enable the Firewall that comes with Mint Cinnamon.
1720658837817.gif
 
That's the one used in Easy OS also and it's never let anything in.
I've had 10+ yrs of safe computing with Puppy, so it shows there's something to be said for it. And the Puppy model is that all incoming ports are closed by default; if you want to set up exceptions for anything, you have to actually make the effort to do so.

Setting-up the firewall is a built-in part of the first-run set-up routine anyway, so you can't really avoid it. By running the firewall set-up routine - even if you accept the default configuration as-is - it then permits internet usage. If you don't follow it through, internet usage is blocked.....unless you go into it later, and THEN set it up.

It's never given me any problems, either. Anybody coming to Puppy from other distros, who has only ever used ufw/gufw, will find it "different" for sure.....but it's not hard to get used to, and the GUI is pretty straightforward.


Mike. ;)
 


Top