A comprehensive guide to managing firewalls
- A firewall is a network security device that monitors and controls incoming and outgoing network traffic
- Firewalls act as a barrier between trusted internal networks and untrusted external networks
- For VPS, firewalls are crucial in protecting against unauthorized access and potential cyber threats
Types of firewall by where they run:
- Network firewalls: operate at the network level and filter traffic between networks
- Host-based firewalls: installed on individual servers or devices to control traffic in and out of a single host

Types of firewall by how they inspect traffic:
- Packet filtering: examines each packet and allows or blocks it based on predefined rules
- Stateful inspection: monitors the state of active connections and makes decisions based on that context
- Application-layer filtering: analyzes specific application-level protocols

Rule directions:
- Inbound rules: control access to your VPS from external sources
- Outbound rules: manage connections initiated from your VPS to external destinations

Rule types:
- Allow rules: permit specific types of traffic
- Deny rules: block specific types of traffic

Best practices:
- Default deny: block all traffic by default, then allow only the connections you need
- Least privilege: grant the minimal access required for each service or user
- Regular review: review rules periodically and keep the firewall software up to date

Firewall tools for a Linux VPS:
- UFW (Uncomplicated Firewall): simple, user-friendly firewall for Ubuntu and Debian-based systems
- FirewallD: dynamic firewall manager for CentOS, Fedora, and RHEL systems
- iptables: powerful, low-level firewall tool available on most Linux distributions

UFW features:
- Simple command-line interface
- Easy to configure and manage
- Suitable for both beginners and advanced users
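Before the command reference, here is how the default-deny and least-privilege practices above translate into one repeatable script. It is an added example, not code from the original guide: it assumes UFW is installed and that it runs with sudo rights, and the `UFW`, `APPLY_BASELINE` and `SSH_PORT` variables and the `ufw_baseline` function are this example's own names. The order matters: the SSH rule is added before the firewall is enabled, so a session run over SSH never loses the ability to reconnect.

```shell
#!/bin/sh
# Added example (not from the guide): apply a default-deny UFW baseline in an
# order that never blocks new SSH sessions, even when run over SSH.
# Every rule goes through $UFW; override it for a dry run that only prints
# the plan:   UFW=echo sh ./ufw_baseline.sh        (file name assumed)
set -e

UFW="${UFW:-sudo ufw}"

# ufw_baseline SSH_PORT [TCP_PORT ...]
ufw_baseline() {
  ssh_port="$1"
  shift
  $UFW --force reset                 # known-empty rule set; --force skips the prompt
  $UFW default deny incoming         # default deny: nothing inbound unless listed below
  $UFW default allow outgoing
  # SSH first, and rate limited (a source that opens 6+ connections in 30 s is
  # blocked), so the 'enable' at the end cannot lock out the administrator.
  $UFW limit "${ssh_port}/tcp" comment 'ssh, rate limited'
  for port in "$@"; do               # least privilege: only the services this host runs
    $UFW allow "${port}/tcp" comment "service on ${port}"
  done
  $UFW logging low                   # log blocked packets for later review
  $UFW --force enable                # last step: SSH is already permitted
}

# Apply only when explicitly requested, so the file can also be sourced.
if [ "${APPLY_BASELINE:-0}" = 1 ]; then
  ufw_baseline "${SSH_PORT:-22}" 80 443
fi
```

Run it once with `UFW=echo` to read the plan, then with `APPLY_BASELINE=1` to apply it; the `--force reset` at the top makes it idempotent, so re-running after editing the port list yields exactly the listed rules and nothing left over from earlier experiments.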
Installation and basic commands:

sudo apt install ufw
sudo ufw enable
sudo ufw disable
sudo ufw status
# or
sudo ufw status verbose
sudo ufw allow PORT/PROTOCOL # protocol is optional
sudo ufw deny PORT/PROTOCOL  # protocol is optional
sudo ufw delete <rule>       # rule number from 'status numbered', or the rule text
sudo ufw status numbered

Basic setup:

# Allow SSH (port 22) first, so enabling the firewall cannot lock out your own session
sudo ufw allow 22/tcp
# Allow HTTP (port 80)
sudo ufw allow 80/tcp
# Allow HTTPS (port 443)
sudo ufw allow 443/tcp
# Enable UFW (default policy: deny incoming, allow outgoing)
sudo ufw enable
# Check status
sudo ufw status

Advanced rules:

# Allow a specific IP address
sudo ufw allow from 192.168.1.100
# Allow a specific IP range to reach MySQL (port 3306)
sudo ufw allow from 192.168.1.0/24 to any port 3306
# Rate limiting (blocks a source that opens 6 or more connections in 30 seconds)
sudo ufw limit 22/tcp
# Deny outgoing traffic to a specific IP range
sudo ufw deny out to 203.0.113.0/24

FirewallD features:
- Runtime and permanent configuration options
- Support for network zones
- Dynamic rule updates without breaking existing connections
- Zones: Sets of rules that specify the traffic allowed based on the level of trust
- Services: Predefined rules for allowing traffic for specific network services
- Ports: Individual port or port range configurations
Basic commands (without --permanent a change applies to the runtime configuration only and is lost on reload or restart; add --permanent and then run --reload to persist it):

sudo firewall-cmd --add-service=<service> # https/ssh/http/ftp etc.
sudo firewall-cmd --remove-service=<service>
sudo firewall-cmd --add-port=<port>/<protocol>
sudo firewall-cmd --remove-port=<port>/<protocol>
sudo firewall-cmd --zone=<zone> --add-service=<service>

Basic setup:

# Start and enable FirewallD
sudo systemctl start firewalld
sudo systemctl enable firewalld
# Allow SSH
sudo firewall-cmd --add-service=ssh --permanent
# Allow HTTP and HTTPS
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
# Reload to apply changes
sudo firewall-cmd --reload

Advanced configuration:

# Create a new zone
sudo firewall-cmd --new-zone=myzone --permanent
# Add a specific IP to the zone
sudo firewall-cmd --zone=myzone --add-source=192.168.1.100 --permanent
# Allow MySQL in the new zone
sudo firewall-cmd --zone=myzone --add-port=3306/tcp --permanent
# Set up port forwarding (port 80 to local port 8080)
sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
# Reload to apply changes
sudo firewall-cmd --reload

Comparing UFW and FirewallD:

Ease of use:
- UFW: Simpler syntax, easier for beginners
- FirewallD: More complex, but offers greater flexibility
Rule management:
- UFW: Straightforward rule management
- FirewallD: Advanced features like zones and runtime configurations
Performance:
- Both offer good performance, with FirewallD having a slight edge in complex setups
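FirewallD's split between runtime and permanent configuration is its most common operational surprise: a `--add-service` without `--permanent` protects the host only until the next reload, and a `--permanent` change does nothing until `--reload` runs. The script below, added here as an example and not part of the original guide, reports both kinds of drift for one zone. `firewalld_drift` compares two space-separated lists offline (the service names in the test are constructed sample data); `firewalld_zone_drift` feeds it the real `firewall-cmd --list-services`, `--list-ports` and `--list-sources` output and therefore needs a host with firewalld. Both function names and the `RUN_LIVE` and `ZONE` variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): report drift between FirewallD's runtime
# and permanent configuration for one zone. Runtime-only entries disappear on
# `firewall-cmd --reload` or a restart; permanent-only entries are not in effect
# until a reload.

# firewalld_drift "RUNTIME_ITEMS" "PERMANENT_ITEMS"
# Pure text comparison of two space-separated lists, so it can be tested offline.
firewalld_drift() {
  awk -v r="$1" -v p="$2" 'BEGIN {
    nr = split(r, ra, " "); np = split(p, pa, " ")
    for (i = 1; i <= nr; i++) R[ra[i]] = 1
    for (i = 1; i <= np; i++) P[pa[i]] = 1
    for (i = 1; i <= nr; i++) if (!(ra[i] in P)) ro = ro " " ra[i]
    for (i = 1; i <= np; i++) if (!(pa[i] in R)) po = po " " pa[i]
    if (ro == "") ro = " (none)"
    if (po == "") po = " (none)"
    printf "runtime-only (lost on reload):%s\n", ro
    printf "permanent-only (inactive until reload):%s\n", po
  }'
}

# firewalld_zone_drift [ZONE] -- runs the real firewall-cmd queries for a zone
# (defaults to the default zone) and prints drift per item kind.
firewalld_zone_drift() {
  zone="${1:-$(firewall-cmd --get-default-zone)}"
  for kind in services ports sources; do
    runtime=$(firewall-cmd --zone="$zone" --list-"$kind")
    permanent=$(firewall-cmd --permanent --zone="$zone" --list-"$kind")
    echo "== $zone/$kind"
    firewalld_drift "$runtime" "$permanent"
  done
}

# Query a live host only when explicitly requested (RUN_LIVE=1 [ZONE=public]).
if [ "${RUN_LIVE:-0}" = 1 ]; then
  firewalld_zone_drift "${ZONE:-}"
fi
```

Anything under "runtime-only" is protection that will silently vanish at the next reload; anything under "permanent-only" is a change an operator believed was active but is not. Either line being non-empty after a change window is worth an alert.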
- Choose the right firewall based on your VPS distribution and needs
- Regularly maintain and update your firewall rules
- Implement logging and monitoring to detect potential security issues
- Always use the principle of least privilege when configuring firewall rules
- Combine firewall protection with other security measures for comprehensive VPS security
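"Review rules periodically" is easier to keep up when the review is a script. The following audit, added here as an example and not part of the original guide, reads `ufw status numbered` output and flags every inbound ALLOW rule that is open to Anywhere on a port outside an expected list, which is the least-privilege check from the practices above. The status text in `SAMPLE_STATUS` is constructed sample data shaped like real UFW output; the default expected ports (22, 80, 443) mirror the guide's basic setup; `audit_ufw_status`, `audit_sample` and `RUN_DEMO` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the guide): audit `ufw status numbered` output for
# inbound ALLOW rules open to Anywhere on ports outside an expected allow-list.
# Against a live host:   sudo ufw status numbered | audit_ufw_status "22 80 443"

# audit_ufw_status [EXPECTED_PORTS]  -- reads status text on stdin, prints each
# offending "To" entry once, exits 1 if anything was found and 0 otherwise.
audit_ufw_status() {
  expected="${1:-22 80 443}"   # ports that are meant to be reachable from anywhere
  # Strip the "[ n]" index so the columns are To / Action / From.
  sed -n 's/^\[ *[0-9][0-9]*\] *//p' | awk -v ok="$expected" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okport[a[i]] = 1 }
    # "ALLOW IN ... Anywhere" covers both the IPv4 and "(v6)" rows. LIMIT rules
    # and rules restricted to a source address or range are fine and skipped.
    /ALLOW IN +Anywhere/ {
      split($1, parts, "/")          # "3306/tcp" -> port 3306
      if (parts[1] in okport) next
      found = 1
      if (!seen[$1]++) print $1
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample output (not captured from a real host) with one
# least-privilege violation: MySQL (3306) open to the world on v4 and v6.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    Anywhere
[ 5] 3306/tcp                   ALLOW IN    192.168.1.0/24
[ 6] Anywhere                   ALLOW IN    192.168.1.100
[ 7] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 8] 3306/tcp (v6)              ALLOW IN    Anywhere (v6)'

# audit_sample -- run the audit over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status; }

if [ "${RUN_DEMO:-0}" = 1 ]; then
  audit_sample || echo "audit: unexpected world-reachable ports found"
fi
```

On the sample, rule 5 (MySQL from the 192.168.1.0/24 range) and rule 6 (everything from one host) pass, because they are source-restricted, while rules 4 and 8 are reported once as `3306/tcp`. Run from cron with the host's real expected-port list, the non-zero exit status is the monitoring hook.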