Yes, You Need A Firewall On Linux - Here's Why And Which To Use


ZDNET's key takeaways

  • Linux is highly secure, but you should still have a firewall.
  • You should know if your ISP's hardware (gateway) uses a firewall.
  • One of the easiest Linux firewalls is UFW and its GUI sidekick, GUFW.

I've been using Linux for about 30 years. Over those years, I've experienced only one security issue (a rootkit on a server I inherited). The reason for that is Linux's heightened security. Out of the box, it includes a tight permissions system and security mechanisms (such as AppArmor and SELinux) that do an amazing job of locking down the operating system.

But what about the firewall? You know about firewalls, especially if you've used Windows (because Microsoft's OS has always depended on them). And before you think it, no matter how secure your web browser is, it's not enough.


Almost every Linux distribution ships with a firewall that is ready to use. Oddly enough, however, some distributions ship with the firewall disabled.

That seems counterintuitive for an operating system that hangs its hat on security.

The big question you may ask is, "Does Linux even need a firewall?"

Before answering that question, I'll ask you some questions:

  • Is your Linux machine on a home network?
  • Does your home network have a router that includes a firewall?
  • Is your router regularly updated?
  • If your home network has a router with a firewall, are there any ports open?
  • Do you have sensitive data on your computer?

You might not know the answers to those questions, which means you might have to contact your ISP and ask them about the hardware in use. For example, AT&T Fiber does include a firewall on its gateway hardware. Comcast's Xfinity gateways also include a firewall.


If you know your ISP hardware includes a firewall, the need for a firewall on your Linux machines is less pressing than otherwise.

But does that mean you should forget about the firewall?

I say, no.

I say, the more security, the better.

For example, your ISP's gateway goes without updates, which could leave it vulnerable to attacks. Some ne'er-do-well figures out what gateway you're using, breaks through its unpatched defenses, and has access to your network. If your Linux machine isn't protected via a firewall, that bad actor could access the machine through an open port and have at the data it contains.

You don't want that.

Ergo… firewall.

But which one should you use?

Different distributions ship with different firewalls. For example, Ubuntu (and those based on Ubuntu) ship with Uncomplicated Firewall (UFW), whereas Fedora (and those based on Fedora) ship with firewalld. Although both are solid options, I give the nod to UFW because it's so easy to use. And if you don't want to use the command line, there are GUI apps you can install to control UFW.


Even from the command line, UFW is easy. To enable it, issue the command:

sudo ufw enable

Once enabled, all ports are closed, and accessing your machine is made exponentially more challenging. Let's say, however, that you regularly use SSH to access that machine from your LAN. For that, you could issue the command:

sudo ufw allow ssh

Or maybe you want to only allow SSH from a single IP address within your LAN, which can be done with:

sudo ufw allow from IP_ADDRESS to any port 22 proto tcp

Where IP_ADDRESS is the address of the machine you want to let in.
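
To check that the UFW commands above did what you intended, here is an added example (not from the original article) that parses the text printed by `sudo ufw status verbose` and flags an inactive firewall, a default incoming policy other than deny, or SSH open to any address. The sample outputs and the address 192.168.1.50 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the text printed by `sudo ufw status verbose`.
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
audit_ufw() {
    awk '
        /^Status:/  { active = ($2 == "active") }
        /^Default:/ { deny_in = ($0 ~ /(deny|reject) \(incoming\)/) }
        # Rule rows look like "<to> ALLOW IN <from>"; inspect port 22 rows.
        /ALLOW/ && $1 ~ /^22(\/tcp)?$/ {
            from = $0
            sub(/.*ALLOW( IN)?[ \t]+/, "", from)
            if (from ~ /^Anywhere/) open_ssh = 1
        }
        END {
            if (!active)  { print "FAIL firewall is not active"; exit 1 }
            if (!deny_in) { print "FAIL default incoming policy is not deny"; bad = 1 }
            if (open_ssh) { print "WARN SSH (22) is allowed from any address"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: status after `sudo ufw allow ssh`.
sample_open() { cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Constructed sample: status after the single-source rule (made-up LAN address).
sample_restricted() { cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.1.50
EOF
}

sample_open | audit_ufw || echo "-> tighten the SSH rule"
sample_restricted | audit_ufw && echo "OK: SSH limited to one source"
# On a real machine: sudo ufw status verbose | audit_ufw
```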

Those same actions with firewalld look like this:

sudo firewall-cmd --zone=public --permanent --add-service=ssh

Or

sudo firewall-cmd --permanent --add-source=IP_ADDRESS --zone=drop
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
sudo firewall-cmd --list-all --zone=drop
sudo firewall-cmd --list-all

Where IP_ADDRESS is the address of the machine you want to let in.

Obviously, UFW is the easier tool, and I would always recommend it over firewalld for those who are just getting into Linux.

And if you want a GUI for UFW, try GUFW (which can be installed from your GUI app store).

In the end, the answers to the questions are simple:

  • Do you need a firewall on Linux? - yes
  • Which one should you use? - UFW

Understand that if you want to use UFW on Fedora-based systems, you must install it. To do that, issue the following commands:

sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo dnf remove firewalld
sudo dnf install ufw
sudo ufw enable

You now have UFW running on your Fedora-based distribution.

With a firewall active, your Linux machine will be better protected, should someone get around the defenses of your ISP's hardware. As always, it's better to be safe than sorry.
