# Firewall cheatsheet intro
by Seth Kenlon

A sensible firewall is your computer's first line of defense against network intrusion.
When you're at home, you're probably behind a firewall built into the router supplied to you by your Internet service provider.
When you're away from home, though, the only firewall you have is the one running on your computer, so it's important to configure and control the firewall on your Linux computer.
If you run a Linux server, it's just as important to know how to manage your firewall so you can effectively protect it from unwanted traffic both locally and remotely.

## Install a firewall

Many Linux distributions ship with a firewall already installed.
Traditionally, the default firewall was called ``iptables``.
It was extremely effective and customizable, but it can be complex to configure.
Luckily, there have been several front-ends developed to help users control their firewall without writing lengthy ``iptables`` rules.

On Fedora, CentOS, Red Hat, and similar distributions, the firewall software installed by default is ``firewalld``, which is configured and controlled with the ``firewall-cmd`` command.
On Debian and most other distributions, ``firewalld`` is available to install from your software repository.
Ubuntu ships with the Uncomplicated Firewall (``ufw``), so to use firewalld, you must enable the ``universe`` repository:

```
$ sudo add-apt-repository universe
$ sudo apt install firewalld
```

You must also deactivate ``ufw``:

```
$ sudo systemctl disable ufw
```

There's no reason *not* to use ``ufw``.
It's an excellent firewall front-end.
However, this article is written for ``firewalld`` because of its wide availability and integration into systemd, which is shipped with nearly every distribution.

Regardless of your distribution, for a firewall to be effective, it must be active, and it should be loaded at boot time:

```
$ sudo systemctl enable --now firewalld
```

## Understanding firewall zones

``Firewalld`` aims to make firewall configuration as simple as possible.
It does this by establishing *zones*.
A zone is a set of sensible, common rules that suit the everyday needs of most users.
There are nine by default:

### trusted

All network connections are accepted.
This is the least paranoid firewall setting and should only be used in a trusted environment, such as a test lab or in a family home where everyone on the local network is known to be friendly.

### home, work, internal

In these three zones, most incoming connections are accepted.
They each exclude traffic on ports that usually expect no activity.
Any one of them is a reasonable setting for use in a home setting where there is no reason to expect network traffic to obscure ports, and you generally trust the other users on the network.

### public

For use in public areas.
This is a paranoid setting, intended for times when you do not trust other computers on the network.
Only selected common and mostly safe incoming connections are accepted.

### dmz

"DMZ" stands for "demilitarized zone".
This zone is intended for computers that are publically accessible, located on the external network of an organization, with limited access to your internal network.
For personal computers, this is usually not a useful zone, but it is an important option for certain types of servers.

### external

For use on external networks with masquerading enabled (meaning that the addresses of your private network are mapped to and hidden behind a public IP address).
Similar to the dmz zone, only selected incoming connections are accepted, including SSH.

### block

All incoming network connections are rejected with an ``icmp-host-prohibited`` message.
Only network connections initiated within this system are possible.
This is an extremely paranoid setting and is an important option for certain types of servers or for personal computers in an untrusted or hostile environment.

### drop

Any and all incoming network packets are dropped with no reply.
Only outgoing network connections are possible.
The only setting more paranoid than this one is turning off your wifi and unplugging your ethernet cable.

You can read about each zone, and any more zones defined by your distribution or sysadmin, by looking at the conifguration files in ``/usr/lib/firewalld/zones``.
For instance, here's the ``FedoraWorkstation`` zone that shipped with Fedora 31:

```
$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
 <short>Fedora Workstation</short>
 <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
 <service name="dhcpv6-client"/>
 <service name="ssh"/>
 <service name="samba-client"/>
 <port protocol="udp" port="1025-65535"/>
 <port protocol="tcp" port="1025-65535"/>
</zone>
```

## Getting your current zone

You can see what zone you're in at any time with the ``--get-active-zones`` option:

```
$ sudo firewall-cmd --get-active-zones
```

In response, you receive the name of the active zone along with the network interface assigned to it.
On a laptop, that usually means you have a wifi card in the default zone.

```
FedoraWorkstation
 interfaces: wlp61s0
```

## Change your current zone

To change your zone, you reassign your network interface to a different zone.
For instance, to change the example ``wlp61s0`` card to the public zone:

```
$ sudo firewall-cmd --change-interface=wlp61s0 \
--zone=public
```

You can change the active zone for an interface any time you please, and for any reason.
Whether you're going out to a café and feel the need to increase the security policy of your laptop, or you're going to work and need to open up some ports to get on the intranet, or any other reason.
The options for ``firewall-cmd`` auto-complete when you press the **Tab** key, so as long as you remember the key words "change" and "zone", you can stumble through the command until you learn it by memory.

## Download the cheatsheet

There's a lot more you can do with your firewall, including customizing existing zones, setting a default zone, and more.
The more comfortable with firewalls you get, the more secure your online activities are, so we've created a cheatsheet for quick and easy reference.
Download it today!

You are viewing proxied material from sdf.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.