Lab 94: Configuring the Linux Firewall

Configure a host firewall to allow only required services while keeping a deny-by-default inbound posture. Apply policy with UFW (Debian/Ubuntu) or firewalld (RHEL/Fedora) and verify what is actually enforced.

Tags: security, networking, hardening

Scenario

You are standardizing host firewall configuration. The system must allow SSH for administration and HTTP for a web service, deny other unsolicited inbound traffic, and support quickly blocking a hostile IPv4 address. You will implement the policy using UFW or firewalld based on distro, then verify rules and startup behavior.

Operator context

Firewall changes can lock you out. Confirm you have console access or an out-of-band path before enforcing restrictive inbound defaults on remote hosts.

Objective

  • Install the firewall tooling for your distro.
  • Enable the firewall and ensure it persists at boot.
  • Allow inbound SSH and HTTP explicitly.
  • Set a restrictive inbound default policy.
  • Reload or apply rules and inspect the active ruleset.
  • Block a specific IPv4 address.
  • Remove a previously added rule and confirm state.

Concepts

  • Deny by default: allow only what you explicitly need on inbound traffic.
  • Runtime vs permanent state: firewalld can differ between what is active now and what persists across reboots.
  • Services and zones: firewalld services map to ports and protocols, and zones apply policy based on interface or source.
  • Safe change sequencing: add SSH allow rules before enabling strict inbound policy on remote systems.

Walkthrough

Step 1: Install the firewall package.
Commands
# UFW (Debian/Ubuntu)
sudo apt install ufw -y
# OR (Arch)
sudo pacman -S ufw

# firewalld (RHEL/Fedora)
sudo dnf install firewalld -y

Install the tooling that matches the host OS family. Do not run UFW commands on a host where you are standardizing on firewalld and vice versa.

# Expected pattern:
Package installs successfully (or reports already installed).
Step 2: Enable the firewall service.
Commands
# UFW
sudo ufw enable

# firewalld
sudo systemctl enable --now firewalld

This turns on policy enforcement. On remote systems, it is safest to add SSH allow rules before enabling strict inbound defaults.

# Expected pattern:
Firewall enables successfully.
Step 3: Allow inbound SSH.
Commands
# UFW
sudo ufw allow OpenSSH

# firewalld
sudo firewall-cmd --permanent --add-service=ssh

This is the do-not-lock-yourself-out rule. firewalld services map to ports and protocols using predefined service definitions.

# Expected pattern:
Rule added successfully.
Step 4: Allow inbound HTTP.
Commands
# UFW
sudo ufw allow http

# firewalld
sudo firewall-cmd --permanent --add-service=http

This permits inbound traffic for the HTTP service (TCP port 80). If you are also serving HTTPS, allow https the same way.

# Expected pattern:
Rule added successfully.
Step 5: Set a deny-by-default inbound posture.
Commands
# UFW
sudo ufw default deny incoming

# firewalld (set default zone example)
sudo firewall-cmd --set-default-zone=public

With UFW, you explicitly set the inbound default behavior. With firewalld, the zone an interface or source belongs to decides the policy: the public zone accepts only the services added to it and rejects other unsolicited inbound traffic. Avoid setting the global default zone to drop unless you are confident your SSH access path is accounted for.

# Expected pattern:
Default policy updated successfully.
Step 6: Reload or apply changes.
Commands
# UFW
sudo ufw reload

# firewalld
sudo firewall-cmd --reload

firewalld permanent changes require a reload to become active unless you also modify the runtime configuration.

# Expected pattern:
Reload completes successfully.
Step 7: Inspect the active ruleset.
Commands
# UFW
sudo ufw status verbose

# firewalld
sudo firewall-cmd --list-all

Confirm SSH and HTTP are allowed and the default posture matches your intent.

Step 8: Block a hostile IPv4 address.
Commands
# UFW
sudo ufw deny from 203.0.113.10

# firewalld (rich rule)
sudo firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=203.0.113.10 reject"

Use targeted blocks to stop abusive sources without changing overall service policy. Rich rules provide expressive match-and-action controls.

Step 9: Remove a rule (example: HTTP allow).
Commands
# UFW
sudo ufw delete allow http

# firewalld
sudo firewall-cmd --permanent --remove-service=http

After removal, reload and re-check active state to confirm the effective ruleset matches the new requirement.

Step 10: Confirm service enablement at boot.
Commands
sudo systemctl is-enabled ufw
# OR
sudo systemctl is-enabled firewalld

An output of "enabled" means the unit will start on boot. If it reports "disabled", the policy will not be enforced after a restart even though it is active now.

# Expected pattern:
enabled

Common breakpoints

SSH lockout risk

If you enforce a deny-by-default inbound policy before allowing SSH, you can lose remote access. Add SSH allow rules first and confirm connectivity in another session before tightening defaults.

firewalld shows missing rules

If you added rules with --permanent but did not reload, they will not show in runtime state. Run firewall-cmd --reload and re-check.

Wrong zone assumptions

firewalld rules apply to a zone. If your interface is bound to a different zone than you expect, your service rules may not take effect. Verify with firewall-cmd --get-active-zones.

Rule order and expectations

Targeted blocks should be tested after adding allow rules. UFW evaluates rules in the order they were added, so a deny for a source that is appended after an allow for a port does not stop that source on that port; ufw insert 1 deny from <ip> places the block ahead of the allow rules. Confirm the blocked IP is actually the source you see in logs and that you are blocking in the correct zone or scope.
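The following script is an added example and is not part of the lab or of the ufw/firewalld projects. It turns the "verify what is actually enforced" step into checks: it parses the output of the Step 7 inspection commands (ufw status verbose, firewall-cmd --list-all) to confirm that the firewall is active, inbound defaults to deny, SSH and HTTP are allowed and the hostile address is blocked, and it detects the firewalld permanent-versus-runtime drift described under "firewalld shows missing rules" by comparing firewall-cmd --list-services with firewall-cmd --permanent --list-services. The function names and the sample outputs embedded at the bottom are constructed for this example; run it with --live as root on a real host to check the live state.

```shell
#!/bin/sh
# Added example (not the lab's own code): verify the enforced host firewall
# policy by parsing inspection output, and detect firewalld permanent/runtime
# drift. Sample outputs below are constructed, not captured from a real host.

# ---------------- UFW ----------------
# ufw_policy_ok TEXT  (TEXT = output of `ufw status verbose`)
#   0 = active, inbound default deny, SSH and HTTP allowed
#   1 = firewall inactive   2 = inbound default is not deny
#   3 = no SSH allow rule   4 = no HTTP allow rule
ufw_policy_ok() {
    printf '%s\n' "$1" | grep -q  '^Status: active'             || return 1
    printf '%s\n' "$1" | grep -q  'Default: deny (incoming)'     || return 2
    printf '%s\n' "$1" | grep -Eq '^(22/tcp|OpenSSH).*ALLOW IN'  || return 3
    printf '%s\n' "$1" | grep -Eq '^80/tcp.*ALLOW IN'            || return 4
}

# ufw_blocks_ip TEXT IP: 0 when a "DENY IN" rule for exactly IP is present
ufw_blocks_ip() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep
    printf '%s\n' "$1" | grep -Eq "DENY IN[[:space:]]+${ip_re}([[:space:]]|\$)"
}

# ---------------- firewalld ----------------
# fw_has_service TEXT NAME: 0 when NAME is on the "services:" line of
# `firewall-cmd --list-all` (whole-word match, so "ssh" != "sshd")
fw_has_service() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -qx "$2"
}

# fw_blocks_ip TEXT IP: 0 when a reject rich rule for IP is listed
fw_blocks_ip() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q "source address=\"${ip_re}\" reject"
}

# firewalld_policy_ok TEXT  (TEXT = output of `firewall-cmd --list-all`)
#   0 = zone active, target not ACCEPT (deny-by-default), ssh and http present
#   1 = zone not active   2 = zone target ACCEPT   3 = no ssh   4 = no http
firewalld_policy_ok() {
    printf '%s\n' "$1" | head -n 1 | grep -q '(active)'            || return 1
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*target: ACCEPT'; then return 2; fi
    fw_has_service "$1" ssh                                         || return 3
    fw_has_service "$1" http                                        || return 4
}

# firewalld_drift RUNTIME PERMANENT: both are the space-separated lists from
# `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services`.
# Prints services present only in the permanent config (added with --permanent
# but not yet reloaded); returns 1 when any exist. $1/$2 are left unquoted
# on purpose so the shell splits them into words.
firewalld_drift() {
    drift=""
    for svc in $2; do
        printf '%s\n' $1 | grep -qx "$svc" || drift="$drift $svc"
    done
    printf '%s\n' "${drift# }"
    [ -z "$drift" ]
}

# ---------------- constructed samples (not real captures) ----------------
SAMPLE_UFW_OK='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
Anywhere                   DENY IN     203.0.113.10'

SAMPLE_UFW_OPEN='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere'

SAMPLE_FWD_OK='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http ssh
  ports:
  rich rules:
        rule family="ipv4" source address="203.0.113.10" reject'
SAMPLE_FWD_RUNTIME='dhcpv6-client ssh'        # http added with --permanent ...
SAMPLE_FWD_PERMANENT='dhcpv6-client http ssh' # ... but no reload yet

if [ "${1:-}" = "--live" ]; then
    # Run as root on the host; uses whichever tool is installed.
    if command -v ufw >/dev/null 2>&1; then
        rc=0; ufw_policy_ok "$(ufw status verbose)" || rc=$?
        echo "ufw policy check rc=$rc (0 ok, 1 inactive, 2 default not deny, 3 no ssh, 4 no http)"
    elif command -v firewall-cmd >/dev/null 2>&1; then
        rc=0; firewalld_policy_ok "$(firewall-cmd --list-all)" || rc=$?
        echo "firewalld policy check rc=$rc (0 ok, 1 zone inactive, 2 target ACCEPT, 3 no ssh, 4 no http)"
        echo "permanent-only services: $(firewalld_drift "$(firewall-cmd --list-services)" \
                                          "$(firewall-cmd --permanent --list-services)" || true)"
    fi
else
    rc=0; ufw_policy_ok "$SAMPLE_UFW_OK"   || rc=$?; echo "sample ufw (correct):  rc=$rc"
    rc=0; ufw_policy_ok "$SAMPLE_UFW_OPEN" || rc=$?; echo "sample ufw (open):     rc=$rc"
    rc=0; firewalld_policy_ok "$SAMPLE_FWD_OK" || rc=$?; echo "sample firewalld:      rc=$rc"
    echo "permanent-only services: $(firewalld_drift "$SAMPLE_FWD_RUNTIME" "$SAMPLE_FWD_PERMANENT" || true)"
fi
```

Without arguments the script exercises the checks against the constructed samples; the open sample fails with code 2 because its inbound default is allow, and the drift check reports http as permanent-only, which is exactly the "added with --permanent but not reloaded" state. The return codes are deliberately distinct so a configuration-management run can tell an inactive firewall from a missing allow rule.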

Cleanup

If this is a learning VM and you do not want firewall policy to persist, remove the rules you added and optionally disable the firewall service.

Commands
# UFW (example rollback)
sudo ufw delete allow OpenSSH
sudo ufw delete allow http
sudo ufw delete deny from 203.0.113.10
sudo ufw disable

# firewalld (example rollback)
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --permanent --remove-rich-rule="rule family=ipv4 source address=203.0.113.10 reject"
sudo firewall-cmd --reload
sudo systemctl disable --now firewalld

Reference

  • ufw : Host firewall management (simple front-end).
    • enable : Turns on enforcement.
    • allow <service> : Allows inbound traffic for a service.
    • default deny incoming : Sets inbound default policy.
    • status verbose : Shows active policy and rules.
    • delete : Removes a previously added rule.
    • reload : Reloads current policy.
  • firewall-cmd : firewalld management CLI.
    • --permanent : Writes changes to persistent configuration.
    • --add-service=<name> : Allows a predefined service in the active zone.
    • --remove-service=<name> : Removes a predefined service.
    • --reload : Applies permanent rules to runtime state.
    • --list-all : Shows active zone settings and rules.
    • --add-rich-rule="..." : Adds a rich rule (source matching, reject, etc).
    • --remove-rich-rule="..." : Removes a rich rule.
    • --get-active-zones : Lists zones in use and attached interfaces.
  • systemctl : Service manager for enabling and checking persistence.
    • enable --now <unit> : Enables at boot and starts immediately.
    • disable --now <unit> : Disables at boot and stops immediately.
    • is-enabled <unit> : Shows whether a service is enabled at boot.