A firewall has become an essential piece of software in the modern world of interconnected devices. It sits between your device and the internet, controlling the traffic that goes in and out.
Linux has its own robust firewall implementation built into the kernel, named Netfilter. Netfilter offers functions and operations for packet filtering, network address translation and port translation, which in turn power firewall software.
Linux has only one firewall: iptables, which is a part of Netfilter. You won't find any other firewall to replace iptables, just different applications and GUIs that make it easier to work with. One can safely say that iptables is the Linux firewall.
Becoming proficient in iptables takes time, and getting started with Netfilter firewalling using only iptables can be a daunting task. Ubuntu, one of the most popular Linux distributions, includes iptables (of course) and the ufw (Uncomplicated Firewall) configuration tool right out of the box. By default, ufw is disabled.
In this article, we will show you a few firewall configuration tools for Ubuntu, besides
firewalld is a netfilter front-end that uses nftables instead of iptables as the underlying engine.
nftables replaces the legacy iptables portions of Netfilter. Among the advantages of iptables are less code duplication and easier extension to new protocols.
Previously, firewalld depended on iptables for most of its functionality.
firewalld is written in Python and ships by default on most RHEL-based distributions, including Fedora, Red Hat Enterprise Linux, OpenSUSE and SUSE Linux Enterprise. Ubuntu/Debian users can also install firewalld as an additional package using
sudo apt-get install firewalld
Shorewall is an open source firewall tool for Linux that leverages the power of iptables and makes it easier to create and manage complex configurations, using text files with a high level of abstraction for describing rules.
Shorewall is a well-designed, well-documented program that lets you implement a robust firewall solution without ever touching iptables. If you're looking for a network firewall, using Shorewall will save you hours of configuring iptables. But if you're hoping to find a personal computer firewall, gufw may be a better solution.
Shorewall was written in Perl by Thomas M. Eastep, who has spent over 20 years developing and maintaining it.
I personally went from no prior knowledge whatsoever to implementing the final solution seamlessly after following along with the documentation; not much trial and error was involved.
All I can say is that it's a mature and production-ready piece of software that makes network firewalling seem easier.
Gufw (Graphical UFW) is a graphical user interface for UFW. It is intended to be an intuitive, simple and user-friendly application.
Gufw supports common tasks such as allowing or blocking pre-configured, common P2P, or individual ports.
Gufw was created specifically for Ubuntu, but is also available on Debian-based distributions, Arch Linux and any other distro that runs Python, GTK and UFW.
FireHOL is a firewall configuration tool for generating iptables rules. It allows users to build secure, stateful firewalls from easy-to-understand, human-readable configurations through its abstract, extensible configuration language. The configurations stay readable even for very complex setups.
FireHOL handles firewalls protecting one host on all its interfaces and any combination of stateful firewalls routing traffic from one interface to another. There are no limitations on the number of interfaces or on the number of routes.
FireHOL supports a wide range of single-socket protocols, such as HTTP, NNTP, SMTP, POP3, IMAP4, RADIUS, SSH, LDAP, MySQL, Telnet, NTP, DNS, etc. If something is not supported, you can add a service and define it yourself.
Users who need QoS for traffic shaping can use FireQOS, a simple companion tool of FireHOL. FireQOS is not a daemon and does not need to run continuously to apply traffic shaping.
ferm – for Easy Rule Making
ferm is a tool for maintaining complex firewalls without the trouble of rewriting complex rules over and over again.
ferm allows the entire firewall rule set to be stored in a separate file and loaded with one command. The configuration resembles a structured programming language, with nested levels and lists.
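As an added illustration (not text from the article or a file shipped by the ferm project), here is a hypothetical /etc/ferm/ferm.conf for a single host that shows the nesting and list syntax described above; the admin network addresses are constructed examples.

```ferm
# Hypothetical /etc/ferm/ferm.conf for a single non-routing host (constructed example)
# Lists and variables keep the rule set short; a nested block applies its
# match (e.g. "proto tcp") to every rule inside it.
@def $ADMIN_NETS = (192.0.2.0/24 198.51.100.7);   # constructed documentation addresses
@def $WEB_PORTS  = (http https);                   # service names resolve via /etc/services

domain ip table filter {
    chain INPUT {
        policy DROP;                               # default deny inbound

        # drop malformed or out-of-state packets before anything else
        mod conntrack ctstate INVALID DROP;
        # allow replies to connections this host opened
        mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
        # loopback traffic is always allowed
        interface lo ACCEPT;

        # everything inside this block is already matched on proto tcp
        proto tcp {
            # SSH only from the admin networks listed above
            dport ssh saddr $ADMIN_NETS ACCEPT;
            # public web services, one rule per port in the list
            dport $WEB_PORTS ACCEPT;
        }

        # ping is useful for diagnostics, but rate-limit it
        proto icmp icmp-type echo-request mod limit limit 10/second ACCEPT;
    }

    # this host does not route, so never forward
    chain FORWARD policy DROP;
    # outbound traffic is allowed
    chain OUTPUT policy ACCEPT;
}
```

Loading it with `ferm /etc/ferm/ferm.conf` expands each list into separate iptables rules, and `ferm --noexec` prints the generated iptables commands without applying them, which is a handy way to review what a change will do.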
fwbuilder, short for Firewall Builder, is a graphical firewall management and configuration program for iptables. In addition to that, it also supports a wide range of other platforms, such as PF, Cisco ASA/PIX/FWSM, Cisco router ACLs, FreeBSD ipfw and ipfilter, etc.
Instead of having to type firewall commands, Firewall Builder allows you to create firewall rules with user-defined objects. After an object is created, for example an IP address representing an e-mail server, that object can be used in rules on all your firewalls. The search function makes it easy to find everywhere an object is used.
fwbuilder's Rules Validation feature analyzes the configured firewall rules to identify possible compatibility problems and conflicts in the rules, warning you ahead of time.
The built-in rules compiler generates platform-specific firewall commands. The compiler understands the differences between types of firewalls and software versions, ensuring it generates the right commands for each firewall platform. In addition, firewall configuration data is stored in a central file that can scale to hundreds of firewalls managed from a single UI.