How to manage your Linux firewall the easy way – without touching the terminal

Jack Wallen / Elyse Betters Picaro / ZDNET



ZDNET key takeaways

  • Linux firewalls can be very complicated.
  • With the help of a GUI, firewall configuration is easier.
  • These GUIs are easy to install and free to use.

A firewall is often the heart and soul of desktop security. 

With a firewall, you can block or allow traffic in and/or out of your computer. Of course, it’s the incoming traffic that you need to be most concerned about. You don’t want some ne’er-do-well to see port 25 open on your PC and use it as a way to get into your system and do bad things. To that end, your firewall is the way you shut those ports down.


Back in the old days, the Linux firewall was a very complicated piece of the puzzle. To use a Linux firewall in those early days, you had to learn the very complicated iptables system. Suffice it to say, that was not easy. I always had to keep copious notes on how to use iptables, and sometimes it even stumped me.

Fortunately, as Linux evolved, firewalls became considerably easier. With the likes of UFW (Uncomplicated Firewall) and firewalld, there’s no reason to even bother with iptables on the desktop. Both of those modern takes on the firewall (which actually act as intermediaries for iptables) offer simplified command-line usage.

Oh, wait… did I just say “command-line” like it’s a good thing? Let me walk that back a bit. Both of those modern takes on the firewall also have GUI apps that make using them even easier.


I want to introduce you to two different firewall GUIs: one for UFW (the default firewall for Ubuntu-based distributions) and one for firewalld (the default firewall for Fedora-based distributions).

GUFW

GUFW is the most popular GUI for UFW and is the ideal option for beginners. Although GUFW isn’t always installed by default, it can be found in your distribution’s app store, so it can be added with a single click. Once you’ve installed it, you might even find that your firewall is disabled (gasp!).

Yikes! The Ubuntu firewall is disabled by default. Enable it asap.

Jack Wallen/ZDNET

Thankfully, GUFW makes managing your firewall very easy. To enable the firewall, click the On/Off slider for Status, type your user password when prompted, and the firewall is enabled.

As you can see, once you enable the firewall, there are no rules, which means nothing can get in. That’s a good thing. If you were to try and secure shell into that firewall-enabled desktop, you wouldn’t be allowed. But what if you want to allow SSH traffic through? If that’s the case, you need to add a rule to the firewall, and GUFW makes that easy.


Click + at the bottom left of the window. In the resulting window, leave all of the defaults, type SSH in the field under Application, and make sure to select the SSH option. Click Add, and you’re done. The default SSH port (22) is now open to allow traffic into the machine.

The Advanced tab doesn’t take advanced skills to use.


You can further customize those rules by selecting the Advanced tab in the Add a Firewall Rule window. In this tab, you can select an interface, define an alternative port for SSH (if you’ve configured SSH to use a non-standard port), specify a From IP address (or range of addresses) the rule will apply to, and enable logging.
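To confirm that a From restriction set in the Advanced tab actually took effect, the check below (an added example, not part of the original article) reads `ufw status` output and lists every ALLOW rule still open to any source address. The function name and the sample status text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): list UFW rules that accept
# traffic from any source address, reading `ufw status` text on stdin.

# Prints the "To" column of each ALLOW rule whose "From" column is Anywhere.
# Returns 2 if the firewall is inactive, 1 if such rules exist, 0 otherwise.
ufw_world_open() {
    awk '
        /^Status: inactive/ { inactive = 1 }
        /[ \t]ALLOW( IN)?[ \t]+Anywhere/ {
            to = $0
            sub(/[ \t]+ALLOW.*$/, "", to)   # keep only the "To" column
            print to
            found = 1
        }
        END { if (inactive) exit 2; if (found) exit 1; exit 0 }
    '
}

# Constructed sample of `ufw status` output: SSH limited to a LAN range via the
# Advanced tab "From" field, plus one rule left open to every address.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
8080/tcp                   ALLOW       Anywhere
8080/tcp (v6)              ALLOW       Anywhere (v6)'

# On a live system: sudo ufw status | ufw_world_open
printf '%s\n' "$SAMPLE_STATUS" | ufw_world_open || true
```

The SSH rule does not appear in the output because its From column is a specific range; only the two 8080/tcp rules are reported.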

GUFW is easy enough for anyone to be able to control their firewall.

Firewall-Config

Firewall-Config is the GUI for firewalld on Fedora-based distributions. Like GUFW, this app isn’t installed by default, but you can add it from within your distribution’s app store by searching for firewall-config.

Now, Firewall-Config isn’t nearly as easy to use as GUFW, but it’s certainly easier than learning the ins and outs of the firewall-cmd command. Once installed, open Firewall-Config. You’ll be prompted for your user’s password before it opens.


From the main window, you’ll see a lot of tabs, including Zones, Services, IPSets, Ports, Protocols, etc. That could certainly be intimidating to users who aren’t accustomed to dealing with firewalls.

Let me simplify it for you. Say you want to permanently allow SSH traffic into the desktop machine. For that, do the following:

  • Select Permanent from the Configuration drop-down.
  • Click the Services tab (the upper one).
  • Scroll down until you find SSH and double-click the entry.
  • Click Options > Reload Firewall.

The Firewalld GUI is a bit more challenging than GUFW.


At this point, you should be able to SSH into that machine for the current zone. 
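The Permanent setting and the Reload Firewall step matter because firewalld keeps two rule sets: the runtime one that is filtering traffic now and the permanent one that is loaded on reload or reboot. The following added example (not from the original article) compares the two service lists and reports the difference; the function name and sample lists are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): compare firewalld's runtime and
# permanent service lists to see what a reload or reboot would change.

# Usage: fw_service_drift "<runtime services>" "<permanent services>"
# Each argument is a space-separated list, as printed by
#   firewall-cmd --zone=ZONE --list-services              (runtime)
#   firewall-cmd --permanent --zone=ZONE --list-services  (permanent)
fw_service_drift() {
    runtime=$1 permanent=$2
    for svc in $runtime; do
        case " $permanent " in
            *" $svc "*) ;;
            *) echo "runtime-only (lost on reload): $svc" ;;
        esac
    done
    for svc in $permanent; do
        case " $runtime " in
            *" $svc "*) ;;
            *) echo "permanent-only (inactive until reload): $svc" ;;
        esac
    done
}

# Constructed sample: ssh was added under Configuration > Permanent but the
# firewall has not been reloaded yet; samba-client was added to Runtime only.
SAMPLE_RUNTIME="dhcpv6-client mdns samba-client"
SAMPLE_PERMANENT="dhcpv6-client mdns ssh"

fw_service_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

Empty output means the running firewall matches what will be loaded after the next reload.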

As I mentioned, Firewalld is a bit more complicated than UFW because you have to deal with so many more options, such as Zones. A zone defines a level of trust for a network connection, an interface, and a source address. For example, you can configure the home zone (your internal LAN) to allow incoming traffic from a specific IP address or range of IP addresses, and then you can configure specific services to be allowed. At the same time, you can configure the public zone to not allow any traffic in.

You can select a zone from the list and even set the default zone. Out of the box, the default zone is FedoraWorkstation, which rejects unsolicited incoming packets from ports 1 to 1024 (except for select services that you can add).

It can get very complicated. If you’d like an easier means of managing the firewall on Fedora-based distributions, turn to…

Cockpit

Cockpit is a web-based GUI and is available for Fedora and Ubuntu-based distributions. On Fedora distributions, Cockpit is typically installed by default and includes a Network module that allows you to edit firewall rules.


Before you do this, you have to first enable Cockpit with the command:

sudo systemctl enable --now cockpit.socket

Once you’ve done that, point your browser to http://localhost:9090. You’ll be prompted to log in with your user/password. Once you’ve done that, give yourself admin access by clicking the Administrative Access button near the top.

Cockpit makes working with your firewall a bit easier.


With admin access, click Networking and then click “Edit rules and zones.” You can then add services (such as SSH) by clicking “Add services” associated with a specific zone.

You don’t have all the bells & whistles found in Firewall-Config, but Cockpit should be less intimidating.


The Cockpit take on Firewalld isn’t nearly as flexible as Firewall-Config, but it’s also somewhat easier to use.

Although firewalld (and its associated GUIs) might not be nearly as easy as UFW (and its associated GUIs), once you get the hang of zones, you shouldn’t have any trouble using these tools.
