ZDNET's key takeaways
Linux is highly secure, but you should still have a firewall.
You should know if your ISP's hardware (gateway) uses a firewall.
One of the easiest Linux firewalls is UFW and its GUI sidekick, GUFW.
I've been using Linux for nearly 30 years. Over those years, I've experienced only one security issue (a rootkit on a server I inherited). The reason for that is Linux's heightened security. Out of the box, it includes a tight permissions system and security mechanisms (such as AppArmor and SELinux) that do an amazing job of locking down the operating system.
But what about the firewall? You know about firewalls, especially if you've used Windows (because Microsoft's OS has always depended on them). And before you think it, no matter how secure your web browser is, it's not enough.
Almost every Linux distribution ships with a firewall that is ready to use. Oddly enough, however, some distributions ship with the firewall disabled.
That seems counterintuitive for an operating system that hangs its hat on security.
The big question you may ask is, "Does Linux even need a firewall?"
Before answering that question, I'll ask you some questions:
Is your Linux machine on a home network?
Does your home network have a router that includes a firewall?
Is your router regularly updated?
If your home network has a router with a firewall, are there any ports open?
Do you have sensitive data on your computer?
You might not know the answers to those questions, which means you might have to contact your ISP and ask them about the hardware in use. For example, AT&T Fiber does include a firewall on its gateway hardware. Comcast's Xfinity gateways also include a firewall.
If you know your ISP hardware includes a firewall, the need for a firewall on your Linux machines is less pressing than otherwise.
But does that mean you should forget about the firewall?
I say, no.
I say, the more security, the better.
For example, suppose your ISP's gateway goes without updates, which could leave it vulnerable to attacks. Some ne'er-do-well figures out which gateway you're using, breaks through its unpatched defenses, and gains access to your network. If your Linux machine isn't protected by a firewall, that bad actor could access the machine through an open port and have at the data it contains.
You don't want that.
Ergo… firewall.
But which one should you use?
Different distributions ship with different firewalls. For example, Ubuntu (and distributions based on it) ships with Uncomplicated Firewall (UFW), whereas Fedora (and distributions based on it) ships with firewalld. Although both are solid options, I give the nod to UFW because it's so easy to use. And if you don't want to use the command line, there are GUI apps you can install to control UFW.
Even from the command line, UFW is easy. To enable it, issue the command:
sudo ufw enable
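Once enabled, all incoming ports are closed by default, and accessing your machine is made exponentially more challenging. Let's say, however, that you regularly use SSH to access that machine from your LAN. (If you administer the machine over SSH, add the rule before you enable UFW so you don't block your own new connections.) For that, you could issue the command: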
sudo ufw allow ssh
Or maybe you want to only allow SSH from a single IP address within your LAN, which can be done with:
sudo ufw allow from IP_ADDRESS to any port 22 proto tcp
Where IP_ADDRESS is the address of the machine you want to allow in.
Those same actions with firewalld look like this:
sudo firewall-cmd --zone=public --permanent --add-service=ssh
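Or, to allow SSH from a single IP address only, remove the general SSH service from the default zone and add a rich rule that accepts port 22 from that address alone:
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS" port port="22" protocol="tcp" accept'
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Where IP_ADDRESS is the address of the machine you want to allow in.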
Obviously, UFW is the easier tool, and I would always recommend it over firewalld for those who are just getting into Linux.
And if you want a GUI for UFW, try GUFW (which can be installed from your GUI app store).
In the end, the answers to the questions are simple:
Do you need a firewall on Linux? - yes
Which one should you use? - UFW
Understand that if you want to use UFW on Fedora-based systems, you must install it. To do that, issue the following commands:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo dnf remove firewalld
sudo dnf install ufw
sudo ufw enable
You now have UFW running on your Fedora-based distribution.
With a firewall active, your Linux machine will be better protected, should someone get around the defenses of your ISP's hardware. As always, it's better to be safe than sorry.
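To check what a UFW rule set actually leaves reachable, the following added example (not code from the article) cross-checks saved `sudo ufw status` output against `ss -H -tln` output and prints the TCP ports that are both listening on a non-loopback address and allowed from Anywhere. The function names, file names and sample data are constructed for illustration; the check assumes UFW's default deny-incoming policy and does not resolve app-profile rules such as OpenSSH to port numbers.

```shell
# Added example (not the article's code); assumes UFW's default deny-incoming policy.
# Inputs are saved output:  sudo ufw status > ufw.txt ; ss -H -tln > ss.txt
exposed_ports() {   # prints TCP ports listening off-loopback and open to Anywhere
    awk '
    FILENAME == ARGV[1] {                          # first file: ufw status
        if ($0 ~ /^Status: inactive/) wide_open = 1    # nothing is filtered
        if (match($0, / (ALLOW|LIMIT)( IN)? +/) &&
            substr($0, RSTART + RLENGTH) ~ /^Anywhere/) {
            spec = $1
            if (spec == "Anywhere") { wide_open = 1; next }
            if (spec ~ /\/udp$/) next              # only TCP is checked
            sub(/\/tcp$/, "", spec)
            n = split(spec, parts, ",")            # "80,443" is a port list
            for (i = 1; i <= n; i++) {
                m = split(parts[i], r, ":")        # "8000:8100" is a range
                lo[++rules] = r[1]; hi[rules] = (m == 2 ? r[2] : r[1])
            }
        }
        next
    }
    $1 == "LISTEN" {                               # second file: ss -H -tln
        n = split($4, p, ":"); port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]" || seen[port]++) next
        allowed = wide_open
        for (i = 1; i <= rules && !allowed; i++)
            if (port + 0 >= lo[i] + 0 && port + 0 <= hi[i] + 0) allowed = 1
        if (allowed) print port
    }' "$1" "$2"
}
# Constructed sample data (not captured from a real host).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/ufw.txt" <<'EOF'
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
5432/tcp                   ALLOW       192.168.1.50
8000:8100/tcp              ALLOW       Anywhere
EOF
    cat > "$d/ss.txt" <<'EOF'
LISTEN 0 128  0.0.0.0:22    0.0.0.0:*
LISTEN 0 244  0.0.0.0:5432  0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511  0.0.0.0:8080  0.0.0.0:*
EOF
    exposed_ports "$d/ufw.txt" "$d/ss.txt"; rm -rf "$d"
}
demo
```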