Imagine your computer is a house with 65,535 doors (ports). Without a firewall, every single one of them is unlocked and wide open to the internet.
Introduction
A Firewall is a network security device (hardware or software) that monitors incoming and outgoing network traffic. It decides whether to allow or block specific traffic based on a defined set of security rules.
What you will learn:
- How firewalls filter traffic (Stateless vs Stateful vs App-Layer)
- The difference between iptables and UFW
- Setting up UFW rules on an Ubuntu server
- Reading and writing iptables rules manually
- Firewall debugging: Why your service is still blocked
Think of a Firewall as a Bouncer at a club:
- The List (Rules): The bouncer has a list of who is allowed in (VIPs) and who is banned.
- Checking IDs (Packet Headers): He checks every person’s ID (IP address and Port) against the list.
- Deny/Allow: If you’re on the list, you enter. If not, you’re blocked.
How It Works
Firewalls sit between a trusted network (your home/office) and an untrusted network (the internet).
Different Types of Firewalls
1. Packet Filtering (Stateless)
The most basic type. It looks at the header of a packet (Source IP, Dest IP, Port) and says Yes or No. It doesn’t remember previous packets.
- Analogy: The bouncer checks your ID but forgets you the moment you walk inside.
2. Stateful Inspection
Smarter. It remembers the state of active connections. If you send a request OUT to a website, it automatically allows the reply IN.
- Analogy: The bouncer remembers you went out for a smoke and lets you back in without checking ID again.
3. Application Layer (Next-Gen)
The smartest. It looks inside the packet payload. It can block “Facebook Games” while allowing “Facebook Chat”.
Configuring ufw (Uncomplicated Firewall)
On Ubuntu/Debian, ufw is the standard tool. It’s much easier than the old iptables.
Check if the firewall is active
```bash
sudo ufw status
sudo ufw status verbose
```
Allow SSH connections (DO THIS FIRST!)
```bash
sudo ufw allow [port]
sudo ufw allow 22/tcp
```
Turn on the firewall
```bash
sudo ufw enable
```
Always allow SSH (port 22) before enabling the firewall on a remote server. Otherwise you will lock yourself out of the server.
More Essential UFW Commands
Explicitly block Telnet (insecure — always block this)
- Use deny to drop silently, reject to notify the sender
Allow all connections from your local network only
- Replace 192.168.1.0/24 with your actual LAN subnet
- Great for allowing DB access from app servers only
View all active rules with their actions and routing details
```text
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
```
Remove a specific rule (the reverse of how you added it)
- Or: sudo ufw status numbered, then sudo ufw delete [N]
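The commands this section describes (deny Telnet, allow the LAN subnet, allow SSH, enable), collected into one script as an added example that is not code from the original article. The script adds a pre-flight check before `ufw enable`: it parses `ufw show added` output (which lists added rules even while the firewall is inactive) and refuses to enable unless an SSH allow rule exists; LAN_SUBNET and the sample output are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: the UFW commands the
# section above describes, collected into one script with a pre-flight check
# so that "ufw enable" is refused unless an SSH allow rule has been added.
# The check parses "ufw show added" output as text (it lists rules even while
# the firewall is still inactive), so it can be exercised offline.
set -eu

LAN_SUBNET="192.168.1.0/24"   # assumption: replace with your real LAN subnet

# ufw_added_allow PORT/PROTO SHOW_ADDED_TEXT
# Returns 0 when the text contains "ufw allow PORT/PROTO" (or the bare port,
# as "ufw allow 22" would be listed), 1 otherwise.
ufw_added_allow() {
  local want="$1" text="$2" port="${1%%/*}"
  printf '%s\n' "$text" | awk -v want="$want" -v port="$port" '
    $1 == "ufw" && $2 == "allow" && ($3 == want || $3 == port) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of "sudo ufw show added" output for offline testing.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw deny 23/tcp
ufw allow from 192.168.1.0/24"

# apply_firewall: runs the real commands. Only executed with "--apply".
apply_firewall() {
  sudo ufw default deny incoming       # deny all inbound unless allowed
  sudo ufw default allow outgoing
  sudo ufw allow 22/tcp                # SSH first, always
  sudo ufw deny 23/tcp                 # Telnet: deny drops silently
  sudo ufw allow from "$LAN_SUBNET"    # everything from the LAN only
  if ufw_added_allow 22/tcp "$(sudo ufw show added)"; then
    sudo ufw --force enable            # --force skips the y/N prompt
    sudo ufw status verbose
  else
    echo "refusing to enable: no 'ufw allow 22/tcp' rule was added" >&2
    return 1
  fi
}

if [ "${1:-}" = "--apply" ]; then apply_firewall; fi
```

Run it as `./firewall.sh --apply` on the server; without the flag it only defines the functions, so the check can be tried against the sample text.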
Under the Hood: iptables
UFW is a friendly wrapper around the real firewall engine: iptables. Understanding it helps you debug.
| | UFW | iptables |
|---|---|---|
| Complexity | Simple (human-readable) | Complex (chains and tables) |
| Use Case | Personal servers, Ubuntu | Enterprise, advanced configs |
| Persistence | Auto-saved | Requires saving manually |
| Speed | Fine for most workloads | Direct kernel interface |
List all current iptables rules with packet counts
- -L lists, -n shows IPs (not hostnames), -v shows packet counts
- Three chains: INPUT (inbound), OUTPUT (outbound), FORWARD (routing)
Block all traffic from a specific attacker IP address
Block IP 203.0.113.5 from reaching your server
- -A = Append (add to end), -s = source, -j = jump to action (DROP/ACCEPT)
Allow HTTPS traffic on port 443
- -p tcp = protocol, --dport = destination port
- Always add an ACCEPT rule before a default DROP policy
Modern Linux kernels (5.x+) include nftables, the successor to iptables. It uses a more consistent syntax and is faster. Ubuntu 20.04+ uses nftables under the hood. UFW still works on top of it transparently.
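The commands the bullets above describe are `sudo iptables -L -n -v`, `sudo iptables -A INPUT -s 203.0.113.5 -j DROP` and `sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT`. The added example below (not code from the original article) simulates how the INPUT chain evaluates such rules top to bottom with first match winning and the chain policy as fallback, which is the usual answer to "why is my service still blocked"; the rule sets and packets are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: a small simulator of how
# the INPUT chain decides a packet's fate. Rules are tried top to bottom, the
# first match wins, and a packet that matches nothing gets the chain policy.
# Rules use the same "-A INPUT ... -j TARGET" form as the commands above;
# only -s (single IP, an optional /32 is tolerated), -p and --dport are
# understood, and a rule that omits a match matches any value for it.
set -eu

# ipt_verdict SRC PROTO DPORT POLICY RULES_TEXT  -> prints ACCEPT or DROP
ipt_verdict() {
  local src="$1" proto="$2" dport="$3" policy="$4" rules="$5"
  printf '%s\n' "$rules" | awk -v src="$src" -v proto="$proto" \
                               -v dport="$dport" -v policy="$policy" '
    /^-A INPUT/ {
      rs = "any"; rp = "any"; rd = "any"; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s")      { rs = $(i+1); sub(/\/32$/, "", rs) }
        if ($i == "-p")      rp = $(i+1)
        if ($i == "--dport") rd = $(i+1)
        if ($i == "-j")      target = $(i+1)
      }
      if ((rs == "any" || rs == src) && (rp == "any" || rp == proto) &&
          (rd == "any" || rd == dport)) { print target; matched = 1; exit }
    }
    END { if (!matched) print policy }'
}

# Constructed rule sets. GOOD_RULES is the order the article recommends:
# specific DROP and ACCEPT rules first, then the chain policy DROP catches the rest.
GOOD_RULES='-A INPUT -s 203.0.113.5 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT'

# BAD_RULES puts a catch-all DROP before the ACCEPT, so port 443 never opens.
BAD_RULES='-A INPUT -j DROP
-A INPUT -p tcp --dport 443 -j ACCEPT'

# Usage: one constructed packet per line, verdict printed for each.
while read -r src proto dport; do
  echo "$src $proto/$dport -> $(ipt_verdict "$src" "$proto" "$dport" DROP "$GOOD_RULES")"
done <<'EOF'
198.51.100.7 tcp 443
203.0.113.5 tcp 443
198.51.100.7 tcp 80
EOF
```

Port 80 reaches the policy and is dropped even though nothing explicitly blocks it; the blocked IP is dropped before the 443 ACCEPT rule is ever reached.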
Common Issues
| Problem | Cause | Solution |
|---|---|---|
| Website not loading | Port 80/443 blocked | sudo ufw allow 80 and sudo ufw allow 443 |
| Cannot SSH in | Port 22 blocked | Access console, run sudo ufw allow 22 |
| Ping not working | ICMP blocked | Edit /etc/ufw/before.rules to allow ICMP |
Key Takeaways
- Firewalls filter traffic based on IP, Port, and Protocol.
- Stateless checks packets individually; Stateful tracks full connections (smarter).
- Application-layer firewalls (WAF) understand HTTP/DNS — they see attacks, not just ports.
- UFW is the friendly wrapper. iptables is the real engine underneath.
- Default policy = Deny All incoming. Allow only what you need.
- Always allow SSH before enabling UFW on a remote server — or you lock yourself out.
The firewall is your first line of defense. You know how to act like a Bouncer for your network using ufw.
Next Steps
- What is a VPN? — The other key privacy tool
- How SSH Works — Secure access through your firewall
- TCP vs UDP — The protocols your firewall controls