# Key features

- restrictions based on services
- restrictions based on zones
- different sets of rules for different scenarios: work, home, guest
  - feature of `firewalld`
- stateful: keeps session/conversation context
  - requires more memory/resources
- stateless: no session context; decisions are based only on port/service

# Common FW technologies

- `iptables`: kernel-level tool that specifies what traffic can and cannot pass
- `nftables`: kernel-level tool that specifies what traffic can and cannot pass
  - newer replacement for `iptables`
- `firewalld` and `ufw`: wrappers that give easier ways to manipulate `iptables` or `nftables`
  - create the FW rules in the background

# `firewalld`

- `firewalld` is the default in Red Hat
- `firewall-cmd --get-default-zone` shows the default zone, typically `public`
- `firewall-cmd --get-zones` shows all zones
- `/usr/lib/firewalld/zones` stores zone config files in XML
- `firewall-cmd --get-active-zones` shows active zones
- `firewall-cmd --list-services` shows allowed services
- `sudo firewall-cmd --add-service=service_name --zone=zone_name` adds a service to the specified zone
- `firewall-cmd --permanent --add-service=http` allows http across reboots

# `ufw`

- `ufw` is the default in Debian
- `/etc/ufw` stores the overall config for `ufw`
- `/etc/ufw/applications.d/` stores ufw application profiles
- `sudo ufw status` shows active/inactive state and open ports
- `sudo ufw status numbered` shows the rules with their numbers
- `sudo ufw enable` activates the firewall and enables it on reboot
- `sudo ufw allow 22/tcp`
- `sudo ufw allow http` opens port 80
- can specify well-known services or specific ports
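The notes above list the commands and files that expose a host's firewall state; a defender usually wants to turn that state into a check. The script below is an added example, not part of the original notes and not code from the `firewalld` or `ufw` projects. It audits two inputs against an approved list: a zone file in the XML layout used under `/usr/lib/firewalld/zones`, and the text that `sudo ufw status numbered` prints. Both inputs are constructed samples written to temp files so the script runs offline, and the approved services (`ssh`, `dhcpv6-client`) and ports (`22/tcp`, `80/tcp`) are assumptions chosen for the demo; on a real host you would feed it the actual zone file and the captured `ufw` output instead.

```shell
#!/bin/sh
# Added example (not from the original notes): audit firewall state offline.
# Both inputs are CONSTRUCTED samples in the formats the notes describe:
#   - a firewalld zone file in the XML layout used under /usr/lib/firewalld/zones
#   - the text that `sudo ufw status numbered` prints
# The approved services/ports are an assumption for the demo.

# --- constructed sample 1: firewalld zone XML ------------------------------
ZONE_XML=$(mktemp)
cat > "$ZONE_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port port="8080" protocol="tcp"/>
</zone>
EOF

# --- constructed sample 2: output of `sudo ufw status numbered` -------------
UFW_STATUS=$(mktemp)
cat > "$UFW_STATUS" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3306/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF

# zone_services FILE: one <service name="..."/> entry per line
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# zone_ports FILE: one <port .../> entry per line, printed as PORT/PROTO
zone_ports() {
    sed -n 's/.*<port port="\([^"]*\)" protocol="\([^"]*\)".*/\1\/\2/p' "$1"
}

# ufw_allowed FILE: the "To" column of every ALLOW IN rule, one per line;
# the IPv6 twin of a rule collapses because its "(v6)" suffix is not captured
ufw_allowed() {
    sed -n 's/^\[ *[0-9]*\] *\([^ ]*\).*ALLOW IN.*/\1/p' "$1" | sort -u
}

# not_in_allowlist APPROVED...: reads items from stdin, prints those that are
# not in the approved list (each one is an opening worth explaining)
not_in_allowlist() {
    approved=" $* "
    while read -r item; do
        case "$approved" in
            *" $item "*) ;;          # approved, stay quiet
            *) echo "$item" ;;       # unexpected opening, report it
        esac
    done
}

# Named wrappers so each result can be checked directly
unapproved_zone_services() { zone_services "$1" | not_in_allowlist ssh dhcpv6-client; }
unapproved_ufw_rules()     { ufw_allowed "$1"   | not_in_allowlist 22/tcp 80/tcp; }

echo "firewalld zone: services not on the approved list:"
unapproved_zone_services "$ZONE_XML"     # http
echo "firewalld zone: explicitly opened ports:"
zone_ports "$ZONE_XML"                   # 8080/tcp
echo "ufw: ALLOW IN rules not on the approved list:"
unapproved_ufw_rules "$UFW_STATUS"       # 3306/tcp
```

Two caveats when pointing this at a live host: files under `/usr/lib/firewalld/zones` are the packaged defaults, and an edited copy in `/etc/firewalld/zones` takes precedence, so audit that directory first; and a `--permanent` change such as `firewall-cmd --permanent --add-service=http` only lands in the running configuration after `firewall-cmd --reload`, so the permanent XML and the output of `firewall-cmd --list-services` can legitimately differ until then.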