Find the Right Firewall Tool
This guide covers the functions, installation, and deployment scenarios for the most popular Linux firewall tools. Use the sections below to compare your options and find detailed setup instructions for your specific system.
Tool Comparison
Compare the tools at a glance.
UFW / GUFW
Uncomplicated Firewall
- Best For: Personal desktops, single-interface servers, beginners.
- Primary OS: Debian/Ubuntu
- Interface: CLI / Desktop App
- Logic: Global Rules
- Complexity: Low
Firewalld / firewall-config
Dynamic Firewall Manager
- Best For: Laptops (roaming), complex servers, enterprise.
- Primary OS: RHEL/Fedora
- Interface: CLI / Desktop App
- Logic: Zones (Network Trust)
- Complexity: High
Cockpit
Web-based Server Management
- Best For: Remote server management via Web Browser.
- Primary OS: RHEL (works on Debian)
- Interface: Web Browser
- Logic: Zones (via Firewalld)
- Complexity: Medium
Webmin
Full System Administration UI
- Best For: System Administrators wanting a "cPanel-like" experience.
- Primary OS: Any Linux
- Interface: Web Browser
- Logic: Module-based (UFW, Firewalld, etc.)
- Complexity: Medium
Setup Guides
Once you've chosen a tool, use these guides for detailed installation and setup instructions.
UFW (Uncomplicated Firewall) & GUFW
Functions
- Simplicity: Designed to be an easy frontend for `iptables` (and `nftables` in newer versions).
- Profiles: Application-aware (e.g., allowing "Apache Full" automatically opens ports 80 and 443).
- Logging: Easy toggle for logging dropped packets.
- GUFW: A graphical desktop application to manage UFW with point-and-click ease.
Installation
Debian/Ubuntu:
```bash
sudo apt update
sudo apt install ufw gufw
```
RHEL/Fedora:
*UFW is not standard in RHEL; `firewalld` is preferred. If you must use it, it is available via the EPEL repository.*
```bash
sudo dnf install epel-release
sudo dnf install ufw
```
Setup & Configuration (CLI)
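```bash
# 1. Set defaults: block inbound, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
# 2. Allow SSH before enabling, or enabling over an SSH session can lock you out
sudo ufw allow ssh
# OR, if sshd listens on a non-default port, allow that port instead
sudo ufw allow 2222/tcp
# 3. Enable
sudo ufw enable
```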
Firewalld & firewall-config
Functions
- Zones: The core feature. Define zones (e.g., `public`, `home`, `work`) with different rules.
- Runtime vs. Permanent: Changes can be tested in "runtime" (lost on reboot) or written to "permanent".
- Rich Rules: Allows complex logic (e.g., "Allow SSH only from this subnet...").
- firewall-config: The advanced GUI for managing zones and services.
Installation
RHEL/Fedora:
*Pre-installed on most RHEL-based systems.*
```bash
sudo dnf install firewalld firewall-config
sudo systemctl enable --now firewalld
```
Debian/Ubuntu:
*Note: Installing this usually conflicts with UFW. Disable UFW first.*
```bash
sudo ufw disable
sudo apt install firewalld firewall-config
```
Setup & Configuration (CLI)
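```bash
# 1. Check which zones are active and which interfaces they cover
sudo firewall-cmd --get-active-zones
# 2. Open a port (permanent): written to the permanent config, applied to the running firewall by --reload
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
# 3. Panic mode: drops all incoming and outgoing traffic, including your own SSH session
#    (turn it off again with --panic-off, from the console)
sudo firewall-cmd --panic-on
```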
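The runtime-versus-permanent distinction and the rich-rule case listed under Functions ("Allow SSH only from this subnet") combine into a staged change, shown here as an added example that is not part of the original guide. The subnet `192.0.2.0/24`, the variables `ZONE`, `ADMIN_NET` and `APPLY`, and all function names are assumptions made for illustration.

```bash
# Added example, not from the original page. Assumed names: ZONE, ADMIN_NET, APPLY
# and all function names. 192.0.2.0/24 is a constructed documentation subnet.
# Written in POSIX sh so it also runs under bash.
ZONE="${ZONE:-public}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
APPLY="${APPLY:-0}"   # 0 = only print the commands, 1 = also run them (as root)

# Accept only a well-formed IPv4 CIDR, so nothing else can end up inside the rule.
valid_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
    $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32 { ok = 1 }
    END { exit !(ok && NR == 1) }'
}

# Rich rule text for "allow SSH only from this subnet".
ssh_rich_rule() {
  valid_cidr "$1" || { echo "invalid IPv4 CIDR: $1" >&2; return 1; }
  printf 'rule family="ipv4" source address="%s" service name="ssh" accept\n' "$1"
}

# Print each command; execute it only when APPLY=1.
run() {
  echo "+ $*"
  [ "$APPLY" = 1 ] || return 0
  "$@"
}

# Runtime-only change: add the scoped rule first, then remove the open ssh service.
# Nothing is permanent yet, so `firewall-cmd --reload` or a reboot undoes both.
stage_runtime() {
  rule=$(ssh_rich_rule "$ADMIN_NET") || return 1
  run firewall-cmd --zone="$ZONE" --add-rich-rule="$rule" &&
  run firewall-cmd --zone="$ZONE" --remove-service=ssh
}

# Run this only after a NEW SSH login from the admin subnet has succeeded.
persist() {
  run firewall-cmd --runtime-to-permanent
}

case "${1:-}" in
  stage)   stage_runtime ;;
  persist) persist ;;
  *)       echo "usage: $0 stage|persist   (set APPLY=1 to execute)" ;;
esac
```

Run `stage` with `APPLY=1`, confirm that a fresh SSH login from the admin subnet works, and only then run `persist`.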
Cockpit
Functions
- Web Interface: Accessed via port `9090`.
- Visual Logs: See firewall logs in real-time graphs.
- Firewall Management: **Important:** Cockpit's firewall UI is designed primarily for **Firewalld**.
Installation
RHEL/Fedora:
```bash
sudo dnf install cockpit
sudo systemctl enable --now cockpit.socket
# Ensure firewall allows cockpit itself
sudo firewall-cmd --add-service=cockpit --permanent --zone=public
sudo firewall-cmd --reload
```
Debian/Ubuntu:
```bash
sudo apt install cockpit
# If you want to manage the firewall via the Cockpit UI:
sudo apt install firewalld
```
Setup & Usage
- Navigate to `https://your-server-ip:9090`.
- Login with your system user credentials.
- Go to the **Networking** tab, then click **Firewall**.
Webmin
Functions
- Modules: Has specific modules for **Linux Firewall (iptables)**, **UFW**, and **Firewalld**.
- Flexibility: Unlike Cockpit, Webmin adapts to whatever firewall you have installed.
Installation
*Webmin is rarely in default repos; you typically download the package directly.*
Debian/Ubuntu:
```bash
wget https://prdownloads.sourceforge.net/webadmin/webmin_2.111_all.deb
sudo apt install ./webmin_2.111_all.deb -y
```
RHEL/Fedora:
```bash
wget https://prdownloads.sourceforge.net/webadmin/webmin-2.111-1.noarch.rpm
sudo dnf install ./webmin-2.111-1.noarch.rpm -y
```
Deployment Scenario
An admin manages a server but isn't comfortable with the CLI. They use Webmin (port 10000) to click "Allow" on specific ports using the Networking > Linux Firewall module.