Linux Security Layers

An Interactive Guide: Firewalls vs. MAC

1. The Core Distinction

A common misconception is confusing Network Security (Firewalls) with System Internals Security (Mandatory Access Control, or MAC). The sections below show what each one *actually* controls and how they differ: a firewall decides which traffic may reach the machine at all, while MAC decides what a process may do once it is already running.

2. The Analogy: "The High-Security Office"

To visualize how these layers work together, imagine your server is a corporate headquarters with two key security roles.

The Firewall (Front Desk Guard)

Location: The main entrance.

Job: Checks IDs and stops strangers from entering.

Logic: "You are from a suspicious location? You cannot come in." or "Nobody is allowed on the 22nd floor (Port 22) except admin staff."

Limitation: Once someone passes the guard, the firewall stops watching them. If a thief has a valid ID badge, the firewall lets them in.

AppArmor / SELinux (Keycard Readers)

Location: On every single door inside the building (Server Room, CEO's Office, Cafeteria).

Job: Controls what people can *do* once they are inside.

Logic: "I see you are the 'Janitor' (a web server process). You are trying to open the 'CEO's Safe' (`/etc/shadow`). Access Denied."

Why it matters: If a hacker steals an employee's badge (exploits a vulnerability), MAC systems trap them in the lobby so they can't steal critical data.

3. Deep Dive: Meet the MACs

Both AppArmor and SELinux are Linux Security Modules (LSM) that enforce MAC policies, but they differ in mechanism, strengths, and trade-offs.

4. Summary Scenario: The Nginx Hack

Let's see how these layers work in a real-world attack. A hacker finds a bug in your Nginx web server. The steps below show how the attack unfolds.

Start: The Server is Running

Your Nginx website is running normally. The Firewall is active, and so is your AppArmor/SELinux profile. You are ready for traffic.

Step 1: The Firewall

The hacker sends a malicious request to Port 80 (HTTP). The firewall sees this as "allowed" web traffic.

Result: The packet is ALLOWED. The firewall has nothing to block here, because the malicious request looks exactly like ordinary web traffic.

Step 2: The Exploit

The malicious request hits Nginx and triggers a bug. The hacker gains control of the Nginx process, running as the `www-data` user.

Result: The application is COMPROMISED. The hacker is "inside".

Step 3: The MAC System (AppArmor/SELinux)

The hacker (controlling Nginx) tries to read `/etc/shadow` or download and run additional malware. The MAC system intervenes: "Wait! The policy for Nginx says it can ONLY read web files. It is NOT allowed to read shadow files or execute new programs."

Result: The action is BLOCKED. The hack is contained.
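The policy that Step 3 refers to, written out as an AppArmor profile; this is an added example for this guide, not a profile shipped with Nginx or AppArmor. It assumes the binary is `/usr/sbin/nginx` and the web root is `/var/www/html`; AppArmor attaches the profile to the program by that path, which is what the profile header does.

```apparmor
# Added example (not from the original guide). Assumes the Nginx binary is
# /usr/sbin/nginx and the web root is /var/www/html; adjust both as needed.
#include <tunables/global>

/usr/sbin/nginx flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The master process binds ports 80/443 as root, then drops to www-data.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  network inet stream,
  network inet6 stream,

  # Step 3 of the scenario: Nginx may ONLY read its config and the web files.
  /etc/nginx/** r,
  /var/www/html/** r,

  # Runtime state and logs it has to write.
  /run/nginx.pid rw,
  /var/log/nginx/*.log w,
  /var/cache/nginx/** rw,

  # Anything not listed above is already denied. These explicit rules add an
  # audit record, so the two blocked actions from the scenario show up in the
  # log instead of failing silently. A deny rule always wins over an allow.
  audit deny /etc/shadow r,
  audit deny /bin/** x,
  audit deny /usr/bin/** x,
  audit deny /tmp/** x,
}
```

Save it as `/etc/apparmor.d/usr.sbin.nginx`, load it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx`, and watch for `apparmor="DENIED"` entries in the kernel or audit log while exercising the site; any unexpected denial points at a path the profile still needs.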

5. Firewall Management Tools

Most Linux users don't write raw iptables rules. Instead, they use front-end tools to manage the firewall, each suited to a different kind of host and workflow.