Secure your Linux

Jan 13

Securing your server

Running servers is a constant challenge, and a public-facing device will be hammered by bots trying to find a hole, so securing such a device is a high-priority task.

Firewall

Due to the immense popularity of GNU/Linux for servers, several firewalls have been developed over time.

Most users know of ufw and the graphical tool gufw, which use iptables to control inbound and outbound traffic.

Firewalls

Traditionally, firewalls require knowledge of which port(s) a given service uses and the ability to create a rule that limits inbound traffic to that service - further restricting the network interface and the source addresses allowed.

This is a complex business, and you have to get routes and priorities straight or you can run into serious connectivity problems and weird issues. iptables-based rules require a reload, and large, complicated rulesets are hard to troubleshoot.

Application Firewall

If you for some reason want to know about every single process making an outgoing network request, you could look at the opensnitch application firewall. It is available from the AUR.

Firewalld

Firewalld is the latest breed of free and open-source firewall applications. Firewalld can be configured in terms of applications, since an application (a service, in firewalld's terms) is merely a definition of which ports should be allowed - e.g. an http application, or ssh, or smtp.

When you configure the firewall, you use zones to define where you are and services to define what you allow. Install firewalld:

# pacman -Syu firewalld

When firewalld is enabled and started, the default zone is public, which allows the computer to be visible on the network but keeps all ports closed.

Adding a specific service (application) is most easily done from the command line. A GUI is available if you install its dependencies.

Adding a service takes effect immediately - there is no need to reload the firewalld service.

Simply add the service to the allowed services of the desired zone.

Example - adding http to the public zone

# firewall-cmd --zone=public --add-service=http
success

It is important to realize that changes you make on the fly are not permanent. To make a certain service available on a permanent basis, you add the --permanent argument

# firewall-cmd --permanent --zone=public --add-service=http
success

What if you want to add your own service definition?

Easy-peasy - look in the folder /usr/lib/firewalld/services and make a copy of an appropriate service definition.

Example - you want to run an ssh server on a non-default port.

Copy the ssh.xml service definition to /etc/firewalld/services

# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/my-ssh.xml

Edit the service definition

# nano /etc/firewalld/services/my-ssh.xml

Change the port to match your service, and change the short name to distinguish it from the original service.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>My SSH service</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="30000"/>
</service>

Wait 5-10 seconds for the service file to be recognized, then activate it

# firewall-cmd --zone=public --add-service=my-ssh
success

The same rule about --permanent applies, and that's it.
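A small helper, added here as an example and not part of this post or of firewalld itself, that generates a service definition with the same structure as the my-ssh file above, validates the port and protocol before anything is written, and returns the two firewall-cmd invocations; the service name, short name and port it is called with are constructed values, and the /etc/firewalld/services path is the one the post uses.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Values firewalld accepts in <port protocol="..."/>; anything else is a typo.
ALLOWED_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def build_service_xml(short: str, description: str, ports) -> str:
    """Return the text of a service definition; ports is a list of (protocol, port)."""
    if not ports:
        raise ValueError("a service must expose at least one port")
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for proto, port in ports:
        if proto not in ALLOWED_PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def read_service(xml_text: str) -> dict:
    """Parse a definition (your own, or a stock one from /usr/lib/firewalld/services)."""
    root = ET.fromstring(xml_text)
    return {
        "short": root.findtext("short"),
        "ports": [(p.get("protocol"), int(p.get("port"))) for p in root.findall("port")],
    }


def write_service(name: str, xml_text: str, services_dir="/etc/firewalld/services") -> Path:
    """Write <name>.xml into the services directory; the file name becomes the service name."""
    if not SERVICE_NAME_RE.match(name):
        raise ValueError(f"invalid service name: {name}")
    target = Path(services_dir) / f"{name}.xml"
    target.write_text(xml_text, encoding="utf-8")
    return target


def enable_commands(name: str, zone: str = "public") -> list:
    """firewall-cmd calls that open the service now (runtime) and across reboots (--permanent).

    --permanent alone only edits the saved configuration, so run both (or follow
    the permanent one with `firewall-cmd --reload`) to keep runtime and saved state in sync.
    """
    return [
        f"firewall-cmd --zone={zone} --add-service={name}",
        f"firewall-cmd --permanent --zone={zone} --add-service={name}",
    ]
```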

Conclusion

Firewalld is an extremely powerful and configurable firewall - it deserves much more attention than it gets.

Source

https://firewalld.org/documentation/
