Questions tagged [firewall]

A firewall is a program that controls the incoming and outgoing network traffic on a system. Use this tag for all questions related to firewall configuration and operation.

A firewall is often associated with a packet filter. A packet filter operates on the link, network and transport layers. Examples of packet filters are

  • pf (OpenBSD; ported to NetBSD, FreeBSD and Mac OS)
  • ipfilter (NetBSD, FreeBSD)
  • ipfw (FreeBSD)
  • npf (NetBSD)
  • xtables (i.e. iptables/ebtables/arptables; Linux)
  • nftables (Linux; replacement for xtables)

The latest versions support IPv6 and stateful inspection. The latter means that the software keeps track of the connections it has seen within a limited time window and can match incoming packets against that connection history.

Firewalls are not limited to packet filters. Any gateway that enforces a security policy can be considered a firewall. Examples of these are

  • web application firewalls
  • database firewalls
  • mail gateways
  • VoIP gateways (of which session border controllers are a particular form)

1014 questions

478 votes, 5 answers

How does reverse SSH tunneling work?

As I understand this, firewalls (assuming default settings) deny all incoming traffic that has no prior corresponding outgoing traffic. Based on Reversing an ssh connection and SSH Tunneling Made Easy, reverse SSH tunneling can be used to get around…
Ali
64 votes, 3 answers

Difference between SNAT and Masquerade

I am confused: what's the actual difference between SNAT and Masquerade? If I want to share my internet connection on the local network, should I select SNAT or Masquerade?
Chankey Pathak
61 votes, 6 answers

Limit SSH access to specific clients by IP address

How do we allow a certain set of private IPs to log in through SSH (RSA key pair) to a Linux server?
Ranjan Kumar
56 votes, 9 answers

UFW: Allow traffic only from a domain with dynamic IP address

I run a VPS which I would like to secure using UFW, allowing connections only to port 80. However, in order to be able to administer it remotely, I need to keep port 22 open and make it reachable from home. I know that UFW can be configured to allow…
Carles Sala
50 votes, 7 answers

How to configure CentOS 7 firewallD to allow docker containers free access to the host's network ports?

I have docker installed on CentOS 7 and I am running firewallD. From inside my container, going to the host (default 172.17.42.1) With firewall on container# nc -v 172.17.42.1 4243 nc: connect to 172.17.42.1 port 4243 (tcp) failed: No route to…
adapt-dev
48 votes, 2 answers

No route to host with nc but can ping

I'm trying to connect to port 25 with netcat from one virtual machine to another, but it's telling me no route to host although I can ping. I do have my firewall default policy set to drop, but I have an exception to accept traffic for port 25 on that…
Katz
46 votes, 5 answers

Is there a way to find which iptables rule was responsible for dropping a packet?

I have a system that came with a firewall already in place. The firewall consists of over 1000 iptables rules. One of these rules is dropping packets I don't want dropped. (I know this because I did iptables-save followed by iptables -F and the…
Shawn J. Goff
43 votes, 9 answers

Whitelist source IP addresses in CentOS 7

I want to set up the CentOS 7 firewall such that all incoming requests will be blocked except those from the originating IP addresses that I whitelist. And for the whitelisted IP addresses all ports should be accessible. I'm able to find a few solutions…
Krishnandu Sarkar
39 votes, 1 answer

Is it better to set -j REJECT or -j DROP in iptables?

There's an example of iptables rules on archlinux wiki: # Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :TCP - [0:0] :UDP - [0:0] -A INPUT -m conntrack --ctstate…
Mikhail Morfikov
38 votes, 1 answer

Do you need to reload after adding a rule in ufw?

Do you need to run any of these commands: sudo ufw reload, sudo ufw disable, sudo ufw enable after adding a rule via sudo ufw allow?
iLW
37 votes, 4 answers

iptables: allow certain IPs and block all other connections

How do I allow certain IPs and block all other connections in iptables?
David
35 votes, 2 answers

How iptables tables and chains are traversed

I know Linux has 3 built-in tables and each of them has its own chains as follows: FILTER: PREROUTING, FORWARD, POSTROUTING NAT: PREROUTING, INPUT, OUTPUT, POSTROUTING MANGLE: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING But I can't understand how…
zer0uno
33 votes, 6 answers

How to check whether the firewall is opened for a port but nothing is listening on the port

We will be deploying a new application to a server and the application will be listening on port 8443. We have asked the network team to open the firewall for port 8443 on that server before deploying the application. There is no application…
yottabrain
32 votes, 5 answers

How can I block a range of IP addresses with an Amazon EC2 instance?

I know a certain range of IP addresses, 172.64.*.*, is causing problems with my server. What is the best way to block access to my Amazon EC2 instance? Is there a way to do this using security groups or is it better to do it with the firewall on the…
cwd
26 votes, 4 answers

Set some firewall ports to only accept local network connections?

How do I set up the firewall on a system in a LAN so that some ports are only open to connections from the local area network, and not from the outside world? For example, I have a box running Scientific Linux 6.1 (a RHEL based distro), and I want…
hpy