Should I enable firewall in Linux?

Firewalld is an open source, host-based firewall that seeks to prevent unauthorized access to your computer. A firewall is usually a minimum requirement by any information security team at any modern organization, but it's also a good idea for general computer use.

Firewalld can restrict access to services, ports, and networks. You can block specific subnets and IP addresses.

As with any firewall, firewalld inspects all traffic traversing the various interfaces on your system. Traffic is allowed or rejected depending on whether its source address or network matches a rule.

Firewalld uses the concept of zones to segment traffic that interacts with your system. A network interface is assigned to one or more zones, and each zone contains a list of allowed ports and services. A default zone is also available to manage traffic that does not match any zones.

Firewalld is the name of the daemon that maintains the firewall policies. Use the firewall-cmd command to interact with the firewalld configuration.

Check the firewalld configuration

Before getting started, confirm that firewalld is running:

$ sudo firewall-cmd --state

The output is either running or not running. To start your firewall if it's not running, use systemctl:

$ sudo systemctl enable --now firewalld

View zones

To view all zones on a system, use the --get-zones option:

$ sudo firewall-cmd --get-zones

To display the default zone, use --get-default-zone:

$ sudo firewall-cmd --get-default-zone

By default, if firewalld is enabled and running and in the public zone, all incoming traffic is rejected except SSH and DHCP.

Allow a port

To allow traffic from any IP through a specific port, use the --add-port option along with the port number and protocol:

$ sudo firewall-cmd --add-port=80/tcp

This rule takes effect immediately but only lasts until the next reboot. Add the --permanent flag to make it persistent:

$ sudo firewall-cmd --add-port=80/tcp --permanent

Reload firewalld

I prefer to reload my firewall after making changes. To reload firewalld and all permanent rules:

$ sudo firewall-cmd --reload

Add a service

There are predefined services you can allow through your firewall. To see all predefined services available on your system:

$ sudo firewall-cmd --get-services

For example, to add the HTTP service to your firewall permanently, enter:

$ sudo firewall-cmd --add-service=http --permanent 

$ sudo firewall-cmd --reload

Specify traffic by subnet

You can assign traffic coming from a particular subnet to a specific zone (which allows specific ports and services, possibly unique to just that zone).

For example, to assign the network 172.16.1.0/24 to the internal zone and to allow the Jenkins service:

$ sudo firewall-cmd --zone=internal \
--add-source=172.16.1.0/24 --permanent

$ sudo firewall-cmd --zone=internal --add-service=jenkins --permanent

$ sudo firewall-cmd --reload

List ports and services

You can list all ports and services allowed in the default zone using the --list-all option:

$ sudo firewall-cmd --list-all

To view all settings for all zones, use --list-all-zones:

$ sudo firewall-cmd --list-all-zones
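
The runtime and permanent configurations described under "Allow a port" and "Reload firewalld" can drift apart: a rule added without --permanent is lost later, and a rule added with --permanent is inactive until a reload. The following script is an added example, not part of the original article; the function names are hypothetical and the sample lists are constructed.

```sh
#!/bin/sh
# Added example (not from the original article): find firewalld rules that
# exist only in the runtime or only in the permanent configuration.

# only_in A B: print the space-separated items of A that are missing from B.
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                  # present in both lists
            *) printf '%s\n' "$item" ;;
        esac
    done | sort | tr '\n' ' ' | sed 's/ $//'
}

# drift RUNTIME PERMANENT: print one line per kind of discrepancy.
drift() {
    lost=$(only_in "$1" "$2")       # gone after the next reload or reboot
    pending=$(only_in "$2" "$1")    # saved, inactive until --reload
    [ -n "$lost" ] && echo "runtime-only: $lost"
    [ -n "$pending" ] && echo "permanent-only: $pending"
    return 0
}

# zone_items MODE ZONE: ports, services and sources of one zone on one line.
# MODE is "" for the runtime view or "--permanent" for the saved view.
zone_items() {
    for query in --list-ports --list-services --list-sources; do
        firewall-cmd $1 --zone="$2" "$query"
    done | tr '\n' ' '
}

# live_drift [ZONE]: compare both views on a host that runs firewalld.
live_drift() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    drift "$(zone_items "" "$zone")" "$(zone_items --permanent "$zone")"
}

# Constructed sample: 8080/tcp was added without --permanent, and http was
# added with --permanent but firewalld has not been reloaded yet.
SAMPLE_RUNTIME="8080/tcp ssh dhcpv6-client"
SAMPLE_PERMANENT="ssh dhcpv6-client http"
drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

On a host running firewalld, call `live_drift` (as root, optionally with a zone name) instead of the sample call on the last line.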

Know your firewall

A good firewall is an essential feature on modern computer systems, and firewalld is one of the most convenient available. Its commands are intuitive and clear, and its ability to report useful descriptions of its policies makes it easy to understand. Review your firewall settings, and try out some firewall-cmd commands today.

freshtamatic Level 3
Posts: 196 Joined: Tue Sep 04, 2018 2:13 pm

How important is it to turn the firewall on?

By default (latest LM Cinnamon) it is off. I just turned it on. Does it really make a difference or will it mess up my other settings?

Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

DAMIEN1307

Re: How important is it to turn the firewall on?

Post by DAMIEN1307 » Wed Oct 10, 2018 6:16 pm

It has been said by many that if you are using a router with a firewall (most routers are firewalled), then there is no reason to turn on a software firewall...call me old but I have both enabled on my system...maybe it's redundant, I really don't know but both are on...DAMIEN

AZgl1800 Level 18
Posts: 8844 Joined: Thu Dec 31, 2015 3:20 am Location: Oklahoma where the wind comes Sweeping down the Plains

Re: How important is it to turn the firewall on?

Post by AZgl1800 » Wed Oct 10, 2018 6:45 pm

I have to depend on the ISP's modem Firewall.

I cannot turn on the Linux firewall as that blocks all sharing attempts to my Win7PC and from my Android cellphone.
Simpler to just make sure the modem firewall is updated.

LM21.x upgraded from 20.3 Cinnamon on an ASUS FX705GM laptop

Lord Boltar Level 5
Posts: 808 Joined: Mon Jan 09, 2017 7:24 pm Location: Sunny Florida

Re: How important is it to turn the firewall on?

Post by Lord Boltar » Wed Oct 10, 2018 7:16 pm

I have mine on on my laptop and yes I have a firewall on on my home router, but if I take my laptop on a trip somewhere and use public access at an airport it is far better to leave it on - if a program gets blocked you can simply allow it to pass through

IF your problem has been solved, please edit your original post and add [SOLVED] to the beginning of the Subject Line. It helps other members

The only way for evil to prosper is for good men to do nothing

rene Level 20
Posts: 10847 Joined: Sun Mar 27, 2016 6:58 pm

Re: How important is it to turn the firewall on?

Post by rene » Wed Oct 10, 2018 8:03 pm

freshtamatic wrote: ↑ Wed Oct 10, 2018 6:04 pm
How important is it to turn the firewall on?

Not very. Basically everybody is these days behind a NAT router in the form of their modem; frequently even a double NAT with a home router locally behind the modem again. This means that nothing and no one from the internet can connect to your system anyway without port forwarding having been set up, i.e., without your modem/router having been configured to forward incoming connection attempts at a certain port to your system.

In future IPv6 days we may (optionally) have more directly exposed systems but in current IPv4 reality the only thing to be a little wary of is UPnP, a protocol provided by your modem/router to automatically set up such forwarding. It is used for example by file sharing programs such as Transmission to expose a listening port on your system to the wider internet, to allow downloads from you hence allow downloads by you at reasonable speeds.

Other than that firewalls are mostly an irrelevant nuisance in the sense of only blocking traffic from your own internal LAN, i.e., AZgl1800's issue above. Although I haven't a virgin Mint install available to quickly check I believe that a default Mint install doesn't have a single port open in the first place even towards your LAN, let alone forwarded from the internet, and those opened by UPnP or explicitly by you by setting up a port forwarding rule from your modem are listened on by security-vetted open-source software, not (generally) large numbers of opaque, closed binary blobs such as on Windows. Mind you that e.g. gaming on Linux changes the "closed binary blobs" issue a little.

But this is then the reason why no firewall is enabled by default on Mint. Essentially the thing a firewall tends to do on Linux is block legitimate traffic from your own LAN only. The paranoid may want to disable UPnP on their modem/router but other than that you needn't worry. And don't let anyone tell you differently, even though some will try hard...
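
Whether a given install has ports open towards the LAN, the point the posts in this thread argue about, can be checked on the machine itself. The script below is an added example and not part of any forum post; it assumes the `ss -tulnH` column layout with the local address in field 5, the function name is hypothetical, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: split listening sockets into loopback-only and reachable
# from the network. Parses `ss -tulnH` output; sample lines are constructed.

# exposed_listeners: read ss lines on stdin and print "proto port" for every
# socket bound to a non-loopback address, sorted and de-duplicated.
exposed_listeners() {
    awk '
    {
        local_ep = $5                 # e.g. 0.0.0.0:22, [::1]:631, 127.0.0.53%lo:53
        port = local_ep; sub(/.*:/, "", port)
        addr = local_ep; sub(/:[^:]*$/, "", addr)
        gsub(/\[|\]/, "", addr)       # strip IPv6 brackets
        sub(/%.*/, "", addr)          # strip interface scope such as %lo
        # Loopback sockets cannot be reached from the LAN or the internet.
        if (addr ~ /^127\./ || addr == "::1") next
        print $1, port
    }' | sort -u
}

# Constructed sample in the shape of `ss -tulnH` output.
SAMPLE='tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 192.168.1.20:68 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | exposed_listeners

# On a real system: ss -tulnH | exposed_listeners
```

Only the sockets this prints are the ones a host firewall, or the NAT router in front of it, is actually filtering access to; an empty result means nothing is listening beyond loopback.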

DAMIEN1307

Re: How important is it to turn the firewall on?

Post by DAMIEN1307 » Wed Oct 10, 2018 9:05 pm

A NAT router will prevent a service from being found and accessible from the Internet. That being said, it works a lot like strong inbound only rules. It does not provide protection against methods like a reverse connection designed to bypass a firewall. Another important thing to note is that the NAT router's protection is not host based. So if another machine on the same network with yours IS compromised the NAT router will offer your machine no protection...DAMIEN

Benedetto Level 2
Posts: 65 Joined: Wed Jul 26, 2017 11:50 am Location: SW England

Re: How important is it to turn the firewall on?

Post by Benedetto » Thu Oct 11, 2018 6:41 am

Having experienced the vagaries of Windows updates over the years (I no longer have Windows) I always check, as a matter of experience, that the firewall is still switched on after any major Mint upgrades.

Best wishes,
Linux Mint 21 Cinnamon 5.4.9 - Desktop
Linux Mint 21 - VAIO Laptop

Hoser Rob Level 19
Posts: 9490 Joined: Sat Dec 15, 2012 8:57 am

Re: How important is it to turn the firewall on?

Post by Hoser Rob » Thu Oct 11, 2018 6:57 am

Yes, turn it on, I'd suggest it even if you're behind a NAT router.

But is not having it on as insane as not doing so in Windows? No. Linux doesn't leave unused ports open like Windows does, that cuts down on problems right there.

I keep one laptop as stable as possible but I've messed around on my netbook in the past. Hopped distros, DEs, with much reinstalling. And a couple of times, I'm embarrassed to say, I forgot to turn the firewall on after installing. One time for weeks. And this is on a netbook I schlep around to cafes with wifi hotspots often. No nice router security.

Did I ever get hacked? No. I would have been hacked in milliseconds in a Windows box.

I turned the firewall on, red faced, every time I did this though, not recommending not using one at all. But Linux isn't a hacker's paradise like Windows.

Should I enable Linux firewall?

For most Linux desktop users, firewalls are unnecessary. The only time you'd need a firewall is if you're running some kind of server application on your system. This could be a web server, email server, game server, etc.

Is it better to turn on firewall?

The most important thing is to make sure your firewall is turned on. See the Mac and Windows firewall links above for more information. Once your firewall is turned on, test it for open ports that could allow in viruses and hackers.

Why use firewall Linux?

Since most Linux users are tech-savvy, they can easily manipulate their firewall systems to suit their security needs. Adding an extra layer of protection by installing a third-party firewall means that your Linux device will have multiple layers of security, making it even harder for hackers and malware.

Should I enable firewall on Ubuntu?

Your computer should be equipped with a firewall that allows it to block programs from being accessed by other people on the internet or your network. This helps to keep your computer secure. Many applications can use your network connection.