Tooling

Firewalls

nftables, ufw, pfSense — packet filtering at host and network level.

Linux host-level

  • nftables — modern Linux packet filter; replaced iptables. Cleaner syntax, faster, atomic rule swaps. The default in 2026 distros.
  • ufw (Uncomplicated Firewall) — friendly nftables / iptables wrapper. The default for "just block / allow ports."
  • firewalld — Red Hat / Fedora's runtime-aware firewall daemon; zone-based.
  • iptables — legacy; many older guides reference it; on most distros now backed by nftables.
  • iptables-legacy vs iptables-nft — verify which your distro uses.

Default deny patterns

# ufw — minimal hardening
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp     # ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Network-level firewalls (router / appliance)

  • OPNsense — modern open-source firewall distro (FreeBSD-based); web UI; default for home / small office. Active development; the default over pfSense in 2026.
  • pfSense Community Edition — the original; still works; pfSense Plus is paid.
  • OpenWrt — embedded Linux for routers; flexible.
  • VyOS — Vyatta-derived; CLI-driven; great for network engineers.
  • Sophos UTM Home / Untangle — older.
  • MikroTik RouterOS — commercial hardware + software combo.

Cloud / k8s

  • AWS Security Groups + NACLs — stateful + stateless filters.
  • GCP VPC firewall rules — same niche.
  • Azure NSG — same.
  • Cilium NetworkPolicy — eBPF-enforced k8s network policy.
  • Calico NetworkPolicy — same.

Application-level filtering

  • CrowdSec — collaborative IPS; share blocklists across instances.
  • fail2ban — log-tail-based banning; classic.
  • See Server Hardening.

Patterns to adopt

  • Default deny inbound, allow outbound. Open only what you need.
  • Use ssh only via Tailscale / VPN — close port 22 to the public internet.
  • Restrict admin services (Grafana, Prometheus, DB) to internal networks only.
  • IPv6 — same rules apply; don't forget. ufw default deny incoming covers both, but check.
  • Persistence — make sure rules survive reboot. ufw and firewalld handle this; raw nftables needs nftables.service.
  • Log denied packets sparingly — full logging fills disks fast. Sample.

Modern alternatives

  • Tailscale ACLs — replace much network-level filtering with identity-aware ACLs in JSON.
  • Cloudflare WAF / Access — shift firewall logic to the edge.
  • Service mesh policies — pod-to-pod filtering inside k8s with Cilium / Istio.

Pick this if…

  • Default Linux host-level: ufw (simple) or nftables (powerful).
  • Default home / small office router: OPNsense.
  • Network engineer with real switching needs: VyOS or MikroTik.
  • Kubernetes network policy: Cilium or Calico.
  • Cloud: the cloud's native security groups; pair with VPC design.
  • Reduce attack surface drastically: put services behind Tailscale instead of opening any ports.

On this page