Firewalls
nftables, ufw, pfSense — packet filtering at host and network level.
Linux host-level
- ★ nftables — modern Linux packet filter; replaced iptables. Cleaner syntax, faster, atomic rule swaps. The default in 2026 distros.
- ★ ufw (Uncomplicated Firewall) — friendly nftables / iptables wrapper. The default for "just block / allow ports."
- firewalld — Red Hat / Fedora's runtime-aware firewall daemon; zone-based.
- iptables — legacy; many older guides reference it; on most distros now backed by nftables.
- iptables-legacy vs iptables-nft — verify which your distro uses.
Default deny patterns
Network-level firewalls (router / appliance)
- ★ OPNsense — modern open-source firewall distro (FreeBSD-based); web UI; default for home / small office. Active development; the default over pfSense in 2026.
- pfSense Community Edition — the original; still works; pfSense Plus is paid.
- OpenWrt — embedded Linux for routers; flexible.
- VyOS — Vyatta-derived; CLI-driven; great for network engineers.
- Sophos UTM Home / Untangle — older.
- MikroTik RouterOS — commercial hardware + software combo.
Cloud / k8s
- AWS Security Groups + NACLs — stateful + stateless filters.
- GCP VPC firewall rules — same niche.
- Azure NSG — same.
- Cilium NetworkPolicy — eBPF-enforced k8s network policy.
- Calico NetworkPolicy — same.
Application-level filtering
- CrowdSec — collaborative IPS; share blocklists across instances.
- fail2ban — log-tail-based banning; classic.
- See Server Hardening.
Patterns to adopt
- ★ Default deny inbound, allow outbound. Open only what you need.
- Use
sshonly via Tailscale / VPN — close port 22 to the public internet. - Restrict admin services (Grafana, Prometheus, DB) to internal networks only.
- IPv6 — same rules apply; don't forget.
ufw default deny incomingcovers both, but check. - Persistence — make sure rules survive reboot. ufw and firewalld handle this; raw nftables needs
nftables.service. - Log denied packets sparingly — full logging fills disks fast. Sample.
Modern alternatives
- Tailscale ACLs — replace much network-level filtering with identity-aware ACLs in JSON.
- Cloudflare WAF / Access — shift firewall logic to the edge.
- Service mesh policies — pod-to-pod filtering inside k8s with Cilium / Istio.
Pick this if…
- Default Linux host-level: ufw (simple) or nftables (powerful).
- Default home / small office router: OPNsense.
- Network engineer with real switching needs: VyOS or MikroTik.
- Kubernetes network policy: Cilium or Calico.
- Cloud: the cloud's native security groups; pair with VPC design.
- Reduce attack surface drastically: put services behind Tailscale instead of opening any ports.