GuideDevOps
Lesson 16 of 28

Firewalls & Packet Filtering

Part of the Networking Basics tutorial series.

Firewalls are the first line of defense for your infrastructure. They control what traffic can enter and leave your networks, protecting against unauthorized access, attacks, and data leaks.

What is a Firewall?

Firewall = Network security device that filters traffic based on rules:

Internet
    ↓
[Firewall - Apply Rules]
    ↓
├─ Allow SSH from office IPs
├─ Allow HTTPS from anywhere
├─ Block everything else
    ↓
Internal Network

Types of Firewalls:

  1. Packet Filter — Inspects headers (simple, fast)
  2. Stateful — Tracks connections (smarter, default)
  3. Application Gateway — Understands protocols (deep inspection)
  4. Next-Gen — Includes IDS/IPS, DPI, malware detection

How Firewalls Work

Packet Inspection:

Incoming packet arrives
    ↓
Extract headers:
  - Source IP
  - Destination IP
  - Source Port
  - Destination Port
  - Protocol (TCP/UDP)
    ↓
Check rules:
  IF source=10.0.0.0/8 AND port=22 AND proto=TCP
    THEN allow
  ELSE deny
    ↓
Allow: Packet reaches destination
Deny: Packet dropped

Firewall Rules

Basic Rule Structure:

Rule ID  Protocol  Source  Source Port  Dest  Dest Port  Action
1        TCP       ANY     ANY          THIS  22         ALLOW
2        TCP       ANY     ANY          THIS  443        ALLOW
3        TCP       ANY     ANY          THIS  80         ALLOW
4        ANY       ANY     ANY          ANY   ANY        DENY

Default Policy:

  • Default ALLOW (blocklist model):

    • Allow everything except what is explicitly blocked
    • More open, less secure
  • Default DENY (allowlist model):

    • Block everything except what is explicitly allowed
    • More secure, more restrictive

Firewall Directions

Ingress (Incoming):

Traffic entering your network

  • Rule: Allow port 443 (HTTPS)
  • Rule: Block port 25 (SMTP from internet)

Egress (Outgoing):

Traffic leaving your network

  • Rule: Allow DNS to 8.8.8.8:53
  • Rule: Block peer-to-peer protocols
  • Rule: Prevent data exfiltration

Stateful Firewalls

Stateless (simple):

Request: 203.0.113.50:54321 → 192.168.1.100:80
Response: 192.168.1.100:80 → 203.0.113.50:54321

A stateless filter would need a separate explicit rule to let the response back through!

Stateful (smart):

Request: 203.0.113.50:54321 → 192.168.1.100:80
Firewall remembers: HTTP response allowed from :80 to :54321
Response: Automatically allowed! ✓

No need for explicit response rule

Connection States:

  • NEW: New connection initiating
  • ESTABLISHED: Active conversation
  • RELATED: Connected to established (e.g., FTP data channel)
  • INVALID: Doesn't match any state
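To see the rule table, the default policy and the stateless-vs-stateful difference run end to end, here is a small packet-filter simulator. It is an added illustration, not code from the lesson: the Packet/Rule types, the RULES list (built from the rule table above) and the constructed sample packets are all assumptions made for the example. The stateful filter keeps a connection table so that the HTTP response above is classified ESTABLISHED and passes without its own rule, while a stray mid-stream TCP segment that belongs to no known flow is classified INVALID and dropped.

```python
"""Packet-filter simulator for the rule table and the stateless-vs-stateful
comparison above. This is an added illustration, not code from the lesson;
the packets and rules below are constructed sample input."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True for the first packet of a TCP flow


@dataclass
class Rule:
    action: str                   # "ALLOW" or "DENY"
    proto: str = "any"
    src: str = "any"              # CIDR or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# The lesson's rule table: SSH, HTTPS and HTTP allowed; everything else
# falls through to the default policy (rule 4).
RULES = [
    Rule("ALLOW", "tcp", "any", 22),
    Rule("ALLOW", "tcp", "any", 443),
    Rule("ALLOW", "tcp", "any", 80),
]


def stateless_decision(p: Packet, rules, default="DENY") -> str:
    """First matching rule wins; with no match the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """A connection table lets replies to allowed flows through as
    ESTABLISHED without an explicit rule; a TCP segment that is not a
    flow start and belongs to no known flow is classified INVALID."""

    def __init__(self, rules, default="DENY"):
        self.rules, self.default = rules, default
        self.table = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p: Packet) -> str:
        if self._key(p) in self.table or self._reverse(p) in self.table:
            return "ESTABLISHED"
        if p.proto == "tcp" and not p.syn:
            return "INVALID"
        return "NEW"

    def decide(self, p: Packet):
        st = self.state(p)
        if st == "ESTABLISHED":
            return st, "ALLOW"
        if st == "INVALID":
            return st, "DENY"
        verdict = stateless_decision(p, self.rules, self.default)
        if verdict == "ALLOW":
            self.table.add(self._key(p))     # remember the flow for its replies
        return st, verdict


def demo() -> dict:
    """Replay the lesson's request/response pair plus two constructed packets."""
    req = Packet("tcp", "203.0.113.50", 54321, "192.168.1.100", 80)
    resp = Packet("tcp", "192.168.1.100", 80, "203.0.113.50", 54321, syn=False)
    telnet = Packet("tcp", "203.0.113.50", 40000, "192.168.1.100", 23)
    stray = Packet("tcp", "198.51.100.9", 1234, "192.168.1.100", 80, syn=False)
    fw = StatefulFilter(RULES)
    return {
        "stateless_request": stateless_decision(req, RULES),     # ALLOW
        "stateless_response": stateless_decision(resp, RULES),   # DENY: no rule for :80 -> :54321
        "stateful_request": fw.decide(req),                       # ('NEW', 'ALLOW')
        "stateful_response": fw.decide(resp),                     # ('ESTABLISHED', 'ALLOW')
        "stray_ack": fw.decide(stray),                            # ('INVALID', 'DENY')
        "telnet_default_deny": stateless_decision(telnet, RULES, "DENY"),    # DENY
        "telnet_default_allow": stateless_decision(telnet, RULES, "ALLOW"),  # ALLOW
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The telnet packet shows why the default policy matters: with the same three allow rules, default ALLOW lets port 23 through and default DENY drops it. Real conntrack also tracks TCP handshake progress and UDP/ICMP pseudo-connections with timeouts; this model only keeps the 5-tuple.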

Linux Firewall: UFW

UFW (Uncomplicated Firewall) — Easy wrapper around iptables:

# Enable firewall
sudo ufw enable
 
# Check status
sudo ufw status
 
# Allow SSH (important! don't lock yourself out)
sudo ufw allow 22/tcp
 
# Allow HTTPS
sudo ufw allow 443/tcp
 
# Allow HTTP
sudo ufw allow 80/tcp
 
# Deny a port
sudo ufw deny 23/tcp  # Block telnet
 
# Allow from specific IP
sudo ufw allow from 192.168.1.100 to any port 22
 
# Delete a rule
sudo ufw delete allow 80/tcp
 
# Reset firewall
sudo ufw reset

View all rules:

sudo ufw show added
 
# Output:
# ufw allow 22/tcp
# ufw allow 80/tcp
# ufw allow 443/tcp

Linux Firewall: iptables

iptables — Lower-level firewall control:

# Allow incoming SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Drop all other incoming
sudo iptables -A INPUT -j DROP
 
# Allow all outgoing
sudo iptables -A OUTPUT -j ACCEPT
 
# List all rules
sudo iptables -L -v
 
# Clear all rules
sudo iptables -F
 
# Save rules (persist across reboot). A plain ">" redirect runs as your
# user, not root, so write the file through sudo tee instead.
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6

Example: Web Server Setup

# Flush existing
sudo iptables -F
 
# Default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
 
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
 
# Allow established
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# Allow HTTP
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
# Allow HTTPS
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
# Everything else dropped (already set as policy)
 
# Apply
sudo iptables-save | sudo tee /etc/iptables/rules.v4
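A ruleset like the one above is easy to get subtly wrong (a forgotten loopback rule, a missing DROP policy, SSH open to the whole internet). The following script is an added example, not code from the lesson, that parses an iptables-save dump and checks it against the practices this lesson teaches: default deny on INPUT and FORWARD, loopback and ESTABLISHED,RELATED rules present, and SSH restricted to a source. Both dumps are constructed samples: WEB_SERVER_DUMP mirrors the web server setup above, MINIMAL_DUMP mirrors the shorter ruleset from the iptables section (which relies on a trailing unconditional DROP instead of a DROP policy).

```python
"""Audit an iptables-save dump against the lesson's practices: default deny on
INPUT/FORWARD, loopback and ESTABLISHED,RELATED rules present, and SSH not
accepted from every source. Added example, not code from the lesson; both
dumps below are constructed (the first mirrors the web server setup)."""
import shlex

WEB_SERVER_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample of the shorter ruleset from the iptables section.
MINIMAL_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
COMMIT
"""

# Match options that take one argument; "-m <module>" is skipped, not a match.
MATCH_OPTS = {"-p", "-s", "-d", "-i", "-o", "--dport", "--sport", "--state", "--ctstate"}


def parse_dump(text):
    """Return ({chain: policy}, [rule dicts]) for the filter table."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"chain": toks[1], "matches": {}, "target": None}
            i = 2
            while i < len(toks):
                if toks[i] in MATCH_OPTS:
                    rule["matches"][toks[i]] = toks[i + 1]
                    i += 2
                elif toks[i] == "-j":
                    rule["target"] = toks[i + 1]
                    i += 2
                elif toks[i] == "-m":
                    i += 2
                else:
                    i += 1
            rules.append(rule)
    return policies, rules


def effective_default(chain, policies, rules):
    """The chain policy, unless the chain ends with an unconditional DROP/REJECT."""
    chain_rules = [r for r in rules if r["chain"] == chain]
    if (chain_rules and not chain_rules[-1]["matches"]
            and chain_rules[-1]["target"] in ("DROP", "REJECT")):
        return chain_rules[-1]["target"]
    return policies.get(chain, "ACCEPT")


def audit(text):
    """Return (findings, rows); rows are (port, protocol, source) for every
    accepted destination port, i.e. the start of a rule documentation table."""
    policies, rules = parse_dump(text)
    findings, rows = [], []
    for chain in ("INPUT", "FORWARD"):
        if effective_default(chain, policies, rules) not in ("DROP", "REJECT"):
            findings.append(f"{chain}: no default deny (effective policy ACCEPT)")
    accepts = [r for r in rules if r["chain"] == "INPUT" and r["target"] == "ACCEPT"]
    if not any(r["matches"].get("-i") == "lo" for r in accepts):
        findings.append("INPUT: loopback (-i lo) not allowed; local services may break")
    states = [r["matches"].get("--state") or r["matches"].get("--ctstate") or "" for r in accepts]
    if not any("ESTABLISHED" in s for s in states):
        findings.append("INPUT: no ESTABLISHED,RELATED rule; replies need explicit rules")
    for r in accepts:
        port = r["matches"].get("--dport")
        if port is None:
            continue
        src = r["matches"].get("-s", "0.0.0.0/0")
        rows.append((port, r["matches"].get("-p", "any"), src))
        if port == "22" and src == "0.0.0.0/0":
            findings.append("INPUT: SSH (22) accepted from any source; restrict with -s <trusted CIDR>")
    return findings, rows


if __name__ == "__main__":
    for name, dump in (("web server", WEB_SERVER_DUMP), ("minimal", MINIMAL_DUMP)):
        findings, rows = audit(dump)
        print(name, "open ports:", rows)
        for f in findings:
            print("  !", f)
```

On a real host, feed it `sudo iptables-save | python3 audit.py` style input (reading stdin instead of the constants). The parser handles the common single-argument options only; negated matches (`!`) and multiport lists would need extra handling.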

Network Segmentation

Segment your network by trust level:

Internet
    ↓
[Firewall 1]
    ↓
DMZ (Semi-public)
├─ Web servers (port 80/443 allowed in)
├─ API servers (port 8080 allowed in)
├─ No admin tools
    ↓
[Firewall 2]
    ↓
Internal Network
├─ Database servers
├─ Admin tools
├─ Restricted to internal IPs only
    ↓
[Firewall 3]
    ↓
Management Network
├─ SSH administration
├─ Monitoring
├─ Highly restricted

Rules per segment:

DMZ inbound:
Allow HTTP/HTTPS from anywhere
Allow SSH from admin IPs only
Deny database connections from outside

Internal inbound:
Allow from DMZ for database queries
Deny from internet
Allow database replication

Management inbound:
Allow SSH from specific IPs
Allow SNMP monitoring
Deny everything else

Kubernetes Network Policies

Kubernetes Network Policy = Firewall rules for pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: api
    ports:
    - protocol: TCP
      port: 5432  # Postgres

This policy says:

  • Pods labeled tier: database can receive traffic
  • Only from pods labeled tier: api
  • Only on port 5432
  • All other traffic to database pods is blocked
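The "all other traffic is blocked" bullet follows from how NetworkPolicy isolation works: a pod selected by at least one policy accepts only traffic that some rule permits, while a pod selected by no policy accepts everything. The evaluator below models exactly that for the policy above, plus a constructed default-deny-ingress policy (empty podSelector, no ingress rules). It is an added example, not the lesson's or Kubernetes' own code, and is deliberately simplified: one namespace, podSelector peers only, and explicit TCP ports (no namespaceSelector, ipBlock or port ranges).

```python
"""Model the ingress semantics the policy above relies on: a pod selected by
any NetworkPolicy accepts only traffic some rule permits; an unselected pod
accepts everything. Added example (not the lesson's or Kubernetes' own code);
simplified to one namespace, podSelector peers and explicit ports."""

# The lesson's policy, as the dict the YAML above would load into.
ALLOW_API_TO_DB = {
    "metadata": {"name": "allow-api-to-db"},
    "spec": {
        "podSelector": {"matchLabels": {"tier": "database"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"tier": "api"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }],
    },
}

# Constructed companion policy: selects every pod and permits no ingress,
# so pods without a more specific policy become isolated too.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def selects(selector, labels):
    """matchLabels: every key/value must be present on the pod;
    an empty selector selects all pods."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src_labels, dst_labels, protocol, port):
    """True if traffic from a pod with src_labels to a pod with dst_labels
    on protocol/port is permitted by the given policies."""
    applicable = [p for p in policies
                  if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and selects(p["spec"]["podSelector"], dst_labels)]
    if not applicable:
        return True                     # destination not isolated by any policy
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")    # absent 'from' means any source
            peer_ok = peers is None or any(
                selects(peer["podSelector"], src_labels)
                for peer in peers if "podSelector" in peer)
            ports = rule.get("ports")   # absent 'ports' means any port
            port_ok = ports is None or any(
                pp.get("protocol", "TCP") == protocol and pp.get("port") == port
                for pp in ports)
            if peer_ok and port_ok:
                return True             # rules are additive: one match suffices
    return False


API, WEB, DB = {"tier": "api"}, {"tier": "web"}, {"tier": "database"}


def demo():
    only_db = [ALLOW_API_TO_DB]
    both = [ALLOW_API_TO_DB, DEFAULT_DENY_INGRESS]
    return {
        "api->db:5432": ingress_allowed(only_db, API, DB, "TCP", 5432),                      # True
        "web->db:5432": ingress_allowed(only_db, WEB, DB, "TCP", 5432),                      # False
        "api->db:5433": ingress_allowed(only_db, API, DB, "TCP", 5433),                      # False
        "api->web:80 (no policy selects web)": ingress_allowed(only_db, API, WEB, "TCP", 80),  # True
        "api->web:80 (with default deny)": ingress_allowed(both, API, WEB, "TCP", 80),        # False
        "api->db:5432 (with default deny)": ingress_allowed(both, API, DB, "TCP", 5432),      # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:40} {'allowed' if v else 'blocked'}")
```

The last two results are the practical point: the allow-api-to-db policy alone protects the database pods but leaves the web pods wide open, because nothing selects them. A default-deny policy in the namespace closes that gap, and the specific allow still works because rules from all applicable policies are combined additively.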

Firewall Best Practices

1. Default Deny, Explicit Allow

✓ Block everything by default
✓ Only allow necessary ports/IPs
✗ Don't allow everything by default

2. Document Rules

Port  Protocol  Source       Purpose
22    SSH       10.0.0.0/8   Admin access
80    HTTP      0.0.0.0/0    Public web
443   HTTPS     0.0.0.0/0    Secure web
5432  TCP       10.1.0.0/24  DB access

3. Separate Environments

✓ Development ← Firewall A
✓ Staging ← Firewall B
✓ Production ← Firewall C
→ Reduces blast radius

4. Restrict SSH Access

# Allow SSH only from office
ufw allow from 203.0.113.0/24 to any port 22
 
# Better: SSH bastion host (only the bastion accepts SSH from the office)
Office → Bastion (port 22) → Internal (port 22)

5. Monitor Firewall Activity

# Watch dropped packets
sudo iptables -n -v -x -L | grep DROP
 
# UFW logs
sudo tail -f /var/log/ufw.log
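Reading /var/log/ufw.log by eye only works for a handful of lines. The script below is an added example, not code from the lesson, that summarizes [UFW BLOCK] entries: it counts blocked (source, destination port) pairs and flags any source that was blocked on many distinct ports, which is the typical shape of a port sweep. The log lines are constructed in the field layout ufw writes through the kernel log (SRC=, DST=, PROTO=, DPT= and so on), trimmed to the fields the parser uses; the scan_threshold value is an assumption to tune for your environment. UFW only writes these lines once logging is enabled (`sudo ufw logging on`).

```python
"""Summarize [UFW BLOCK] entries from /var/log/ufw.log: count blocked
(source, destination port) pairs and flag sources probing many ports.
Added example, not from the lesson; the log lines are constructed in the
key=value layout ufw emits via the kernel log (only the fields used are kept)."""
import re
from collections import Counter, defaultdict

UFW_RE = re.compile(r"\[UFW (?P<action>BLOCK|ALLOW|AUDIT)\] (?P<fields>.*)")


def _line(action, src, dpt, proto="TCP"):
    """Build one constructed log line in ufw's kernel-log format."""
    return (f"Jan 10 12:00:01 web1 kernel: [1001.0] [UFW {action}] IN=eth0 OUT= "
            f"SRC={src} DST=192.168.1.100 LEN=60 TTL=54 PROTO={proto} "
            f"SPT=40000 DPT={dpt} WINDOW=65535 SYN URGP=0")


# Constructed sample: one source touching six ports, another hitting telnet
# twice, one allowed HTTPS connection and one unrelated kernel message.
SAMPLE_LOG = "\n".join(
    [_line("BLOCK", "203.0.113.50", p) for p in (21, 22, 23, 25, 110, 3389)]
    + [_line("BLOCK", "198.51.100.7", 23), _line("BLOCK", "198.51.100.7", 23)]
    + [_line("ALLOW", "192.0.2.10", 443)]
    + ["Jan 10 12:00:02 web1 kernel: [1002.0] eth0: link is up"]
)


def parse_ufw_line(line):
    """Return the action and the SRC/DST/PROTO/DPT fields, or None if the
    line is not a ufw entry. Bare flags such as DF or SYN carry no '=' and
    are skipped."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"action": m.group("action"), "src": fields.get("SRC"),
            "dst": fields.get("DST"), "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT")}


def summarize(log_text, scan_threshold=5):
    """Count blocks per (source, port) and list sources blocked on at least
    scan_threshold distinct ports."""
    blocked = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev is None or ev["action"] != "BLOCK":
            continue
        blocked[(ev["src"], ev["dpt"])] += 1
        ports_by_src[ev["src"]].add(ev["dpt"])
    probing = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"total_blocked": sum(blocked.values()),
            "top_blocked": blocked.most_common(3),
            "probing_sources": probing}


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for k, v in summarize(text).items():
        print(f"{k}: {v}")
```

Run it as `sudo cat /var/log/ufw.log | python3 ufw_summary.py` to analyse the real file; without stdin it falls back to the constructed sample. A source blocked on many ports is a signal to investigate, not proof of an attack; legitimate scanners and misconfigured monitoring produce the same shape.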

Troubleshooting Connectivity

"Can't connect to service"

1. Check firewall is running
   sudo ufw status

2. Check rule exists
   sudo ufw show added | grep <port>

3. Verify the service is listening on the expected port
   ss -tlnp | grep <port>

4. Test connection
   telnet <host> <port>

"Firewall too restrictive"

1. Check dropped packets
   sudo iptables -n -v -L | grep DROP

2. Add rule for legitimate traffic
   sudo ufw allow from 10.0.0.5 to any port 8080

3. Test again

Key Concepts

  • Firewall = Filters network traffic based on rules
  • Packet Filtering = Examines headers
  • Stateful = Remembers connection state
  • Ingress = Incoming traffic
  • Egress = Outgoing traffic
  • DMZ = De-militarized zone for public services
  • Default Deny = Block everything except allowed
  • Segmentation = Separate networks by trust level
  • Network Policy = Kubernetes firewall rules
  • Always restrict SSH to trusted IPs