A firewall is a filter that decides which network traffic may pass in or out of a machine, based on rules you set: which ports are open, to whom, and in which direction. It is the first line of defence for any server exposed to a network, and the safe posture is to deny everything by default and open only what a service genuinely needs.
At a glance
What it is: a rule-based filter for inbound and outbound network traffic.
Why it matters: it limits what the outside can even attempt to reach.
Sane default: deny everything, then open only the ports you actually serve.
What it is not: a substitute for keeping the services behind it secure.
Stack
Default-deny, then open what you serve
Everything is blocked unless a rule allows it. The green band is the small set of ports you deliberately opened; the rest of the surface stays closed and quiet.
1. Blocked by default: every port and protocol you did not explicitly allow
2. Allowed, the ports you serve: a short, deliberate list, nothing more
3. Logged and watched: what gets denied, so you can see who knocked
What does a firewall actually do?
A firewall is the bouncer at the door of a machine. Network traffic arrives,
wanting in, and the firewall checks it against a list of rules: this port is
open to anyone, that one only to a private network, everything else is turned
away. It does the same for traffic going out, if you ask it to. The point is
control over the attack surface: the parts of your machine the outside world is
even allowed to knock on.
On the open internet, that surface is under constant, automated probing. Bots
scan every address looking for an open port to exploit. A firewall makes most of
that noise hit a closed door and stop there.
Why default-deny?
The safe way to run a firewall is to start by blocking everything, then open
only the specific ports a service genuinely needs. This is “default-deny”, and
it inverts the dangerous habit of leaving things open and hoping nobody finds
them. With default-deny, a service you forgot to lock down is closed, not
exposed; the mistake fails safe.
A firewall is necessary, not sufficient. An open port still leads to a service,
and that service has to be secure on its own: patched, authenticated, behind TLS
where it belongs. The firewall decides who may knock. It does not decide whether
the thing behind the door is sound. Pair it with a private network for anything
that does not truly need to face the public internet, and the door most attackers
reach is one you never opened.
Check it yourself
sudo ufw status verbose
If you use the Uncomplicated Firewall (ufw), this shows whether the firewall is active, what the default policies are, and which ports are open. An empty or "Status: inactive" result means nothing is filtering yet.
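As an added example (not part of the original page), the default-deny procedure above and the "check it yourself" step, written as one POSIX shell script for ufw: ufw_plan prints the command sequence that blocks everything, opens the admin port only to a private network, opens the served ports, and turns on logging of denied traffic before enabling; audit_ufw_status reads ufw status verbose output and reports any rule open to the whole internet that is not in the served list. ADMIN_NET, SERVED_PORTS and the sample status dump are assumptions constructed for the example; set the first two to what the host actually serves.

```shell
#!/bin/sh
# Added example, not from the original page: build a default-deny ufw ruleset
# and audit `ufw status verbose` output against the ports you meant to serve.
# ADMIN_NET and SERVED_PORTS are assumptions; set them to what the host serves.

ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"            # assumed private network that may reach SSH
SERVED_PORTS="${SERVED_PORTS:-80/tcp 443/tcp}"   # assumed public services, nothing more

# Print the command sequence for a default-deny posture. Order matters: the
# admin rule is added before `enable` so an existing SSH session is not cut off.
ufw_plan() {
    printf '%s\n' \
        "ufw --force reset" \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow from $ADMIN_NET to any port 22 proto tcp"
    for p in $SERVED_PORTS; do
        printf 'ufw allow %s\n' "$p"
    done
    printf '%s\n' "ufw logging low" "ufw --force enable"
}

# Read `ufw status verbose` output from stdin; print one FINDING per problem
# and return 1 if there were any, 0 if the posture matches the allowlist above.
audit_ufw_status() {
    status=$(cat)
    rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "FINDING: firewall is not active"; rc=1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "FINDING: default incoming policy is not deny"; rc=1; }
    printf '%s\n' "$status" | grep -q '^Logging: on' \
        || { echo "FINDING: denied traffic is not being logged"; rc=1; }
    # Every rule open to Anywhere (v4 or v6) must name a port we deliberately serve.
    public=$(printf '%s\n' "$status" | awk '/ALLOW IN +Anywhere/ {print $1}' | sort -u)
    for port in $public; do
        case " $SERVED_PORTS " in
            *" $port "*) ;;
            *) echo "FINDING: $port is open to the world but not in SERVED_PORTS"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `ufw status verbose` output (not captured from a real
# host): the 8080/tcp rule is the kind an "open it for now" leaves behind.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.0.0.0/8
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Without APPLY=1 the script only prints the plan and audits the sample.
# APPLY=1, run as root on a host with ufw installed, executes the plan instead.
if [ "${APPLY:-0}" = "1" ]; then
    ufw_plan | sh -e
else
    ufw_plan
    printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status || echo "audit: posture does not match"
fi
```

On a real host, pipe the live output into the audit with `sudo ufw status verbose | sh -c '. ./firewall.sh >/dev/null; audit_ufw_status'` (after saving the block as firewall.sh), or copy the function into your own check. The audit deliberately treats "open to Anywhere" as the only thing that needs justification: the rule restricted to ADMIN_NET is the private-network door the text recommends, and anything else reachable from the internet must be on the served list or it is a finding.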
A firewall handles
Which ports are reachable, and from where
Blocking the entire surface you never meant to expose
Cutting the noise of internet-wide port scanning
Separating a private network from the public one
A firewall does not handle
Bugs in the service that is listening on an open port
Encrypting traffic; that is TLS, a different layer
Authenticating users; an open port still needs its own login
Routing requests to a backend; that is a reverse proxy