Best Open Source Firewalls for Linux: Complete Comparison (2026)

Choosing the right firewall is one of the most important security decisions for any Linux server or network. Linux has an exceptionally strong ecosystem of open source firewalls, from simple host-based tools like UFW to enterprise-grade network firewalls like OPNsense. This guide compares every major option and helps you choose the right one for your needs.

Linux Firewall Architecture

Before comparing tools, it helps to understand the Linux firewall stack, since every tool below is a different way of programming the same kernel framework:

  • Netfilter - The kernel-level packet filtering framework (built into the Linux kernel)
  • iptables - The traditional userspace tool for configuring Netfilter rules
  • nftables - The modern replacement for iptables (since kernel 3.13)
  • UFW, firewalld, Shorewall - Higher-level frontends that make configuration easier

1. UFW (Uncomplicated Firewall)

Best for: Single servers, beginners, Ubuntu/Debian systems

  # Install and enable
  sudo apt install ufw
  sudo ufw enable

  # Basic rules
  sudo ufw allow 22/tcp           # Allow SSH
  sudo ufw allow 80/tcp           # Allow HTTP
  sudo ufw allow 443/tcp          # Allow HTTPS
  sudo ufw allow from 10.0.0.0/24 # Allow entire subnet

  # Deny and reject
  sudo ufw deny 3306/tcp          # Block MySQL from outside
  sudo ufw reject 25/tcp          # Reject SMTP: the sender is told the port is closed instead of a silent drop

  # Application profiles
  sudo ufw app list               # Available application profiles
  sudo ufw allow 'Nginx Full'     # Allow HTTP + HTTPS for Nginx
  sudo ufw allow 'OpenSSH'        # Allow SSH

  # Rate limiting (brute-force protection)
  sudo ufw limit ssh/tcp          # Deny an IP that opens 6 or more new connections within 30 seconds

  # Status and management
  sudo ufw status verbose         # Show all rules with details
  sudo ufw status numbered        # Show rules with numbers
  sudo ufw delete 3               # Delete rule number 3
  sudo ufw reset                  # Remove all rules
  sudo ufw disable                # Disable firewall

  # Logging
  sudo ufw logging on
  sudo ufw logging medium         # low/medium/high/full
  # Logs go to /var/log/ufw.log
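The logging commands above write one kernel-style line per decision to /var/log/ufw.log, and the value of that log is in reading it regularly. As an added example (not code from the article), the POSIX shell function below summarises the [UFW BLOCK] and [UFW LIMIT BLOCK] entries per source address together with the destination ports each source probed, optionally listing only sources above a minimum number of attempts. The log lines are constructed for the example with RFC 5737 test addresses, and the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example: per-source summary of blocked attempts in /var/log/ufw.log.
# Not code from the article; the function name is an assumption of this example.

# Constructed sample log lines in the format ufw writes (RFC 5737 test addresses).
SAMPLE_UFW_LOG='Jan 10 12:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 web1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:05 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# ufw_block_summary [MIN_ATTEMPTS]   (reads log lines on stdin)
# Prints "<attempts> <source-ip> <comma-separated destination ports>" per
# source, most attempts first. ALLOW and AUDIT lines are ignored.
ufw_block_summary() {
    min="${1:-1}"
    awk -v min="$min" '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            count[src]++
            # Record each destination port once per source, in first-seen order.
            if (!((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src] = (ports[src] == "" ? dpt : (ports[src] "," dpt))
            }
        }
        END {
            for (s in count)
                if (count[s] >= min) printf "%d %s %s\n", count[s], s, ports[s]
        }
    ' | sort -rn
}

# Run on the constructed sample: every source, then only repeat offenders.
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_summary
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_summary 2
```

On a real host the log is root-readable, so feed it in with `sudo cat /var/log/ufw.log | ufw_block_summary 10`; a source that hits many distinct ports in a short window is the port-scan pattern the firewall is silently absorbing, and is the kind of entry worth forwarding to central logging.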

2. firewalld

Best for: RHEL, CentOS, AlmaLinux, Fedora systems, dynamic environments

  # Install and enable
  sudo dnf install firewalld
  sudo systemctl enable --now firewalld

  # Zone-based architecture
  firewall-cmd --get-zones        # List all zones
  firewall-cmd --get-active-zones # Show active zones
  firewall-cmd --get-default-zone # Show default zone

  # Add services (persistent)
  sudo firewall-cmd --permanent --add-service=ssh
  sudo firewall-cmd --permanent --add-service=http
  sudo firewall-cmd --permanent --add-service=https
  sudo firewall-cmd --reload      # Apply permanent changes

  # Add custom ports
  sudo firewall-cmd --permanent --add-port=8080/tcp
  sudo firewall-cmd --permanent --add-port=3000-3100/tcp

  # Rich rules (advanced)
  sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" service name="mysql" accept'
  sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" accept'

  # Status
  firewall-cmd --list-all         # Show all rules for default zone
  firewall-cmd --list-services    # Show allowed services

  # Remove rules
  sudo firewall-cmd --permanent --remove-service=http
  sudo firewall-cmd --permanent --remove-port=8080/tcp
  sudo firewall-cmd --reload

3. nftables (Modern iptables Replacement)

Best for: Advanced users, new deployments, complex rulesets

  # Install
  sudo apt install nftables
  sudo systemctl enable --now nftables

  # Basic ruleset (the braces and semicolons must be quoted, otherwise the
  # shell treats ";" as a command separator and nft never sees the chain options)
  sudo nft add table inet filter
  sudo nft add chain inet filter input '{ type filter hook input priority 0 ; policy drop ; }'
  sudo nft add chain inet filter forward '{ type filter hook forward priority 0 ; policy drop ; }'
  sudo nft add chain inet filter output '{ type filter hook output priority 0 ; policy accept ; }'

  # Allow established connections
  sudo nft add rule inet filter input ct state established,related accept

  # Allow loopback
  sudo nft add rule inet filter input iif lo accept

  # Allow HTTP, HTTPS
  sudo nft add rule inet filter input tcp dport '{ 80, 443 }' accept

  # Allow ICMP (ping); in an inet table add "icmpv6 type echo-request accept" for IPv6 ping
  sudo nft add rule inet filter input icmp type echo-request accept

  # Allow SSH with rate limiting (brute-force protection). Rules match on the
  # first hit, so this must be the only accept for port 22: an unconditional
  # "tcp dport 22 accept" placed before it would make the limit dead code.
  # Attempts over the limit match nothing and fall through to the chain policy (drop).
  sudo nft add rule inet filter input tcp dport 22 ct state new limit rate 5/minute accept

  # List rules
  sudo nft list ruleset

  # Save rules. A plain "sudo nft list ruleset > file" fails because the
  # redirect runs as your user, not root. Put "flush ruleset" at the top of
  # the file before loading it with "nft -f", or each reload appends the rules again.
  sudo nft list ruleset | sudo tee /etc/nftables.conf > /dev/null
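The commands above build the ruleset one `nft add` at a time; the file that `nft -f` loads at boot (what /etc/nftables.conf is for) expresses the same policy declaratively, which is easier to review, version and reload. As an added example, not code from the article, the POSIX shell function below generates such a file from a list of TCP ports. The function name and parameters are assumptions of this example, and the invalid-state drop, ICMPv6 allow and rate-limited logging go beyond the article's rule list.

```shell
#!/bin/sh
# Added example: generate a declarative /etc/nftables.conf equivalent to the
# "nft add" commands in this section. Not code from the article; the function
# name and parameters are assumptions of this example.

# gen_nft_ruleset "PORTS" SSH_PORT
#   PORTS    space-separated TCP ports to expose, e.g. "22 80 443"
#   SSH_PORT the port whose new connections get a rate limit
gen_nft_ruleset() {
    ports="$1"
    ssh_port="$2"
    # Build the anonymous set body "22, 80, 443" from the port list.
    set_body=""
    for p in $ports; do
        set_body="${set_body:+$set_body, }$p"
    done
    cat <<EOF
#!/usr/sbin/nft -f
# Start from an empty ruleset so reloading this file never appends duplicates.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Packets belonging to connections already accepted.
        ct state established,related accept
        # Malformed or out-of-state packets go no further.
        ct state invalid drop
        # Loopback must always be allowed.
        iif "lo" accept
        # ICMP and ICMPv6 (ping, path MTU discovery, neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept
        # New SSH connections are rate limited. The explicit drop is needed
        # because the general accept below includes the SSH port and would
        # otherwise admit over-limit attempts.
        tcp dport ${ssh_port} ct state new limit rate 5/minute accept
        tcp dport ${ssh_port} ct state new drop
        # Services exposed by this host.
        tcp dport { ${set_body} } accept
        # Log what the policy is about to drop, rate limited so a flood
        # cannot fill the journal.
        limit rate 10/minute log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Print the ruleset for SSH, HTTP and HTTPS. On a host with nftables installed,
# syntax-check it before loading:  gen_nft_ruleset "22 80 443" 22 | sudo nft -c -f -
gen_nft_ruleset "22 80 443" 22
```

Write the output to /etc/nftables.conf with `sudo tee`, check it with `sudo nft -c -f /etc/nftables.conf`, then `sudo systemctl restart nftables`; because the file begins with `flush ruleset`, restarting is idempotent.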

4. iptables (Legacy but Still Widely Used)

Best for: Legacy systems, scripts, compatibility

  # Basic rules (order matters: iptables applies the first rule that matches)
  sudo iptables -A INPUT -i lo -j ACCEPT
  sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # "-m state --state" still works but is deprecated
  sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  sudo iptables -A INPUT -j DROP                  # Everything else is dropped

  # Save rules. "sudo iptables-save > file" fails because the redirect runs as
  # your user, not root; /etc/iptables/ is created by the iptables-persistent package.
  sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

  # Restore rules (iptables-restore accepts the file as an argument)
  sudo iptables-restore /etc/iptables/rules.v4

  # List rules with line numbers
  sudo iptables -L --line-numbers -n -v

5. OPNsense / pfSense (Network Firewalls)

Best for: Network perimeter, home lab, replacing commercial firewalls

  • OPNsense - Fork of pfSense with better security practices, weekly updates, modern UI, HardenedBSD base
  • pfSense - The original, massive community, extensive documentation, proven in production

Both provide: web GUI, VPN (OpenVPN, WireGuard, IPsec), IDS/IPS (Suricata), traffic shaping, DHCP, DNS, multi-WAN, VLAN support, and plugin ecosystems.

Comparison Table

  Firewall   | Difficulty | Best For                  | Distros
  -----------+------------+---------------------------+--------------------
  UFW        | Easy       | Single servers, beginners | Ubuntu, Debian
  firewalld  | Medium     | Enterprise, zone-based    | RHEL, Fedora, Alma
  nftables   | Advanced   | Complex rules, modern     | Any Linux
  iptables   | Advanced   | Legacy, scripting         | Any Linux
  OPNsense   | Medium     | Network firewall, GUI     | Dedicated appliance
  pfSense    | Medium     | Network firewall, GUI     | Dedicated appliance

Which Firewall Should You Use?

  • Single Ubuntu/Debian server? Use UFW - simple, effective, takes 2 minutes to set up
  • RHEL/AlmaLinux/Fedora server? Use firewalld - it is the default and well-integrated
  • Complex multi-server environment? Use nftables for maximum flexibility
  • Home lab or office network? Deploy OPNsense on dedicated hardware or VM
  • Legacy systems with existing scripts? Keep iptables but plan migration to nftables

Download our Linux Firewall Comparison Cheat Sheet for a printable side-by-side reference of all firewall tools with setup commands.

About the Author

Dorian Thorne

Dorian Thorne is a cloud infrastructure specialist and technical author focused on the design, deployment, and operation of scalable cloud-based systems.