Linux
Firewalls (nftables & firewalld)
41 flashcards · answers and review in the app — launching soon
On a fresh openSUSE install the firewall is already blocking almost all outgoing traffic, and the built-in YaST firewall module is missing your Ethernet interface. What is the recommended way to fix rules?
You want to run a custom service on port 900 versus port 2000. Why does one of those choices require root and the other does not?
Where does a Linux system map friendly names like ssh, http, and https to their numeric IP port numbers?
A colleague says every IP service confirms receipt of packets. Which common protocols contradict that, and why does it matter for firewall rules?
You want a quick list of which ports your local machine is actually listening on, including the owning process. Which netstat invocation gives that?
You need to find which process is holding a specific network port, say port 22. Which command targets that directly?
From an outside host you want to discover which services and OS a server is exposing. Which tool and flags do that, and what does each flag add?
Against which servers is it legally and ethically safe to run an nmap port scan, and why does the target matter?
Beyond adding a firewall, what layered measures actually harden the network services running on a Linux host?
Which two files does the TCP wrapper library use to control host-based access, and which one wins when both could apply?
A host is listed in neither hosts.allow nor hosts.deny. Many admins assume that means blocked — what actually happens, and how do you build a secure setup?
You edited hosts.allow but the rules seem ignored for a given daemon. How do you verify that daemon even uses the TCP wrapper library?
In a typical Apache setup one process runs as root while the rest run as www-data. Why the split?
What does chroot rootdir command achieve for a network service, and what extra condition is required for it to actually contain the process?
In this book's usage, what specifically does the term firewall refer to?
A home user asks whether a local Linux firewall is really necessary behind their router. When does the router's protection stop being enough?
How does nftables relate to the older netfilter/iptables system, and roughly when did it take over as default?
You're writing a firewall by hand today. Why is reaching for the familiar iptables command the wrong move?
Predefined graphical firewall tools are marketed as convenient. What is the recurring downside, and how does it typically backfire for beginners?
What is FirewallD's headline advantage over the older static packet-filter approach?
What is a zone in FirewallD, and how does it relate to network interfaces?
Both the FirewallD drop and block zones refuse all traffic. What is the practical difference between them?
You ran firewall-cmd to open a port, it worked, but after a reboot the rule is gone. What did you miss?
With firewall-cmd, how do you open a service or port in a zone, and how do you inspect what's currently allowed?
What firewall front-end ships with Ubuntu, what is it built on, and what happens the moment you enable it with its default policy?
You install Apache and run ufw app list — the Apache profile appears. What state is that profile actually in for firewall purposes?
In nftables terminology, how do rules, chains, and tables nest — and how does this differ from iptables?
Which nftables protocol family do you choose when a single rule set should apply to both IPv4 and IPv6, and what are the alternatives?
nftables chains attach to kernel hooks rather than fixed built-in chains. Which hooks are available, in packet-flow order?
The old netfilter world had separate iptables, arptables, and ebtables commands. What changed under nftables, and does it use a different kernel mechanism?
How do you dump the entire nftables ruleset, save it, and later restore it verbatim?
An nft chain has two chains attached to the same hook with priority values 0 and 10. Which runs first?
What are the three ways to feed rules to nft, and what makes a rule file self-executing?
Beyond accept and drop, what other actions can an nft rule take, and which of them still lets later rules run?
Which nft match keywords select packets by port versus by IP address, and how do you express a range or a negation?
What does ct state match in an nftables rule, and which states can you test?
You harden an IPv6 server by dropping all ICMP the way you would on IPv4. Why does that break things?
You add limit rate 5/minute accept for pings, expecting extra pings to be blocked. Why might a sustained ping still get through?
What is the standard skeleton of an nft input filter that protects a simple web server?
In an nft filter chain, what is the default policy if you don't set one, and how do you make the chain deny-by-default?
You're testing a new firewall over SSH on a remote server. What's the safe way to avoid permanently locking yourself out?