Asking opinion - UFW vs Firewalld vs Opensnitch

Hey, I have recently switched to Linux from Windows and am completely confused about firewalls.

Firewalld - Very complex for beginners (especially for me because I am a noob!)

UFW - Used on Ubuntu. Not sure if it works well on Fedora and is as effective as firewalld.

Opensnitch - It also provides application blocking. But in the newer version, you can also edit the system firewall settings (nftables). I am considering this option because it is easy to use (GUI).

What do you guys say?

Hi and welcome, there is a gui for firewalld “manafirewall”, you may give it a try.

1 Like

Yeah, but it is not being actively developed, and it is as complex as the GUI of the official Firewalld.

Also, is there any documentation, resource, or video to understand firewalld completely in simple language?

The official firewalld documentation goes right over my head.

In my personal experience firewalld is handy and effective.
The entry hurdle is a bit high, but this whole topic is not the easiest.
If you look for better or different documentation, you can have a look e.g. here; it may explain it a bit better:

This of course depends on your needs.
Basically Fedora brings along a pre-configured FirewallD and SELinux.
This usually should be in a good and safe condition.

Fedora Workstation and Server have different default settings.
The Workstation setup tends to be a bit more open/versatile.

1 Like

Thank you!

What do you think about opensnitch?

I prefer firewalld for simple port opening, but recall ufw needing custom profiles.

I stick with UFW on Ubuntu and firewalld on Fedora and openSUSE; basically whatever the distro comes with that isn’t direct nftables.

Examples of nftables always looked confusing so I never used it :stuck_out_tongue: I’m not sure what this all does for nftables, but firewalld is simple, like:

# runtime only: active immediately, but lost on reload/reboot
firewall-cmd --add-service='https'
# permanent only: survives reboot, but not active until `firewall-cmd --reload`
firewall-cmd --add-port='20/tcp' --permanent

Or a custom UFW rule like:

[transmission-custom]
title=transmission-custom
description=Transmission
ports=51413,9091/tcp|51413/udp

1 Like

Thank you!

There is another GUI for Firewalld, called “firewall-config”, might be better than “manafirewall”.

dnf install firewall-config

1 Like

Neither!

Only iptables (or nftables)!

Iptables gives you the most control and visibility over your firewall you’ll ever get.

Don’t waste time on ufw or firewalld, they are all built on top of iptables/nftables. So just learn the very few basics that you need to set up a stateful firewall with iptables, and you’ll be good to go.

Opensnitch, though, is a cool way to give yourself something that even iptables can’t give you easily - a GUI to manage blocks by IP per application.

1 Like

@john101
if you really want to control each app/executable then Opensnitch.
Be aware of dozens of requests during the setup, though it’s worth the effort.

1 Like

I am really considering using opensnitch since it is easy to use for me and provides application blocking as well as the ability to configure the system firewall.

Well, that’s true, nftables/iptables will give you the most control; however, this on the other hand will give you a lot of room for doing it wrong. That’s why these “front ends” have a purpose: protecting users from making mistakes that are very likely to be made. Even small mistakes tend to be fatal at times.

2 Likes

Trial by fire :stuck_out_tongue:

I agree with learning iptables/nftables initially in order to avoid getting used to specific front-ends. In my case ufw/firewalld were easier, so I didn’t need to figure out tables, and stuck to the more-simple tools for years. Any distro that doesn’t have one of those by default would either have me take the time to start learning tables, or to pull in extra dependencies for ufw/firewalld to manage the tables for me.

I’m not sure if firewall front-ends can be less-secure vs tables direct, but if UFW or firewalld had their own CVEs that didn’t apply to iptables/nftables, I’d go full-in on not recommending front-ends; security usually doesn’t go well with convenience :stuck_out_tongue:

See, the issue already comes up while we are talking about iptables.
iptables has been replaced by nftables long ago.
The tool to manage nftables is “nft”.
If you were used to iptables, you’ll have to relearn things.
Sure, there are tools to convert iptables rules to nftables, but it is easier to lose track with nft and its intertwined chains.

1 Like
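Two posts above ask for "the very few basics that you need to set up a stateful firewall" and point out that the tool is now nft rather than iptables. The script below is an added example written for this thread, not code posted by any participant: it generates the minimal drop-by-default, stateful host ruleset in nft syntax, checks it with `nft -c`, and loads it atomically. It assumes the nftables package is installed (it ships `nft`), that the only thing you want to expose is a list of TCP ports, and that nothing else (firewalld, ufw) is managing the ruleset at the same time.

```shell
#!/bin/sh
# Added example, not from the thread: the "few basics" of a stateful host
# firewall, written for nft (the tool that replaced iptables).
# Assumptions: the nftables package provides nft; the only input is the
# list of inbound TCP ports to allow; everything else inbound is dropped.

# Emit a complete nftables ruleset to stdout.
# $1 = space-separated TCP ports to allow inbound (may be empty).
stateful_ruleset() {
    tcp_rule=""
    if [ -n "$1" ]; then
        # "22 443" -> "22, 443" for an nft anonymous set
        ports=$(printf '%s' "$1" | tr ' ' ',' | sed 's/,/, /g')
        tcp_rule="        tcp dport { $ports } ct state new accept"
    fi
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
$tcp_rule
        limit rate 10/minute log prefix "nft-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check a ruleset without loading it (nft -c). Needs nft installed;
# some nft versions still want root even for a check.
check_ruleset() {
    tmp=$(mktemp) || return 1
    stateful_ruleset "$1" > "$tmp"
    nft -c -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Load the ruleset in one transaction: "flush ruleset" and the new table
# commit together, so there is no window with an empty firewall. Run as root.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    stateful_ruleset "$1" > "$tmp"
    nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (assumes this file is saved as stateful-nft.sh):
#   . ./stateful-nft.sh
#   stateful_ruleset "22 443"          # just look at it
#   check_ruleset "22 443"             # parse it, load nothing
#   sudo sh -c '. ./stateful-nft.sh; apply_ruleset "22 443"'
#   sudo nft list ruleset              # what the kernel actually has
# For a rule you only know in iptables syntax, iptables-translate prints
# the nft equivalent, e.g.:
#   iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
```

Two caveats before running `apply_ruleset` on a Fedora box: `flush ruleset` removes every table, including the ones firewalld created, so stop and disable firewalld first rather than running both; and the loaded ruleset is not persistent by itself, so save `nft -s list ruleset` into the file your distro's nftables.service loads (`/etc/sysconfig/nftables.conf` on Fedora/RHEL, `/etc/nftables.conf` on Debian) and enable that service. The `ct state established,related accept` line is what makes the firewall stateful: replies to connections you initiated come back in even though the input policy is drop, and `ct state invalid drop` throws away packets that belong to no known connection before they reach the port rules.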