You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.
There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.
Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.
(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)
Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/
#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking
Larvitz :fedora: :redhat:
npub1fj…jaq90
2026-03-14 10:08:46 UTC
Author Public Key
npub1fj6u59lnses9xu6xa6ewugrfg2e639lg32r24383525xq3deyuaspjaq90Seen on
wss://relay.momostr.pinkPublished at
2026-03-14 10:08:46 UTCEvent JSON
{
"id": "c0b6018b9236f63b382cdfb6a26cd47db7b83a1c908eb7fc535843b706c10b15",
"pubkey": "4cb5ca17f38660537346eeb2ee206942b3a897e88a86aac4f1a2a86045b9273b",
"created_at": 1773482926,
"kind": 1,
"tags": [
[
"t",
"netfilter"
],
[
"t",
"security"
],
[
"t",
"linux"
],
[
"t",
"sysadmin"
],
[
"t",
"networking"
],
[
"t",
"docker"
],
[
"t",
"devops"
],
[
"proxy",
"https://burningboard.net/@Larvitz/116226977046684691",
"web"
],
[
"proxy",
"https://burningboard.net/users/Larvitz/statuses/116226977046684691",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://burningboard.net/users/Larvitz/statuses/116226977046684691",
"pink.momostr"
],
[
"-"
]
],
"content": "You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.\n\nThere are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.\n\nAlso includes a deep dive into the \"Docker Trap\" (why Docker silently bypasses your default-deny rules) and how to fix it.\n\n(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)\n\nRead it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/\n\n#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking",
"sig": "abee093454e2f5d2a801b6362438309cd170c596fb64c956a716be8bbeaeceda0dc389477facbf7ceef26496aa2931840d8761f3016947a041f6593d06c3b414"
}