Linux has more than one firewall management tool: firewalld and iptables, plus nftables; ufw (Uncomplicated Firewall) is a frontend for iptables. Firewalld and iptables are incompatible, and only one of them should be used. Neither firewalld nor iptables is installed by default on the Raspberry Pi OS.
Firewalld (firewall daemon) has replaced iptables on most distros. As you might have guessed from its name, firewalld is part of the systemd family. Firewalld is incompatible with iptables and should never be used together with it. To stop the iptables services:
systemctl mask iptables
systemctl mask ip6tables
systemctl mask ebtables
Well, that's what the Internet says. However, when I installed firewalld on my Raspberry Pi 4, it installed iptables. So maybe firewalld is just another frontend for iptables.
To install firewalld:
sudo apt update
sudo apt install firewalld
To get a list of all available firewall zones:
sudo firewall-cmd --get-zones
An interface can only be added to a single zone.
sudo firewall-cmd --zone=public --permanent --add-interface=eth0
sudo firewall-cmd --zone=public --permanent --add-interface=wlan0
sudo firewall-cmd --zone=public --permanent --remove-interface=wlan0
# Adding an interface to a zone makes it an active zone.
sudo firewall-cmd --zone=internal --add-source=192.168.0.1/24 --permanent
# Whitelist local computers.
# Adding a source to a zone makes it an active zone.
In addition to IP addresses, MAC addresses can be used for LAN sources. However, MAC addresses do not go past the router.
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --list-all-zones
By default, firewalld will prevent the Raspberry Pi OS from discovering any printers.
To enable the Raspberry Pi to discover printers, you have to whitelist the local network and add the Internet Printing Protocol (ipp) service. More precisely:
sudo firewall-cmd --zone=internal --add-source=192.168.0.1/24 --permanent
sudo firewall-cmd --zone=internal --add-service=ipp --permanent
To be able to access via Microsoft Windows, I had to enable the samba service:
sudo firewall-cmd --zone=internal --add-service=samba --permanent
In addition, I had to remove the printer and re-install it after enabling samba.
To disable firewalld:
sudo systemctl stop firewalld
sudo systemctl mask --now firewalld
In order to get VNC to work on local computers, you have to enable the service vnc-server:
sudo firewall-cmd --zone=internal --add-service=vnc-server --permanent
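The zone layout from the commands above, collected into one script as an added example (this is not code from the original notes). It assumes the LAN is 192.168.0.0/24 and the interfaces are eth0 and wlan0; edit LAN_NET and IFACES for your network. Running it with "preview" (or setting FIREWALL_CMD=echo) prints the firewall-cmd calls without applying them, and check_public_output reads "firewall-cmd --zone=public --list-all" output and fails if one of the LAN-only services has leaked into the Internet-facing zone.

```shell
#!/bin/sh
# Added example, not part of the original notes: the zone layout from the notes as one script.
# Assumptions (edit for your network): LAN is 192.168.0.0/24, interfaces are eth0 and wlan0.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # set FIREWALL_CMD=echo to preview without applying
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IFACES="eth0 wlan0"
LAN_SERVICES="ipp samba vnc-server"            # printer discovery, Windows shares, VNC: LAN only

fw() { "$FIREWALL_CMD" "$@"; }

configure_firewall() {
    # Interfaces go to "public", which by default allows little more than ssh and dhcpv6-client.
    # --change-interface moves an interface even if it is currently bound to another zone.
    for ifc in $IFACES; do
        fw --permanent --zone=public --change-interface="$ifc"
    done
    # A source binding wins over an interface binding: a packet from LAN_NET arriving on eth0
    # is handled by "internal", everything else arriving on eth0 by "public".
    fw --permanent --zone=internal --add-source="$LAN_NET"
    for svc in $LAN_SERVICES; do
        fw --permanent --zone=internal --add-service="$svc"
    done
    # --permanent only edits the saved configuration; --reload makes it the running one.
    fw --reload
}

# Read 'firewall-cmd --zone=public --list-all' output on stdin; fail if a LAN-only service
# leaked into the Internet-facing zone.
check_public_output() {
    services=$(awk '$1 == "services:" { $1 = ""; print }')
    for svc in $LAN_SERVICES; do
        case " $services " in
            *" $svc "*) echo "ERROR: $svc is exposed in zone public" >&2; return 1 ;;
        esac
    done
    echo "public zone OK:$services"
}

case "${1:-}" in
    apply)   configure_firewall; fw --get-active-zones; fw --zone=internal --list-all
             fw --zone=public --list-all | check_public_output ;;
    preview) FIREWALL_CMD=echo; configure_firewall ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Services are deliberately added only to "internal": a service added to "public" would be reachable from every host that can route to the Pi, not just the LAN.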
Reference: Wikipedia - Internet Printer Protocol
fail2ban is supported by firewalld: https://firewalld.org
Fail2ban monitors the log files for malicious activity and bans the offender. It adds a firewall rule and blocks the offending address for a certain period of time. It will stop brute force attacks. You need to have either "firewalld" or "iptables" set up before fail2ban is installed.
To install fail2ban:
sudo apt update
sudo apt install fail2ban
When fail2ban is installed it creates the directory /etc/fail2ban. Inside this directory is "jail.conf". This shows you how to set up jails, but do NOT modify it because it might get overwritten when fail2ban is updated. Instead create a new file "jail.local" in the same directory. Anything in "jail.local" will override what is in "jail.conf".
To create a jail for ssh, put the following in /etc/fail2ban/jail.local:
[DEFAULT]
# ban for 10 minutes
bantime = 600
# ban only (no e-mail notification)
action = %(action_)s
[sshd]
# the option is spelled "enabled"; "enable" is silently ignored and the jail never starts
enabled = true
maxretry = 3
To see a list of jails:
sudo fail2ban-client status
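To make the counting behind the sshd jail concrete, here is an added example (not part of the original notes) that reproduces it in a few lines of awk over constructed sshd log lines (no real hosts; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). find_offenders counts "Failed password" lines per source address and reports those that reached the jail's maxretry; ban_rule prints a firewalld rich rule of the kind a ban amounts to. The rule wording is an illustration, not the exact rule fail2ban's own action files generate, and the timestamp window (findtime) that fail2ban also applies is ignored here.

```shell
#!/bin/sh
# Added example, not part of the original notes: what fail2ban's sshd jail counts before it bans.
# Constructed sample lines in sshd's syslog format; the addresses are documentation ranges.
SAMPLE_AUTH_LOG='Mar  1 10:00:01 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  1 10:00:03 pi sshd[1202]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  1 10:00:05 pi sshd[1203]: Failed password for root from 203.0.113.10 port 51244 ssh2
Mar  1 10:00:09 pi sshd[1204]: Failed password for pi from 192.168.0.20 port 40000 ssh2
Mar  1 10:00:11 pi sshd[1205]: Accepted publickey for pi from 192.168.0.20 port 40002 ssh2
Mar  1 10:00:20 pi sshd[1206]: Failed password for invalid user test from 198.51.100.7 port 60001 ssh2
Mar  1 10:00:21 pi sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 60002 ssh2'

# find_offenders MAXRETRY: read log lines on stdin, print "<ip> <failures>" for every source
# that reached MAXRETRY failed logins, sorted by address. (fail2ban additionally requires the
# failures to fall inside its findtime window; timestamps are ignored here.)
find_offenders() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# ban_rule IP: a firewalld rich rule rejecting all traffic from IP (illustrative wording;
# fail2ban builds its real rules from its action.d files).
ban_rule() {
    printf "firewall-cmd --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" reject'\n" "$1"
}

# Usage: sh this_script.sh [maxretry]   (defaults to the jail.local value of 3)
main() {
    maxretry="${1:-3}"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | find_offenders "$maxretry" | while read -r ip count; do
        echo "$ip reached $count failed logins: would be banned for 600 s"
        ban_rule "$ip"
    done
}

main "$@"
```

With maxretry = 3 only 203.0.113.10 is reported; the LAN host with a single typo and the address with two failures stay below the threshold, which is the trade-off maxretry encodes: a lower value bans scanners sooner but also locks out legitimate users who mistype a password.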