Firewall Options and Management in Your Homelab
Homelab: Mastering the Network: Part 4 of 4
A firewall is a key piece of your homelab’s security puzzle. It decides what gets in, what stays out, and what moves within your network. Whether you’re running a simple home setup or a complex lab environment, understanding and managing firewalls helps keep your systems safe and running smoothly.
If you haven’t yet, check out our recent guide on routing basics — Routing Basics for Your Homelab: Static and Dynamic Routing Explained — for how routing works alongside firewalls in your network.
In this guide, we’ll explore firewall options you might use in your homelab, from dedicated network appliances to Linux host-based firewalls, and practical tips for managing them.
Network Firewall Appliances: pfSense and OPNsense
For many homelab enthusiasts, dedicated firewall appliances like pfSense and OPNsense offer a powerful, flexible way to secure and route network traffic. Both are open-source firewall/router platforms built on FreeBSD, packed with features suitable for home labs and professional environments.
- pfSense: popular, stable, with a rich feature set
- OPNsense: modern UI and additional features
- Web interface for firewall rules, VLANs, VPNs, and routing
- Fine control over LAN, WAN, VPN, and other networks
These platforms handle routing and firewalling together, providing comprehensive network security.
Use cases:
- Isolating IoT devices on separate VLANs
- Securing remote access with VPNs
- Applying detailed inbound and outbound traffic rules
Both require some learning but offer excellent control and security.
Host-Based Firewalls: UFW, firewalld, iptables, and nftables
Host-based firewalls control traffic on a per-device basis, giving you granular control over individual systems, while appliance firewalls manage traffic at the network edge.
- UFW: simple command-line front-end to iptables on Debian/Ubuntu
- firewalld: dynamic, zone-based firewall on Red Hat, Fedora, CentOS (uses nftables underneath on current releases)
- iptables: traditional, granular packet filtering and NAT rules
- nftables: modern, efficient, flexible replacement for iptables
Arch Linux does not preconfigure a firewall, so Arch users pick whichever of these tools fits their workflow and comfort level.
iptables vs nftables
| Feature | iptables | nftables |
|---|---|---|
| Age | Older (kernel 2.4), widely supported | Newer (kernel 3.13), intended replacement |
| Syntax | Separate tools and tables (`iptables`, `ip6tables`, `arptables`, `ebtables`) | One `nft` tool with a unified, cleaner syntax; `inet` tables cover IPv4 and IPv6 together |
| Performance | Linear rule walk; large address lists need the separate `ipset` tool | Native sets and maps keep lookups fast without long rule lists |
| Compatibility | Mature ecosystem of scripts and tools | Growing support; `iptables-nft` keeps the old CLI on an nftables backend |
| Flexibility | Powerful but easy to get wrong | More consistent and flexible |
While iptables remains common, nftables is rapidly becoming the preferred Linux firewall framework.
Linux Firewalls: A Brief History
Before iptables, ipchains was the default Linux firewall tool up to kernel 2.2, offering basic filtering. Linux kernel 2.4 introduced iptables, bringing advanced filtering, NAT, and stateful inspection. From kernel 3.13 onward, nftables was introduced to modernize firewall management with improved performance and a streamlined syntax.
Example Firewall Commands
Here are some basic commands to get you started with different Linux host firewalls.
UFW (Uncomplicated Firewall)
# Allow SSH first so enabling the firewall cannot cut off a remote session
sudo ufw allow ssh
# Enable UFW (default policy: deny incoming, allow outgoing)
sudo ufw enable
# Deny incoming HTTP explicitly (already denied by the default policy)
sudo ufw deny http
# Check status and rules
sudo ufw status verbose
iptables
# Flush existing rules (over SSH, only do this while the INPUT policy is still ACCEPT)
sudo iptables -F
# Allow loopback traffic first; local services depend on it
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow established and related incoming traffic (-m conntrack replaces the older -m state)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Drop all other incoming traffic; set the policy last so the accept rules are already in place
sudo iptables -P INPUT DROP
# Save rules (path used by iptables-persistent on Debian/Ubuntu; the redirect must run as root, so sudo on iptables-save alone is not enough)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
nftables
# Example nftables configuration snippet (rules in a chain are evaluated in order)
sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority 0\; }
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input tcp dport ssh accept
sudo nft add rule inet filter input drop
# List rules
sudo nft list ruleset
# Persist: the nftables service loads this file at boot (the redirect must run as root)
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
sudo systemctl enable nftables
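Entering rules one command at a time works for experiments, but a homelab box wants a single ruleset file that survives reboots and cannot lock you out. The script below is an added example, not code from the original page or the nftables project: it generates a complete `/etc/nftables.conf` with the loopback and stateful accepts placed before the drop policy, runs a few lockout checks, and validates syntax with `nft -c` (check mode, no changes applied) before loading. The SSH port, the admin subnet `192.168.10.0/24`, the log prefix and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: build, lint and apply a complete nftables ruleset.
# Assumed defaults: SSH on port 22, management only from 192.168.10.0/24.
set -euo pipefail

# Emit a full ruleset file. Rules in a chain are evaluated top to bottom,
# so loopback and established traffic are accepted first, the admin SSH
# rule comes next, and the chain's drop policy catches everything else.
# The trailing log rule is rate-limited so a scan cannot flood the journal.
gen_ruleset() {
  local ssh_port="${1:-22}" admin_net="${2:-192.168.10.0/24}"
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip saddr ${admin_net} tcp dport ${ssh_port} ct state new accept
    icmp type echo-request limit rate 5/second accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    limit rate 10/minute burst 5 packets log prefix "nft-input-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Text-level checks for the classic self-lockout mistakes. Takes a ruleset
# file, prints each problem to stderr, returns non-zero if any was found.
lint_ruleset() {
  local f="$1" rc=0
  grep -q 'iif lo accept' "$f"                        || { echo "lint: loopback is not accepted" >&2; rc=1; }
  grep -q 'ct state established,related accept' "$f"  || { echo "lint: no stateful accept rule" >&2; rc=1; }
  grep -q 'ct state new accept' "$f"                  || { echo "lint: no rule admitting new admin sessions" >&2; rc=1; }
  grep -q 'policy drop' "$f"                          || { echo "lint: input chain has no drop policy" >&2; rc=1; }
  return "$rc"
}

# Lint, syntax-check with nft -c, then install and enable. Needs root.
apply_ruleset() {
  local f
  f="$(mktemp)"
  gen_ruleset "$@" > "$f"
  lint_ruleset "$f"
  nft -c -f "$f"
  install -m 0600 "$f" /etc/nftables.conf
  nft -f /etc/nftables.conf
  systemctl enable --now nftables
  rm -f "$f"
}

# ./nft-ruleset.sh [--apply] [ssh_port] [admin_net]; without --apply it only prints.
case "${1:-}" in
  --apply) shift; apply_ruleset "$@" ;;
  *) gen_ruleset "$@" ;;
esac
```

Run it without `--apply` first and read the output; `nft -c -f` catches syntax errors, but only the lint step and your own review catch a ruleset that is syntactically perfect and still locks you out of the box.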
firewalld
# Start firewalld now and at every boot
sudo systemctl enable --now firewalld
# Allow HTTP service permanently
sudo firewall-cmd --permanent --add-service=http
# Reload to apply changes
sudo firewall-cmd --reload
# Check current rules
sudo firewall-cmd --list-all
Logging and Monitoring Firewall Activity
Monitoring firewall logs is essential to understand what traffic is being allowed or blocked and to detect possible intrusions.
- Check logs in `/var/log/` (e.g., `/var/log/kern.log`, `/var/log/messages`, or `/var/log/firewalld`) depending on your system
- Use `journalctl` to view systemd journal logs for firewall services: `sudo journalctl -u firewalld`; packets logged by the kernel end up in `sudo journalctl -k`
- Enable rule-level logging (e.g., `iptables -j LOG`, nftables `log`) and rate-limit the logging rule so a port scan cannot flood the journal
- Capture traffic using tools like `tcpdump` or `wireshark`
- Set up centralized logging (e.g., syslog, ELK stack) for large or multi-device environments
Regular review of firewall logs helps catch misconfigurations and security issues early.
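Reading raw `LOG` lines by eye stops scaling after one or two hosts. The script below is an added example, not code from the original page: it summarises kernel log lines produced by a rate-limited `log prefix` rule into dropped packets per source and a crude port-scan heuristic (sources that probed many distinct destination ports). The log lines are constructed samples in the format the kernel's LOG target emits, the prefix `nft-input-drop: ` and the function names are assumptions, and the same parsing applies to `iptables -j LOG --log-prefix` output, which uses the same `SRC=`/`DPT=` fields.

```shell
#!/usr/bin/env bash
# Added example: summarise kernel LOG lines from a firewall drop rule.
set -euo pipefail

# Assumed prefix configured on the logging rule
# (nftables: log prefix "nft-input-drop: "; iptables: -j LOG --log-prefix "nft-input-drop: ").
LOG_PREFIX='nft-input-drop: '

# Constructed sample of kern.log / journalctl -k output: one host probing five
# ports, another retrying SSH twice, and one unrelated kernel line to be ignored.
SAMPLE_LOG='Mar 10 21:14:02 lab kernel: nft-input-drop: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.10.5 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 21:14:02 lab kernel: nft-input-drop: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.10.5 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44124 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 21:14:03 lab kernel: nft-input-drop: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.10.5 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44125 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 21:14:03 lab kernel: nft-input-drop: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.10.5 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44126 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 21:14:04 lab kernel: nft-input-drop: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.10.5 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44127 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 21:14:30 lab kernel: nft-input-drop: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=198.51.100.9 DST=192.168.10.5 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=9123 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 21:15:00 lab kernel: usb 1-1: USB disconnect, device number 4
Mar 10 21:15:31 lab kernel: nft-input-drop: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=198.51.100.9 DST=192.168.10.5 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=9124 DF PROTO=TCP SPT=51003 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Dropped packets per source address, most frequent first. Reads log lines on stdin.
drops_by_source() {
  awk -v prefix="$LOG_PREFIX" '
    index($0, prefix) == 0 { next }
    { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++ }
    END { for (src in count) printf "%d %s\n", count[src], src }' | sort -rn
}

# Sources that hit at least MIN distinct destination ports: a crude scan heuristic.
# Prints "source port_count" per suspect; retries against one port do not count.
port_scan_suspects() {
  local min_ports="${1:-5}"
  awk -v prefix="$LOG_PREFIX" -v min="$min_ports" '
    index($0, prefix) == 0 { next }
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5); else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (src in ports) if (ports[src] >= min) printf "%s %d\n", src, ports[src] }' | sort
}

# The same reports against the live kernel log on a systemd host.
live_report() {
  echo "dropped packets by source:"
  journalctl -k --no-pager --grep="$LOG_PREFIX" | drops_by_source
  echo "port-scan suspects (>= 5 distinct ports):"
  journalctl -k --no-pager --grep="$LOG_PREFIX" | port_scan_suspects 5
}

# ./fw-log-report.sh [--live]; without --live it runs on the constructed sample.
if [ "${1:-}" = "--live" ]; then
  live_report
else
  echo "dropped packets by source:"
  printf '%s\n' "$SAMPLE_LOG" | drops_by_source
  echo "port-scan suspects (>= 5 distinct ports):"
  printf '%s\n' "$SAMPLE_LOG" | port_scan_suspects 5
fi
```

Because the logging rule is rate-limited, these counts are a floor, not an exact packet count; treat them as a prompt to look closer with `tcpdump`, not as evidence on their own.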
Practical Tips for Firewall Management in Your Homelab
- Pick the right firewall for your setup — appliance for network-wide control, host firewalls for individual devices
- Keep routing and firewall rules coordinated to avoid conflicts
- Use zones or VLANs to segment your network and limit exposure
- Test firewall rules with tools like `nmap` and `tcpdump`
- Document your firewall setup for easier troubleshooting and future changes
Conclusion
Firewalls play a crucial role in protecting your homelab by controlling the flow of network traffic and preventing unauthorized access. Whether you choose dedicated network appliances like pfSense and OPNsense or prefer host-based firewalls on your Linux systems, having a well-configured firewall is a key component of your security strategy.
Each option comes with its strengths and learning curves. Appliance firewalls provide centralized, full-network control, while host-based firewalls offer detailed, per-device protection. Understanding these differences helps you select the best tools for your specific needs and environment.
Regularly updating your firewall rules, monitoring logs, and testing your configurations will help you maintain a secure and resilient homelab. As your network grows and changes, adapting your firewall strategy is essential to keep pace with new challenges and threats.
By experimenting and learning continuously, you’ll gain confidence and skill in managing your homelab’s firewall setup. This ongoing process ensures your network remains safe, reliable, and ready for whatever projects and services you decide to build next.
More from the "Homelab: Mastering the Network" Series:
- Subnetting and IP Address Planning for Your Homelab
- VLANs and Traffic Segmentation for Your Homelab
- Routing Basics for Your Homelab: Static and Dynamic Routing Explained
- Firewall Options and Management in Your Homelab