Ultimate Guide to Raspberry Pi Firewall: Configuration, Protection, and Usage
In today's connected world, ensuring the security of networks is more critical than ever. Firewalls play a fundamental role in protecting networks from unauthorized access, cyber threats, and malicious activities. By acting as a barrier between trusted internal networks and untrusted external networks, firewalls filter incoming and outgoing traffic based on predefined security rules. This helps in preventing cyber attacks, safeguarding sensitive data, and maintaining the overall integrity and reliability of network systems. Implementing a robust firewall is essential for any organization or individual looking to enhance their network security posture.
Raspberry Pi is a versatile and cost-effective single-board computer that can be effectively used as a firewall. This tiny computer is perfectly capable of serving as a firewall appliance, screening traffic, and locking down your local network. In this article, we'll provide an overview of the Raspberry Pi firewall, including how to set up, configure, and optimize a Raspberry Pi as a firewall to help you create a robust and secure firewall solution using Raspberry Pi.
Understanding Firewalls
A firewall serves as a network security measure, monitoring both inbound and outbound network traffic and determining whether to permit or block specific traffic based on predefined security rules.
For more than 25 years, firewalls have stood as an initial defense in network security. They create a barrier between trusted, controlled internal networks and untrusted external networks, such as the Internet.
Firewalls can take the form of hardware, software, software-as-a-service (SaaS), public cloud, or private cloud (virtual). Acting as a continuous filter, a firewall protects your network by scrutinizing incoming data and blocking anything suspicious from entering your network.
There are various types of firewalls, including proxy firewalls, stateful inspection firewalls, unified threat management (UTM) firewalls, next-generation firewalls (NGFW), threat-focused NGFW, virtual firewalls, and cloud native firewalls.
Why Should You Use a Raspberry Pi as a Firewall?
A Raspberry Pi firewall is an essential tool for enhancing the security and privacy of your network. Here are several key benefits:
- Cost: Raspberry Pi firewalls come at a lower cost compared to conventional firewall hardware.
- Flexibility: Due to its open-source nature, Raspberry Pi offers extensive customization options, such as installing various firewall software, tweaking settings, and incorporating advanced features.
- Features: A Raspberry Pi firewall can boast features like packet filtering, intrusion detection and prevention, support for VPNs, and the ability to segment networks.
- Control: By using a Raspberry Pi firewall, you gain an additional layer of control and security, enabling you to block advertisements, known malicious domains, and system ports, as well as isolate IoT devices.
- Monitoring network traffic: A Raspberry Pi Firewall provides the ability to closely monitor network traffic, allowing you to keep a vigilant eye on data packets entering and exiting your network. This visibility can help you detect any unusual or suspicious activity, providing an early warning system against potential threats.
- Stopping virus attacks: One of the key benefits of using a Raspberry Pi Firewall is its ability to block virus attacks before they can infiltrate your network. By filtering incoming data packets, the firewall can identify and block malicious code, protecting your devices from infection.
- Preventing hacking: A Raspberry Pi Firewall acts as a barrier between your network and potential hackers, preventing unauthorized access to your devices and data. It does this by analyzing incoming and outgoing traffic and blocking any suspicious activity that could indicate a hacking attempt.
- Stopping spyware: Spyware is malicious software that can monitor your activities without your knowledge, potentially compromising your privacy and security. A Raspberry Pi Firewall can help stop spyware by blocking unauthorized attempts to send data from your network to external sources.
- Promoting privacy: Privacy is a major concern in today's digital world, and a Raspberry Pi Firewall can help protect your privacy by blocking unauthorized access to your network. By preventing external parties from accessing your data, the firewall helps ensure that your private information remains secure.
Raspberry Pi Firewall Setup Method
There are several popular methods for setting up a firewall on a Raspberry Pi:
- IPTables: This is the default Linux kernel firewall, which can be configured manually or through scripts. It is lightweight but requires a certain level of technical expertise.
- Firewalld: This is a user-friendly interface for managing Netfilter/IPTables firewall rules on Linux/Unix systems and is included in Raspberry Pi OS.
- OpenWrt: This is a Linux distribution tailored for embedded devices, featuring a comprehensive built-in firewall interface. It serves as a complete router firmware.
- Pi-hole: This tool provides network-wide ad blocking by filtering DNS at the network level. It also functions as a basic firewall.
Your choice will depend on your specific needs and technical proficiency. IPTables offers basic but highly customizable firewall management, while Firewalld and OpenWrt provide user-friendly web interfaces suitable for beginners. Pi-hole is specialized in blocking unwanted domains.
Given the affordability of Raspberry Pis, consider using a separate device for each approach to facilitate learning. Start with simpler configurations and progress to more advanced setups as your requirements evolve.
How to Build Out the Firewall
Preparing the Pi
First, download and install the latest version of Raspberry Pi OS (formerly Raspbian) onto a microSD card, and then boot up your Raspberry Pi. The Raspberry Pi OS includes IPTables pre-installed, allowing you to start configuring firewall tasks immediately.
Connect your Raspberry Pi to your router or switch via Ethernet. Access its configuration interface by logging into its IP address through a web browser. Here are some initial steps to follow:
- Change the default password to enhance security.
- Enable SSH to allow remote access.
- Update all software by running sudo apt update && sudo apt upgrade to ensure the system is fully patched.
- Create a firewall user account with limited sudo privileges for handling security tasks.
- Back up your work using sudo rpi-backup so you can re-image the SD card if necessary.
With these steps completed, you are ready to set up your firewall. Depending on your requirements, you can choose between IPTables, Firewalld, or OpenWrt.
IPTables Firewall on Raspbian
IPTables is the native firewall software for Linux. To begin:
- Gain root access or use sudo. Run iptables -L to display the current firewall rules.
- Clear existing rules with iptables -F to start with a clean slate.
- Allow loopback traffic by running iptables -A INPUT -i lo -j ACCEPT.
- Permit established connections with iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT.
- Block all other traffic by setting the default policy: iptables -P INPUT DROP. This will block all incoming traffic by default.
- Save the rules with iptables-save > /etc/iptables.rules to ensure they reload on reboot.
- To allow specific ports, use iptables -I INPUT -p tcp --dport 80 -j ACCEPT.
Now, you have a basic IPTables firewall that blocks all traffic by default. Adjust the rules as needed. For more advanced configurations, consult the extensive documentation on the Linux IPTables website.
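The baseline ruleset from the steps above, written out as an added example (not code from the article) in the format that iptables-restore reads, so the file saved in step 6 can be reviewed and loaded back atomically; the LAN range is a constructed value, and SSH is kept open from it so the DROP policy cannot lock you out.

```shell
#!/bin/sh
# Added example, not from the original article: emits the baseline ruleset
# described above in iptables-restore format so it can be reviewed, saved to
# /etc/iptables.rules and re-loaded at boot with "iptables-restore".
# Assumption (constructed value): the trusted LAN is 192.168.1.0/24.

LAN_NET="${LAN_NET:-192.168.1.0/24}"

rule() { printf '%s\n' "$*"; }

# build_ruleset PORT...: prints the ruleset. Every PORT is a TCP service to
# expose to anyone; SSH (22) is always allowed, but only from the LAN, so the
# Pi stays reachable after the default policy flips to DROP.
build_ruleset() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'        # whitelist mode: drop unless allowed
    rule ':FORWARD DROP [0:0]'      # nothing is routed through the Pi in this setup
    rule ':OUTPUT ACCEPT [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A INPUT -m state --state INVALID -j DROP'
    rule "-A INPUT -p tcp -s $LAN_NET --dport 22 -m state --state NEW -j ACCEPT"
    for port in "$@"; do
        rule "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log a sample of what is dropped; the prefix makes the lines easy to grep.
    rule '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "'
    rule 'COMMIT'
}

# write_ruleset FILE PORT...: writes the ruleset and fails if the file would
# lock you out (no DROP policy or no SSH rule means the generator is broken).
write_ruleset() {
    out="$1"; shift
    build_ruleset "$@" > "$out"
    grep -q '^:INPUT DROP' "$out" && grep -q -- '--dport 22 ' "$out"
}

# apply_ruleset FILE: loads the file atomically (all rules or none). Needs root.
# The iptables-persistent package restores /etc/iptables/rules.v4 at boot; with
# a plain file such as /etc/iptables.rules, call this from a boot script instead.
apply_ruleset() {
    iptables-restore < "$1"
}
```

From an SSH session on the LAN, `write_ruleset /etc/iptables.rules 80 && apply_ruleset /etc/iptables.rules` installs the policy with port 80 open.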
OpenWrt Router Firmware
Setup
For a comprehensive firewall solution, consider deploying OpenWrt on your Raspberry Pi:
- Download the latest OpenWrt image for your Raspberry Pi model from openwrt.org.
- Use Etcher to flash the image to an SD card and reboot your Pi.
- Access the Pi's IP address via a web browser and set up a username and password.
- Navigate to Security > Firewall and enable the firewall. Ensure "Accept Established" is turned on.
- Utilize the Services, Traffic Shaper, and UCI scripts for tasks like port forwarding and Quality of Service (QoS).
- Under Firewall Zone, click "Add" to create custom rules for blocking or allowing IPs or ports between LAN and WAN.
- Configure WiFi security, DHCP server, and other settings through the comprehensive OpenWrt web interface.
OpenWrt transforms your Raspberry Pi into a powerful and flexible firewall router, offering numerous configuration options to block malware and secure your IoT devices. Enhance its functionality further by installing additional packages.
Using FirewallD on Raspbian
For a more user-friendly alternative to IPTables, consider using FirewallD:
- Install FirewallD with sudo apt install firewalld.
- Enable and start FirewallD using sudo systemctl enable --now firewalld.
- List available zones with sudo firewall-cmd --get-zones.
- View active rules with sudo firewall-cmd --list-all.
- Open ports by specifying the zone, e.g., sudo firewall-cmd --zone=public --add-port=80/tcp --permanent.
- Reload the firewall to apply changes with sudo firewall-cmd --reload.
- Utilize the firewall-cmd utility to manage complex rulesets across different zones and interfaces.
FirewallD's zone-based configuration simplifies access control compared to raw IPTables. Explore its advanced features, such as rich rule classification and connection tracking integration, to optimize your firewall management.
Additional Firewall Tools
In addition to core firewall functions, a Raspberry Pi can enhance network security through supplementary tools. Consider exploring these options:
- Squid Proxy: A transparent caching proxy that filters web traffic and blocks ads and malware domains.
- Snort IDS: Deploy intrusion detection rules to monitor traffic in real time and alert on anomalies.
- DHCP/DNS Server: Provide network services with additional filtering layers for enhanced security.
- Network Monitoring: Use tools like Wireshark and ntopng to analyze firewall logs and monitor activity on different interfaces.
- Traffic Shaping: Implement packages such as Trickle or TC to prioritize or throttle bandwidth usage.
- MAC Spoof Protection: Prevent devices from impersonating others on the network.
- VPN Server: Set up OpenVPN or WireGuard to allow secure external or remote access to your LAN.
- Network Segregation: Use VLANs to isolate IoT devices, guest devices, or sensitive devices for improved security.
By combining these tools, a Raspberry Pi can scale to manage diverse networking tasks safely, going beyond basic packet filtering.
How to Configure the Firewall in Raspberry Pi
Install UFW on Raspberry Pi
UFW is included in the default repository for most Linux distributions and will automatically install IPTables as a prerequisite if it's not already on your system.
I am testing this tutorial on Raspberry Pi OS, but it should work on any distribution since UFW is a standard package available in all default repositories.
To install UFW on Raspberry Pi OS or any Debian-based distribution, run:
sudo apt update
sudo apt install ufw
Default UFW configuration
Like most firewalls, UFW's default configuration is to deny all incoming traffic. Fortunately, UFW is not automatically enabled upon installation, so you won't immediately lose access to your Raspberry Pi.
For those new to firewalls, they typically operate in a whitelist mode by default. This means that all traffic is blocked unless there is a specific rule allowing it based on protocol, port, source, or destination IP.
In this setup, incoming traffic is denied while outgoing traffic is permitted. Enabling UFW now would result in losing access to SSH, VNC, and any hosted services. Therefore, it's crucial to first identify and list the ports that need to be opened.
Allow Port on a Firewall
Since UFW is configured to deny all incoming traffic by default, the main task is to open the necessary ports for your services.
For example, to host a website, you need to allow HTTP traffic on port 80. If you use SSH, you should allow port 22, at least for your computer.
The basic syntax for this is:
ufw allow [PORT]
For example:
sudo ufw allow 80
Note: Administrator privileges are required for all firewall commands, so be sure to prefix every command with sudo.
When you need more specific configurations, additional options are available with the allow command:
Specify the protocol for the port (TCP or UDP):
ufw allow [PORT]/[PROTOCOL]
Example:
sudo ufw allow 80/tcp
Specify the IP addresses allowed (source and destination):
ufw allow from [IP OR SUBNET] to [IP] port [PORT]
Examples:
sudo ufw allow from 192.168.1.10 to 192.168.1.20 port 80
sudo ufw allow from 192.168.1.0/24 to 192.168.1.20 port 80
In these examples, 192.168.1.20 is the Raspberry Pi's IP address, 192.168.1.10 can be your computer's IP, and 192.168.1.0/24 allows access to the entire LAN.
Combine all options:
ufw allow from [IP or SUBNET] proto [UDP/TCP] to [IP] port [PORT]
Block Port on a Firewall
You can configure UFW to block specific ports using a command similar to the one used to allow them:
sudo ufw deny [PORT]
This command also supports the same additional options for specifying protocols and IP addresses.
Remember, UFW's default policy is to block all incoming connections unless explicitly allowed. Therefore, you typically will only need to use the deny command if you change this default policy.
If you want to change the default rule to allow all incoming connections, you can use:
sudo ufw default allow incoming
In this example, UFW switches to a blacklist mode, where everything is allowed unless explicitly blocked.
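As an added example that is not part of the original article, here is the whitelist setup above applied in the order that avoids the SSH lockout described earlier: allow rules first, enable last, and a refusal to enable if the SSH session you are typing in would not be covered. The Pi address, LAN range and the use of the SSH_CONNECTION variable are assumptions noted in the code.

```shell
#!/bin/sh
# Added example, not from the original article: brings UFW up in the order that
# avoids the SSH lockout the text warns about (allow rules first, enable last),
# and refuses to enable if your own SSH session would not be covered.
# Constructed values: the Pi is 192.168.1.20 on the LAN 192.168.1.0/24.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
PI_IP="${PI_IP:-192.168.1.20}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ufw commands, 0 = run them (root needed)

ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf 'ufw %s\n' "$*"; else sudo ufw "$@"; fi
}

# ip_to_int 192.168.1.10 -> 32-bit integer, so CIDR membership is arithmetic.
ip_to_int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX: succeeds when IP lies inside the network.
in_cidr() {
    case "$2" in */*) net=${2%/*}; bits=${2#*/} ;; *) net=$2; bits=32 ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ufw_bringup PORT...: default-deny whitelist, SSH only from the LAN, the
# given TCP ports open to everyone, logging on, then enable.
ufw_bringup() {
    if [ -n "${SSH_CONNECTION:-}" ]; then   # sshd sets "client_ip port pi_ip port"
        client=${SSH_CONNECTION%% *}
        if ! in_cidr "$client" "$LAN_NET"; then
            echo "refusing to enable: SSH client $client is outside $LAN_NET" >&2
            return 1
        fi
    fi
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    ufw_cmd allow from "$LAN_NET" proto tcp to "$PI_IP" port 22
    for port in "$@"; do
        ufw_cmd allow "$port/tcp"
    done
    ufw_cmd logging on          # blocked packets show up as [UFW BLOCK] in the log
    ufw_cmd --force enable      # --force skips the interactive confirmation
}
```

With DRY_RUN=1 (the default) `ufw_bringup 80` only prints the commands so you can check them; set DRY_RUN=0 to execute them.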
How to Enable/Disable the Firewall on Raspberry Pi
Nftables
If your Raspberry Pi OS is kept updated, it should come with nftables pre-installed as the primary firewall. Below are the steps to activate or deactivate it on your Raspberry Pi.
1. To check if nftables is presently active, you can run the following command:
$ sudo systemctl status nftables.service
2. To initiate (enable) the nftables firewall service, use:
$ sudo systemctl start nftables.service
3. To halt (disable) the nftables firewall service:
$ sudo systemctl stop nftables.service
4. To set the nftables firewall to start automatically upon system boot:
$ sudo systemctl enable nftables.service
5. To set the nftables firewall to be inactive by default upon system boot:
$ sudo systemctl disable nftables.service
6. To view the presently configured nftables firewall rules:
$ sudo nft list ruleset
7. To remove (purge) all currently configured nftables firewall rules – effectively allowing all traffic, though not disabling the firewall entirely:
$ sudo nft flush ruleset
Iptables
For those using an older Raspberry Pi OS version or those who have manually activated the traditional iptables support, the following procedures can be employed to activate or deactivate the firewall:
Example 1: To deactivate iptables, modify the default chain rules to allow incoming traffic and then remove all existing rules that block or explicitly permit traffic:
$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT
$ sudo iptables -P OUTPUT ACCEPT
$ sudo iptables -F
Example 2: To activate iptables, configure the desired rules. You can inspect the currently configured rules by executing:
$ sudo iptables -L
UFW
The ufw (uncomplicated firewall) serves as a user-friendly interface for managing nftables and iptables, and it's not included in the default installation of Raspberry Pi OS. However, it's a favored choice among system administrators for its straightforward command structure, which translates rules to the appropriate iptables or nftables backend. Let's explore how to activate or deactivate it on Raspberry Pi:
Example 1:
To deactivate the ufw firewall:
$ sudo ufw disable
To activate the ufw firewall:
$ sudo ufw enable
Example 2:
To examine the present status of the ufw firewall:
$ sudo ufw status
OR
$ sudo ufw status verbose
Firewall status: list current rules
Now, another helpful command is to display the firewall status. This command not only reveals whether the firewall is currently active or inactive but also presents all your established rules in an understandable layout.
To access a similar display on your Raspberry Pi, execute:
sudo ufw status
If necessary, employing the verbose mode will additionally furnish you with the default policies:
sudo ufw status verbose
Remove existing rules
We've covered how to incorporate new rules with UFW (such as allowing or denying), but what if you need to remove some?
Firstly, display the previous status screen but include the rule IDs in the list by executing:
sudo ufw status numbered
As illustrated in the screenshot below, each rule is assigned a corresponding number. Consequently, you can proceed to delete them using:
sudo ufw delete [ID]
Managing and Monitoring Your Firewall
Once your firewall is set up, ongoing management entails several key tasks:
- Log Monitoring: Regularly review logs for policy violations or intrusion attempts. Use commands like 'journalctl -xe' or utilize dedicated log analysis tools.
- Configuration Backup: Ensure to back up configuration files, such as /etc/iptables.rules, to facilitate restoration in case of faults or mishaps.
- Rule Synchronization: Keep firewall rules synchronized across system reboots by configuring scripts to execute on system startup.
- Rule Testing: Test firewall rules periodically by deliberately attempting to breach them, validating that defenses hold up as intended.
- Service Auditing: Audit services and close any unnecessary open ports to minimize the exposed attack surface over time.
- System Updates: Stay current with operating system and software updates. This can be achieved through monitoring scripts or manual update routines.
Proactive maintenance ensures that your Pi firewall defenses remain optimally calibrated over the long term. Regularly reassess your setup as your needs and potential threats evolve.
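The log review from the first maintenance task, as an added example rather than code from the article: it reads the [UFW BLOCK] lines UFW writes and the lines an iptables LOG rule writes (assumed here to carry the prefix "IPT-DROP: "), summarises blocked packets per source and port, and flags sources that touched several closed ports. The log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: the log review from the
# "Log Monitoring" task, run over constructed kernel log lines of the kind
# UFW ("[UFW BLOCK]") and an iptables LOG rule (assumed prefix "IPT-DROP: ")
# write. On a real Pi feed it "journalctl -k" output instead of sample_log.

# Constructed sample, not real traffic: one host probing five ports, one host
# hammering SSH, one LAN host hitting VNC, plus two lines that must be ignored.
sample_log() {
    cat <<'EOF'
Mar 10 12:00:01 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 10 12:00:01 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TTL=52 PROTO=TCP SPT=40002 DPT=23 SYN
Mar 10 12:00:02 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TTL=52 PROTO=TCP SPT=40003 DPT=80 SYN
Mar 10 12:00:02 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TTL=52 PROTO=TCP SPT=40004 DPT=443 SYN
Mar 10 12:00:03 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TTL=52 PROTO=TCP SPT=40005 DPT=8080 SYN
Mar 10 12:05:10 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.20 LEN=40 TTL=48 PROTO=TCP SPT=51000 DPT=22 SYN
Mar 10 12:05:11 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.20 LEN=40 TTL=48 PROTO=TCP SPT=51001 DPT=22 SYN
Mar 10 12:05:12 raspberrypi kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.20 LEN=40 TTL=48 PROTO=TCP SPT=51002 DPT=22 SYN
Mar 10 12:07:00 raspberrypi kernel: IPT-DROP: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.20 LEN=60 TTL=64 PROTO=TCP SPT=38000 DPT=5900 SYN
Mar 10 12:07:30 raspberrypi kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.20 LEN=60 TTL=64 PROTO=TCP SPT=38001 DPT=22 SYN
Mar 10 12:07:31 raspberrypi sshd[812]: Accepted publickey for pi from 192.168.1.10 port 38001 ssh2
EOF
}

# blocked_tuples FILE: one "SRC PROTO DPT" line per blocked packet; allowed
# packets and non-firewall lines are skipped.
blocked_tuples() {
    awk '/\[UFW BLOCK\]|IPT-DROP:/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") print src, proto, dpt
    }' "$1"
}

# top_blocked FILE: "COUNT SRC PROTO DPT", busiest first. A LAN source knocking
# on a closed port once is usually misconfiguration; an Internet source doing
# it repeatedly is a policy violation worth a closer look.
top_blocked() {
    blocked_tuples "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# flag_scanners FILE MIN: sources blocked on at least MIN distinct ports, the
# horizontal probing pattern that a per-port count alone would hide.
flag_scanners() {
    blocked_tuples "$1" | awk -v min="$2" '
        !seen[$1, $3]++ { ports[$1]++ }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}
```

On the Pi, `journalctl -k > /tmp/kern.log; top_blocked /tmp/kern.log; flag_scanners /tmp/kern.log 4` gives the same two views over the real log.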
Advanced Raspberry Pi Firewall Configurations and Usage
- Physical Security: Physically safeguard the Pi firewall device through enclosure locking, discreet placement, and measures that disable the device if it is tampered with.
- Traffic Analysis: Use tools like tcpdump or Wireshark on the Pi to inspect firewall logs and monitor network traffic, which helps with troubleshooting.
- Enhancing Security: Reinforce security measures by deactivating unused services, prohibiting password logins, implementing application control for minimal privileges, and staying current with OS patches.
- Advanced Routing: Configure advanced routing functionality such as static routing, network address translation (NAT), route filtering, and packet manipulation for precise traffic management.
- Fail-Safe Solutions: Plan failover options that keep the firewall reliable, including redundancy with multiple Pis, automatic reboot mechanisms, and remote logging to monitor uptime.
- Directory Integration: Integrate the Pi firewall with an external Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) service for authenticated and secure user access.
- Captive Portals: Create guest portals integrated with the firewall to run compliance checks on visitor devices.
- VPN Integration: Turn the Pi into a VPN server endpoint using OpenVPN or WireGuard for remote access or site-to-site connections.
- Guest Network Setup: Configure a segregated WiFi network behind the firewall so untrusted guest devices stay in an isolated environment.
- Intrusion Prevention: Implement intrusion detection and prevention (IDS/IPS) by deploying Snort or Suricata signatures to stop exploits proactively.
- Handling Encrypted Traffic: Permit local device access to HTTPS sites while still preventing external threats from infiltrating the network.
Advanced Topics
- Enhanced Physical Security
  - Concealment Enclosures: Use enclosures that hide the Pi and protect its cables and ports from tampering, and add motion sensors to detect unauthorized access attempts.
  - Tamper Detection Mechanisms: Fit tamper-evident locks or seals that show whether the case has been opened, and define a procedure for disabling the iptables rules when physical tampering is detected.
  - Monitored Power Supplies: Use power supplies with monitoring capabilities that cut power when the device is disconnected, deterring theft of the device.
- Advanced Routing Strategies
  - Policy-based Routing: Use policy routing and rule tables for fine-grained routing between VLANs, or between WAN and LAN, based on criteria such as protocol or source and destination.
  - Static Routes: Define explicit paths for traffic instead of relying solely on dynamic routing protocols.
  - Route Filters: Constrain which routes are propagated and regulate routing behavior.
  - Network Address Translation (NAT): Use NAT for masquerading and port forwarding so that internal servers can be reached from outside.
- Fail-Safe Measures
  - Health Monitoring Scripts: Run heartbeat scripts that watch the firewall, restart unresponsive processes automatically, and raise alerts.
  - Firewall Clustering: Employ Carnegie Mellon University's Trickle project to cluster firewalls, distributing load and ensuring high availability.
  - Geographic Load Balancing: Distribute traffic across firewalls in different regions for redundancy.
  - Out-of-Band Management: Set up cellular dongles as backup connectivity so the Pi can still be administered remotely if the LAN fails.
- Directory Service Integration
  - Integration Procedures: Integrate with open-source solutions such as FreeIPA for centralized authentication against an LDAP/Kerberos server.
  - Network Access Control: Use group policies and permissions from an AD server to filter network access, simplifying management in large networks.
Conclusion
We encourage you to explore the possibilities and implement a Raspberry Pi firewall to protect your network. Whether you're looking to secure a home network or a small business environment, the Raspberry Pi offers a flexible and powerful solution. By following the steps outlined in this guide, you can leverage the full potential of your Raspberry Pi to create a robust and reliable firewall. Embrace the journey of learning and enhancing your network security, and enjoy the peace of mind that comes with knowing your network is well-protected.
FAQ
- Is there a firewall on Raspberry Pi?
  Yes, Raspberry Pi OS is pre-equipped with IPTables, allowing immediate firewall use.
- What is the simple firewall for Raspberry Pi?
  Uncomplicated Firewall (UFW).
- Can Raspberry Pi host a network?
  Yes, a Raspberry Pi can host the hub for a network, enabling functions such as a Wi-Fi hotspot, server, or access point. If you're using a Raspberry Pi model without integrated Wi-Fi, you can still set up a hotspot by designating a USB adapter compatible with AP mode as your interface.
- How often should I update my Raspberry Pi firewall?
  You should update your Raspberry Pi firewall regularly to ensure it has the latest security patches and features. Check for updates weekly, apply security patches promptly, and review and update rules. Regular updates help maintain the security and efficiency of your Raspberry Pi firewall.
- Is it safe to use a Raspberry Pi as my primary network firewall?
  Using a Raspberry Pi as your primary network firewall can be safe, provided it is configured correctly and regularly maintained.
- Can a Raspberry Pi Firewall Handle High Traffic Volumes?
  The Raspberry Pi, especially the newer models, can handle moderate traffic volumes typical for home and small office networks. However, for very high-traffic environments, it may need more processing power and memory compared to dedicated firewall hardware.