👥 Linux/Unix: User, Group & Security Management

Linux/Unix: Basic Security Tools – chattr, semanage, ufw, firewalld Explained

Introduction – Why Learn Linux Security Tools?

Securing a Linux system isn't just about strong passwords; it's about controlling file immutability, access policies, and firewall configurations. Whether you're protecting log files from tampering or securing ports, tools like chattr, semanage, ufw, and firewalld provide fine-grained control over security without requiring third-party software.

In this guide, you'll learn:

  • How to make files immutable with chattr
  • How to manage SELinux contexts with semanage
  • How to control firewall access using ufw and firewalld
  • Real-world use cases and examples

1. chattr – Make Files Immutable or Append-Only

What is chattr?

chattr (change attribute) sets file attributes on ext-based filesystems (ext2/3/4), allowing you to make files immutable (cannot be modified or deleted) or append-only.

Syntax:

sudo chattr [+/-][attribute] filename

Common Attributes:

Attribute   Description
+i          Immutable (cannot be changed/deleted)
+a          Append-only (can only add data)

Example 1: Make a log file immutable

sudo chattr +i /var/log/syslog

Even root can't modify or delete it, and the logging daemon can't write to it either, until you remove the attribute:

sudo chattr -i /var/log/syslog

2. semanage – Manage SELinux Policies (RHEL-based)

What is semanage?

semanage is a policy management tool for SELinux, used to manage file contexts, ports, and booleans in a secure, persistent way.

Install:

sudo yum install policycoreutils-python-utils  # RHEL/CentOS

Syntax:

semanage [object_type] [-l | -a | -d | -m] [-t type] name

Example 1: Allow HTTP on a custom port

sudo semanage port -a -t http_port_t -p tcp 8081

Now SELinux won't block Apache on port 8081.

Example 2: View port rules

semanage port -l | grep http

semanage is used on SELinux-enabled systems (RHEL, Fedora, CentOS) to prevent false-positive denials that would block legitimate services.


3. ufw – Uncomplicated Firewall (Debian-based)

What is ufw?

ufw is a simplified firewall frontend for iptables, ideal for Ubuntu/Debian systems. It helps you allow/deny traffic with a human-readable syntax.

Install:

sudo apt install ufw

Common ufw Commands:

Command                  Description
sudo ufw enable          Enable the firewall
sudo ufw allow 22        Allow SSH
sudo ufw deny 80         Deny HTTP
sudo ufw allow 443/tcp   Allow HTTPS TCP
sudo ufw status          Show current rules

Example:

sudo ufw allow from 192.168.1.10 to any port 22

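Allows SSH from the specific IP 192.168.1.10. It limits SSH to that IP only when the default incoming policy is deny and no broader rule (such as sudo ufw allow 22) is also present.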
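To confirm that a per-IP rule like the one above really limits SSH, this added example (not part of the original guide) parses `ufw status verbose` output and reports whether a port is still open to every source. The names audit_port and sample_status and the sample output are constructed for illustration; the script assumes ufw's standard status layout and does not evaluate rule order or application profile names.

```shell
# audit_port PORT: reads `ufw status verbose` text on stdin and prints
#   EXPOSED <reason>  PORT is reachable from any source
#   RESTRICTED <ips>  only the listed sources are allowed
#   CLOSED            no allow rule covers PORT
# Assumption: rule order and application profile names are not evaluated.
audit_port() {
    awk -v port="$1" '
    # True when a "To" spec (22, 22/tcp, 20:25/tcp, 22,80/tcp) covers port.
    function covers(spec,    n, parts, i, r) {
        sub(/\/(tcp|udp)$/, "", spec)
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (parts[i] == port) return 1
            if (split(parts[i], r, ":") == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
        }
        return 0
    }
    /^Default:/ && $2 == "allow" { default_allow = 1 }   # default incoming policy
    {
        a = 0                       # index of the ALLOW action column
        for (i = 2; i <= NF; i++) if ($i == "ALLOW") { a = i; break }
        if (!a || !covers($1)) next
        s = a + 1                   # index of the source column
        if ($s == "IN") s++
        else if ($s == "OUT" || $s == "FWD") next        # not an inbound rule
        if ($s == "Anywhere") any = 1
        else srcs = (srcs ? srcs "," : "") $s
    }
    END {
        if (default_allow) print "EXPOSED default incoming policy is allow"
        else if (any)      print "EXPOSED allow rule from Anywhere"
        else if (srcs)     print "RESTRICTED " srcs
        else               print "CLOSED"
    }'
}
# Constructed sample: the per-IP rule from this guide plus a leftover `ufw allow 22`.
sample_status() {
    cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.1.10
22                         ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
EOF
}
sample_status | audit_port 22    # live host: sudo ufw status verbose | audit_port 22
```

On the constructed sample the per-IP rule is shadowed by the broader rule, so port 22 is reported as exposed; deleting the broader rule changes the result to RESTRICTED 192.168.1.10.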


4. firewalld – Dynamic Firewall Manager (RHEL/Fedora)

What is firewalld?

firewalld is a zone-based firewall daemon that uses iptables/nftables as its backend. It is ideal for RHEL, CentOS, and Fedora, and supports dynamic changes without restarting services.

Install:

sudo yum install firewalld

Start and enable:

sudo systemctl enable --now firewalld

Common firewalld Commands:

Command                                      Description
firewall-cmd --state                         Check if firewalld is running
firewall-cmd --add-port=80/tcp --permanent   Open port 80 permanently
firewall-cmd --reload                        Apply permanent changes
firewall-cmd --list-all                      Show current zone settings

Example:

sudo firewall-cmd --zone=public --add-service=ssh --permanent
sudo firewall-cmd --reload

Adds SSH to the public zone.


Tool Comparison Table

Tool        Use Case                         Platform        Persistent?   Access Level
chattr      Locking/immutability of files    All Linux       Yes           Root only
semanage    SELinux policy management        RHEL/Fedora     Yes           Root
ufw         Basic firewall configuration     Ubuntu/Debian   Yes           Sudo/root
firewalld   Zone-based firewall management   RHEL/Fedora     Yes           Root

Summary – Recap & Next Steps

Security is a layered practice. With chattr, you can prevent tampering. With semanage, SELinux security contexts are managed properly. With ufw and firewalld, you're able to filter and control traffic effortlessly.

Key Takeaways:

  • Use chattr +i to protect critical files from deletion.
  • Use semanage to whitelist custom ports in SELinux.
  • Use ufw or firewalld for user-friendly firewall control.
  • Always test configurations to ensure access is not unintentionally blocked.

FAQs

What happens if I make /etc/passwd immutable?
The system won't be able to modify it. Avoid using chattr +i on critical system files unless absolutely needed.

Can I use both ufw and firewalld together?
No. They both manage iptables/nftables. Use only one firewall tool at a time.

What if semanage isn't found?
Install it via:

sudo yum install policycoreutils-python-utils

Is ufw secure enough for production?
Yes, for most standard firewall configurations. For complex needs, consider iptables or nftables directly.

How do I reset ufw to default settings?
Run:

sudo ufw reset
