The Status of Firewalls in Various Operating Systems
With the internet becoming an integral part of our lives, the importance of firewalls has also increased. One of the most fundamental ways to protect our computers and mobile devices from malicious attacks is to use a firewall. So, how are the firewalls of the operating systems we commonly use configured by default? In this article, we will examine the status of the firewall for Windows, macOS, Linux, Android, iOS, and even IoT devices.
What is a Firewall?
The internet is a massive communication network that connects devices worldwide. Our devices exchange data packets with each other over it. Have you ever wondered why, if the internet’s purpose is to connect all devices worldwide, someone in any country can’t simply connect to and control your device? It is like asking how you avoid catching an infectious disease while sharing a room with someone who has it.
This is where the firewall comes into play. It determines which packets the device can send out and which packets it can receive from outside. It does this according to predefined rules, usually set by the device manufacturer.
The goal is to ensure that even though devices are connected to a global communication network, they cannot talk to everyone and listen to everyone. This protects them from attacks.
The first line of defense for most of us is the modem (router), which shields every device behind it from any device worldwide. Most modems come with a basic firewall. It rejects unsolicited packets arriving from outside while accepting packets that are replies to packets sent by a device on the network. This way, an unknown device on the other side of the world cannot start a conversation with you out of the blue.
Modems are not the only devices with firewalls. Most devices that connect to the internet, such as our computers and phones, also have their own.
Windows
The Windows firewall (which does not block viruses, but regulates internet connections) comes with various profiles. These profiles apply different rules and restrictions depending on which network your computer is connected to. This way, you are protected at different levels wherever you connect to the internet.
- Private Network: This profile is used for trusted networks, such as your home or office. When you select this profile in Windows, certain services are allowed to communicate with other devices on your network. Key features:
  - Network Discovery Enabled: Your computer is visible to other devices and can access resources on the network, such as printers, media devices, or other computers.
  - File and Printer Sharing: Features such as file and printer sharing may be enabled by default on this network.
  - Incoming Traffic: The firewall is more flexible than on a public network. Incoming connections are allowed for the sharing services and applications you specify, but it is still not open to all incoming traffic.
- Public Network: This profile is designed for public and untrusted networks such as airports, cafes, or hotels. It applies the most restrictive firewall settings and protects you from potential threats. Key features:
  - Network Discovery Off: Your computer is invisible to other devices on the network. This prevents malicious users from scanning your device and searching for vulnerabilities.
  - Limited Sharing: Automatic sharing of files, printers, or other network resources is disabled.
  - Incoming Traffic: By default, it blocks all incoming connections. This profile only allows responses to connections you initiate and blocks all unwanted connection requests from outside.
- Domain Network: This profile is typically used in large corporate networks. It activates automatically when your computer is connected to a domain controller. Key features:
  - Centralized Management: Firewall settings are managed according to policies centrally defined by network administrators.
  - Custom Rules: Administrators can define rules tailored to the domain’s specific security requirements and software. This ensures that all users adhere to the same security standards.
  - Flexible Structure: Rules can be more restrictive or allow more access to specific services, depending on the network’s needs.
Windows asks which profile to assign to which network when the user connects to a new network for the first time. If the user does not make a selection, the public network profile is assigned by default. It usually asks this question: “Do you want other computers and devices on this network to be able to find your computer?”
macOS
Unlike Windows, macOS ships with a built-in firewall that is disabled by default. So how does macOS, often touted as “very secure,” provide protection in this case? The answer lies in a permission-based security model similar to that of mobile operating systems such as iOS and Android. However, this model works a little differently than we might think.
macOS’s security philosophy is based not on preventing applications from sending data to the internet (outgoing connections), but on blocking unwanted connections (incoming connections) from outside.
The real magic happens when an application wants to open a port to accept a connection from an external network, i.e., to act like a server.
At this very moment, if your firewall is active, macOS steps in and asks you a specific question about that application: “Should the application named [Application Name] be allowed to accept incoming network connections?” This way, you decide whether the application can respond to requests from the outside world. The system doesn’t ask you this for everything. Trusted applications produced by Apple have these permissions by default.
- Trusted Applications: Trusted system applications such as FaceTime, AirDrop, and Messages, which are digitally signed by Apple, automatically have these permissions.
- Applications Downloaded from the Internet: This check is typically performed when applications you download from the internet, which are not recognized or signed by Apple, attempt to act like a server.
In addition to macOS’s simplified permission-based security feature, there is also a firewall that you can configure manually. It is simply disabled by default.
To activate the firewall, go to System Preferences > Network > Firewall. After turning on the firewall, the “Options…” button that appears is the center of all manual control.
- “Block all incoming connections”: Blocks all incoming connections, including those to applications you have authorized. It is ideal when you are on an extremely insecure public network (such as a convention center Wi-Fi), will only be performing basic tasks like browsing the internet, and do not want any services (file sharing, screen sharing, even FaceTime calls) to be reachable from outside.
- Application List and Permission Management (+ and - buttons): This is the heart of the panel. Here you see a list of applications with specific rules defined for incoming connections.
  - (+) button: Adds any application from your Applications folder to the list. When you add one, the default setting “Allow incoming connections” appears next to it.
  - (-) button: Select an application in the list and press this button to remove its custom rule.
  - Changing permissions: You can switch the setting next to an application between “Allow” and “Block”.
  What this gives you:
  - Pre-authorization: You can pre-authorize incoming connections for an application that hasn’t asked you yet (e.g., a development server you just installed). This way, no warning window appears when the application first runs.
  - Blocking a specific application: You can add an application installed on your computer that you never want to accept external connections to the list and set it to “Block.” The system will never ask about this application and will silently reject all of its incoming requests.
  - Overriding automatic decisions: If you want to block incoming connections to a normally permitted signed application (e.g., the sharing feature of the Music app), you can override the system’s default behavior by adding it to the list and selecting “Block.”
- Other automatic permissions: The panel also contains two “automatic permission” options:
  - “Automatically allow built-in software to receive incoming connections”: When this option is selected, macOS automatically grants permission to its own core services and applications (FaceTime, AirDrop, etc.). It is generally recommended to leave this option enabled.
  - “Automatically allow downloaded signed software to receive incoming connections”: This automatically grants permission to software recognized by Apple and digitally signed by trusted developers. Software from large companies such as Microsoft or Adobe falls into this category. This reduces the number of permission windows that would otherwise pop up constantly.
  If you uncheck these options, the system will ask for permission much more frequently. This gives you more granular control but may slow down the user experience slightly.
- Enable stealth mode: This is one of the most important manual settings. It makes you completely “invisible” to network scans by preventing your computer from responding to discovery requests, such as pings, on the network. This is a critical defense mechanism that you turn on and off manually.
Linux
Unlike the other systems, Linux exposes control at the kernel level. Starting with Netfilter, which forms the basis of Linux network security, let’s examine the legendary iptables used to manage it, its modern successor nftables, and the user-friendly front end ufw.
- Netfilter is the packet filtering framework inside the Linux kernel. It captures and examines every network packet entering, leaving, or passing through (being routed by) your computer. It is low-level and is configured through front-end programs such as iptables or nftables.
Netfilter uses “hooks” to capture network packets at specific points in their journey. The most basic hooks are:
- INPUT: Where packets arriving at your computer are captured.
- OUTPUT: Where packets leaving your computer are captured.
- FORWARD: Where packets forwarded to another location via your computer are captured (e.g., if used as a router).
- iptables has been the standard tool for Linux firewall management for years. It is very powerful, flexible, and allows you to write rules suitable for any scenario.
- Tables: Group rules according to their purpose. The most common is the filter table.
- Chains: Rule lists corresponding to netfilter hooks (INPUT, OUTPUT, FORWARD).
- Rules: “If the packet has these characteristics, do this” commands that you write inside the chains.
# Add a rule to the INPUT chain (-A)
# If the incoming packet is a TCP packet (-p tcp)
# and its destination port is 22 (--dport 22),
# accept the packet (-j ACCEPT)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Drawbacks of iptables: the syntax is somewhat complex; performance issues may arise when a large number of rules is loaded; and separate commands are required for IPv4 (iptables) and IPv6 (ip6tables).
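As an added example (not code from the article), the single rule above extended into a minimal stateful default-deny baseline that is applied to both address families, which is exactly the dual-command point made in the drawbacks. Setting DRY_RUN=1 only prints the commands, so the script can be reviewed without root; the script name, the DRY_RUN variable and the port list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal stateful
# default-deny INPUT baseline applied with both iptables and ip6tables,
# since each address family needs its own command.
# DRY_RUN=1 prints the commands instead of executing them (assumed name).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_baseline <iptables-binary> [tcp ports...]
apply_baseline() {
    bin="$1"; shift
    # Start from an empty filter table.
    run "$bin" -F
    # Loopback traffic is always allowed.
    run "$bin" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated are allowed (stateful).
    run "$bin" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicitly opened TCP services, e.g. 22 for SSH.
    for port in "$@"; do
        run "$bin" -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # Policies are set last so an existing SSH session is matched by the
    # conntrack rule before INPUT switches to DROP.
    run "$bin" -P INPUT DROP
    run "$bin" -P FORWARD DROP
    run "$bin" -P OUTPUT ACCEPT
}

# Apply the same policy to IPv4 and IPv6.
apply_both() {
    apply_baseline iptables "$@"
    apply_baseline ip6tables "$@"
}

# Usage: DRY_RUN=1 sh baseline.sh 22 80   (preview)
#        sudo sh baseline.sh 22 80        (apply)
if [ $# -gt 0 ]; then
    apply_both "$@"
fi
```

Run it first with DRY_RUN=1 and read the 16 printed commands; only when the list looks right should it be applied with root, ideally from a console rather than over the SSH session it is about to constrain.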
- nftables is a modern and more efficient alternative developed to address the complexity and some of the performance issues of iptables. Most current Linux distributions now use nftables by default.
Advantages of nftables:
- Single Tool: A single command (nft) is used for both IPv4, IPv6, and other protocols.
- More Understandable Syntax: Rules have a more readable and modern structure.
- Better Performance: It is more efficient than iptables, especially when there are a large number of rules.
- Atomic Rule Updates: The entire rule set is replaced in a single operation, so there is no moment in which a half-applied rule set leaves the host exposed.
# Add a rule to the input chain of the filter table in the inet family
# Accept if the TCP destination port is 22
sudo nft add rule inet filter input tcp dport 22 accept
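As an added example (not code from the article), the single nft rule above grown into a complete ruleset file for the inet family, which is how the “single tool” and “atomic update” advantages show up in practice: one table covers IPv4 and IPv6, and loading the file with nft -f replaces the whole ruleset at once. The port validation, the chain layout and the use of nft -c for a syntax check are the author’s choices here, not something the article prescribes.

```shell
#!/bin/sh
# Added example (not from the original article): generate a default-deny
# nftables ruleset for the inet family (IPv4 + IPv6 in one table) and
# optionally syntax-check it with "nft -c -f", which parses without applying.

# valid_port <n>: returns 0 if n is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset [tcp ports...]: prints the ruleset; fails on a bad port
gen_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
EOF
    for p in "$@"; do
        printf '        tcp dport %s accept\n' "$p"
    done
    cat <<EOF
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset <file>: parse-only check when nft is installed
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Usage: sh gen.sh 22 80 > /tmp/fw.nft && sudo nft -c -f /tmp/fw.nft
#        sudo nft -f /tmp/fw.nft   (applies the whole file atomically)
[ $# -eq 0 ] || gen_ruleset "$@"
```

Because the file begins with flush ruleset and is loaded as one transaction, a typo anywhere in it is rejected as a whole rather than leaving a partially loaded table behind. The ICMPv6 neighbour-discovery types are accepted because IPv6 cannot function without them.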
- User-Friendly Interface: ufw (Uncomplicated Firewall)
If you’re thinking, “I don’t want to deal with the complex syntax of iptables or nftables; I just want to easily add basic rules,” then ufw is the tool you’re looking for. As the name suggests, ufw is an interface designed to simplify firewall management. It automatically generates iptables or nftables commands for you in the background. It comes as the default in desktop distributions like Ubuntu and is ideal for end users.
# Enable the firewall
sudo ufw enable
# Deny all incoming connections by default (VERY IMPORTANT!)
sudo ufw default deny incoming
# Allow all outgoing connections by default
sudo ufw default allow outgoing
# Allow SSH (by service name)
sudo ufw allow ssh
# Allow HTTP (port 80) traffic
sudo ufw allow http
# Allow only TCP protocol on port 8080
sudo ufw allow 8080/tcp
# Delete a rule
sudo ufw delete allow 8080/tcp
# Show current status and rules
sudo ufw status verbose
Many Linux users configure their firewalls with UFW. Whether the firewall is active and configured on a given Linux system depends on whoever provides the distribution (an individual, a company, or a community). It is also possible to use UFW without entering commands: the program called gUFW makes this very easy.
Let’s examine the UFW status in popular Linux distributions such as Ubuntu, Mint, and Debian. UFW is installed in Ubuntu but is not configured and is disabled. UFW is installed in Mint. gUFW is also installed. However, it is not configured and is not active. Debian, on the other hand, comes with a minimum set of programs as a matter of principle, so neither UFW nor gUFW is installed.
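Since, as the paragraph above shows, a distribution may ship UFW installed but inactive, it is worth checking rather than assuming. Here is an added example (not from the article) that audits the output of ufw status verbose: it confirms the firewall is active, that incoming traffic defaults to deny, and that every ALLOW IN rule is on an expected list. The two status texts embedded in it are constructed samples written in ufw’s output format.

```shell
#!/bin/sh
# Added example (not from the original article): audit "ufw status verbose"
# output so a disabled firewall or an unexpected open port is caught.
# SAMPLE_ACTIVE and SAMPLE_INACTIVE are constructed sample outputs.

SAMPLE_ACTIVE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

SAMPLE_INACTIVE='Status: inactive'

# ufw_allowed_ports: reads status text on stdin and prints each IPv4
# "ALLOW IN" target; v6 rows carry "(v6)" in column 2, so they are skipped.
ufw_allowed_ports() {
    awk '$2 == "ALLOW" && $3 == "IN" { print $1 }'
}

# audit_ufw [expected targets...]: reads status text on stdin; returns 0
# only if ufw is active, incoming defaults to deny, and every ALLOW IN
# rule is in the expected list.
audit_ufw() {
    text=$(cat)
    rc=0
    if ! printf '%s\n' "$text" | grep -q '^Status: active'; then
        echo "FAIL: ufw is not active"
        rc=1
    fi
    if ! printf '%s\n' "$text" | grep -q '^Default: deny (incoming)'; then
        echo "FAIL: default incoming policy is not deny"
        rc=1
    fi
    for target in $(printf '%s\n' "$text" | ufw_allowed_ports); do
        found=0
        for want in "$@"; do
            [ "$target" = "$want" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "FAIL: unexpected incoming allow rule: $target"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: ufw active, default deny, all allow rules expected"
    return "$rc"
}

# On a real host: sudo ufw status verbose | audit_ufw 22/tcp 80/tcp
```

The check deliberately fails closed: an inactive firewall prints no Default line at all, so both tests fail, and any ALLOW IN rule you did not list is reported by name.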
Android and iOS
Android’s Approach
Android is built on the Linux kernel, so it actually has a powerful firewall engine like Netfilter under the hood. However, as users, we don’t interact with this engine directly. The Android operating system automatically manages this infrastructure to enforce application sandbox rules. The “firewall-like” settings that users can manage are as follows:
- Application-Based Data Restriction: This is the most powerful network control Android offers to end users. From Settings > Network & Internet > Apps menu, for any application you choose:
- You can restrict background data. This prevents the application from using the internet when it is not open on your screen.
- You can completely disable mobile data usage.
In addition to these restrictions, Android also offers the following controls:
- Private DNS: Allows you to enhance your network security and privacy by routing your network traffic through encrypted DNS servers.
- VPN API: Android provides an infrastructure that allows third-party applications to act like a VPN connection and route all device traffic through themselves. Ad-blocking and tracker-blocking applications such as NetGuard or AdGuard actually use this VPN infrastructure to function like a firewall on your device without requiring root privileges, blocking unwanted connections.
- Root Permissions (Advanced): Advanced users who grant root permissions to their device can get a traditional firewall experience by directly controlling Linux’s iptables engine with apps like AFWall+.
iOS’s Approach
Apple’s “walled garden” philosophy is also evident in network security. iOS offers an even more rigid and closed system than Android. At the core level, iOS features a completely closed and automatically operating packet filtering system (firewall) that is inaccessible to the user. This system is designed to enforce application sandboxing and cannot be manually managed in any way.
The user has limited but effective controls, which are as follows:
- Cellular Data Control: Similar to Android, under Settings > Cellular, you can individually determine whether each app can use mobile data.
- Local Network Access Permission: This is one of iOS’s most powerful security features. When an app wants to scan other devices on your Wi-Fi network (Chromecast, smart TV, printer, etc.), iOS asks you with a notification: “[App Name] wants to find and connect to devices on your local network.” Without granting this permission, the app is prevented from “sniffing around” on your local network.
- VPN API: Just like Android, third-party firewall or ad-blocker apps can use VPN infrastructure to filter the device’s network traffic.
IoT
Advanced Devices (Smart TVs): They typically use stripped-down operating systems based on Linux (Tizen, webOS) or Android (Android TV). Their security models are inherited from these systems, but user control is zero. Your security is entirely dependent on the manufacturer’s updates.
Simple Devices (Light Bulbs, Plugs): These devices do not have a traditional firewall. Their security relies solely on being programmed to communicate with the manufacturer’s cloud server and, most importantly, on your home modem’s NAT feature. Their main firewall is your modem.