
Linux Firewalls
Attack Detection and Response with iptables, psad, and fwsnort
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.
- Authors: Michael Rash
- Published: 2007
- Publisher: No Starch Press
- Pages: 336
- Language: English
Read this if
Linux administrators and defensive practitioners who need to actually configure a firewall, not just understand the concept. Rash's iptables coverage remains the cleanest practical introduction; psad and fwsnort cover the active-response side.
Skip this if
Readers fully on nftables / firewalld / cloud-native security groups, or anyone wanting an architecture-level treatise. The book is hands-on iptables rules and analysis, not a strategic frame.
Key takeaways
- iptables remains the foundational mental model; even in nftables-or-eBPF environments, understanding match-and-target chains is required to read the rule sets the field still ships.
- Active response is a real defensive option that's easy to overstate; the book's chapter on the trade-offs is appropriately cautious.
- Port scanning detection (psad) and signature-based blocking (fwsnort) are still useful primitives that punch above their weight in budget-constrained environments.
Notes
Pair with The Practice of Network Security Monitoring (Bejtlich) for the strategic frame and Practical Linux Forensics (Nikkel) for the host-side context. For current iptables / nftables documentation, the kernel.org Wiki and netfilter documentation are authoritative. Rash's cipherdyne.org maintains the psad and fwknop projects he authored.
What to read before
Beginner · 2017
Practical Packet Analysis
Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
What to read next
Advanced · 2010
Tableaux de bord de la sécurité réseau
A practitioner's manual for measuring and steering network security — metrics, dashboards, monitoring and risk indicators — for the people who run security operations.
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2013
Applied Network Security Monitoring
A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.
Explore similar books
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2021
Practical Linux Forensics
Bruce Nikkel's reference for forensic analysts working post-mortem on Linux images: filesystems, journaling, logs, persistence locations, and the chain of custody discipline around them.
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.