// Comparison

Linux Firewalls vs Practical Linux Forensics: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52007

Attack Detection and Response with iptables, psad, and fwsnort

Michael Rash

Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.

Intermediate

4/52021

Practical Linux Forensics

A Guide for Digital Investigators

Bruce Nikkel

Bruce Nikkel's reference for forensic analysts working post-mortem on Linux images: filesystems, journaling, logs, persistence locations, and the chain of custody discipline around them.

Read this if

Linux administrators and defensive practitioners who need to actually configure a firewall, not just understand the concept. Rash's iptables coverage remains the cleanest practical introduction; psad and fwsnort for the active-response side.

Incident responders and forensic analysts working modern Linux systems. Nikkel covers ext4 / XFS / Btrfs internals, systemd journaling, persistence locations, and the chain-of-custody discipline that distinguishes evidence from notes. The post-systemd reference the field needed.

Skip this if

Readers fully on nftables / firewalld / cloud-native security groups, or anyone wanting an architecture-level treatise. The book is hands-on iptables rules and analysis, not a strategic frame.

Windows-only forensic analysts, or beginners without IR experience. The book assumes filesystem fluency and command-line forensics comfort.

Key takeaways

iptables remains the foundational mental model; even in nftables-or-eBPF environments, understanding match-and-target chains is required to read the rule sets the field still ships.
Active response is a real defensive option that's easy to overstate; the book's chapter on the trade-offs is appropriately cautious.
Port scanning detection (psad) and signature-based blocking (fwsnort) are still useful primitives that punch above their weight in budget-constrained environments.

Modern Linux forensics is not just "parse syslog"; systemd, journald, and the move to overlay-based containers each created new artifact classes.
The book's chapter on persistence enumeration is the cleanest in print; cron, systemd timers, init.d, profile files, all named.
Most cloud workloads are Linux, which means most cloud-incident forensics is Linux forensics; the book is the right starting reference.

How they compare

Linux Firewalls and Practical Linux Forensics are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Linux Firewalls and Practical Linux Forensics both cover Defensive, Linux, so reading them in sequence reinforces the same material from different angles.

Keep reading

Linux Firewalls

→ Alternatives to Linux Firewalls → What to read after Linux Firewalls