Embedded Linux firewall
Deep dive into Welma embedded Linux firewall protection.
Devices communicate over the network to receive updates, expose services, or integrate with backend systems. This creates a need for robust protection on both incoming and outgoing traffic. That’s why Welma leverages a software firewall for embedded Linux systems.
Its purpose: enforce network protection by filtering traffic and preventing unauthorized access.
Why an embedded Linux firewall matters
- Preventing unauthorized access: Not all ports or services should be publicly reachable. A firewall ensures only the intended ones are exposed.
- Limiting exposure to attacks: Most cyberattacks begin by scanning for open ports. A locked-down firewall significantly reduces the attack surface.
- Stopping compromised Linux devices from participating in attacks: A hijacked device could be used in a DDoS attack, sending large volumes of malicious requests. Filtering outgoing packets helps detect and block abnormal activity early.
- Maintaining operational integrity: Logging suspicious traffic helps operators identify threats, but logging must remain controlled to avoid overload or log-based denial of service situations.
How the firewall is implemented in the Welma Yocto distribution
Welma uses the Linux kernel’s Netfilter framework to implement its firewall. Netfilter provides low‑level hooks that allow Welma to inspect and filter packets as they enter or leave the device.
Default behavior
Welma ships with a secure baseline configuration:
- All ports are closed by default.
- Only port 22 (SSH) is open in development images to allow shell access.
- Incoming requests to closed ports are silently dropped, making the device appear unreachable and reducing exposure to probing attacks.
- Dropped packets are logged with rate limiting, ensuring traceability without overwhelming system resources.
If the firewall configuration fails to apply, for example, because of a syntax error, Welma proactively disables network access. The Linux device still boots, but no network interface is brought online.
This guarantees that an invalid firewall configuration never exposes an unprotected embedded system.
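The baseline above, written out as an added example that is not Welma's SFW tool or its shipped rules: a POSIX shell script that emits an nftables ruleset with the described defaults (everything closed, SSH only in development images, closed ports dropped silently with rate-limited logging) and a loader that fails closed by taking the interfaces down when the rules do not apply. It assumes nftables (`nft`) and iproute2 (`ip`) are on the image, and the outbound DNS/HTTPS allowances are an assumed update channel, not something the page specifies.

```shell
# Added example, not Welma's SFW tool or its shipped rules: an nftables
# ruleset matching the described baseline plus a fail-closed loader.
# Assumes nftables (nft) and iproute2 (ip) are present on the image.
# Print a default-deny ruleset; "dev" opens SSH as development images do.
baseline_ruleset() {
    image="${1:-prod}"
    cat <<'EOF'
flush ruleset
table inet welma_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
EOF
    if [ "$image" = "dev" ]; then
        echo '        tcp dport 22 ct state new accept'
    fi
    cat <<'EOF'
        # Closed ports: log at a bounded rate, then drop without replying.
        limit rate 5/minute burst 10 packets log prefix "fw-drop: " level warn
        drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Assumed update/backend channel: DNS and HTTPS only.
        udp dport 53 accept
        tcp dport 443 accept
    }
}
EOF
}

# Load a ruleset file. Welma keeps the device off the network when its
# rules fail to apply; this mimics that by validating first and, on
# failure, downing every non-loopback interface instead of leaving the
# kernel's default accept policy in place.
apply_ruleset() {
    if nft -c -f "$1" && nft -f "$1"; then
        return 0
    fi
    echo "firewall rules failed to load; isolating device" >&2
    for d in /sys/class/net/*; do d=${d##*/}; [ "$d" = lo ] || ip link set "$d" down; done
    return 1
}
```

Typical use on a development image would be `baseline_ruleset dev > /run/fw.nft && apply_ruleset /run/fw.nft` (the file path is an assumption); a deliberately broken rule in that file makes the loader down the interfaces rather than boot with an open network.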
Configuration flexibility
Welma provides two ways to configure the embedded Linux firewall:
- Simplified syntax with SFW (Simple Firewall)
For most use cases, Welma offers a simplified configuration tool called SFW.
It allows developers to:
  - Open only a limited set of ports
  - Keep all remaining ports closed
  - Define allowed inbound and outbound traffic through a clean, easy-to-read syntax
This approach offers strong security out of the box, while giving engineering teams the freedom to adapt the configuration to their specific needs.
- Full Netfilter rules for advanced users
Expert developers can define complex filtering logic using the complete Netfilter syntax, enabling fine-grained control.
Conclusion
The Welma embedded Linux firewall provides a robust and flexible foundation for securing network communication.
Built on proven kernel capabilities, it enforces a default-deny model, supports both simple and advanced configurations, and ensures embedded devices remain protected even in the event of misconfiguration.