Linux defaults to pretty much not listening on any ports. If you need to listen on ports, but only for certain IPs, or block outgoing traffic, the built-in firewall is excellent. There are numerous frontends for it. I use fail2ban, which can detect bad actors via logfiles, and ban them from any connection.