UFW or Uncomplicated Firewall, is a text based firewall that works with iptables. UFW is designed to be an easier way to manage a firewall from the command line. Whether this is easier than learning iptables or not, you can decide. But UFW comes partially set up when you install Ubuntu. Now it is not activated by default so you have not protection but some basic settings are in place when you do start up UFW.
The Ubuntu 9.10 server brings three new features to the UFW firewall; outgoing filtering update, filtering by interface and bash completion. This now brings a total of 12 new features since the UFW was first released in version 8.04. Finally, the UFW is reaching a mature stage where you can use it instead of writing rules with iptables.
If you run the ufw command you will see a listing of the most important commands to run the ufw firewall. Take some time to look this over as you will need this as a resource.
Usage: ufw COMMAND
enable enables the firewall
disable disables the firewall
default ARG set default policy
logging LEVEL set logging to LEVEL
allow ARGS add allow rule
deny ARGS add deny rule
reject ARGS add reject rule
limit ARGS add limit rule
delete RULE delete RULE
insert NUM RULE insert RULE at NUM
status show firewall status
status numbered show firewall status as numbered list of RULES
status verbose show verbose firewall status
show ARG show firewall report
version display version information
Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set default application policy
The first step in managing the firewall is to check the status.
sudo ufw status
When you see a status as inactive you know that your server is vulnerable to attacks on open ports. It is important that you get UFW up and protecting your server before you connect to the Internet.
The first thing to do is to make sure you have access to the server remotely using SSH. Be sure you have installed SSH on the server with:
sudo apt-get install ssh
Now create a firewall rule before you actually activate the firewall so if you are accessing it from SSH you will not break your connection.
As root complete the following commands.
sudo ufw allow proto tcp from 188.8.131.52/24 to any port 22
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Note that a subnet was allowed for connection on port 22. If you wanted to enter a single IP Address just change it to the IP Address you want.
Now you have access using SSH it is important before you create additional rules to understand what your firewall looks like from the outside, what ports are really open.
sudo apt-get install nmap
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-13 07:05 MDT
Interesting ports on 192.168.5.96:
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
There are already several common rules that are configured into the firewall immediately. One of those is the state rules that provide for any RELATED or ESTABLISHED connections. This means that if you connect to a web server from a machine it will allow the information you requested from the web server to return based on the fact that the local machine established the connection and the returning information was related to that request.
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
The kernel's packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task.
ufw - Uncomplicated Firewall
ufw by default is initially disabled. From the ufw man page:
“ ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls. ”
The following are some examples of how to use ufw:
- First, ufw needs to be enabled. From a terminal prompt enter:
sudo ufw enable
- To open a port (ssh in this example):
sudo ufw allow 22
- Rules can also be added using a numbered format:
sudo ufw insert 1 allow 80
- Similarly, to close an opened port:
sudo ufw deny 22
- To remove a rule, use delete followed by the rule:
sudo ufw delete deny 22
- It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access from host 192.168.0.2 to any ip address on this host:
sudo ufw allow proto tcp from 192.168.0.2 to any port 22Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.
- Adding the --dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port:
sudo ufw --dry-run allow http
*filter :ufw-user-input - [0:0] :ufw-user-output - [0:0] :ufw-user-forward - [0:0] :ufw-user-limit - [0:0] :ufw-user-limit-accept - [0:0] ### RULES ### ### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 -A ufw-user-input -p tcp --dport 80 -j ACCEPT ### END RULES ### -A ufw-user-input -j RETURN -A ufw-user-output -j RETURN -A ufw-user-forward -j RETURN -A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: " -A ufw-user-limit -j REJECT -A ufw-user-limit-accept -j ACCEPT COMMIT Rules updated
- ufw can be disabled by:
sudo ufw disable
- To see the firewall status, enter:
sudo ufw status
- And for more verbose status information use:
sudo ufw status verbose
- To view the numbered format:
sudo ufw status numbered
| If the port you want to open or close is defined in |
ufw Application Integration
/etc/ufw/applications.d, and can be edited if the default ports have been changed.
- To view which applications have installed a profile, enter the following in a terminal:
sudo ufw app list
- Similar to allowing traffic to a port, using an application profile is accomplished by entering:
sudo ufw allow Samba
- An extended syntax is available as well:
ufw allow from 192.168.0.0/24 to any app SambaReplace Samba and 192.168.0.0/24 with the application profile you are using and the IP range for your network.
There is no need to specify the protocol for the application, because that information is detailed in the profile. Also, note that the app name replaces the port number.
- To view details about which ports, protocols, etc are defined for an application, enter:
sudo ufw app info Samba
/etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.
The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.
- First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in
/etc/default/ufwchange the DEFAULT_FORWARD_POLICY to “ACCEPT”:
net.ipv4.ip_forward=1Similarly, for IPv6 forwarding uncomment:
- Now we will add rules to the
/etc/ufw/before.rulesfile. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
# nat Table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic from eth1 through eth0. -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't be processed COMMITThe comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in
/etc/ufw, make sure these lines are the last line for each table modified:
# don't delete the 'COMMIT' line or these rules won't be processed COMMITFor each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.
In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.
- Finally, disable and re-enable ufw to apply the changes:
sudo ufw disable && sudo ufw enable
/etc/ufw/before.rules. It is recommended that these additional rules be added to the ufw-before-forward chain.
- Similar to ufw, the first step is to enable IPv4 packet forwarding by editing
/etc/sysctl.confand uncomment the following line
net.ipv4.ip_forward=1If you wish to enable IPv6 forwarding also uncomment:
- Next, execute the sysctl command to enable the new settings in the configuration file:
sudo sysctl -p
- IP Masquerading can now be accomplished with a single iptables rule, which may differ slightly based on your network configuration:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADEThe above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:
- -t nat -- the rule is to go into the nat table
- -A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain
- -s 192.168.0.0/16 -- the rule applies to traffic originating from the specified address space
- -o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device
- -j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above
- -t nat -- the rule is to go into the nat table
- Also, each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPTThe above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.
- If you want masquerading to be enabled on reboot, which you probably do, edit
/etc/rc.localand add any commands used above. For example add the first command with no filtering:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
If you are using ufw, you can turn on logging by entering the following in a terminal:
sudo ufw logging onTo turn logging off in ufw, simply replace on with off in the above command.
If using iptables instead of ufw, enter:
sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
The above log will also appear in
/var/log/kern.log. This behavior can be modified by editing
/etc/syslog.confappropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire.
- Shorewall is a very powerful solution to help you configure an advanced firewall for any network.
- ipkungfu should give you a working firewall "out of the box" with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files.
- fireflier is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.