
Linux.com

Feature: System Administration

Simplify system security with the Uncomplicated Firewall

By Michael Anckaert on October 01, 2008 (4:00:00 PM)


The Uncomplicated Firewall (UFW) is a new tool from Ubuntu whose goal is to make configuration of the built-in Linux packet filter less complicated and more secure for novice users.

You must run UFW commands as root, so in Ubuntu, you must preface them with the sudo command. With UFW, enabling and disabling packet filtering is a simple matter of issuing the sudo ufw enable and sudo ufw disable commands. You set the default policy for filtering packets by running the sudo ufw default command and passing the allow or deny argument, depending on what you want to achieve. If you issue the sudo ufw default allow command, all incoming packets will be allowed by default, creating a very insecure packet filter but giving you the broadest range of allowed services. The command sudo ufw default deny will block all incoming packets, requiring that you explicitly allow specific services to pass the packet filter.

Packet filters allow or deny certain services as specified by an administrator. Compared to iptables, the most common command used on Linux systems to configure packet filtering, the rules syntax used by UFW is extremely simple. You can use as much or as little information as you want to specify a filter rule. In the simplest case, you simply pass the protocol definition you want to allow or deny with syntax like this:

sudo ufw allow 80/tcp
sudo ufw deny 21/tcp

These examples allow TCP traffic on port 80, which is used by the HTTP protocol, and deny TCP traffic on port 21, used by the FTP protocol.

Non-sysadmins may argue that it's not very "uncomplicated" if you have to specify rules by their port numbers and protocol names. To make things even simpler, you can refer to services by their names instead:

sudo ufw deny smtp
sudo ufw allow ssh

The file /etc/services contains a list of services with their official port numbers as assigned by IANA, the organization responsible for naming and numbering Internet protocols.

More complex filtering

When it comes to packet filters, where something comes from is as important as what it is. Filtering packets on their source or destination address is one of the biggest tasks of a packet filter. UFW gives you a powerful syntax to filter on source and destination addresses. After specifying the protocol in your rule, you can add additional options:

sudo ufw allow|deny [proto protocol] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]
sudo ufw allow ssh from 192.168.2.3
sudo ufw allow smtp from 192.168.2.7 to 192.168.2.9

Deleting a rule is as simple as specifying the original rule with the delete keyword in front of it. For example, to remove the rule above that allowed SSH traffic from 192.168.2.3, enter:

sudo ufw delete allow ssh from 192.168.2.3
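The rule grammar above, as an added example that is not from the article or the ufw project: a small Python parser for the rule forms shown on this page (port/protocol, service name, proto/from/to/port options, and the delete keyword), rendering each into the plain iptables rule it corresponds to. The service table is a constructed subset of /etc/services, and the iptables rendering is illustrative only: ufw itself installs rules into its own chains rather than directly into INPUT.

```python
# Constructed subset of /etc/services: service name -> (port, protocol).
SERVICES = {"ssh": (22, "tcp"), "http": (80, "tcp"), "smtp": (25, "tcp"), "ftp": (21, "tcp")}
KEYWORDS = ("proto", "from", "to")

def parse_rule(rule):
    """Parse '[delete] allow|deny [PORT[/PROTO]|SERVICE] [proto P] [from A [port N]] [to A [port N]]'."""
    tokens = rule.split()
    delete = tokens[:1] == ["delete"]
    tokens = tokens[1:] if delete else tokens
    if not tokens or tokens[0] not in ("allow", "deny"):
        raise ValueError("rule must start with allow or deny")
    spec = dict(action=tokens[0], delete=delete, proto=None, dport=None, sport=None, src=None, dst=None)
    i = 1
    if i < len(tokens) and tokens[i] not in KEYWORDS:  # positional port[/proto] or service name
        port, _, proto = tokens[i].partition("/")
        if port.isdigit():
            spec["dport"], spec["proto"] = int(port), proto or None
        elif tokens[i] in SERVICES:
            spec["dport"], spec["proto"] = SERVICES[tokens[i]]
        else:
            raise ValueError(f"unknown service {tokens[i]!r}")
        i += 1
    while i < len(tokens):
        if i + 1 >= len(tokens) or tokens[i] not in KEYWORDS:
            raise ValueError(f"unexpected token {tokens[i]!r}")
        kw, val, i = tokens[i], tokens[i + 1], i + 2
        if kw == "proto":
            spec["proto"] = val
        else:  # from / to, each with an optional trailing "port N"
            spec["src" if kw == "from" else "dst"] = val
            if i < len(tokens) and tokens[i] == "port":
                spec["sport" if kw == "from" else "dport"] = int(tokens[i + 1])
                i += 2
    return spec

def to_iptables(spec):
    """Render as plain iptables commands (illustrative: ufw really installs its rules in
    its own chains such as ufw-user-input). A port with no protocol becomes tcp+udp, as ufw does."""
    protos = [spec["proto"]] if spec["proto"] else (["tcp", "udp"] if spec["dport"] or spec["sport"] else [None])
    flags = (("-s", spec["src"]), ("-d", spec["dst"]), ("--sport", spec["sport"]), ("--dport", spec["dport"]))
    cmds = []
    for proto in protos:
        cmd = ["iptables", "-D" if spec["delete"] else "-A", "INPUT"] + (["-p", proto] if proto else [])
        for flag, val in flags:
            if val:
                cmd += [flag, str(val)]
        cmd += ["-j", "ACCEPT" if spec["action"] == "allow" else "DROP"]
        cmds.append(" ".join(cmd))
    return cmds
```

Feeding the article's own rules through parse_rule and to_iptables shows why a service name is just shorthand for a port/protocol pair, and why "allow 53" without a protocol produces two rules rather than one.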

Most administrators find it useful to log what the packet filter is doing. Use the sudo ufw logging on|off command to enable or disable logging. With logging enabled, you can check the output of dmesg to see what UFW is doing to your packets.

No matter how good or easy your packet filter is, building a good chain of rules is never easy. There are plenty of good sources on the Internet about building good packet filter rules.

The next version of Ubuntu, Intrepid Ibex, will make it even easier to allow or deny access for specific programs by using package integration, which will let you use UFW with an application's name instead of the services it provides. This extra functionality adds a layer of abstraction that targets a specific program instead of a particular port/protocol definition, as in:

sudo ufw apache default allow

As you can see, the UFW tool makes it easy to work with the built-in Linux packet filter.


Comments

on Simplify system security with the Uncomplicated Firewall


Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 71.114.229.100] on October 01, 2008 05:43 PM
The syntax for ufw when using an application profile is:
sudo ufw allow Apache

or when using the extended syntax:
sudo ufw allow from 192.168.1.3 app Apache

You can see a list of installed application profiles with:
sudo ufw app list


Gufw

Posted by: Anonymous [ip: 76.74.204.4] on October 01, 2008 06:16 PM
If you want to overkill, I recommend a GUI for it: http://gufw.tuxfamily.org/

(totally optional, of course!)


Re: Gufw

Posted by: Anonymous [ip: 68.200.218.75] on October 02, 2008 10:56 PM
I'm not sure why this crude tool keeps getting plugged in internet forums such as this.

If you want a really good Linux firewall configuration tool then look at Firewall Builder (http://www.fwbuilder.org). It has a far superior GUI and feature set. It is also compatible with IPTables (Linux), PF (*BSD), Cisco ACLs, DD-WRT (Linksys routers) and more.

Now THAT'S a firewall GUI.


Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 70.232.36.141] on October 01, 2008 11:13 PM
Looks a bit like openbsd's pf rules


Re: Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 62.92.44.68] on October 02, 2008 08:45 AM
That's because it was based on PF's syntax ;)


Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 70.106.208.54] on October 02, 2008 02:34 PM
I see all these articles showing how to use the firewall, but I don't see anything telling me what I need to know!! I understand the articles, but I don't know what I need to block? I realize that there are many things to block, I am just looking for a starting place. How about an article that shows what I need to block with the firewall?? That's what would help me the most.


Re: Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 129.138.30.143] on October 02, 2008 07:09 PM
I would recommend firewalling on a whitelist basis: block everything and only allow the services you need. If you are looking for suspicious traffic, try playing with an IDS like Snort.


Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 205.200.22.48] on October 02, 2008 10:35 PM
Wouldn't it be easier if I could click a checkmark beside the port I wanted open? Why do you keep making me use the command line? Even my router with less than 2MB of operating system uses a graphical interface for everything.


Re: Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 129.138.30.71] on October 03, 2008 05:53 AM
If you want a GUI to abstract away the details, then something like Firestarter would be best. On the other hand, working on the command line would better teach you what goes on behind the scenes. Also, it is fun!


Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 90.195.248.99] on October 03, 2008 06:51 AM

Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 98.165.57.79] on October 05, 2008 03:19 AM
GUI schmui. Firestarter has been a GUI l4m3r option for quite some time now.

As a command line enthusiast and minimalist, as well as despiser of the iptables syntax, I'm stoked about the arrival of ufw.


Simplify system security with the Uncomplicated Firewall

Posted by: Anonymous [ip: 24.249.6.134] on October 05, 2008 02:50 PM
Give me Webmin to manage my iptables any day. As a matter of fact, give me Webmin to manage just about everything on my Linux box. You make the rules and order them with a very straightforward web-based interface. When I made the switch from Windows to Linux on all my servers, I ran across Webmin the first day. I can't say enough good things about it. Especially if you like a GUI.


