Uncomplicated Firewall (ufw)

DevynCJohnson
A firewall is a form of network security that allows or denies incoming and out-going data. Linux (like all or most operating systems) has firewall software. Many Linux systems use a program/daemon called "iptables" or "ufw" as the firewall software. Using firewalls helps protect the system from malware. However, firewalls alone are not enough, but they do help prevent malware, data-theft, etc. Understanding how to use ufw will help admins secure their servers, networks, and other computer systems.

ufw, or "Uncomplicated Firewall", is commonly seen on Ubuntu systems. The GUI interface is called Gufw (GUI for Uncomplicated Firewall). However, not all systems use Gufw, and Gufw does not come with ufw by default. Gufw uses GTK while the Qt alternative is called "kmyfirewall".

To enable ufw, type "ufw enable" using Root privileges. Obviously, typing "ufw disable" will disable the firewall. To enable or disable logging, type "ufw logging on" or "ufw logging off", respectively.

To view the current ufw rules and current status, type "ufw status verbose" (also with Root privileges). Alternatively, to sort the rules by port number, type "ufw status numbered".

NOTE: In the list of rules, "Anywhere" means TCP and UDP.

Users (when using Root privileges) can edit rules using various commands. To permit connections of a particular protocol (both incoming and out-going), type "ufw allow ssh" to allow all SSH connections on any port. In addition, "ufw allow ssh/tcp" specifically declares SSH over TCP as opposed to TCP and UDP. To deny protocols and connections, use the same commands, but replace "allow" with "deny".

Various ufw examples
Code:
ufw allow ftp/tcp # allow ftp on tcp
ufw deny http # block http on all ports, both tcp and udp
ufw allow 3000:3300/tcp # open ports 3000 to 3300 for tcp only (no udp)
ufw deny from 192.168.2.10 # explicitly deny incoming connections from 192.168.2.10
ufw allow from 192.168.0.4 to any port 22 # permit IP address to access port 22 via any protocol
TIP: A general template to remember is "ufw allow|deny <PORT>/<PROTOCOL>".

To delete created rules, type something like "ufw delete allow ftp" which would delete all rules that allow FTP. The command "ufw delete ftp" would remove rules that allow or deny FTP connections. If a user sees a rule listed in the output of "ufw status numbered", then a specific rule can be deleted by listing the number. For instance, when a user executes "ufw status numbered", each rule is given a number (listed in brackets). By typing "ufw delete 7" (for the rule numbered "7"), that particular rule is deleted.

To erase all rules and use the defaults, type "ufw reset".

The configuration files for ufw include /etc/default/ufw, /etc/ufw/before[6].rules, /etc/ufw/after[6].rules, /etc/ufw/sysctl.conf, and /etc/ufw/ufw.conf.

Alternatives to ufw include "iptables", which is another popular firewall software for Linux. Other alternatives include ipchains, Netfilter, NuFW, ipset, Privoxy, and many others.

Some Linux distros are dedicated to being a firewall for a whole network or part of a network. Some firewall distros include SmoothWall, IPCop, IPFire, OpenWrt, Zeroshell, Untangle, and others. However, not all firewall distros use ufw. Users who prefer Ubuntu and ufw can install “Ubuntu Server” and then uninstall any unneeded software. Then, Ubuntu can be used as a dedicated firewall for a network.

Further Reading

https://wiki.archlinux.org/index.php/firewalls
https://help.ubuntu.com/community/UFW
https://wiki.archlinux.org/index.php/Uncomplicated_Firewall
http://shorewall.net/
http://www.tecmint.com/open-source-security-firewalls-for-linux-systems/
http://www.ipcop.org/
http://flex-fw.net/
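The post above gives the commands one at a time. The script below is an added example (it is not part of the original post, nor a ufw project script) that strings them together into a baseline policy the way an admin would apply it on a fresh server: deny inbound by default, allow outbound, allow SSH before enabling so a remote session is not cut off, then open only the requested "<PORT>/<PROTOCOL>" specs after checking each one against that template. The ufw subcommands used ("default deny incoming", "limit", "allow", "--force enable", "status verbose") are real ufw commands; the `UFW_CMD` variable and the `valid_rule_spec` and `apply_baseline` functions are this example's own, and setting `UFW_CMD=echo` lets you preview the command sequence without root.

```shell
#!/bin/sh
# Added example: baseline ufw policy with rule-spec validation.
# UFW_CMD defaults to the real ufw binary; set UFW_CMD=echo to preview.
UFW_CMD="${UFW_CMD:-ufw}"

# Check a spec against the "<PORT>/<PROTOCOL>" template from the post.
# Accepts a single port or a "lo:hi" range (1-65535) and tcp or udp.
valid_rule_spec() {
  spec="$1"
  port="${spec%/*}"
  proto="${spec#*/}"
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  case "$port" in
    *:*) lo="${port%:*}"; hi="${port#*:}" ;;
    *)   lo="$port";      hi="$port" ;;
  esac
  # Both ends must be plain decimal numbers before we compare them.
  case "$lo" in ''|*[!0-9]*) return 1 ;; esac
  case "$hi" in ''|*[!0-9]*) return 1 ;; esac
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Apply the baseline, then the caller's allow rules, then enable.
# Every argument must be a valid "<PORT>/<PROTOCOL>" spec; an invalid
# one aborts before anything is enabled.
apply_baseline() {
  for spec in "$@"; do
    if ! valid_rule_spec "$spec"; then
      echo "invalid rule spec: $spec (expected <PORT>/<tcp|udp>)" >&2
      return 1
    fi
  done
  $UFW_CMD default deny incoming
  $UFW_CMD default allow outgoing
  # SSH goes in first so that "enable" never locks out a remote admin;
  # "limit" allows it but rate-limits repeated connection attempts.
  $UFW_CMD limit 22/tcp
  for spec in "$@"; do
    $UFW_CMD allow "$spec"
  done
  # --force skips the interactive "may disrupt existing ssh connections" prompt.
  $UFW_CMD --force enable
  $UFW_CMD status verbose
}

# Preview run (no root needed): PREVIEW=1 sh baseline.sh
if [ "${PREVIEW:-0}" = 1 ]; then
  UFW_CMD=echo
  apply_baseline 80/tcp 443/tcp
fi
```

Run it with `PREVIEW=1` first to read the exact sequence ufw will receive; on a real host, drop `PREVIEW` and run it as root. Keeping validation before the first `ufw` call matters because ufw applies rules immediately, so a typo such as "443/tpc" would otherwise be reported only after the default-deny policy is already in place.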

Thank you for the review!

For the last few years I have been working on my personal project, flex-fw (http://flex-fw.net).
It has an easy syntax like that used by ufw, but it is oriented toward people who are already familiar with iptables.
Could you add it to your "Further Reading" section? Possibly it will be useful for someone.

Sure! Thanks for sharing.

I will also add the link to the "Further Reading" section of my upcoming article on IPTables (which will have the link http://www.linux.org/threads/introduction-to-iptables.7310/).