Ubuntu 10.04 Firewall (UFW) Basics

Overview

UFW (Uncomplicated Firewall) is Ubuntu's front end for host-based packet filtering. It is "uncomplicated" because it is a wrapper around the more powerful but more complex iptables, and it makes some decisions for you (the fixed threshold used by its rate-limit rule, for example). It does no intrusion detection and does not adapt to traffic on its own, but that simplicity is what makes it easy to configure correctly. Like Windows Firewall it covers most single-host situations, and it has gained features steadily since it was introduced.

Install

Installing UFW on Ubuntu is very simple:
$sudo apt-get install ufw

To get the GUI for UFW:
$sudo apt-get install gufw

The rest of this article describes how to use UFW from the command line.

Port/Service Configuration

After installation ufw is inactive: nothing is filtered and it does not start at boot. To check its state (and, once rules exist, list them in evaluation order):
$sudo ufw status numbered

The first line of the output is either "Status: inactive" or "Status: active". ufw is switched on with ufw enable, which also makes it start on every boot; ufw disable switches it off and stops it starting at boot. There is no separate "inactive" and "disabled" state. The real danger is on a remote system reached only over SSH: enabling the firewall with a deny-by-default incoming policy and no rule for the SSH port cuts off the session you are typing in, and because the configuration persists the block survives a reboot. Always add an allow (or limit) rule for the SSH port before enabling, and if you need to take the firewall out of the picture entirely:
$sudo ufw disable

The other important default is the incoming policy. With a policy of allow, every incoming connection is accepted unless a rule blocks it; with deny, only connections matched by an allow rule get through. Ubuntu's ufw package ships with incoming denied and outgoing allowed (ufw status verbose shows the current policies), but it is worth setting the policy explicitly so the configuration behaves the same wherever it is reused. Deny everything by default and then allow specific ports or services (default deny is short for default deny incoming):
$sudo ufw default deny

To revert the above command:
$sudo ufw default allow

The basic command format to allow or deny something is $sudo ufw allow|deny port[/protocol]. For example, to allow port 22 (SSH):
$sudo ufw allow 22
This allows both TCP and UDP traffic to port 22. To restrict the rule to one protocol, append it to the port:
$sudo ufw allow 22/tcp
Replace allow with deny to block connections:
$sudo ufw deny 22/tcp

To allow or deny several ports, or a range of ports, in one rule, list them separated by commas and write a range with a colon. A protocol is mandatory in this form, because ufw builds the rule with iptables' multiport match, which is protocol-specific:
$sudo ufw allow 21,22,80,1000:1024/tcp
The command above opens TCP ports 21, 22, 80 and 1000 to 1024. The multiport match accepts at most 15 entries per rule, and a range counts as two entries, so split longer lists across several rules.

ufw also accepts service names in place of port numbers, resolving them to the port and protocol listed in /etc/services. To see which names are available:
$less /etc/services

Replace the port number with the service name:
$sudo ufw deny ssh

Separately from /etc/services, ufw ships application profiles for some packages (ufw app list shows the ones installed), which can also be used in place of a port.

To delete a rule, put delete between ufw and the rule exactly as it was entered:
$sudo ufw delete deny 22/tcp
or list the rules with status numbered and delete by the number shown on the left:
$sudo ufw delete 2
which deletes the second rule in the listing. The remaining rules are renumbered after every deletion, so run status numbered again before deleting another rule by number.

If ufw is enabled, running the status command will also list the rules that have been entered.

The defaults and rules can be applied to outgoing connections too. Here are some examples:
$sudo ufw default deny outgoing
Blocks all outgoing connections by default. Before using this on a real host, add allow rules for what the host itself needs, at the very least DNS (port 53) and whatever apt uses to fetch updates, or it will stop being able to resolve names or patch itself.

$sudo ufw default allow outgoing
Reverts to allowing outgoing connections.

$sudo ufw allow out 22
Allows outgoing connections to port 22 on any host.

$sudo ufw allow out to 192.168.0.1 port 22
Allows outgoing connections to port 22 on 192.168.0.1 only. In this syntax "to" is the destination and "port" is the destination port; the source port of the connection is not constrained.

Source Configuration

Adding "from address" will permit or refuse connections from a specific IP address:
$sudo ufw deny from 192.168.0.1
The above command blocks all connections from 192.168.0.1, on every port.

To block a range of addresses, give the network in CIDR notation. Note that "to" in a ufw rule always means the destination address, so "deny from 192.168.0.1 to 192.168.0.254" would not block a range; it would block traffic from the single host 192.168.0.1 to the local address 192.168.0.254. For the whole 192.168.0.0/24 network:
$sudo ufw deny from 192.168.0.0/24

Source settings can also be combined with a specific port. In this longer form the protocol is given with proto rather than appended to the port:
$sudo ufw allow from 192.168.0.1 to any port 22 proto tcp

Rule Conflicts

ufw evaluates rules in the order they were added, and the first rule that matches a connection decides its fate; later rules are never consulted. Using the commands described above, here is Scenario 1:

$sudo ufw default deny
$sudo ufw allow 22
$sudo ufw deny from 192.168.0.1 to any port 22

With the allow for port 22 added first, the machine 192.168.0.1 can still connect to port 22: ufw sees that port 22 is allowed and stops evaluating. To get the intended result the commands must be entered in this order:

$sudo ufw default deny
$sudo ufw deny from 192.168.0.1 to any port 22
$sudo ufw allow 22

The most generic, and therefore most open, rule should come last, with more specific rules ahead of it. The ufw status command lists the rules in the order they were added, which is the order they are evaluated in.

To insert a new rule at a specific position without deleting and re-adding everything, first list the existing rules with their index numbers:
$sudo ufw status numbered
This prints every existing rule with a number on the left-hand side.

Then write the rule as normal but put insert and the position before it:
$sudo ufw insert 2 deny from 192.168.0.1 to any port 22
The new rule takes position 2 and the old rule 2 and everything below it move down one place.
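The first-match behaviour behind both scenarios above, and behind the insert command, is easy to get wrong when reasoning about a long ruleset, so here is a small model of it as an added example. It is not part of the original post and not ufw's own code: a POSIX sh script (it uses awk) that keeps an ordered rule list, walks it first-match-wins and falls through to the default incoming policy, using a deliberately reduced rule syntax of ACTION FROM PORT where FROM and PORT may be "any". It never touches iptables; it only shows why the order of the rules decides the outcome.

```shell
#!/bin/sh
# Added example, not part of the original post or of ufw itself: a toy
# model of how ufw walks its user rules in order, first match wins, and
# falls through to the default incoming policy. It never touches iptables.
# The rule syntax is a deliberately reduced subset of ufw's:
#   ACTION FROM PORT   where FROM and PORT may be "any"
# so "ufw allow 22" is "ufw_rule allow any 22" and
# "ufw deny from 192.168.0.1 to any port 22" is "ufw_rule deny 192.168.0.1 22".

RULES=""                  # one rule per line, in evaluation order
DEFAULT_INCOMING="deny"   # what "ufw default deny" sets

reset_rules() { RULES=""; DEFAULT_INCOMING="deny"; }

# ufw_default allow|deny -> like "ufw default allow|deny"
ufw_default() { DEFAULT_INCOMING="$1"; }

# ufw_rule ACTION FROM PORT -> append at the end, like "ufw allow ..." / "ufw deny ..."
ufw_rule() {
  RULES="${RULES}$1 $2 $3
"
}

# ufw_insert POS ACTION FROM PORT -> like "ufw insert POS ...": the new rule
# takes position POS (1-based); the old POS and everything below move down one.
ufw_insert() {
  local pos new
  pos="$1"; shift
  new="$1 $2 $3"
  RULES=$(printf '%s' "$RULES" | awk -v pos="$pos" -v new="$new" '
    NF == 0 { next }
    { n++; if (n == pos) print new; print }
    END { if (n < pos) print new }')
  RULES="${RULES}
"
}

# ufw_status -> numbered listing in evaluation order, like "ufw status numbered"
ufw_status() {
  printf '%s' "$RULES" | awk 'NF > 0 { printf "[%2d] %s\n", ++n, $0 }'
}

# evaluate SRC DPORT -> prints allow|deny for a new incoming connection
evaluate() {
  local src dport verdict
  src="$1"; dport="$2"
  verdict=$(printf '%s' "$RULES" | while read -r action from port; do
    [ -n "$action" ] || continue
    if { [ "$from" = any ] || [ "$from" = "$src" ]; } &&
       { [ "$port" = any ] || [ "$port" = "$dport" ]; }; then
      echo "$action"        # the first matching rule decides; later rules never run
      break
    fi
  done)
  echo "${verdict:-$DEFAULT_INCOMING}"   # nothing matched: the default policy applies
}

# Scenario 1 from the post: the broad allow is first, so the host-specific
# deny behind it is never reached.
scenario1() {
  reset_rules
  ufw_default deny
  ufw_rule allow any 22
  ufw_rule deny 192.168.0.1 22
  evaluate 192.168.0.1 22          # allow
}

# Scenario 2: the specific deny goes in front, here with "insert 1" after
# the fact; the host is now blocked and everyone else still gets in.
scenario2() {
  reset_rules
  ufw_default deny
  ufw_rule allow any 22
  ufw_insert 1 deny 192.168.0.1 22
  evaluate 192.168.0.1 22          # deny
}

# Same ruleset as scenario 2, queried for another host and for an unlisted
# port, to show the fall-through to the default policy.
scenario2_other_host() { scenario2 >/dev/null; evaluate 10.0.0.5 22; }   # allow
scenario2_other_port() { scenario2 >/dev/null; evaluate 10.0.0.5 80; }   # deny

echo "scenario 1 (192.168.0.1 -> 22): $(scenario1)"
echo "scenario 2 (192.168.0.1 -> 22): $(scenario2)"
echo "scenario 2 (10.0.0.5 -> 22):    $(scenario2_other_host)"
echo "scenario 2 (10.0.0.5 -> 80):    $(scenario2_other_port)"
ufw_status
```

Run it with sh and compare the two scenario lines: the same three rules give opposite answers for 192.168.0.1 depending only on their order, and the final status listing shows the inserted deny sitting at position 1 ahead of the allow, which is what you want to see from ufw status numbered on the real system.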

Limiting Connections

In place of simply opening a service or port there is also limiting. ufw supports connection rate limiting, which is useful against brute-force login attacks: it rejects new connections from a source address that has attempted to open 6 or more connections in the last 30 seconds. ufw builds this from the iptables recent match (--seconds 30 --hitcount 6); the generated rules can be inspected in /etc/ufw/user.rules after a limit rule is added.

The threshold is hard-coded in ufw and there is no option to change it. If you need different numbers you have to write the recent-match rules yourself, for example in /etc/ufw/before.rules.

To use connection limiting, replace the word allow with limit. For example:
$sudo ufw limit 22

If an allow rule already exists for port 22 it should be removed, because it would match first and the limit rule would never be reached; otherwise make sure the limit rule sits above the allow rule.
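What "6 or more in 30 seconds" means in practice is easier to see by replaying some attempts through the rule, so here is an added example, not part of the original post and not ufw's or the kernel's code: a POSIX sh script (it uses awk) that models the recent match ufw uses, records every new connection attempt per source address, and rejects an attempt when the address already has 6 hits inside the 30-second window. The timeline it replays is constructed for the example, and the model is an approximation: the real match only counts connections in state NEW and keeps at most 20 timestamps per address.

```shell
#!/bin/sh
# Added example, not part of the original post or of ufw itself: a model of
# the threshold behind "ufw limit". ufw implements it with iptables' "recent"
# match (--set, then --update --seconds 30 --hitcount 6), so a source that
# opens its 6th new connection within 30 seconds is rejected. This script
# replays constructed connection attempts against that rule. It is an
# approximation (the real match only counts NEW connections and caps its
# per-address history at 20 entries), not the kernel code.

LIMIT_SECONDS=30
LIMIT_HITS=6
HITS=""          # attempt history, one "ip seconds" line per attempt
VERDICT=""       # set by limit_check: accept or reject

reset_hits() { HITS=""; VERDICT=""; }

# limit_check IP T -> records an attempt from IP at time T (seconds) and
# sets VERDICT. The attempt is recorded whether or not it is rejected, as the
# --set rule runs before the --update check; that is why a source that keeps
# hammering stays blocked until it backs off for a full window.
limit_check() {
  local ip t n
  ip="$1"; t="$2"
  HITS="${HITS}${ip} ${t}
"
  n=$(printf '%s' "$HITS" | awk -v ip="$ip" -v t="$t" -v win="$LIMIT_SECONDS" \
        '$1 == ip && t - $2 < win { n++ } END { print n + 0 }')
  if [ "$n" -ge "$LIMIT_HITS" ]; then VERDICT=reject; else VERDICT=accept; fi
}

# replay_sample -> feeds a constructed timeline through the rule and prints
# one "t=<seconds> <ip> <verdict>" line per attempt. The attacker connects
# every 2 s, a legitimate host connects once in between, and the attacker
# returns 35 s after its last attempt, when the window has slid past.
replay_sample() {
  reset_hits
  printf '%s\n' \
    '203.0.113.9 0' '203.0.113.9 2' '203.0.113.9 4' \
    '192.0.2.10 5' \
    '203.0.113.9 6' '203.0.113.9 8' '203.0.113.9 10' '203.0.113.9 12' \
    '203.0.113.9 47' |
  while read -r ip t; do
    limit_check "$ip" "$t"
    echo "t=$t $ip $VERDICT"
  done
}

replay_sample
```

The attacker's first five attempts are accepted, the sixth (at t=10) and seventh are rejected, the legitimate host at t=5 is unaffected because the count is per source address, and the attempt at t=47 is accepted again because none of the earlier hits fall inside the last 30 seconds. Note that a rejected attempt is still recorded, so the window only clears once the source actually stops.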

Common Server Ports

Below is a list of common server ports that are often left open. Not all of them will apply to every system, but they are worth considering:

Summary

ufw is a nice wrapper for opening and closing ports, and its syntax is fairly logical and human-readable. I would like to see more work done on the limit command, which currently limits incoming connections, and hopefully soon outgoing ones too.

Further reading

http://gliderservices.no-ip.org/blog/?p=9
Linux Server Security – Ubuntu's ufw Firewall Configuration Tool

About Danny

IT software professional, always studying and applying the knowledge gained; one way of doing this is to blog. Danny also participates in a part-time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises. Dedicated to IT since studying Information Technology from the age of 16, Danny Tsang works in the field he has aimed for since leaving school. Posted in Linux, Networking, Security.
