Ubuntu Uncomplicated Firewall
Server Training - Server Management

The Uncomplicated Firewall (ufw) for Ubuntu 8.04 is not the easiest tool to use; in fact, it is not "uncomplicated". It requires a solid understanding of iptables, ports and networking in order to use it effectively. You might say it is easier than using iptables... if ufw had all the features of iptables, which it does not, yet. For a typical Ubuntu user, "uncomplicated" is what my mom is looking for.

If you run the ufw command with no arguments you will see a listing of the most important commands for running the ufw firewall.

Usage: ufw COMMAND

Commands:
enable Enables the firewall
disable Disables the firewall
default ARG set default policy to ALLOW or DENY
logging ARG set logging to ON or OFF
allow|deny RULE allow or deny RULE
delete allow|deny RULE delete the allow/deny RULE
status show firewall status
version display version information

It makes sense to set up a default policy of DROP with this command.

# ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)

The man page says this sets a default policy of DROP, which it does for the INPUT and FORWARD chains, but as the iptables output shows it does not set a default DROP for the OUTPUT chain. This can be a serious problem if you are trying to stop connections to insecure ports or to prevent the machine from "calling home" if it has malware installed. Blocking most outgoing ports adds significant security.

Here is the iptables output. Chain OUTPUT (policy ACCEPT) means that everything is allowed to go out by default.

# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0

Create Rules for Specific Situations

You can create the rules you need by using the ufw allow command followed by the port number and the protocol you want to permit.

# ufw allow 22/tcp

You can delete a rule you created by placing delete in front of the command you used to create it.

# ufw delete allow 22/tcp
Rule deleted

Here are some wrong ways to do things!
~# ufw allow 22/tcp from 192.168.5.100
ERROR: Wrong number of arguments

# ufw allow from 192.168.5.100 port 22/tcp
ERROR: Bad port '22/tcp'

Here is how you restrict a rule to one IP address on a specific port.

# ufw allow from 192.168.5.100 port 22
Rule added

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.5.100 0.0.0.0/0 tcp spt:22
ACCEPT udp -- 192.168.5.100 0.0.0.0/0 udp spt:22

# ufw allow from 192.168.5.100 port 5900
Rule added

You can see the rules you have created with the status option. Note that when you specify only a port number, ufw automatically adds rules for both tcp and udp on that port.

# ufw status
Firewall loaded

To Action From
-- ------ ----
Anywhere ALLOW 192.168.5.100 22:tcp
Anywhere ALLOW 192.168.5.100 22:udp
Anywhere ALLOW 192.168.5.14 5900:tcp
Anywhere ALLOW 192.168.5.14 5900:udp
Anywhere ALLOW 192.168.5.14 22:tcp
Anywhere ALLOW 192.168.5.14 22:udp
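
As an added example that is not part of the original page, here is a small POSIX shell audit over constructed "iptables -L -n" text modelled on the listings above: it reports built-in chains that still accept by default (the OUTPUT chain problem noted earlier) and ACCEPT rules keyed on the remote source port, which is what the "ufw allow from 192.168.5.100 port 22" rules above produced (note the spt:22 in the ufw-user-input chain). The sample text and function names are my own.

```shell
#!/bin/sh
# Constructed sample of "iptables -L -n" output, shaped like the listings on
# this page after "ufw default deny" and "ufw allow from 192.168.5.100 port 22".
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.5.100 0.0.0.0/0 tcp spt:22
ACCEPT udp -- 192.168.5.100 0.0.0.0/0 udp spt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22'

# Names of built-in chains whose default policy is still ACCEPT, one per line.
# Arg 1: the text of "iptables -L -n".
accept_policy_chains() {
    printf '%s\n' "$1" | awk '/^Chain .* \(policy ACCEPT\)/ { print $2 }'
}

# ACCEPT rules keyed on the remote source port (spt:) rather than the local
# destination port (dpt:). Such a rule admits whatever that host sends from
# the named port, not clients connecting to it. Output: "<source> <port>".
source_port_accepts() {
    printf '%s\n' "$1" | awk '$1 == "ACCEPT" {
        for (i = 1; i <= NF; i++) if ($i ~ /^spt:/) print $4, substr($i, 5)
    }'
}

# Succeeds only when no built-in chain accepts by default.
all_chains_drop() {
    [ -z "$(accept_policy_chains "$1")" ]
}

# Print the audit for one listing (sample here; on a real host, as root,
# pass "$(iptables -L -n)" instead).
audit() {
    echo "Chains accepting by default: $(accept_policy_chains "$1" | tr '\n' ' ')"
    echo "Source-port ACCEPT rules (source port):"
    source_port_accepts "$1"
}
audit "$SAMPLE_IPTABLES"
```

A rule matching spt:5900 admits packets sent from port 5900 on that host, not a client connecting to port 5900 here; the blocked SYNs with DPT=5900 in the log later on this page are consistent with that.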

Linux Terminal Server Firewall (DHCP, SSH, Samba)
You will need to open several ports for an LTSP server: it provides DHCP on UDP ports 67 and 68, you may have Samba enabled on TCP ports 139 and 445, and of course you will want SSH on port 22.

ufw allow 67/udp
ufw allow 68/udp
ufw allow 139/tcp
ufw allow 445/tcp
ufw allow 22/tcp

Delete a rule by using the delete command.

# ufw delete allow from 192.168.5.100 port 5900

If you view /var/log/messages you will see that the firewall is working, and it is also the place to troubleshoot blocked connections.

~# tail /var/log/messages
Apr 22 14:36:18 ub3 kernel: [28092.908356] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 src=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38470 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:20 ub3 kernel: [28094.761693] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 src=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38471 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:22 ub3 kernel: [28097.108344] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 src=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38472 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:27 ub3 kernel: [28101.809296] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 src=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38473 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:36 ub3 kernel: [28110.733737] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 src=64.233.183.17 DST=192.168.5.12 LEN=64 TOS=0x00 PREC=0x00 TTL=44 ID=46618 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK URGP=0
Apr 22 14:47:41 ub3 -- MARK --
Apr 22 14:50:07 ub3 kernel: [28920.075170] UDF-fs: No VRS found
Apr 22 14:50:30 ub3 kernel: [28943.613393] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:1b:fc:90:e6:ac:08:00 src=192.168.5.14 DST=192.168.5.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=28874 DF PROTO=TCP SPT=2013 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 14:50:33 ub3 kernel: [28946.659903] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:1b:fc:90:e6:ac:08:00 src=192.168.5.14 DST=192.168.5.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=28877 DF PROTO=TCP SPT=2013 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 14:50:39 ub3 kernel: [28952.688067] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:1b:fc:90:e6:ac:08:00 src=192.168.5.14 DST=192.168.5.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=28879 DF PROTO=TCP SPT=2013 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
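
As an added example that is not from the original page, here is a POSIX shell summary of [UFW BLOCK] log lines like those above, run over constructed, shortened sample lines: it counts blocked packets per source and destination port and separates fresh inbound connection attempts (SYN without ACK) from stray segments of sessions this host opened itself. The sample lines and function names are mine.

```shell
#!/bin/sh
# Constructed sample, shortened from the [UFW BLOCK INPUT] lines on this page;
# only SRC, PROTO, DPT and the TCP flag words are used below.
SAMPLE_LOG='Apr 22 14:36:18 ub3 kernel: [28092.908356] [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=64.233.183.17 DST=192.168.5.12 PROTO=TCP SPT=80 DPT=38292 ACK PSH URGP=0
Apr 22 14:36:20 ub3 kernel: [28094.761693] [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=64.233.183.17 DST=192.168.5.12 PROTO=TCP SPT=80 DPT=38292 ACK PSH URGP=0
Apr 22 14:36:22 ub3 kernel: [28097.108344] [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=64.233.183.17 DST=192.168.5.12 PROTO=TCP SPT=80 DPT=38292 ACK PSH URGP=0
Apr 22 14:47:41 ub3 -- MARK --
Apr 22 14:50:30 ub3 kernel: [28943.613393] [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=192.168.5.14 DST=192.168.5.12 PROTO=TCP SPT=2013 DPT=5900 SYN URGP=0
Apr 22 14:50:33 ub3 kernel: [28946.659903] [UFW BLOCK INPUT]: IN=eth0 OUT= SRC=192.168.5.14 DST=192.168.5.12 PROTO=TCP SPT=2013 DPT=5900 SYN URGP=0'

# Count blocked packets per (proto, source, dpt, kind). kind is "new" for a
# SYN without ACK, i.e. a fresh inbound connection attempt, and "other" for
# anything else, such as late ACK/PSH segments of a session this host opened.
# Keys are matched case-insensitively (the page shows src= in lower case).
# Arg 1: log text. Output: "<count> <proto> <src> dpt=<port> <kind>", busiest first.
summarize_blocks() {
    printf '%s\n' "$1" | awk '
    /\[UFW BLOCK/ {
        src = dpt = proto = ""; syn = ack = 0
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            key = tolower(kv[1])
            if (n == 2 && key == "src") src = kv[2]
            else if (n == 2 && key == "dpt") dpt = kv[2]
            else if (n == 2 && key == "proto") proto = kv[2]
            else if ($i == "SYN") syn = 1
            else if ($i == "ACK") ack = 1
        }
        kind = (syn && !ack) ? "new" : "other"
        count[proto " " src " dpt=" dpt " " kind]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Only fresh inbound attempts against one destination port (arg 2).
new_attempts_on_port() {
    summarize_blocks "$1" | grep " dpt=$2 new\$"
}

summarize_blocks "$SAMPLE_LOG"
# On a live host: summarize_blocks "$(grep 'UFW BLOCK' /var/log/messages)"
```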

Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874