Sunday, June 1, 2008

Ubuntu UFW

For those trying Ubuntu for the first time, it may seem odd that it does not appear to have a firewall. True, the Ubuntu desktop is secured by default by having no listening daemons, but unless the user never installs anything extra, we cannot be sure the desktop stays as secure as the default install.

Instead of installing something like Firestarter to secure your Ubuntu, note that Ubuntu 8.04 comes with UFW, the Uncomplicated Firewall.

At the moment it is still CLI-based, but the syntax is easy to understand.

Launch a terminal (Applications -> Accessories -> Terminal):

$ sudo ufw enable
That starts UFW. To stop it, replace enable with disable. At this point the UFW service is up but no rules or policies have been defined; it is still ANY-ANY.

$ sudo ufw default deny
This sets the default policy to block all incoming traffic. By default UFW allows all outgoing traffic unless otherwise specified.

I have SSH running on port 2121 and so to allow it through UFW:

$ sudo ufw allow 2121
This allows incoming TCP and UDP on port 2121 to my PC.

To allow only TCP port 2121:
$ sudo ufw allow 2121/tcp

You can also do:

$ sudo ufw allow ntp
This allows NTP through, as long as the service name is defined in /etc/services.

To see the status and rules defined in UFW:
$ sudo ufw status

To remove a rule, repeat it after delete:
$ sudo ufw delete allow 2121 (or 2121/tcp)
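
Once rules accumulate, it is worth cross-checking them against what is actually listening. The script below is an added example, not from the original post: it parses constructed sample output of ufw status and netstat -ltn (both embedded, so it runs offline; the ufw status column layout is an assumption) and reports listeners that no ALLOW rule covers as well as ALLOW rules for TCP ports nothing listens on, which are candidates for ufw delete.

```shell
#!/bin/sh
# Constructed "sudo ufw status" output; the column layout is an assumption.
UFW_STATUS='Firewall loaded

To                         Action  From
--                         ------  ----
2121:tcp                   ALLOW   Anywhere
123:udp                    ALLOW   Anywhere
8080/tcp                   ALLOW   Anywhere'

# Constructed "netstat -ltn" output: sshd on 2121, CUPS on loopback, VNC on 5900.
NETSTAT_LTN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2121            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN'

# ALLOW rules as port/proto, one per line; a bare port rule covers tcp and udp.
allowed_rules() {
    printf '%s\n' "$1" | awk '$2 == "ALLOW" && $1 ~ /^[0-9]+/ {
        r = $1; sub(/:/, "/", r)                 # old ufw printed 2121:tcp
        if (r ~ /\//) print r; else { print r "/tcp"; print r "/udp" }
    }'
}

# TCP ports bound to a non-loopback address, as port/tcp, one per line.
listening_tcp() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $NF == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)     # strip the port, keeps IPv6 too
        port = $4; sub(/.*:/, "", port)
        if (addr != "127.0.0.1") print port "/tcp"
    }'
}

# Listeners no ALLOW rule covers: blocked by "ufw default deny", or unexpected.
listeners_without_rule() {
    rules=$(allowed_rules "$1")
    listening_tcp "$2" | while read -r p; do
        printf '%s\n' "$rules" | grep -qx "$p" || echo "$p"
    done
}

# ALLOW rules for TCP ports nothing listens on: candidates for "ufw delete".
stale_tcp_rules() {
    open=$(listening_tcp "$2")
    allowed_rules "$1" | grep '/tcp$' | while read -r r; do
        printf '%s\n' "$open" | grep -qx "$r" || echo "$r"
    done
}

echo "Listening without rule:"; listeners_without_rule "$UFW_STATUS" "$NETSTAT_LTN"
echo "Allowed but not listening:"; stale_tcp_rules "$UFW_STATUS" "$NETSTAT_LTN"
```

On a live system, replace the two constructed variables with the real output of sudo ufw status and netstat -ltn.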

If you forward IP traffic from one network (10.1.200.0/24) to another on the public side (202.188.1.5) and would like to block port 80 towards it:

$ sudo ufw deny proto tcp from 10.1.200.0/24 to 192.168.0.1 port 80

UFW is a simple and straightforward interface for manipulating the Linux firewall. It lacks the flexibility and granularity of other CLI-based front ends such as Shorewall or Vuurmuur, but it will suffice for most PC systems.
