
FIREWALL UFW

# ufw logging on|off
Turn firewall logging on or off.

# ufw default allow|deny
Set the default policy (i.e. mostly open vs. mostly closed).

# ufw allow|deny [service]
Accept or drop incoming packets for a service (you can see which services are available with status, below). The service can be specified via a service name in /etc/services, via protocol:port, or via package meta-data. allow adds a service entry to /etc/ufw/maps and deny removes the service entry from /etc/ufw/maps.

# ufw status
Display the status of the firewall and the ports in the listening state, referencing /var/lib/ufw/maps. Numbers in parentheses are not displayed to the user.

UFW Examples

Allow port 53:
$ sudo ufw allow 53

Delete "allow port 53":
$ sudo ufw delete allow 53

Allow port 80 (TCP only):
$ sudo ufw allow 80/tcp

Delete "allow port 80":
$ sudo ufw delete allow 80/tcp

Allow the smtp service by name:
$ sudo ufw allow smtp

Delete "allow smtp":
$ sudo ufw delete allow smtp

Allow all traffic from a particular IP:
$ sudo ufw allow from 192.168.254.254

Delete the above rule:
$ sudo ufw delete allow from 192.168.254.254

Today I learned a different way to configure the firewall on my Ubuntu 10.04 Lucid Lynx Server: the ufw command. UFW stands for Uncomplicated FireWall, and it's just that. It provides a simpler interface for adding or removing firewall rules in iptables, the default Linux firewall. It's installed on Ubuntu Server by default (and has been since Ubuntu 8.04), and I find it a little simpler than the application I used to use to configure my firewall: Firehol. (Here's how to set up Firehol, if you are interested. It's more difficult than ufw, in my opinion, but a lot easier than setting up iptables manually!) A new Ubuntu Server install (as of 10.04) contains a firewall (iptables) that is not enabled. Ubuntu.com has a great tutorial that explains that ufw is the default configuration tool for iptables. After I set up my server, I used ufw to close all ports by default, then opened up ports for the services I use. I don't have complex security needs or run a proxy server, so my rules are simple.

Adding Rules
Before adding rules, it's best to explicitly set the default behavior. By default, I like to block everything: both incoming and outgoing traffic. After that is done, I selectively open ports to support the services I wish to run. In contrast, UFW, by default, denies all incoming traffic but allows all outgoing traffic. That setup is accomplished manually with the following commands.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

The following commands open ports for named services that I use: namely, SSH (port 22), a web server (port 80), and Webmin (port 10000). Any service named in /etc/services may be identified by name instead of port number.

$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow webmin

UFW also has a list of application presets for common servers such as Apache, OpenSSH, Lighttpd, and Samba. You can view the list by issuing the command:

$ sudo ufw app list

You can implement firewall rules for Samba and Lighttpd by using the commands below, which specify the application name, not the service name. Note that you must enclose in quotation marks any application names that include spaces.

$ sudo ufw allow Samba

It's better to limit Samba access to hosts on your LAN. Using ufw's more complex syntax, you can do just that. Note that you have to add app before the application name in this case.

$ sudo ufw allow from 10.0.0.0/8 to 127.0.0.1 app Samba
$ sudo ufw allow to 10.0.0.0/8 from 127.0.0.1 app Samba

The following commands open the ports required by my Transmission-Daemon server. Here I must specify port numbers explicitly. Note that you use a colon instead of a dash to specify port ranges. Plus, when creating rules for port ranges, you must specify whether they apply to TCP or UDP.

$ sudo ufw allow 9091
$ sudo ufw allow 20500:20599/tcp
$ sudo ufw allow 20500:20599/udp

The following command opens the port needed for MySQL, but only to hosts within the local network.

$ sudo ufw allow from 10.0.0.0/8 to any port 3306/tcp

If you wish to open up MySQL to the world, you could use a simpler syntax.

$ sudo ufw allow mysql

Deleting Rules
Deleting rules is pretty simple. Just use the following syntax, and replace <...> with the entire rule that you wish to delete.

$ sudo ufw delete <...>

For example:

$ sudo ufw delete allow ssh
$ sudo ufw delete allow 10000

You can also delete all the rules with a single command.

$ sudo ufw reset

Enabling the Firewall


The following command enables the firewall rules immediately, and upon subsequent system restarts. This command will also refresh the rules. Run this command each time you update your firewall configuration.

$ sudo ufw enable

Disabling the Firewall


To disable the firewall, simply issue the following command.

$ sudo ufw disable

Checking the Configuration


You can check your configuration by issuing one of the following commands. The verbose version shows more information.

$ sudo ufw status
$ sudo ufw status verbose

Firewall Configuration Script


Here is a script that I wrote to set up my firewall. This script resets the firewall to deny everything but the services/applications I have installed on my server. Run it with sudo. You only have to run it once, not on every boot.

#!/bin/sh

# obtain server's IP address (first address reported by hostname)
SERVERIP=`hostname --all-ip-addresses | cut --fields 1 --delimiter " "`

# disable firewall
ufw disable

# reset all firewall rules
ufw reset

# set default rules: deny all incoming traffic, allow all outgoing traffic
ufw default deny incoming
ufw default allow outgoing

# open port for SSH
ufw allow OpenSSH

# open port for Webmin
ufw allow webmin

# open ports for Samba file sharing (LAN hosts only)
ufw allow from 10.0.0.0/8 to "$SERVERIP" app Samba
ufw allow to 10.0.0.0/8 from "$SERVERIP" app Samba

# open ports for Transmission-Daemon
ufw allow 9091
ufw allow 20500:20599/tcp
ufw allow 20500:20599/udp

# open port for MySQL (LAN hosts only)
ufw allow proto tcp from 10.0.0.0/8 to any port 3306

# open ports for Lighttpd (application names containing spaces must be quoted)
ufw allow "Lighttpd Full"

# open port for network time protocol (ntpd)
ufw allow ntp

# enable firewall
ufw enable

# list all firewall rules
ufw status verbose

Graphically

http://www.linuxbsdos.com/?p=7453&upm_export=print
Like all Linux distributions, Ubuntu 10.10, aka Maverick Meerkat, the latest version of the popular Linux distribution, ships with a firewall installed. The firewall is actually embedded in the kernel. In Ubuntu, the firewall's original command line interface has been replaced by ufw, a more user-friendly command line script. Ufw, the Uncomplicated FireWall, has a graphical interface that is also a lot simpler to use than other graphical firewall interfaces in Linux. This article will present a step by step guide on how to install and configure Gufw, the graphical interface to ufw. Before installing and configuring Gufw, take a few moments to check the status of ufw. To do that, launch a shell terminal and type sudo ufw status. The output should read Status: inactive. That is the default state of ufw on a new installation of Ubuntu (10.10). Ok, time to install Gufw, which is one of the featured applications in the Ubuntu Software Center. If you still have the terminal open, you can just type sudo apt-get install gufw to install it, or start the Software Center from Applications > Software Center, and install it from there. [Figure: Installing Gufw from the Software Center]

Once installed, there will be an entry for it in the menu at System > Administration > Firewall configuration. This is the default Gufw interface. It is disabled. [Figure: Gufw disabled]

This is Gufw's interface in enabled status. [Figure: Gufw enabled]

By default, ufw is inactive and operates in a stateful tracking mode: all outgoing connections are allowed, and all incoming connections that are not related to an entry in the state table, that is, that are not related to an outgoing connection, are disallowed. The default incoming policy is DROP. All default policies are set out in the /etc/default/ufw file. By default, IPv6 traffic is blocked. To enable IPv6 traffic, edit /etc/default/ufw and change IPV6=no to IPV6=yes. Let us take a look at other files that are involved in the configuration of ufw/Gufw. Ufw's main configuration file is /etc/ufw/ufw.conf. The state of this file before Gufw is enabled is shown below. Note the highlighted entry. [Figure: ufw.conf, default]

The state of ufw.conf after Gufw is enabled is shown below. If you type sudo ufw status in a shell terminal, the output should now read Status: active. [Figure: ufw.conf, modified]

That is all there is to installing and enabling Gufw in Ubuntu 10.10. Most users will not need to do anything beyond this point, but if you want to create custom rules, you can start creating them from Gufw, or from the command line using the ufw utility. Gufw comes with a default set of rules. You may read those rules in the /etc/default/ufw file. There are also rules defined in some files under the /etc/ufw directory. Those rules are in the before.rules and after.rules files. Equivalent IPv6 rules are in the before6.rules and after6.rules files. The rules in the "before" files are evaluated before any custom rules you create, and the "after" rules are evaluated after your custom rules. To create a custom rule, click on the Add button on the main Gufw window. The rule creation window has three tabs: Preconfigured, Simple and Advanced. From the Preconfigured tab, you can create very broad rules for a preset number of applications and services. The preset services are: FTP, HTTP, IMAP, NFS, POP3, Samba, SMTP, ssh, VNC and Zeroconf, and the preset applications or programs are: Amule, Deluge, KTorrent, Nicotine, qBittorrent, and Transmission. [Figure: Preconfigured rules]

The Simple tab allows you to create rules with a port number defined. This makes it possible to create rules for services and applications not preset in the Preconfigured tab. [Figure: Gufw's simple rules creation interface]

The Advanced tab makes it possible to create more specific rules using source and destination ports and addresses. [Figure: Gufw's advanced rules creation interface]

The example below creates a rule from the Preconfigured tab allowing ssh traffic into a host. While this makes it easy for anybody to create a firewall rule, it lacks specificity. In this example, ssh traffic from all sources would be allowed in. That's not a good thing, unless that is what you want. [Figure: Using pre-configured services]

Once a rule has been created, it will be shown in the main window of Gufw. You may also view the rule from a shell terminal by typing sudo ufw status. [Figure: Generated rules in the main ...]

This second example shows how to create a rule from the Simple tab. The example shown in the image below is for a rule allowing ssh traffic in to the host. [Figure: Creating rules in the Simple tab]

Rather than use a service or application name, you could just specify the port number associated with that application or service. To repeat the ssh rule in the example above using a port number, you would specify port 22, which is the default port for ssh. [Figure: Simple rule creation with port number]

This example shows how to create a rule from the Advanced tab. The rule shown in the image below allows ssh traffic from all hosts in a network to a particular host in another network. Note: The IP addresses used in these rules do not represent addresses used in a real case. [Figure: Advanced rule creation]
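As an added check (example code written for this page, not from either post above): the Gufw example warns that an ssh rule allowing traffic from all sources lacks specificity, and the configuration script above restricts MySQL and Samba to 10.0.0.0/8. The POSIX shell helper below reads the text of sudo ufw status verbose, confirms that the default incoming policy is deny, and lists any ALLOW IN rule whose source is Anywhere on a port we assume should be LAN-only (22, 3306 and 10000 are an assumption for this example). SAMPLE is constructed text in ufw's status output format.

```shell
#!/bin/sh
# Audit helper (added example, not part of the original posts).
# Feed it the output of:  sudo ufw status verbose
# e.g.  world_open_rules "$(sudo ufw status verbose)"
# SAMPLE below is constructed in the format ufw prints.
SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    10.0.0.0/8
10000                      ALLOW IN    Anywhere
Samba                      ALLOW IN    10.0.0.0/8'

# Ports we expect to be reachable only from the LAN (assumption: ssh, mysql, webmin).
SENSITIVE_PORTS="22 3306 10000"

# Print "ok" when the default incoming policy is deny, else "open-by-default".
default_incoming() {
    if printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'; then
        echo ok
    else
        echo open-by-default
    fi
}

# Print the "To" column of every ALLOW (IN) rule on a sensitive port whose
# source is Anywhere. ALLOW OUT rows never match the pattern.
world_open_rules() {
    printf '%s\n' "$1" | awk -v ports="$SENSITIVE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # rule rows look like "22/tcp   ALLOW IN   Anywhere" (or "ALLOW" without IN)
        /[ \t]ALLOW([ \t]+IN)?[ \t]+Anywhere/ {
            split($1, t, "/")           # strip the /tcp or /udp suffix
            if (t[1] in want) print $1
        }'
}

# Stand-alone run against the constructed sample.
default_incoming "$SAMPLE"
world_open_rules "$SAMPLE"
```

Rules flagged here are candidates for the from <LAN>/to <host> form shown in the script, or for an Advanced-tab rule in Gufw.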
