Recently while monitoring traffic on my LAN, I noticed activity from URL’s and IP addresses that had somehow got past my router, and were roaming my network. Some immediate tweaks to my router stopped that activity (at least for the time being). The event forced me to rethink security for my networked computers, and one my conclusions was to add a firewall to each of my 4 Linux machines. After doing some research, the Uncomplicated Firewall (UFW) was a clear choice to aide in securing these machines.
The Uncomplicated Firewall (UFW) is a Linux netfilter firewall. It is designed to be simple and easy to use, but don’t underestimate it. UFW is a powerful tool. It can be run from the command line or from a graphic user interface (the most common graphic program is Gufw). This article will deal with the command line setup and configuration. Though there are many ways to setup and configure UFW, I will deal with what should be the most typical types of settings.
UFW Already On My System or Download?
UFW is native on some Linux distributions, and foreign to others, so the first step is to see if it is already on your system. From the command line, type:
$ sudo ufw status
If, after you enter your user password for “sudo” at the next prompt, you get a return like or similar to the following, UFW is not installed:
command not found
To get UFW, you download it from your Linux version’s repositories. How this is down is system dependent. Here is an example for Debian, Ubuntu, Mint (and other Debian variants):
$ sudo aptitude install ufw or $ sudo apt-get install ufw
Once the program is installed, use this command:
$ sudo ufw enable
In case you want to disable the firewall:
$ sudo ufw disable
Assuming you still have the firewall enabled, you can now view the default setup:
$ sudo ufw status verbose
The output from the status command should be similar to this:
Default: deny (incoming), allow (outgoing)
New profiles: skip
Notice that in the sample output that ALL the incoming ports are closed, and all the outgoing ports are OPEN. Now we need to open the incoming ports that we need.
The syntax for opening a port is:
$ sudo ufw allow [port #]/[optional: protocol]
Here is an an example of a rule opening a port commonly used by a secure shell (SSH), which will allow our firewalled computer to receive input across the secure shell from another computer on our network (or….gasp, elsewhere):
$ sudo ufw allow 22 or $ sudo ufw allow 22/tcp
Note: the first option opens the port for both tcp and udp connections, while the second option restricts the port to just tcp. In most cases, the first option should suffice. As discussed later in this document, you can also accomplish opening a port for SSH by simply “allowing” the program or process, by name.
At some point you might find that the rule you created doesn’t meet your needs. You can either “deny” the rule, or “delete” it.
$ sudo ufw deny 22 or $ sudo ufw delete allow 22
A PC has 65,535 tcp/udp ports, so it is not surprising that you may not know which port you need to open for a process to work. You could install “nmap” and run some port scans to find “who has what opened where”, or simply type the following command and you will see a list of programs and services with pre-set rules for UFW:
$ sudo ufw app list
Here is an much abbreviated version of the response for the “app list” command:
Assuming you have a local network using SAMBA, and you want your local computers to be able to access your firewalled computer, which in this case is your Server. Here, using information from the “apps list”, you type:
$ sudo ufw allow SAMBA or $ sudo ufw allow CIFS
How did CIFS become an option? CIFS (Common Internet File System) is a protocol that lets programs make requests for files and services on remote computers. CIFS is a protocol used by SAMBA. If SAMBA is not listed in the “apps list”, then CIFS becomes its replacement in UFW.
Note: You deny or delete “allow” programs/services in the same manner as in the “ports” example.
Ufw will allow you to set a range of IP addresses. By so doing, all computers on your local network will be allowed to access the Server. To do this, on the Server, you would type:
$ sudo ufw allow 192.168.1.0/24
Here any protocol from inside 192.168.1.1-192.168.1.255 LAN will be able to access the server.
An Example of Putting UFW To Work
Below are the command line entries for ufw on a Debian Wheezy computer:
$ sudo ufw enable
$ ufw allow CIFS
$ ufw limit SSH
$ ufw allow tcp
$ ufw allow DNS
$ ufw allow Bonjour
What has happened:
Ufw is enabled.
Samba is allowed, using tcp on port 139 and 445, then allowed using udp ports 137 and 138.
A secure shell is allowed on port 22, with access limited to 6 attempts in 30 seconds.
Tcp is allowed on port 80.
Domain Name Service (DNS) is allowed through port 53
Bonjour (Apple’s zero-configuration networking service) accesses through tcp at port 5298 and through udp at port5353.
All other access ports are closed.
As with any computer related piece of security, you have to find a balance between security and convenience. Experiment, and remember the fewer ports you have open, the more your exposure is lessened.
Here is a summary typical Uncomplicated Firewall commands:
ufw enable – turn on the firewall
ufw disable – turn off the firewall
ufw default allow – allow all connections by default
ufw default deny – drop all connections by default
ufw status – current rules
ufw app list – show apps with preset rules
ufw allow port – allow traffic on a port
ufw deny port – port block
ufw deny from ip – ip block
There are other commands for the Uncomplicated Firewall. What I did in this article was provide the “basics”. Depending upon your needs, the rest is up to you. To help you, here are the sources for this article: