I have used iptables for many years, including for fairly complex setups, and only recently discovered ufw (Uncomplicated Firewall). Developed for Ubuntu to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. By default ufw is disabled.
Installation
I have ufw installed on my Ubuntu 11.04; I don't know whether it is there by default (probably) or was installed some time ago during a test. In any case, on Debian and Ubuntu you can install it with
aptitude install ufw
Basic Operation
You can get the status and start or stop ufw with these commands. Note that all ufw commands must be run as root, so put sudo in front of each command or become root with sudo -i.
ufw status
ufw enable
ufw disable
Enabling or disabling ufw with these commands also enables or disables the firewall at boot time.
Set a default behavior
With the default argument you can set your default policy to allow or deny packets.
ufw default allow
ufw default deny
Allow and Deny
The basic syntax to allow or deny a specific port is
ufw allow port
ufw deny port
Without a protocol the rule applies to BOTH tcp and udp; if you want to restrict it to one protocol, write
ufw allow port/protocol
ufw deny port/protocol
So to allow only ssh on your machine you can use:
ufw enable
ufw default deny
ufw allow 22/tcp
It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access from host 192.168.0.2 to any IP address on the host:
ufw allow from 192.168.0.2 to any port 22 proto tcp
Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.
dry-run
Adding the --dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port:
~# ufw --dry-run allow http
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 192.168.0.2 in
-A ufw-user-input -p tcp --dport 22 -s 192.168.0.2 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
Rules updated
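The dry-run output is worth reading before you enable a rule set on a remote host, because the "### tuple ###" lines show exactly which source may reach which port. As an added example (not part of the original post or of ufw itself), the following Python script parses the RULES section of that output and lists the ports a rule opens to any source. The tuple field order (action, protocol, destination port, destination, source port, source, direction) is inferred from the output above, where the port-22 tuple ends in 192.168.0.2 and the matching iptables line carries -s 192.168.0.2; the embedded text is the rules excerpt from the dry run shown above.

```python
"""Parse the RULES section of `ufw --dry-run` output and flag rules open to the world."""
from typing import Dict, List, Optional

# Excerpt of the `ufw --dry-run allow http` output shown above (RULES section only).
DRY_RUN_OUTPUT = """\
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 192.168.0.2 in
-A ufw-user-input -p tcp --dport 22 -s 192.168.0.2 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###
"""

# Fields of a "### tuple ###" line, in the order inferred from the dry-run output
# (assumption: dport/dst precede sport/src, matching the iptables line that follows).
TUPLE_FIELDS = ("action", "proto", "dport", "dst", "sport", "src", "direction")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Return one dict per rule tuple, each carrying the iptables line that follows it."""
    rules: List[Dict[str, str]] = []
    in_rules = False
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "### RULES ###":
            in_rules = True
            continue
        if line == "### END RULES ###":
            break
        if not in_rules or not line:
            continue
        if line.startswith("### tuple ###"):
            values = line[len("### tuple ###"):].split()
            if len(values) != len(TUPLE_FIELDS):
                raise ValueError(f"unexpected tuple line: {line}")
            current = dict(zip(TUPLE_FIELDS, values))
            rules.append(current)
        elif line.startswith(("-A ", "-I ")):
            # The iptables rule belongs to the most recent tuple.
            if current is None:
                raise ValueError(f"iptables line without a preceding tuple: {line}")
            current["iptables"] = line
    return rules


def world_open(rules: List[Dict[str, str]]) -> List[str]:
    """Ports that an allow rule opens from any source (src 0.0.0.0/0), as 'port/proto'."""
    return [f"{r['dport']}/{r['proto']}" for r in rules
            if r["action"] == "allow" and r["src"] == "0.0.0.0/0"]


if __name__ == "__main__":
    parsed = parse_rules(DRY_RUN_OUTPUT)
    for rule in parsed:
        print(f"{rule['action']} {rule['dport']}/{rule['proto']} from {rule['src']}: {rule['iptables']}")
    print("open to any source:", world_open(parsed))
```

Running it against the excerpt reports the ssh rule as restricted to 192.168.0.2 and lists 80/tcp as the only port reachable from any source; on a real system you would pipe the dry-run output in instead of the embedded excerpt.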
Logging
Enabling and disabling logging is really easy; use:
ufw logging on
ufw logging off
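Once logging is on, the LOG rules from the dry-run output write lines tagged "[UFW BLOCK]", "[UFW ALLOW]" or "[UFW LIMIT BLOCK]" to the kernel log. As an added example (not part of the original post), the following Python script summarizes such lines by source address and destination port, which is the quick check you want when reviewing what the firewall is dropping. The log lines are constructed for the example, with addresses from the documentation ranges, in the KEY=VALUE layout the kernel uses for LOG targets.

```python
"""Summarize ufw kernel log lines ([UFW BLOCK] / [UFW ALLOW]) by source and destination port."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (documentation addresses, not real hosts) in the layout
# the kernel writes for ufw's LOG rules; one unrelated kernel line is mixed in.
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: [ 1235.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 host kernel: [ 1236.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12347 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:04 host kernel: [ 1237.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=22222 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:05 host kernel: [ 1238.000000] eth0: link is up
Jan 10 12:00:06 host kernel: [ 1239.567890] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=22223 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The ufw prefix ("BLOCK", "ALLOW", "LIMIT BLOCK") followed by the packet fields.
LOG_RE = re.compile(r"\[UFW (?P<event>[A-Z ]+?)\] (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; bare flags like DF/SYN are skipped


def parse_ufw_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the event type and packet fields of a ufw log line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"event": m.group("event")}
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec


def blocked_by_source(lines: Iterable[str]) -> Counter:
    """Count [UFW BLOCK] events per source address."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_ufw_log_line(line)
        if rec and rec["event"] == "BLOCK":
            counts[rec.get("SRC", "?")] += 1
    return counts


def blocked_ports_for(lines: Iterable[str], src: str) -> List[str]:
    """Sorted distinct destination ports that were blocked for one source address."""
    ports = set()
    for line in lines:
        rec = parse_ufw_log_line(line)
        if rec and rec["event"] == "BLOCK" and rec.get("SRC") == src and "DPT" in rec:
            ports.add(rec["DPT"])
    return sorted(ports)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for source, count in blocked_by_source(log_lines).most_common():
        print(f"{source}: {count} blocked, ports {blocked_ports_for(log_lines, source)}")
```

On a live system the same functions can be fed the lines of the kernel log that contain "[UFW "; a single source touching many unrelated ports, as 203.0.113.5 does in the sample, is the pattern to look at first, while a block followed by an allow from the same source for the same port usually just reflects a rule added in between.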
OK, this is all for a basic guide to ufw, but perhaps you think it's still not so Uncomplicated?
Don’t worry because there is also a nice GUI called gufw.
It supports common tasks such as allowing or blocking pre-configured services, common P2P applications, or individual IPs/ports, and many other operations!
Check also this guide on gufw:
How to easily manage your Linux firewall with gufw
Thanks, this looks nice and simple. Although I don’t know why someone would take a project he/she worked hard to create, and then name it “ufw” or “gufw” or “jdfhywesdshhsnbb112999sbdndb”… Maybe there’s a coolness quality I’m not aware of 🙂
Application profiles are also supported by ufw. These are pre-defined protocols/ports that can be referenced by application name (protocol names are from /etc/services). I wrote a couple of hundred:
Stubborn Tech Problem Solving: UFW application profiles
Bug #659619 in ufw
Unfortunately they haven’t been packaged yet.
Thanks for the info.