An Introduction to Ubuntu’s ‘Uncomplicated’ Firewall
It’s inevitable. At some point, you’re going to be using Ubuntu, or an Ubuntu-derived, Linux distribution. This could be as an admin with a traditional server or desktop, a virtual machine, or as an image for container deployments.
There’s a good reason for that. Ubuntu is not only a widely used operating system for multiple purposes, but it’s also very user-friendly.
Even the firewall has become quite simple to use. That, of course, hasn’t always been the case. When I first started using Linux, if I wanted to configure the firewall, I had to suck it up and learn iptables, which was no easy feat. In fact (at the time), iptables was one of the most complicated tools to not only master but to simply use.
Imagine, you wanted to secure SSH traffic and you knew to do so would require commands like this:
|
1 2 |
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT |
Not only were the iptables commands a significant challenge to remember, but they were also a bear to type. And with so many options and flags to consider, it was very easy to get things wrong.
I even knew some Linux admins who were prone to tossing their hands in the air and leaving every port on a server open for all to see. That, of course, isn’t just lazy but inviting trouble.
Fortunately, over the years, Ubuntu evolved and adopted a far simpler firewall tool that anyone could learn and use.
The firewall in question is UFW (Uncomplicated Firewall). Like the RHEL-based firewalld, UFW is just a frontend for iptables that focuses on simplicity. Believe me when I say that’s a good thing. And even though UFW is uncomplicated, it still works very well. And for those who prefer a GUI (and have a desktop environment available on their Ubuntu deployments), there’s a graphical option that means you’d never have to run a single command for the firewall.
What I want to do is show you how UFW works and then walk you through the process of installing a GUI.
What You’ll Need
The only things you’ll need to follow along are a running instance of a Ubuntu-based Linux distribution and a user with sudo privileges.
Using UFW from the Command Line
The first thing we’ll do is work with the firewall from the command line. UFW will be installed, by default, on your Ubuntu machines. You can verify this by issuing the command:
|
1 |
sudo ufw status |
You will probably see the following output:
|
1 |
Status: inactive |
Obviously, that means UFW hasn’t been enabled. To activate the firewall, issue the command:
|
1 |
sudo ufw enable |
Now, when you issue the status command, it will report:
|
1 |
Status: active |
Your firewall is now working. You can view even more information with the command:
|
1 |
sudo ufw status verbose |
The above command will report something like:
|
1 2 3 4 |
Status: active Loggin: on (low) Default: deny (incoming), allow (outgoing), disable (routed) New profiles: skip |
If you attempt to SSH into that machine, you’ll be blocked. Why? Because out of the box, UFW blocks all incoming traffic.
Open Ports with SSH
Let’s open the SSH port (22), so we can log into the machine via Secure Shell. We can do that either by port or service. Those commands are:
|
1 2 |
sudo ufw allow 22 sudo ufw allow ssh |
Unlike firewalld on RHEL-based machines, you don’t have to reload the firewall for the changes to take effect.
Now, if you attempt to SSH into that machine, you will be allowed.
You can do the same with any service or port, such as:
|
1 2 |
sudo ufw allow 80 sudo ufw allow http |
It really is that simple.
There are, however, a few more tricks up UFW’s sleeve. Let’s stick with SSH traffic. When you opened port 22 on the machine, it will allow traffic from any machine through that port. What if you want to allow only one machine through that port? If you know the IP address of that machine, you can do that. First, you have to delete the rule you just created with the command:
|
1 |
sudo ufw delete allow ssh |
Let’s say you want to only allow SSH traffic from a machine with IP address 192.168.1.73. The command for that would be:
|
1 |
sudo ufw allow from 192.168.1.73 to any port ssh |
Once you’ve run the above command, only the machine at IP address 192.168.1.73 will be allowed in through port 22. And since all other ports are blocked, the SSH port is the only thing open and it’s only open to that one machine.
To delete that rule, the command would be:
|
1 |
sudo ufw delete allow from 192l.168.1.73 to any port ssh |
Or, maybe you want to open the SSH port to all machines on your LAN. Sticking with the same IP address scheme, that command would be:
|
1 |
sudo ufw allow from 192.168.1.0/24 to any port 22 |
What about the GUI?
If you want to install the GUI app for UFW, the command is:
|
1 |
sudo apt-get install gufw -y |
Once the installation completes, you’ll find the Firewall GUI in your desktop menu. Open the app, type your sudo password when prompted, and you’ll find a very simple GUI tool for managing UFW (Figure 1).
-
Figure 1: The gufw GUI app makes managing UFW even easier.
Click the Rules tab and you’ll see the last command we ran above listed (Figure 2).
-
Figure 2: Our rule to allow all LAN traffic through SSH is listed.
To create a new rule with the GUI, click + in the Rules tab and use either the Preconfigured, Simple, or Advanced tabs to create your rule. The Simple tab is my favorite, because all you have to do is type a name; select a policy, direction, and protocol, and then type either a port or service (Figure 3).
-
Figure 3: Creating a firewall rule with the Simple tab in gufw.
The Advanced tool is similar to the Simple option, only it adds Interface, Log, From, and To options.
And that’s the gist of working with Uncomplicated Firewall. You’d be hard-pressed to find an easier firewall system on the market to help lock down your systems.
To learn more about UFW, make sure to visit its Ubuntu Wiki page or issue the command man ufw.
