Networking

Getting started with Uncomplicated Firewall

Thanks to Uncomplicated Firewall, network admins don't have to dive deep into iptables to keep their machines secure. Jack Wallen introduces you to this user-friendly security front end.

Image: Jack Wallen

Out of the box, Ubuntu Server is pretty secure. But like every machine you put on your network, you want to make sure it meets your company's security standards. To that end, you'll most likely be tweaking any firewall that winds up on your network. Fortunately, with Ubuntu Server, this isn't terribly hard—thanks to Uncomplicated Firewall (UFW). I'm going to walk you through the process of configuring a UFW policy and then creating your first firewall rule.

UFW briefly explained

Before we get into this setup, it's important to understand that UFW acts as a front-end for the much more complicated iptables. Becoming proficient with iptables takes a considerable investment of time; gaining a full understanding of UFW isn't nearly as challenging. If you're concerned that UFW doesn't offer enough power, know that this particular firewall tool is very well-suited for host-based firewalls and offers quite a number of useful features (for a full list of the features, check out the official UFW Ubuntu wiki page).

Out of the box, UFW will be installed. You can double check this by issuing the command ufw version. This will report back which version of UFW is installed on your system (on a fully updated installation of Ubuntu 16.04, UFW reports as 0.35).

Let's configure.

Configuring the default policy

The default UFW policy is set in the file /etc/default/ufw. There are four particular lines you want to look for:

DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"

It's important to know that each of the above policies accepts a slightly different set of values:

  • INPUT/OUTPUT/FORWARD can be set to ACCEPT, DROP, or REJECT
  • APPLICATION can be set to ACCEPT, DROP, REJECT, or SKIP

You can adjust the default policies to suit your needs. Out of the box, UFW denies all incoming traffic and allows all outgoing traffic. Effectively, these would be set with the following two commands:

sudo ufw default deny incoming
sudo ufw default allow outgoing

If you make any changes to the default policies, check the status of UFW with the command:

sudo ufw status

If UFW reports that it is inactive, you must then activate it with the command:

sudo ufw enable

When you enable UFW, you will be required to reboot your machine before it is activated. Once rebooted, the sudo ufw status command will report it as being active.
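The default policy and the enable step above are easy to run by hand, but on a remote server the order matters: if the incoming policy is deny and you enable UFW before admitting your own SSH session, you cut yourself off. The script below is an added example, not part of the article, that applies the article's defaults and admits SSH from one admin address before enabling. The UFW_CMD indirection is an assumption of this example (it lets you point the script at a recorder such as echo to review the exact command sequence before it touches a live host); ufw's --force flag skips the interactive confirmation that enable normally prints.

```shell
#!/bin/sh
# Added example (not from the article). Applies the article's default policy
# and enables UFW without locking out the admin host.
# UFW_CMD is an assumed indirection: leave it at the default "sudo ufw" on a
# real server, or set it to "echo" to preview the commands without applying.
UFW_CMD="${UFW_CMD:-sudo ufw}"

# Run one ufw invocation through the indirection.
run_ufw() {
    $UFW_CMD "$@"
}

# Apply the defaults the article describes, then admit SSH from one admin
# address (argument 1) BEFORE enabling, so a remote session is not cut off.
# The address check is a simple sanity check (digits and dots only), not a
# full IPv4 validator.
ufw_baseline() {
    admin_ip="$1"
    case "$admin_ip" in
        ""|*[!0-9.]*)
            echo "usage: ufw_baseline <admin-ipv4-address>" >&2
            return 2
            ;;
    esac
    run_ufw default deny incoming
    run_ufw default allow outgoing
    run_ufw allow from "$admin_ip" to any port 22 proto tcp
    run_ufw --force enable   # --force skips the interactive confirmation
}
```

To preview the sequence without changing anything, run it with the indirection set to a printer: `UFW_CMD=echo sh -c '. ./ufw_baseline.sh; ufw_baseline 192.168.1.162'` (assuming you saved the block as ufw_baseline.sh). Afterwards, `sudo ufw status` should show the port 22 rule for the admin address ahead of anything else.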

The default policy does work well for both servers and desktops. But what if you want to really lock down a particular machine? When you issue the status command it becomes clear the only rules in place are generated from the default policies. Why? No other rules have been set. Let's take care of that.

Creating a UFW rule

Creating a UFW rule is really simple. You've already had a taste with the setting of the default policy for incoming and outgoing rules. Let's start off with a very simple rule. Say you set the incoming policy to ALLOW (chances are slim you would do this), but know of an IP address that needs to be blocked from reaching your machine; let's say the offending address is 12.13.14.15. You can block this with the command:

sudo ufw deny from 12.13.14.15

If your machine has two network interfaces (eth0 for external and eth1 for internal) and you want to block the above IP from entering the external interface, you could issue the command:

sudo ufw deny in on eth0 from 12.13.14.15

Let's now consider incoming traffic we want to allow. At the moment, no address (neither private nor public) can enter our machine. Let's fix that. Say you need to allow secure shell traffic in from a machine on the same network (we'll go with IP address 192.168.1.162). To do this, you would only have to issue a single command:

sudo ufw allow from 192.168.1.162 to any port 22

Now, when we run sudo ufw status, we see our new rule listed (Figure A).

Figure A

Our new rule listed with the status command.

If you need to allow secure shell traffic from any address, you can issue the command:

sudo ufw allow ssh

The above command would allow both internal and external addresses to reach the machine (via ssh), so long as the addresses had access to the network.
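Because a rule like ufw allow ssh admits every address that can reach the network, it is worth checking the status output for ports that are open to the world rather than to one host. The following is an added example, not part of the article: it reads the text that ufw status prints and lists the ALLOW rules whose source is Anywhere. The status text embedded below is constructed to mirror the rules created in this article (the deny for 12.13.14.15, the port 22 allow from 192.168.1.162, and the ufw allow ssh rule, which ufw records as 22/tcp); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): read "ufw status" output and report
# which ports are allowed from any address.
# SAMPLE_STATUS is constructed to match the rules set up in the article.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       192.168.1.162
Anywhere                   DENY        12.13.14.15
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Print the "To" column of every ALLOW rule whose source is Anywhere.
# Reads status text on stdin. The "(v6)" markers ufw appends to IPv6 rows are
# stripped first, so a rule open on both address families is listed once.
world_open_ports() {
    awk '
        /^Status:/ || /^To +Action/ || /^--/ || NF == 0 { next }
        {
            line = $0
            gsub(/ \(v6\)/, "", line)
            # ufw separates the three columns with runs of spaces.
            split(line, f, /  +/)
            to = f[1]; action = f[2]; from = f[3]
            if (action == "ALLOW" && from == "Anywhere" && !(to in seen)) {
                seen[to] = 1
                print to
            }
        }'
}

# Exit 0 when the status on stdin shows SSH (port 22) open to any address,
# whether recorded as "22" or "22/tcp".
ssh_open_to_world() {
    world_open_ports | grep -q -x -E '22(/tcp)?'
}
```

On a live host, pipe the real output in: `sudo ufw status | world_open_ports` lists the world-reachable ports, and `sudo ufw status | ssh_open_to_world && echo "ssh is open to any address"` flags the case the paragraph above describes. Run against SAMPLE_STATUS the only entry listed is 22/tcp; the host-specific port 22 rule and the deny rule are not reported.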

See how uncomplicated UFW is? It's significantly easier to work with (although not quite as flexible) than iptables.

Keep learning

At this point we have touched on the very basics of UFW. You will want to continue this education and the first place to investigate is the UFW man page. Issue the command man ufw to read about all the options available to the ufw command.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
