It has long been said that Linux is a far superior platform to the competition. One reason so many take that stance is security. Although no operating system is 100% secure, Linux does a great job of protecting your data. Even better, if you’re not happy with the job Linux does, you can easily change it. For example, if you don’t like the complexity of iptables, you can install and make use of the much easier Uncomplicated Firewall.
Uncomplicated Firewall (UFW) is one of the most user-friendly command line firewall tools you’ll find on Linux or any other platform. It makes securing a system easy enough that nearly anyone can use it.
I want to walk you through the process of installing UFW and then setting up default policies as well as allowing a few select protocols through. In the end, you’ll have complete control over the security of your system, without having to go through the far more complex iptables system.
What is UFW?
In a nutshell, UFW is a front end for iptables (which is a means to manipulate the netfilter subsystem). This firewall system is perfectly suited for host-based firewalls that anyone can use, without having to bother with fully understanding the concepts of firewalls (or the far more complicated commands found in iptables).
Of course, any IT pro who deals with security should understand the concepts of firewalls (as well as iptables); however, there are times when being able to manage a complex system with a bit of simplicity makes for a much faster “win”.
With that said, let’s install and use UFW.
I’ll be demonstrating the installation of ufw on Ubuntu 17.10 desktop (don’t fret, UFW can be installed on most Linux distributions). The installation is incredibly simple (as UFW is found in the standard repositories). To install, open up a terminal window and issue the command:
sudo apt install ufw
Once the installation completes, issue the command sudo ufw status and you should see the status as inactive (Figure A).
In order to enable UFW, issue the command:
sudo ufw enable
You should then see that the firewall is active and enabled, which means that if you restart your system, the firewall will start automatically (Figure B).
Setting default policies
There are two default policies to be set: incoming and outgoing. What we want to do is create one policy that will deny any incoming traffic and one to allow any outgoing traffic. For each of these, we will run a command. The first policy we’ll set is the incoming. To deny any incoming traffic, we issue the command:
sudo ufw default deny incoming
Once that command runs, UFW will remind you to update your rules accordingly. Why? Because at this point, nothing can get into your system (which means you have to manually allow certain traffic in).
Let’s enable outgoing traffic as a default policy. The command for this is:
sudo ufw default allow outgoing
Now your machine should function normally, unless you need to enable specific incoming traffic.
Allowing specific traffic in
Say, for example, you need to allow SSH traffic into the system on which you just denied all incoming traffic. For that, you create a rule that allows that particular protocol through. Since we’re talking SSH, the command would be:
sudo ufw allow ssh
Issue the command sudo ufw status and you can see that port 22 is open for incoming traffic (Figure C).
Say you want to allow HTTP traffic in. For that, the command would be:
sudo ufw allow www
What if you want to allow specific port ranges into the system? UFW allows for that as well. Say, for instance, you want to allow VNC into the machine on ports 5900-5902. For this, the command would be:
sudo ufw allow 5900:5902/tcp
Notice we’ve added the tcp protocol to the ports. If you need to use UDP, simply replace tcp with udp.
It really is that simple.
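Once the rules are in place, it is worth confirming that the host actually matches the baseline you intended rather than trusting that each command took effect. The Python script below is an added example, not part of the original article: it parses the output of sudo ufw status verbose (fed here as a constructed sample rather than captured from a live host) and reports any drift from a deny-in/allow-out policy with only SSH, HTTP and VNC 5900-5902 allowed in. The BASELINE set and the extra 3389/tcp rule in the sample are assumptions made for the demonstration.

```python
import re
# Constructed sample of `sudo ufw status verbose` output (not from a real host):
# the article's three rules plus an extra 3389/tcp rule that should be flagged.
SAMPLE_STATUS = """\
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
5900:5902/tcp              ALLOW IN    Anywhere
3389/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# Baseline from the article: deny in, allow out, only SSH, HTTP and VNC inbound.
BASELINE = {"22/tcp", "80/tcp", "5900:5902/tcp"}

# One rule line: "<to>[ (v6)]  <ACTION> <IN|OUT>  <from>"; the (v6) tag is
# dropped so an IPv4/IPv6 rule pair collapses into a single entry.
RULE_RE = re.compile(r"^(\S+)(?: \(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(.+?)\s*$")

def parse_status(text):
    # Returns (active, default policy per direction, [(to, action, dir, from)]).
    active, defaults, rules = False, {}, []
    for line in text.splitlines():
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
        elif line.startswith("Default:"):
            for m in re.finditer(r"(\w+) \((\w+)\)", line):
                defaults[m.group(2)] = m.group(1)  # defaults["incoming"] = "deny"
        else:
            m = RULE_RE.match(line)
            if m:
                rules.append(m.groups())
    return active, defaults, rules

def audit(text, baseline=BASELINE):
    # Returns a list of deviations from the baseline; empty means compliant.
    active, defaults, rules = parse_status(text)
    findings = [] if active else ["firewall is not active"]
    for direction, want in (("incoming", "deny"), ("outgoing", "allow")):
        if defaults.get(direction) != want:
            findings.append(f"default {direction} policy is not {want}")
    allowed_in = {to for to, act, dirn, _ in rules if (act, dirn) == ("ALLOW", "IN")}
    findings += [f"unexpected inbound allow: {p}" for p in sorted(allowed_in - baseline)]
    findings += [f"missing inbound allow: {p}" for p in sorted(baseline - allowed_in)]
    return findings
```

On a real host, replace SAMPLE_STATUS with the captured output of sudo ufw status verbose and adjust BASELINE to the ports you actually allowed.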
Firewalling made easy
UFW makes configuring your Linux system firewall incredibly easy. I would, however, recommend you give the UFW man page a read (man ufw), to find out more about what the system can do. Even without that extra information, you are ready to use Uncomplicated Firewall.