What rules to use for UFW?
I've decided to enable the UFW that comes with Ubuntu just to make my system even more secure (especially after watching a video of a person whose computer actually got infected!), and I've enabled UFW and installed GUFW, but I'm not sure what to do next. When I check the status of the firewall, it says that it is active. What are some rules that I should configure to actually make use of the firewall, since right now I'm assuming it's allowing everything, basically acting like it isn't there.
If you've set ufw to enabled then you've enabled the preset rules, so it means ufw (via iptables) is actively blocking packets.
If you want more details, run sudo ufw status verbose and you will see something like this:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
which basically means that all incoming is denied and all outgoing allowed. It's a bit more complicated than that (for example ESTABLISHED - requested - packets are allowed in), and if you're interested in the full set of rules, see the output of sudo iptables -L.
If you have a public IP, you can use an online test to get an idea how good the filtering is, for example www.grc.com (look for ShieldsUP) or nmap-online.
You should also see messages about blocked/allowed packets in logs (/var/log/syslog and /var/log/ufw.log).
See https://wiki.ubuntu.com/UncomplicatedFirewall.
Features
ufw has the following features:
Getting started with ufw is easy. For example, to enable firewall, allow ssh access, enable logging, and check the status of the firewall, perform:
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp ALLOW Anywhere
This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.
Advanced Functionality
As mentioned, the ufw framework is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files:
- /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
- /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
- /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
- /etc/ufw/sysctl.conf: kernel network tunables
- /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
- /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
After modifying any of the above files, activate the new settings with:
$ sudo ufw disable
$ sudo ufw enable
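The answer above points at /var/log/ufw.log for blocked/allowed packets. As an added example (my own, not part of the answer or of ufw), here is a POSIX sh helper that reads lines in the format ufw writes to that log, keeps only the [UFW BLOCK] entries, and summarises them by source address, protocol and destination port, which is usually the first thing you want when checking whether the deny-incoming default is doing anything. The log lines in sample_ufw_log are constructed (TEST-NET addresses), and the function names are mine.

```shell
#!/bin/sh
# Added example: summarise [UFW BLOCK] entries from a ufw log.
# Usage on a real system: sudo cat /var/log/ufw.log | ufw_block_summary

# Constructed sample in ufw's log format (not a real capture): three blocked
# SYNs to port 22 from one host, one blocked telnet probe from another, one
# logged ALLOW line and one unrelated syslog line that must both be ignored.
sample_ufw_log() {
    cat <<'EOF'
Nov 30 10:00:01 myhost kernel: [ 1234.567] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:02 myhost kernel: [ 1235.567] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:03 myhost kernel: [ 1236.567] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:04 myhost kernel: [ 1237.567] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:05 myhost kernel: [ 1238.567] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:06 myhost sshd[1234]: Server listening on 0.0.0.0 port 22.
EOF
}

# Number of blocked packets in the log read from stdin.
ufw_block_total() {
    grep -c '\[UFW BLOCK\]'
}

# One line per (source, protocol, destination port) seen in [UFW BLOCK]
# entries, most frequent first: "<count> <SRC> <PROTO> <DPT>".
# The kernel line is space separated KEY=VALUE tokens, so a field scan is
# enough; tokens without "=" (timestamps, "DF", "SYN") are skipped.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = "?"
            for (i = 1; i <= NF; i++) {
                if (index($i, "=") == 0) continue
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_ufw_log | ufw_block_summary
```

Repeated SYNs to port 22 from one address, as in the sample, are exactly the pattern the limit rule in the other answer's script is meant to throttle; seeing them in the summary confirms the default deny is in force even before you add any rule of your own.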
A firewall can provide two quite different levels of protection.
ONE: -- It can block any external attempt to connect to a given host.
TWO: -- It can control, limit, and obfuscate any available connections.
You need to start with ONE, and think about TWO later.
STEPS:
A. Create the script file
gedit ~/ufw-MyRules.sh
draft contents:
#!/bin/sh
# -------------------------------------
#
# firewall settings
#
# ver: 00.01
# rev: 30-Nov-2011
#
# for Ubuntu 11.10
#
# -------------------------------------
# -------------------------------------
# reset rules
# disable firewall
sudo ufw disable
# reset all firewall rules (--force skips the interactive confirmation;
# it is an option of ufw itself and goes before the command)
sudo ufw --force reset
# set default rules: deny all incoming traffic, allow all outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
# -------------------------------------
# My rules (CURRENTLY DISABLED)
# open port for SSH (remote support)
# from: 111.222.333.444, port OpenSSH, limit
#sudo ufw limit log from 111.222.333.444 to any port 22
# open port for network time protocol (ntpq)
#sudo ufw allow ntp
# -------------------------------------
# re-start
# enable firewall
sudo ufw enable
# list all firewall rules
sudo ufw status verbose
B. Set file permission (needed only once)
chmod a+x ufw-MyRules.sh
C. Run the script
./ufw-MyRules.sh
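The script above applies its rules as soon as it runs and carries the administrator address as a placeholder (ufw rejects an address with an octet above 255, so the placeholder has to be replaced before the commented rule is enabled). As an added example (my own, not from the answer or from ufw), here is a POSIX sh variant of the same policy that validates the address and port first and emits the ufw commands for review instead of executing them; the address 203.0.113.5 is a constructed example and the function names are mine.

```shell
#!/bin/sh
# Added example: build the same deny-in/allow-out/limited-SSH policy as the
# answer's script, but validate the inputs and print the commands for review.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
validate_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS
    IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP/UDP port number in 1..65535.
validate_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ufw commands for the policy: default deny incoming, allow
# outgoing, and rate-limited, logged SSH from one admin address only.
# Arguments: admin IPv4 address, SSH port (default 22). Nothing is run.
build_ufw_rules() {
    admin_ip=$1
    ssh_port=${2:-22}
    validate_ipv4 "$admin_ip" || {
        echo "refusing: '$admin_ip' is not a valid IPv4 address" >&2
        return 1
    }
    validate_port "$ssh_port" || {
        echo "refusing: '$ssh_port' is not a valid port" >&2
        return 1
    }
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit log from $admin_ip to any port $ssh_port proto tcp
EOF
}

# Demonstration with a constructed admin address: prints the three commands.
# To preview what ufw would load without changing anything, run each line as
# "sudo ufw --dry-run <command>"; to apply, prefix with sudo and then
# "sudo ufw enable" as in the answer's script.
build_ufw_rules 203.0.113.5 22
```

Keeping the rule list as generated text means the same file can be diffed against what sudo ufw status verbose reports later, which is a cheap way to notice a rule that was added by hand and never written down.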