Home / ubuntu / Questions / 83830
Accepted
Icedrake
Asked: 2011-11-30 12:24:39 +0800 CST

What rules to use for UFW?

  • 772

I've decided to enable the UFW that comes with Ubuntu just to make my system even more secure (especially after watching a video of a person whose computer actually got infected!), and I've enabled UFW and installed GUFW, but I'm not sure what to do next. When I check the status of the firewall, it says that it is active. What are some rules that I should configure to actually make use of the firewall, since right now I'm assuming it's allowing everything, basically acting like it isn't there.

security

4 Answers

  1. Best Answer

    If you've set ufw to enabled then you've enabled the preset rules, so it means ufw (via iptables) is actively blocking packets.

    If you want more details, run

    sudo ufw status verbose

    and you will see something like this

    $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

    which basically means that all incoming is denied and all outgoing allowed. It's a bit more complicated than that (for example ESTABLISHED - requested - packets are allowed in), and if you're interested in the full set of rules, see the output of sudo iptables -L.

    If you have a public IP, you can use an online test to get an idea how good the filtering is, for example www.grc.com (look for ShieldsUP) or nmap-online.

    You should also see messages about blocked/allowed packets in logs (/var/log/syslog and /var/log/ufw.log).

    • 11

  2. See https://wiki.ubuntu.com/UncomplicatedFirewall.

    Features

    ufw has the following features:

    Getting started with ufw is easy. For example, to enable firewall, allow ssh access, enable logging, and check the status of the firewall, perform:

    $ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

    This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

    Advanced Functionality

    As mentioned, the ufw framework is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files:

    • /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
    • /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
    • /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
    • /etc/ufw/sysctl.conf: kernel network tunables
    • /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
    • /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL

    After modifying any of the above files, activate the new settings with:

    $ sudo ufw disable
$ sudo ufw enable
    • 2

  3. A firewall can provide two quite different levels of protection.

    ONE: -- It can block any external attempt to connect to a given host.

    TWO: -- It can control, limit, and obfuscate any available connections.

    You need to start with ONE, and think about TWO later ..

    STEPS:

    A. Create the script file

    gedit ~/ufw-MyRules.sh

    draft contents: 

    #!/bin/sh

# -------------------------------------
#
#  firewall settings  
#
#    ver: 00.01
#    rev: 30-Nov-2011
#
#  for Ubuntu 11.10
#
# -------------------------------------

# -------------------------------------
#  reset rules

# disable firewall
sudo ufw disable

# reset all firewall rules
sudo ufw reset --force

# set default rules: deny all incoming traffic, allow all outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing


# -------------------------------------
#  My rules  (CURRENTLY DISABLED)

# open port for SSH (remote support)
#  from: 111.222.333.444, port OpenSSH, limit
#sudo ufw limit log from 111.222.333.444 to any port 22

# open port for network time protocol (ntpq)
#sudo ufw allow ntp



# -------------------------------------
#  re-start

# enable firewall
sudo ufw enable

# list all firewall rules
sudo ufw status verbose

    B. Set file permission (needed only once)

    chmod a+x ufw-MyRules.sh

    C. Run the script

    ./ufw-MyRules.sh
    • 1

  4. Insert ufw -h like this:

    terminal@terminal: ufw -h
Invalid syntax

Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy
    • 0