Its file and directory structure is shown below (I have used an Ubuntu Server 10.10 for the tests).
root@ubuntu-server:~# tree /etc/ufw/
/etc/ufw/
├── after6.rules
├── after.rules
├── applications.d
│ └── openssh-server
├── before6.rules
├── before.rules
├── sysctl.conf
└── ufw.conf
By default, the firewall is disabled. To enable it, run the following command; to turn the firewall off again, use the disable parameter instead.
root@ubuntu-server:~# ufw enable
root@ubuntu-server:~# ufw disable
root@ubuntu-server:~# ufw status verbose
Estado: activo
Acceso: on (low)
Por defecto: deny (Entrada), allow (Salida)
With 'status verbose' we can see that the default policy is to deny incoming traffic and to allow outgoing traffic. We can also change these default policies:
root@ubuntu-server:~# ufw default allow|deny|reject incoming|outgoing
Now we are going to look at several examples. For instance, to set up a rule that allows incoming mail traffic (any of the three forms is valid; service names are declared in the /etc/services file):
root@ubuntu-server:~# ufw allow 25
root@ubuntu-server:~# ufw allow 25/tcp
root@ubuntu-server:~# ufw allow smtp
To remove the rule:
root@ubuntu-server:~# ufw delete allow 25
To add a rule in a specific position (fourth in the following example):
root@ubuntu-server:~# ufw insert 4 allow 22
To specify the protocol and the source and destination addresses in order to deny certain traffic:
root@ubuntu-server:~# ufw deny proto esp from 192.168.1.0/24 to any
With ufw you can also set the log level (messages are written to syslog; the default level is low).
root@ubuntu-server:~# ufw logging on|off|LEVEL
LEVEL can be off, low, medium, high or full.
Another interesting feature of ufw is the possibility of defining applications. For example, I am going to create an application named 'myapps' with a series of services:
root@ubuntu-server:~# vim /etc/ufw/applications.d/myapps
[myapps-1]
title=My applications
description=my applications: Artifactory, Hudson, Sonar, Redmine, actiTIME, Daisy
ports=8081,8080,9000,3000,7000,8888/tcp
Then I have to update the firewall with that profile information.
root@ubuntu-server:~# ufw app update myapps-1
And finally, I can now set new rules using this application.
root@ubuntu-server:~# ufw allow from 10.0.0.0/8 to any app myapps-1
To list all applications or to show information about a certain profile, we can run the following commands:
root@ubuntu-server:~# ufw app list
root@ubuntu-server:~# ufw app info myapps-1
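A profile with a malformed ports= line is the usual reason 'ufw app update' rejects a file, so it pays to check the file before it reaches /etc/ufw/applications.d. The script below is an added example, not code from the original post or from the ufw project: it validates a ports spec (comma-separated ports or low:high ranges, an optional /tcp or /udp suffix per group, groups joined with '|', which is the shape ufw profiles use), writes a profile only if the spec passes, and reads a profile back to confirm it has the [name], title=, description= and ports= lines in the exact form shown above. The profile content is the post's myapps-1; the output directory is a constructed temporary directory, not the live one.

```sh
#!/bin/sh
# Added example (not from the original post or from ufw itself): check a
# ufw application profile before running 'ufw app update'. Files are
# written to a constructed temp dir, not to /etc/ufw/applications.d.
set -eu

# validate_ports SPEC
# Accepts the ports= shape used by ufw profiles: comma-separated ports or
# low:high ranges, an optional /tcp or /udp suffix per group, and groups
# joined with '|'. Returns 0 if well formed, 1 otherwise.
validate_ports() {
  spec=$1
  item_re='[0-9]+(:[0-9]+)?'
  group_re="$item_re(,$item_re)*(/(tcp|udp))?"
  printf '%s\n' "$spec" | grep -Eq "^$group_re(\\|$group_re)*\$" || return 1
  # The regex guarantees digits only, so the numeric tests below are safe.
  for item in $(printf '%s\n' "$spec" | tr ',|' '  '); do
    item=${item%%/*}            # drop a trailing /tcp or /udp
    lo=${item%%:*}; hi=${item##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
  done
  return 0
}

# write_profile FILE NAME TITLE DESCRIPTION PORTS
# Writes FILE in the format of /etc/ufw/applications.d/* after validating
# PORTS, so a bad spec never reaches the live directory.
write_profile() {
  file=$1 name=$2 title=$3 desc=$4 ports=$5
  validate_ports "$ports" || { echo "bad ports spec: $ports" >&2; return 1; }
  printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
    "$name" "$title" "$desc" "$ports" > "$file"
}

# check_profile FILE
# Validates a single-profile file of the kind shown in the post (a [name]
# header plus title=, description= and ports= lines at the start of the
# line). Prints the profile name on success for use with 'ufw app update'.
check_profile() {
  file=$1
  name=$(sed -n 's/^\[\(.*\)\]$/\1/p' "$file" | head -n 1)
  [ -n "$name" ] || return 1
  grep -q '^title=' "$file" || return 1
  grep -q '^description=' "$file" || return 1
  ports=$(sed -n 's/^ports=//p' "$file" | head -n 1)
  validate_ports "$ports" || return 1
  printf '%s\n' "$name"
}

# Demo with the post's myapps-1 profile in a constructed temp directory.
demo_myapps() {
  dir=$(mktemp -d)
  write_profile "$dir/myapps" myapps-1 "My applications" \
    "my applications: Artifactory, Hudson, Sonar, Redmine, actiTIME, Daisy" \
    "8081,8080,9000,3000,7000,8888/tcp"
  profile=$(check_profile "$dir/myapps")
  echo "profile '$profile' is valid; next step: ufw app update $profile"
  rm -rf "$dir"
}

demo_myapps
```

Run it as-is to see the post's profile pass; feed write_profile a spec such as 80/icmp and it refuses to create the file. Once a profile has passed check_profile, copy it into /etc/ufw/applications.d and run 'ufw app update' as in the post.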