
ufw

Ubuntu ships with ufw installed but the firewall turned off. You can configure iptables long-hand, but ufw (the Uncomplicated Firewall) is the choice for simple control of iptables.

(on minimal images or older releases you may need to install the ufw package with apt-get first)

Turning it on for ssh

You can use the built-in rule set (application profile) for secure shell, specify where you want to allow connections from, and then turn ufw on. Keep that order: once enabled, ufw denies incoming connections by default (outgoing traffic is allowed), so on a remote box add the ssh rule first or you will lock yourself out.

$ sudo ufw allow from xxx.xxx.xxx.0/24 to any app openssh
$ sudo ufw enable

To break that down:

    sudo ufw allow from xxx.xxx.xxx.0/24 to any app openssh
    |        |     |                     |      |
    |        |     |                     |      +- the OpenSSH application profile (22/tcp)
    |        |     |                     +- to any destination address on this host
    |        |     +- the source network you are letting connect in
    |        +- the action (allow, deny, reject or limit)
    +- you must be root to change rules

Note that "to any" is a destination address, not a network interface; to restrict a rule to one interface, add "in on <interface>" after the action. Check the result with "sudo ufw status verbose".

Turning it on for other applications

Other rule sets exist as well. To see what you can do, list them like so:

$ sudo ufw app list
Available applications:
  Lighttpd Full
  Lighttpd HTTP
  Lighttpd HTTPS
  OpenSSH
  Postfix
  Postfix Submission
  Samba

You turn these on the same way as above. Before you do, "sudo ufw app info OpenSSH" shows which ports a profile opens.

Creating your own app rule sets

The existing rule sets can be found in the /etc/ufw/applications.d/ folder. 

cd /etc/ufw/applications.d
ls
lighttpd  openssh-server  postfix  samba

Viewing one (e.g. openssh-server) shows the format: an INI-style file with one section per profile.

[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

You can create your own after the same pattern, in its own file in /etc/ufw/applications.d/ (e.g. /etc/ufw/applications.d/openfire). Ports listed with commas share the protocol that follows them; to open ports on both protocols, separate the specs with a pipe (e.g. ports=137,138/udp|139,445/tcp). New profiles are picked up automatically; if you change the ports of a profile that already has rules, run "sudo ufw app update <name>" so the live rules follow.

[openfire]
title=openfire
description=A XMPP server
ports=5222,5223,9090,9091,7777,7070,7443,3478,3479,5229/tcp

To specify a port range, use a colon

[pure-ftpd]
title=pure-ftpd
description=Simple FTP and FTPS Server
ports=21,4500:4600/tcp

You turn on such a rule set just like in the first example or, to allow connections from anywhere, name the profile alone:

$ sudo ufw allow pure-ftpd
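A typo in a hand-written profile only shows up when ufw refuses the rule, so it is worth checking the file before copying it into /etc/ufw/applications.d/. The checker below is an added example (not code from this page or from ufw): it parses the INI-style profile format shown above and validates the ports field against the forms used on this page (comma-separated ports or low:high ranges followed by one /tcp or /udp, several specs joined by '|'). The two sample profiles at the bottom are constructed, the first being the pure-ftpd profile from above.

```python
"""Check ufw application profiles before copying them into /etc/ufw/applications.d/.

Added example, not code from the page or from ufw itself. It parses the INI-style
profile format (one [name] section with title=, description= and ports=) and checks
the ports field against the forms used on the page: a comma-separated list of ports
or low:high ranges followed by one /tcp or /udp, with several specs joined by '|'.
"""
import configparser
import re
import sys

# One "<ports>/<proto>" spec: ports and ranges separated by commas, then one protocol.
PORT_SPEC = re.compile(r"^\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*/(tcp|udp)$")
REQUIRED_FIELDS = ("title", "description", "ports")


def parse_port_spec(spec):
    """Turn '21,4500:4600/tcp' into ('tcp', [(21, 21), (4500, 4600)]).

    Raises ValueError naming the offending piece so callers can report it.
    """
    if not PORT_SPEC.match(spec):
        raise ValueError(f"malformed port spec {spec!r}")
    ports_part, proto = spec.rsplit("/", 1)
    ranges = []
    for item in ports_part.split(","):
        low_s, _, high_s = item.partition(":")
        low = int(low_s)
        high = int(high_s) if high_s else low
        for port in (low, high):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range in {spec!r}")
        if low > high:
            raise ValueError(f"range {item} is reversed in {spec!r}")
        ranges.append((low, high))
    return proto, ranges


def validate_profile_text(text):
    """Return the problems found in one profile file; an empty list means it is clean."""
    # Profiles only use '=' between key and value, so ':' must not be a delimiter
    # (it appears inside port ranges such as 4500:4600).
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"cannot parse profile: {exc}"]
    if not parser.sections():
        return ["no [profile] section found"]

    problems = []
    for name in parser.sections():
        section = parser[name]
        for field in REQUIRED_FIELDS:
            if not section.get(field, "").strip():
                problems.append(f"[{name}]: missing {field}=")
        for spec in section.get("ports", "").split("|"):
            if not spec.strip():
                continue
            try:
                parse_port_spec(spec.strip())
            except ValueError as exc:
                problems.append(f"[{name}]: {exc}")
    return problems


# Constructed samples: the pure-ftpd profile from the page and a deliberately broken one.
GOOD_PROFILE = """\
[pure-ftpd]
title=pure-ftpd
description=Simple FTP and FTPS Server
ports=21,4500:4600/tcp
"""

BAD_PROFILE = """\
[broken]
title=broken profile
ports=70000/tcp|4600:4500/tcp|8080/icmp
"""

if __name__ == "__main__":
    # Usage: python3 check_profiles.py /etc/ufw/applications.d/*   (no args: check the samples)
    sources = [(path, open(path).read()) for path in sys.argv[1:]] or [
        ("good", GOOD_PROFILE), ("bad", BAD_PROFILE)]
    for label, text in sources:
        issues = validate_profile_text(text)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The broken sample trips all three port checks (a port above 65535, a reversed range and an unknown protocol) plus the missing description, which is exactly the kind of mistake that otherwise surfaces only as a cryptic error from "ufw allow".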

Removing Rules

To remove a rule, simply prefix the original rule with the delete parameter.

sudo ufw delete allow from 132.235.0.0/16 to any app openssh

If you don't know exactly which rule you need to delete, list the rules and reconstruct the command from the columns. This takes a little analysis, because the listing shows the profile's display name (OpenSSH) while the delete command takes the same arguments as the original allow:

$ sudo ufw status 
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       132.235.62.0/23

And based on that

sudo ufw delete allow from 132.235.62.0/23 to any app openssh

Alternatively, "sudo ufw status numbered" prefixes each rule with an index and "sudo ufw delete <n>" removes it by number. The remaining rules are renumbered after each deletion, so when removing several, work from the highest number down.
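When several rules have to go (for example every rule for a profile across two source networks and its IPv6 twin), deleting by number is quicker than retyping each allow, but the renumbering after each delete is easy to get wrong by hand. The script below is an added example (not code from this page or from ufw): it parses the output of "ufw status numbered", selects rules by destination and/or source, and emits delete commands highest index first so the numbers stay valid. The listing it works on is constructed to mirror the layout of "ufw status numbered"; the commands use ufw's --force option to skip the confirmation prompt.

```python
"""Build delete commands from `ufw status numbered` output.

Added example, not from the page or from ufw. It parses the numbered listing into
rules, selects those matching a destination (profile name or port) and/or source,
and emits `ufw delete <n>` commands highest index first, because ufw renumbers the
remaining rules after each deletion.
"""
import re

# e.g. "[ 3] OpenSSH                    ALLOW IN    10.0.0.0/8"
NUMBERED_RULE = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")


def parse_status_numbered(text):
    """Return one dict per rule line: {'num', 'to', 'action', 'from'}."""
    rules = []
    for line in text.splitlines():
        match = NUMBERED_RULE.match(line.strip())
        if not match:
            continue  # 'Status:' line, column headers, blank lines
        # Columns are separated by runs of spaces; single spaces occur inside a
        # column ("ALLOW IN", "Anywhere (v6)"), so split on two or more.
        columns = re.split(r"\s{2,}", match.group(2).strip())
        if len(columns) != 3:
            continue
        to, action, src = columns
        rules.append({"num": int(match.group(1)), "to": to,
                      "action": action, "from": src})
    return rules


def _normalise(value):
    # Profile names are matched case-insensitively, and the IPv6 twin of a rule
    # carries a " (v6)" suffix that the user never typed.
    return value.replace("(v6)", "").strip().lower()


def delete_commands(text, to=None, src=None):
    """Commands deleting every rule whose To/From match, ordered so indices stay valid."""
    selected = [
        rule for rule in parse_status_numbered(text)
        if (to is None or _normalise(rule["to"]) == _normalise(to))
        and (src is None or _normalise(rule["from"]) == _normalise(src))
    ]
    # Highest number first: removing rule 1 would turn rule 4 into rule 3.
    # --force skips ufw's "Proceed with operation?" prompt so this can run from a script.
    return [f"sudo ufw --force delete {rule['num']}"
            for rule in sorted(selected, key=lambda r: r["num"], reverse=True)]


# Constructed sample in the layout of `ufw status numbered`.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    132.235.62.0/23
[ 2] 1804                       ALLOW IN    132.235.62.0/23
[ 3] OpenSSH                    ALLOW IN    10.0.0.0/8
[ 4] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
"""

if __name__ == "__main__":
    # Real use:  sudo ufw status numbered | python3 ufw_delete.py openssh
    import sys
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    target = sys.argv[1] if len(sys.argv) > 1 else "openssh"
    for command in delete_commands(text, to=target):
        print(command)
```

Run on the sample with the default target, it prints delete commands for rules 4, 3 and 1 in that order; review the list before piping it into a shell, since a too-broad match (src=None, to=None) selects every rule.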

Adding an Arbitrary Port

You can, of course, skip setting up app definitions and add a port directly. Without a protocol the rule matches both TCP and UDP; append "proto tcp" (or "proto udp") to narrow it to what the service actually uses.

sudo ufw allow from 132.235.62.0/23 to any port 1804

Changing the log location

ufw can log a lot of data when the host sits in a DMZ. The amount is set with "sudo ufw logging <level>" (off, low, medium, high or full). To stop the messages cluttering kern.log and syslog, edit the rsyslog snippet the package installs: it already sends lines tagged "[UFW" to /var/log/ufw.log and contains a commented-out line, with instructions, that stops them from also being written to the other log files.

$ sudo vi /etc/rsyslog.d/20-ufw.conf

Uncomment that line and restart rsyslog (sudo systemctl restart rsyslog, or sudo service rsyslog restart on older releases). The messages will still show up in dmesg, which reads the kernel ring buffer directly rather than going through rsyslog.
