Firewall Ubuntu Desktops
Many Ubuntu users are interested in learning how to enable a firewall. Most people seem to be interested in filtering inbound and outbound connections on a Desktop installation.
Without getting into the inevitable debate on the merits of using a firewall, I would like to pass on some basic information. Please understand that discussions about firewalls, and the technical details of how a firewall works, can become complicated very fast. The goal of this post, therefore, is to make users comfortable with the basic firewall manipulations on an Ubuntu Desktop installation.
You should also know that, by default, Ubuntu, unlike some operating systems, runs no significant listening servers. You may list your listening servers with any of the following commands:
sudo bash -c "netstat -an | grep LISTEN | grep -v ^unix"
netstat -ntulp
sudo lsof -i -n -P
Alternately, you may perform a port scan from a second computer, e.g. with nmap.
I strongly advise the use of UFW (Uncomplicated FireWall): it is installed by default, the syntax is easy to understand, and the defaults are more than adequate for the vast majority of users. If you prefer a graphical front end, install GUFW.
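As an added example (not part of the original post), the script below takes the text that netstat prints and separates sockets bound only to loopback (reachable from this machine alone) from sockets bound to a wildcard or real interface address (what a port scan from a second computer would find). The sample netstat output is constructed for the example; on a live system pipe `netstat -ntul` into `listening_report` instead.

```shell
#!/bin/sh
# Added example: classify netstat-style listening sockets as "local"
# (loopback only) or "exposed" (wildcard or interface address).
# SAMPLE_NETSTAT is constructed for this example, not captured output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

# Read netstat text on stdin; print one line per socket:
#   <exposed|local> <proto> <address> <port>
listening_report() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            # TCP rows carry a State column; keep only LISTEN. UDP rows
            # have no state and are listening if netstat -l shows them.
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # Everything before the last ":" is the address (IPv6 safe).
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "::1" || host ~ /^127\./)
                scope = "local"
            else
                scope = "exposed"
            printf "%s %s %s %s\n", scope, $1, host, port
        }'
}

# Number of sockets reachable from the network in the sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_report | grep -c '^exposed'
}

# Distinct exposed port numbers, ascending, space separated.
exposed_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_report \
        | awk '$1 == "exposed" { print $4 }' | sort -n -u \
        | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_report
```

In the constructed sample, CUPS on port 631 is bound to loopback only and is therefore not exposed, while sshd (22), the DHCP client (68) and mDNS (5353) answer on the wildcard address and are what an outside scan would see.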
Enable your firewall
This is very easy:
sudo ufw enable
Deny incoming connections
This setting denies all new incoming connections. Established connections (replies to connections you initiated) are still allowed.
sudo ufw default deny
Since we are not running a server, nothing further is required for incoming connections.
Deny outgoing connections
This is a bit harder, as you need to know which services you wish to allow and write rules for the outbound traffic you wish to permit. Common services you may wish to allow (and their ports) include:
Basic services:
DNS (Domain Name Service) = protocol udp port 53.
Web browsing = http protocol tcp port 80.
Secure web browsing = https protocol tcp port 443.
Mail = protocol tcp port 25.
FTP = protocol tcp port 20 and 21.
SSH = protocol tcp port 22.
VNC = protocol tcp port 5900.
Samba = multiple ports: protocol udp ports 137 and 138, as well as tcp ports 139 and 445.
IRC = protocol tcp; the Ubuntu server default is port 8001.
A listing of ports can be found here.
UFW filters outbound traffic by destination port (the port on the remote server). To allow the outbound traffic listed above, use:
sudo ufw allow out 53,137,138/udp
sudo ufw allow out 20,21,22,25,80,139,443,5900,8001/tcp
Then block all other outbound traffic with:
sudo ufw deny out to any
Keep in mind that rule order is critical: rules are evaluated top to bottom and the first match wins, so once the final deny-all-outbound rule is in place, any additional allow rule must be inserted above it rather than appended after it.
List your rules by number with:
sudo ufw status numbered
If you used the above syntax you will see:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 53,137,138/udp             ALLOW OUT   Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT   Anywhere (out)
[ 3] Anywhere                   DENY OUT    Anywhere (out)
Say we wish to allow outbound telnet on port 23. We will need to add this before the third rule (which denies all outbound traffic). We do this using insert:
sudo ufw insert 3 allow out 23
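Working out the insert position by hand is error-prone once the rule list grows, so here is an added example (not from the original post) that parses the output of `sudo ufw status numbered`, finds the catch-all "DENY OUT Anywhere" rule, and builds the matching `ufw insert` command. It also checks an existing list for allow rules that sit below the deny and are therefore never reached. The status text below is constructed to match the rule set built above; the helper names are this example's own.

```shell
#!/bin/sh
# Added example: compute the insert position for a new outbound allow rule
# so it lands above the catch-all DENY OUT rule. SAMPLE_STATUS is
# constructed to mirror the rules added earlier in the post.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 53,137,138/udp             ALLOW OUT   Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT   Anywhere (out)
[ 3] Anywhere                   DENY OUT    Anywhere (out)'

# Read "ufw status numbered" text on stdin; print the number of the first
# rule that denies all outbound traffic (To = Anywhere, Action = DENY OUT),
# or nothing if no such rule exists.
deny_out_index() {
    awk '
        /^\[ *[0-9]+\]/ {
            # Rule number sits between the brackets: "[ 3]" -> 3
            num = $0
            sub(/^\[ */, "", num); sub(/\].*$/, "", num)
            if ($0 ~ /\] *Anywhere +DENY OUT/) { print num; exit }
        }'
}

# Build the command that allows PORT/PROTO outbound above the catch-all
# deny. If there is no deny rule, order does not matter and a plain
# "allow out" is enough. Usage: insert_cmd 23/tcp < status-text
insert_cmd() {
    port_proto=$1
    idx=$(deny_out_index)
    if [ -n "$idx" ]; then
        printf 'sudo ufw insert %s allow out %s\n' "$idx" "$port_proto"
    else
        printf 'sudo ufw allow out %s\n' "$port_proto"
    fi
}

# Audit a rule list: every ALLOW OUT placed after the catch-all DENY OUT
# is shadowed and never matches. Prints "ok" or the shadowed rule numbers.
check_order() {
    awk '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*$/, "", num)
            if ($0 ~ /\] *Anywhere +DENY OUT/ && deny == "") deny = num
            else if ($0 ~ /ALLOW OUT/ && deny != "") { print num; bad = 1 }
        }
        END { if (!bad) print "ok" }'
}

# Stand-alone run on the constructed sample: prints the insert command.
printf '%s\n' "$SAMPLE_STATUS" | insert_cmd 23/tcp
```

On a live machine, `sudo ufw status numbered | insert_cmd 23/tcp` prints the command to run; the indirection lets you review it before anything changes. Running `check_order` over the same output is a quick way to confirm that no allow rule has been appended below the deny by mistake.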
Peer-to-peer (torrents)
Peer-to-peer file sharing via torrents is popular, and allowing torrent traffic is a bit complicated. The major reason is that ISPs often block the common torrent ports, so it is almost impossible to know which ports a given transfer will use, and it may be easier to disable your firewall if you use torrents.
The somewhat more complicated approach is to determine the inbound port for your torrent client, and allow inbound traffic on that port.
Using the "default" torrent ports as an example (bittorrent uses ports 6881-6999), the easiest settings for torrent sharing are to allow these ports in and allow all outbound traffic. Check your torrent application for the inbound port or ports (Transmission, the default client in Ubuntu, uses port 51413 for example).
# This first rule allows ports 6881-6999 inclusive
sudo ufw allow 6881:6999/tcp
# Allow all outbound traffic if we blocked it previously
sudo ufw delete deny out to any
Deleting rules
If you need to delete a rule, simply use "delete" followed by the rule exactly as it was added, for example:
sudo ufw delete deny out to any
Additional information
Ubuntu Wiki UFW
Ubuntu Wiki GUFW
Begin linux blog – ubuntu 9.10 ufw firewall
Posted in Linux
Very nice, but
8:47:59-hugo@abacaxi:~$ sudo bash -c “netstat -an | grep LISTEN | grep -v ^unix”
[sudo] password for hugo:
-an: “netstat: command not found
Comment by Hugo Otto — November 23, 2009 @ 11:55 am
Not sure why you do not have netstat installed.
which netstat
/bin/netstat
I have ssh running, so:
netstat -an | grep LISTEN | grep -v ^unix
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
netstat is part of net-tools
http://packages.ubuntu.com/karmic/net-tools
sudo apt-get install net-tools
Comment by bodhi.zazen — November 23, 2009 @ 12:38 pm
Hi, how do I block torrents from our home / office network? I’ve already posted my question here: http://ubuntuforums.org/showthread.php?t=1373079
Thanks for making such a nice blog.
Comment by Live — January 11, 2010 @ 7:44 pm
Blocking torrents is not easy as basically the torrent clients are designed to evade such attempts on your part.
You have been given some good advice in your thread, I would point you at this thread.
http://serverfault.com/questions/27088/using-linux-iptables-how-to-block-torrents-or-any-p2p-protocols
I believe the best solution is to use a proxy server for web access, i.e. something like squid.
So, if you are on a low budget, configure a hardware firewall (which is nothing but an inexpensive box with two network cards) and install a firewall specific distro + squid.
You would then configure the firewall to allow as much internal traffic as you wish, but restrict outbound traffic to http and https (ports 80 and 443) which would be proxied by squid.
Yes it can still be abused.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid
http://www.linuxjunkies.org/html/Bandwidth-Limiting-HOWTO.html
Comment by bodhi.zazen — January 11, 2010 @ 11:51 pm