Many Ubuntu users are interested in learning how to enable a firewall. The majority of people seem to be interested in filtering in an out bound connections on a Desktop installation.
Without getting into the inevitable debate on the merits of using a firewall, I would like to pass on some basic information. Please understand that discussions about firewalls and understanding the technical details of a firewall can become complicated very fast. The goal of this blog therefore is to enable users to feel comfortable with the basic firewall manipulations on an Ubuntu Desktop installation.
You should also know, by default Ubuntu, unlike some operating systems, has no significant listening servers. You may list your listening servers with any of the following commands:
sudo bash -c “netstat -an | grep LISTEN | grep -v ^unix”
sudo lsof -i -n -P
Alternately you may perform a portscan from a second computer, ie nmap
I strongly advise the use of UFW (Uncomplicated FireWall) as it is installed by default, the syntax is easy to understand, and the defaults are more then adequate for the vast majority of users. If you prefer a graphical front end, install GUFW.
Enable your firewall
This is very easy:
sudo ufw enable
Deny incoming connections
This setting will deny all new incoming connections. Established connections (connections you request) are allowed.
sudo ufw default deny
Since we are not running a server, nothing further is required for incoming connections.
Deny outgoing connections
This is a bit harder as you need to know the services you wish to allow and write rules for outbound traffic you wish to allow. Common services you may wish to allow (and their ports) include:
DNS (Domain Name Service) = protocol udp port 53.
Web browsing = http protocol tcp port 80.
Secure web browsing = https protocol tcp port 443.
Mail = protocol tcp port 25.
FTP = protocol tcp port 20 and 21.
SSH = protocol tcp port 22.
VNC = protocol tcp port 5900.
Samba uses multiple ports , protocol udp ports 137 and 138 as well as tcp ports 139, and 445.
IRC protocol tcp , Ubuntu Servers defaults to 8001.
A listing of ports can be found here.
UFW will block outbound traffic based on the destination port on the server. To allow the outbound traffic listed above use:
sudo ufw allow out 53,137,138/udp
sudo ufw allow out 20,21,22,25,80,139,443,5900,8001/tcp
Then block all other outbound traffic with:
sudo ufw deny out to any
Keep in mind, order of the rules is critical. So if you need to allow additional traffic, you will need to insert a rule.
List your rules by number with:
sudo ufw status numbered
If you used the above syntax you will see :
To Action From
-- ------ ----
[ 1] 53,137,138/udp ALLOW OUT Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT Anywhere (out)
[ 3] Anywhere DENY OUT Anywhere (out)
Say we wish to allow out telnet on port 23. We will need to add this before the third rule (which denies all outbound traffic). We do this using insert.
ufw insert 3 allow out 23
Peer-to-peer file sharing via torrents are popular and allowing torrent traffic is a bit complicated. The major reason for this is that IP providers often block common torrent ports, so it is almost impossible to know what ports will be used for the torrent transfer and it may be easier to disable your firewall if you use torrents.
The somewhat more complicated approach is to determine the inbound port for your torrent client, and allow inbound traffic on that port.
Using the “default” torrent ports as an example (bittorrent uses ports 6881-6999), the easiest settings for torrent sharing are to allow these ports in and allow all outbound traffic. Check your torrent application for the inbound port or ports (Transmission, the default client in Ubuntu, uses port 51413 for example).
#This first rule allow ports 6881-6999 inclusive
sudo ufw allow 6881:6999/tcp
# Allow all outbound traffic if we blocked it previously
sudo ufw delete deny out to any
If you need to delete a rule, simply use “delete”, for example:
sudo ufw delete deny out to all
ufw logs messages to /var/log/messages and logging is enabled / disabled from the command line.
sudo ufw logging on
sudo ufw logging off
The options are on, off, low, medium, high, and full. on = Low.
From the ufw man pages :
ufw supports multiple logging levels. ufw defaults to a loglevel of
’low’ when a loglevel is not specified. Users may specify a loglevel
ufw logging LEVEL
LEVEL may be ’off’, ’low’, ’medium’, ’high’ and full. Log levels are
off disables ufw managed logging
low logs all blocked packets not matching the default policy (with
rate limiting), as well as packets matching logged rules
medium log level low, plus all allowed packets not matching the default
policy, all INVALID packets, and all new connections. All
logging is done with rate limiting.
high log level medium (without rate limiting), plus all packets with
full log level high without rate limiting
Loglevels above medium generate a lot of logging output, and may
quickly fill up your disk. Loglevel medium may generate a lot of
logging output on a busy system.
Specifying ’on’ simply enables logging at log level ’low’ if logging is
currently not enabled.