Firewall Ubuntu Desktops

Many Ubuntu users are interested in learning how to enable a firewall. Most of them seem to be interested in filtering inbound and outbound connections on a Desktop installation.

Without getting into the inevitable debate on the merits of using a firewall, I would like to pass on some basic information. Please understand that discussions about firewalls, and the technical details of how a firewall works, can become complicated very fast. The goal of this blog post is therefore to enable users to feel comfortable with the basic firewall manipulations on an Ubuntu Desktop installation.

You should also know that, by default, Ubuntu, unlike some operating systems, has no significant listening servers. You may list your listening servers with any of the following commands:

sudo bash -c "netstat -an | grep LISTEN | grep -v ^unix"
sudo netstat -ntulp
sudo lsof -i -n -P

Alternatively, you may perform a port scan from a second computer, e.g. with nmap.

I strongly advise the use of UFW (Uncomplicated FireWall) as it is installed by default, the syntax is easy to understand, and the defaults are more than adequate for the vast majority of users. If you prefer a graphical front end, install GUFW.

Enable your firewall

This is very easy:

sudo ufw enable

Deny incoming connections

This setting will deny all new incoming connections. Established connections (connections you request) are allowed.

sudo ufw default deny

Since we are not running a server, nothing further is required for incoming connections.

Deny outgoing connections

This is a bit harder, as you need to know which services you wish to allow and write rules for the outbound traffic you wish to permit. Common services you may wish to allow (and their ports) include:

Basic services:
DNS (Domain Name Service) = protocol udp, port 53.
Web browsing = http, protocol tcp, port 80.
Secure web browsing = https, protocol tcp, port 443.
Mail = protocol tcp, port 25.
FTP = protocol tcp, ports 20 and 21.
SSH = protocol tcp, port 22.
VNC = protocol tcp, port 5900.
Samba uses multiple ports: protocol udp, ports 137 and 138, as well as protocol tcp, ports 139 and 445.
IRC = protocol tcp; Ubuntu servers default to port 8001.

A listing of ports can be found here.

UFW matches outbound traffic on the destination port at the remote server. To allow the outbound traffic listed above use:

sudo ufw allow out 53,137,138/udp
sudo ufw allow out 20,21,22,25,80,139,443,5900,8001/tcp

Then block all other outbound traffic with:

sudo ufw deny out to any

Keep in mind that the order of the rules is critical: rules are matched top to bottom, so if you later need to allow additional traffic you will need to insert the new rule before the catch-all deny rather than append it.

List your rules by number with:

sudo ufw status numbered

If you used the above syntax you will see:

Status: active

     To                                     Action      From
     --                                     ------      ----
[ 1] 53,137,138/udp                         ALLOW OUT   Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp   ALLOW OUT   Anywhere (out)
[ 3] Anywhere                               DENY OUT    Anywhere (out)

Say we wish to allow outbound telnet on port 23. We need to add this before the third rule (which denies all outbound traffic). We do this with insert:

sudo ufw insert 3 allow out 23
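Because the catch-all deny must stay last, the number you pass to insert depends on what "ufw status numbered" currently shows. The following script is an added example, not code from the original post: it builds the outbound rule set in the right order and works out the insert position from the status output (the sample status text is copied from above). Nothing in it calls ufw, so it can be checked before touching a live system.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the outbound rule set in
# the order that matters and computes where a new "allow out" rule must be
# inserted so it lands before the catch-all "deny out to any". Nothing here
# calls ufw; the functions only print commands and numbers.

# Emit the ufw commands for an outbound allow-list. $1 = udp ports, $2 = tcp
# ports, each comma-separated as ufw accepts them. Allow rules come first and
# the catch-all deny last, because ufw matches rules top to bottom.
outbound_ruleset() {
    udp=$1; tcp=$2
    echo "ufw default deny"                      # incoming: deny new connections
    [ -n "$udp" ] && echo "ufw allow out $udp/udp"
    [ -n "$tcp" ] && echo "ufw allow out $tcp/tcp"
    echo "ufw deny out to any"                   # must stay the last outbound rule
}

# Read "ufw status numbered" output on stdin and print the number of the first
# catch-all outbound deny (To = Anywhere, action DENY OUT). On dual-stack hosts
# the IPv4 line comes first, and that is the number ufw insert needs.
catchall_out_index() {
    awk '/^\[ *[0-9]+\] +Anywhere( \(v6\))? +DENY OUT/ {
             match($0, /[0-9]+/)
             print substr($0, RSTART, RLENGTH)
             exit
         }'
}

# Sample status output, copied from the post, used as offline input below.
SAMPLE_STATUS='     To                         Action      From
     --                         ------      ----
[ 1] 53,137,138/udp             ALLOW OUT   Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT   Anywhere (out)
[ 3] Anywhere                   DENY OUT    Anywhere (out)'

# Print the command that allows a new outbound port (e.g. 23/tcp for telnet)
# before the catch-all; if no catch-all exists, a plain append is enough.
# $1 = port[/proto], $2 = status text (defaults to the sample above).
insert_out_cmd() {
    port=$1
    status=${2:-$SAMPLE_STATUS}
    idx=$(printf '%s\n' "$status" | catchall_out_index)
    if [ -n "$idx" ]; then
        echo "ufw insert $idx allow out $port"
    else
        echo "ufw allow out $port"
    fi
}
```

To use it against a real host, feed the output of "sudo ufw status numbered" to catchall_out_index instead of the sample text, then run the printed command with sudo.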

Peer-to-peer (torrents)

Peer-to-peer file sharing via torrents is popular, and allowing torrent traffic is a bit complicated. The major reason is that ISPs often block common torrent ports, so it is almost impossible to know which ports will be used for the torrent transfer, and it may be easier to disable your firewall while you use torrents.

The somewhat more complicated approach is to determine the inbound port your torrent client uses and allow inbound traffic on that port.

Using the "default" torrent ports as an example (BitTorrent uses ports 6881-6999), the easiest settings for torrent sharing are to allow these ports in and to allow all outbound traffic. Check your torrent application for its inbound port or ports (Transmission, the default client in Ubuntu, uses port 51413 for example).

# This first rule allows ports 6881-6999 inclusive
sudo ufw allow 6881:6999/tcp

# Allow all outbound traffic if we blocked it previously
sudo ufw delete deny out to any

Deleting rules

If you need to delete a rule, simply use "delete" followed by the rule exactly as you wrote it, for example:

sudo ufw delete deny out to any

Logs

ufw logs messages to /var/log/messages, and logging is enabled or disabled from the command line.

sudo ufw logging on
sudo ufw logging off

The options are on, off, low, medium, high, and full; on is the same as low.

From the ufw man page:

LOGGING

ufw supports multiple logging levels. ufw defaults to a loglevel of
'low' when a loglevel is not specified. Users may specify a loglevel
with:

ufw logging LEVEL

LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are
defined as:

off disables ufw managed logging

low logs all blocked packets not matching the default policy (with
rate limiting), as well as packets matching logged rules

medium log level low, plus all allowed packets not matching the default
policy, all INVALID packets, and all new connections. All
logging is done with rate limiting.

high log level medium (without rate limiting), plus all packets with
rate limiting

full log level high without rate limiting

Loglevels above medium generate a lot of logging output, and may
quickly fill up your disk. Loglevel medium may generate a lot of
logging output on a busy system.

Specifying 'on' simply enables logging at log level 'low' if logging is
currently not enabled.

Additional information

Ubuntu Wiki UFW
Ubuntu Wiki GUFW
Begin linux blog – ubuntu 9.10 ufw firewall


25 Responses to Firewall Ubuntu Desktops

  1. Hugo Otto says:

    Very nice, but

    8:47:59-hugo@abacaxi:~$ sudo bash -c “netstat -an | grep LISTEN | grep -v ^unix”
    [sudo] password for hugo:
    -an: “netstat: command not found

  2. bodhi.zazen says:

    Not sure why you do not have netstat installed.

    which netstat
    /bin/netstat

    I have ssh running, so:

    netstat -an | grep LISTEN | grep -v ^unix
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp6 0 0 :::22 :::* LISTEN

    netstat is part of net-tools

    http://packages.ubuntu.com/karmic/net-tools

    sudo apt-get install net-tools

  3. Pingback: Shadows of epiphany » Blog Archive » Firewall Ubuntu Servers

  4. Pingback: Shadows of epiphany » Blog Archive » Firewall Ubuntu Desktops Ubuntu Netbook

  5. Pingback: Bodhi.Zazen: Firewall Ubuntu Servers | TuxWire : The Linux Blog

  6. Pingback: Shadows of epiphany » Blog Archive » Firewall Ubuntu Desktops | Just linux!

  7. Pingback: Tweets that mention Shadows of epiphany » Blog Archive » Firewall Ubuntu Desktops -- Topsy.com

  8. Pingback: uberVU - social comments

  9. Pingback: Bodhi.Zazen: Firewall Ubuntu Servers | L&C Tech Talk

  10. Pingback: Shadows of epiphany » Blog Archive » Firewall Ubuntu GUFW

  11. Pingback: Bodhi.Zazen: Firewall Ubuntu GUFW | L&C Tech Talk

  12. Pingback: Bodhi.Zazen: Firewall Ubuntu GUFW | TuxWire : The Linux Blog

  13. Pingback: Peng’s links for Thursday, 3 December « I’m Just an Avatar

  14. Pingback: Build a secure desktop firewall with ufw-part I « Le Blog de Maurice

  15. Live says:

    Hi, how do I block torrents from our home / office network? I’ve already posted my question here: http://ubuntuforums.org/showthread.php?t=1373079

    Thanks for making such a nice blog.

  16. bodhi.zazen says:

    Blocking torrents is not easy as basically the torrent clients are designed to evade such attempts on your part.

    You have been given some good advice in your thread, I would point you at this thread.

    http://serverfault.com/questions/27088/using-linux-iptables-how-to-block-torrents-or-any-p2p-protocols

    I believe the best solution is to use a proxy server for web access, ie something like squid.

    So, if you are on a low budget, configure a hardware firewall (which is nothing but an inexpensive box with two network cards) and install a firewall specific distro + squid.

    You would then configure the firewall to allow as much internal traffic as you wish, but restrict outbound traffic to http and https (ports 80 and 443) which would be proxied by squid.

    Yes it can still be abused.

    http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid

    http://www.linuxjunkies.org/html/Bandwidth-Limiting-HOWTO.html

  17. Live says:

    Hi, thank you very much for that enlightenment. I'm sorry I only replied now, after 3 months; I was too busy at work to think about security at the time. Anyway, I read all those things you said above, and I'm very grateful for your answers.

    More power to you sir! :)

  18. osjak says:

    To answer the first commenter, the double quotes in the text are not regular double quotes. So if a reader simply copies the line and attempts to run it, an error pops up. To fix the problem simply substitute the double quotes in the copied line with manually typed ones:
    sudo bash -c "netstat -lpn | grep LISTEN | grep -v ^unix"

    bodhi.zazen, thanks for this blog, very helpful.

  19. just_shark says:

    Hello, I'm from Russia.
    I've searched for a manual like this for hours on Russian-language websites and finally found the solution here.
    Thank you very much, mysterious friend.

    Cyril, Russia, Saint-Petersburg.

    PS:
    Sorry if there are mistakes in my comment.

  20. Mörgæs says:

    Hi, thanks for a good guide.

    Is there an easy way for obtaining the following:

    I would like an ssh server to be accessible for everyone on the local net (192.168.x.x.), but not for access from outside.

    Thanks in advance.

  21. bodhi.zazen says:

    @ Mörgæs

    sudo ufw allow proto tcp from 192.168.x.x/24 to your_ip_address port 22

    Example (assuming your ssh server is at 192.168.0.10):

    sudo ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.10 port 22

  22. Live says:

    Hi bodhi, always learning a lot from you, which is more powerful, UFW or iptables? For a beginner or SOHO environment?

    Also, do you think GUFW is severely limited? The reason I’m asking is, I can’t configure NAT’ing in GUFW.

  23. bodhi.zazen says:

    Thank you for your kind words Live.

    Personally I encourage you start with UFW. UFW is sufficient for most desktop users and is easy to implement.

    More important, the syntax of UFW is close to iptables, so if you learn how to use UFW it is easier to then use iptables.

    iptables is more “powerful” as it has many options that are simply not easily available in UFW. Allowing outbound traffic per user and NAT would be two examples.

    Personally I tend to use ufw on mobile devices (laptops / netbooks) and iptables on servers.

    HTH =)

  24. Pingback: ubuntu ufw firewall configuration reference | A good host

  25. Pingback: Firewalling Ubuntu desktops | 0ddn1x: tricks with *nix
