Firewall Ubuntu GUFW
This is the third in my Firewall series, a follow-up to my previous two blogs about firewalls, and is intended to introduce GUFW, a graphical front end to UFW.
Firewall Ubuntu Desktops
Firewall Ubuntu Servers
Although the GUFW GUI may seem deceptively simple, the graphical front end is both easy to use and capable of performing the most common firewall configuration tasks. The graphical tool is a perfect place to start if you find ufw and iptables overwhelming.
Again, the most difficult part of managing a firewall is knowing whom you wish to allow or restrict (by IP address) and which service and port you need to allow (open) or deny (close). Gufw can help, as many of these options are preconfigured. If you need further assistance, start with gufw, configure as much as you can, and then review the other two links.
GUFW is an option if you have installed a few simple servers on your desktop (torrents, for example) or if you have installed a graphical desktop/window manager (Gnome, Fluxbox, etc.) to help you administer a server.
As a side note, on the server side, rather than installing a GUI, some people probably use either the command line or web tools such as webmin, phpMyAdmin, etc. to manage servers.
Install GUFW
Although ufw is installed by default, gufw is not.
First, Enable the Universe repository.
Then, using any method, install gufw (apt-get shown here).
sudo apt-get update
sudo apt-get -y install gufw
In Ubuntu 9.10, GUFW is then located under System -> Administration -> Firewall configuration.
Enable your firewall
Simply click (check off) the “Enabled” button and select “Deny” in the “By Default” pull down menu.

The default settings are probably sufficient for the vast majority of Desktop users and, unless you are running a server, nothing further needs to be done. Simply close the GUFW window and your firewall will remain active, even if you reboot.
IMO, the most common servers used on desktops would include torrents, VNC, Samba, Apache, and SSH. If you want to allow access to one or more of these servers you will need to configure GUFW as outlined below.
Allow inbound connections
UFW manages NEW INBOUND connections. Gufw allows all outbound traffic (see limitations below).
Use the following options if you are running servers and you wish to allow inbound connections from other computers.
To add a rule, first click the “Add” box on the bottom left. You will get a dialog box which will allow you a number of options.
Preconfigured options
GUFW has a number of common services preconfigured. You can allow a service by program name (perhaps most useful on desktops). As you can see, common servers used on desktops, such as Transmission, are included (surprise, torrents are servers).

Or by service (perhaps most useful on servers).

By port
In the “Simple” tab you can open a specific port, by tcp, udp, or both. Simply add the port you wish to open in the box.

You may specify multiple ports, comma delimited:
22,80,443
Or a range of ports separated by a colon (:), so to allow BitTorrent, which uses ports 6881 – 6999, use
6881:6999
Limit traffic
You may use the “Advanced” tab to allow or deny traffic from a specific IP address or subnet (LAN). Keep in mind that the order of your rules matters, so deny first, then allow.
You may blacklist an ip address by denying all traffic from that IP.
In this example, all traffic from your LAN is allowed to connect to Apache (sorry, the first part of “192.168.0.0/24” was outside the box).

Firewall rules are displayed in the main GUFW window. The rule displayed in this example allows all traffic on the LAN (192.168.0.0/24) to access Apache (port 80/tcp) on the server (IP address 192.168.1.10).
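As an added illustration (not code from the original post or from gufw itself), here is what the Simple and Advanced tab inputs above correspond to as ufw commands, with the validation a practitioner would want before such a rule reaches the firewall. The helper functions and sample values are my own; one caveat they encode is that ufw insists on an explicit protocol when a rule covers a port list or a range, so "both" becomes a tcp rule plus a udp rule in that case.

```python
import ipaddress
import re

# A port spec as typed into the GUFW "Simple" tab: "80", "22,80,443" or "6881:6999".
_PORT_SPEC = re.compile(r"^\d{1,5}(?:,\d{1,5})*$|^\d{1,5}:\d{1,5}$")

def parse_port_spec(spec):
    """Validate the port box text; return (spec, multi) where multi means
    more than one port is covered (a comma list or a range)."""
    spec = str(spec).replace(" ", "")
    if not _PORT_SPEC.match(spec):
        raise ValueError(f"bad port spec: {spec!r}")
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":"))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {spec!r}")
        return spec, True
    ports = [int(p) for p in spec.split(",")]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range: {spec!r}")
    return spec, len(ports) > 1

def simple_rule(action, spec, proto="both"):
    """ufw command(s) equivalent to a Simple-tab rule. "both" with a single
    port is one protocol-less rule; with a list or range ufw requires an
    explicit protocol, so "both" becomes one tcp rule and one udp rule."""
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action!r}")
    spec, multi = parse_port_spec(spec)
    if proto == "both":
        protos = ["tcp", "udp"] if multi else [""]
    elif proto in ("tcp", "udp"):
        protos = [proto]
    else:
        raise ValueError(f"bad protocol: {proto!r}")
    return [f"ufw {action} {spec}" + (f"/{p}" if p else "") for p in protos]

def advanced_rule(action, src, dst, port, proto):
    """ufw command equivalent to an Advanced-tab rule: traffic from a source
    IP or subnet (CIDR) to a destination IP and port. Addresses are parsed
    first so a typo never reaches the firewall."""
    if action not in ("allow", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"bad action/protocol: {action!r}/{proto!r}")
    src_net = ipaddress.ip_network(src, strict=False)  # "192.168.0.0/24" or a single host
    dst_ip = ipaddress.ip_address(dst)
    parse_port_spec(port)
    return f"ufw {action} proto {proto} from {src_net} to {dst_ip} port {port}"
```

Each returned string is the command you would type with sudo; nothing here touches the firewall itself.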

Remove a rule
Simply select your rule and click the “Remove” button on the bottom.

Logs
Logging is enabled by default. Under the menu, select Edit -> Preferences.

Enable logging by selecting (checking off) your “Enable Gufw Logging” and “Enable ufw Logging”.
View the log
Under File, select the option “Log” (the one with the magnifying glass icon)
and you will see your logs. Although not displayed here, any denied traffic will be logged.

You may clear the logs from this menu as well.
Limitations of GUFW
IMO, GUFW is designed for users who wish to enable a firewall and do not feel they need to know the dirty details. As such it is simple and effective, although it does not offer all of the options available from either ufw or iptables.
- GUFW does not manage (limit) outbound traffic.
- GUFW only manages NEW connections.
- GUFW does not give the option to block ping or limit connections.
You will need to use either ufw from the command line, learn iptables, or use another configuration tool if you need these options.
GUFW ?
It’s unfortunate such nice application’s names are impossible to pronounce and difficult to spell in all three languages I speak.
There must be some way to come up with better names!
Comment by Fabian Rodriguez — November 25, 2009 @ 7:35 am
GUFW is an acronym for Graphical Uncomplicated FireWall
So the name is not bad, just long
Comment by bodhi.zazen — November 25, 2009 @ 8:23 am
I was wondering how I configured GUFW after installing it from day 1 of Karmic. Now I got a decent how-to
Comment by Nigel Babu — December 10, 2009 @ 1:22 am
Glad it helped. I enjoy your blog by the way =)
Comment by bodhi.zazen — December 10, 2009 @ 9:49 am
This is a great tutorial and I have added it to my UF sig. I am currently studying for my AS (I do plan to move to higher levels, but gotta start somewhere.) in Networking Security. Reading your threads on the forums and your blogs is sure to help make me a better network engineer.
Thanks,
Ronnie
Comment by Ronnie aka running_rabbit07 — January 12, 2010 @ 8:00 pm
Thank you for your kind words, glad you are headed in the right direction. I am sure you will be teaching the rest of us in short order.
Comment by bodhi.zazen — January 13, 2010 @ 3:27 pm
You say ordering of rules is important and so deny first and then allow. Shouldn’t it be the other way round? First allow then deny. So if someone checks rules in order, allow rules come before deny rules and it does what you expect it to do. Or am I missing anything?
Comment by Tridgell — January 28, 2010 @ 1:42 am
Tridgell: Sorry for the confusion.
On my ufw/gufw blogs I am referring to “default deny” and the big “Deny” button.
These settings set the default policy and as such are not rules in a chain.
They are the same as “sudo iptables -P INPUT DROP”
The default policy basically tells iptables what to do with a packet that does not match any rules.
This is related, but not the same as the order of rules within a chain.
Hope that clarifies things for you; if not, stop ufw and open a terminal. Look at the output and effect of these commands:
sudo iptables -L -v
sudo iptables -P INPUT DROP
sudo iptables -L -v
sudo iptables -P INPUT ACCEPT
sudo iptables -L -v
Comment by bodhi.zazen — January 28, 2010 @ 4:07 pm
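To illustrate the distinction bodhi.zazen draws above between the default policy and the order of rules in a chain, here is a small Python model of an INPUT chain (an added example, not code from the post or its comments; the addresses and rules are constructed). It shows that the policy only decides packets no rule matches, while a blacklist rule placed after a broader allow never fires.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str          # "ACCEPT" or "DROP"
    src: str             # source IP or CIDR, e.g. "192.168.0.0/24"
    dport: int = None    # destination port; None matches any port

    def matches(self, src_ip, dport):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
        return in_net and self.dport in (None, dport)

@dataclass
class Chain:
    """A minimal model of the iptables INPUT chain: rules are tried in order
    and the first match decides; the policy (iptables -P INPUT ...) is not a
    rule and only applies when nothing in the chain matched."""
    policy: str
    rules: list = field(default_factory=list)

    def verdict(self, src_ip, dport):
        for rule in self.rules:
            if rule.matches(src_ip, dport):
                return rule.action
        return self.policy

def demo():
    # Constructed example: the Apache rule from the post plus a blacklisted LAN host.
    allow_lan = Rule("ACCEPT", "192.168.0.0/24", 80)
    ban_host = Rule("DROP", "192.168.0.99")
    return {
        # An outside host matches no rule, so the policy alone decides.
        "stranger_drop_policy": Chain("DROP", [allow_lan]).verdict("10.0.0.5", 80),
        "stranger_accept_policy": Chain("ACCEPT", [allow_lan]).verdict("10.0.0.5", 80),
        # Overlapping rules: the blacklist only works if it comes before the allow.
        "ban_after_allow": Chain("DROP", [allow_lan, ban_host]).verdict("192.168.0.99", 80),
        "ban_before_allow": Chain("DROP", [ban_host, allow_lan]).verdict("192.168.0.99", 80),
    }
```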
Cool! I think it is much better now after you clarified
Comment by Tridgell — January 29, 2010 @ 12:24 am