This is the third in my firewall series, following up on my previous two blog posts about firewalls, and is intended to introduce GUFW, a graphical front end to UFW.
Although the GUFW GUI may seem deceptively simple, the graphical front end is both easy to use and capable of performing the most common firewall configuration options. The graphical tool is a perfect place to start if you find ufw and iptables overwhelming.
Again, the most difficult part of managing a firewall is knowing who you wish to allow or restrict (by IP address) and what service and port you need to allow (open) or deny (close). Gufw can help, as many of these options are preconfigured. If you need further assistance, start with gufw, configure as much as you can, and then review the other two links.
GUFW is an option if you have installed a few simple servers on your desktop (torrents, for example) or if you installed a graphical desktop/window manager (Gnome, Fluxbox, etc.) to help you administer a server.
Although ufw is installed by default, gufw is not.
First, enable the Universe repository.
Then, using any method, install gufw (apt-get shown here).
sudo apt-get update
sudo apt-get -y install gufw
In Ubuntu 9.10, GUFW is then located under System -> Administration -> Firewall configuration.
Enable your firewall
Simply click (check off) the “Enabled” button and select “Deny” in the “By Default” pull down menu, so that incoming connections are blocked unless a rule explicitly allows them.
The default settings are probably sufficient for the vast majority of Desktop users and, unless you are running a server, nothing further needs to be done. Simply close the GUFW window and your firewall will remain active, even if you reboot.
IMO, the most common servers used on desktops would include torrents, VNC, Samba, Apache, and SSH. If you want to allow access to one or more of these servers you will need to configure GUFW as outlined below.
Allow inbound connections
UFW manages NEW INBOUND connections. Gufw allows all outbound traffic (see limitations below).
Use the following options if you are running servers and you wish to allow inbound connections from other computers.
To add a rule, first click the “Add” box on the bottom left. You will get a dialog box which offers a number of options.
GUFW has a number of common services preconfigured. You can allow a service by program name (perhaps most useful on desktops). As you can see, common servers used on desktops, such as Transmission, are included (surprise, torrents are servers).
Or by service (perhaps most useful on servers).
In the “Simple” tab you can open a specific port, by tcp, udp, or both. Simply add the port you wish to open in the box.
You may specify multiple ports, comma delimited.
Or a range of ports, using a colon (:). So, to allow BitTorrent on ports 6881 – 6999, use
You may use the “Advanced” tab to allow or deny traffic from a specific IP address or subnet (LAN). Keep in mind that the order of your rules counts: rules are matched in order, so add deny rules first, then allow rules.
You may blacklist an ip address by denying all traffic from that IP.
In this example, all traffic from your LAN is allowed to connect to Apache (sorry the first part of “192.168.0.0/24” was outside the box).
Firewall rules are displayed in the main GUFW window. The rule displayed in this example allows all traffic on the LAN (192.168.0.0/24) to access Apache (port 80/tcp) on the server (IP address 192.168.1.10).
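Every rule the GUI builds is handed to ufw as a plain command, so it is worth seeing what those commands look like before they reach the firewall. The script below is an added example, not code from this post or from the gufw project: it validates the port and address input the Simple and Advanced tabs accept, then prints (dry run) the ufw command each rule corresponds to. The helper names (run_ufw, allow_port, host_rule), the DRY_RUN variable and the blacklisted address 203.0.113.7 are assumptions made for the example; the LAN, server and port values are the ones from the rule above.

```shell
#!/bin/sh
# Added example (not from the original post or the gufw project): a dry-run
# helper that validates each GUI-style rule and prints the ufw command it
# corresponds to, so a rule set can be reviewed before it reaches the firewall.
# Set DRY_RUN=0 to actually apply the rules with sudo.
DRY_RUN=${DRY_RUN:-1}

run_ufw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# Accept a single port (1-65535) or a low:high range, as in the Simple tab.
valid_port_spec() {
    case "$1" in
        *:*)
            lo=${1%%:*}; hi=${1#*:}
            case "$hi" in *:*) return 1 ;; esac
            valid_port_spec "$lo" && valid_port_spec "$hi" && [ "$lo" -lt "$hi" ]
            ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# Accept a dotted-quad IPv4 address, optionally with a /prefix (LAN subnet).
valid_ipv4() {
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    echo "$addr" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Simple tab: open a port or range for tcp, udp, or both.
allow_port() {  # allow_port <port|lo:hi> [tcp|udp|both]
    proto=${2:-both}
    valid_port_spec "$1" || { echo "invalid port spec: $1" >&2; return 1; }
    case "$proto" in
        tcp|udp) run_ufw allow "$1/$proto" ;;
        both)
            case "$1" in
                *:*) run_ufw allow "$1/tcp" && run_ufw allow "$1/udp" ;;  # ufw needs a protocol for ranges
                *)   run_ufw allow "$1" ;;
            esac ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
}

# Advanced tab: allow or deny traffic from a host or subnet, optionally
# restricted to one server address and port.
host_rule() {  # host_rule <allow|deny> <src ip|cidr> [server ip] [port] [tcp|udp]
    action=$1; src=$2; dst=$3; port=$4; proto=$5
    case "$action" in allow|deny) ;; *) echo "action must be allow or deny" >&2; return 1 ;; esac
    valid_ipv4 "$src" || { echo "invalid source: $src" >&2; return 1; }
    set -- from "$src"
    if [ -n "$dst" ]; then
        valid_ipv4 "$dst" || { echo "invalid server address: $dst" >&2; return 1; }
        set -- "$@" to "$dst"
    fi
    if [ -n "$port" ]; then
        valid_port_spec "$port" || { echo "invalid port: $port" >&2; return 1; }
        set -- "$@" port "$port"
    fi
    if [ -n "$proto" ]; then
        set -- "$@" proto "$proto"
    fi
    run_ufw "$action" "$@"
}

# The rules from the post, in the order ufw should receive them. ufw matches
# rules in order, so the blacklist entry goes in before the broader LAN allow.
# 203.0.113.7 is a constructed (documentation-range) address.
allow_port 6881:6999 tcp                              # BitTorrent, Simple tab
host_rule deny 203.0.113.7                            # blacklist one host first
host_rule allow 192.168.0.0/24 192.168.1.10 80 tcp    # then LAN -> Apache
```

Running it as-is only prints the three commands; compare them with what the main GUFW window shows, and only then set DRY_RUN=0 to apply them. Note that a "both" range is emitted as two commands, because ufw refuses a port range without a protocol.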
Remove a rule
Simply select your rule and click the “Remove” button on the bottom.
Logging is enabled by default. To check or change it, select Edit -> Preferences from the menu.
Enable logging by selecting (checking off) both “Enable Gufw Logging” and “Enable ufw Logging”.
View the log
Under File, select the “Log” option (the one with the magnifying glass icon)
and you will see your logs. Although none are displayed in this example, any denied traffic will be logged.
You may clear the logs from this menu as well.
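The log viewer shows the raw lines ufw writes to syslog, which become hard to read once a host is being probed repeatedly. The script below is an added example, not code from this post or from the gufw project: it summarises the "[UFW BLOCK]" lines by source address, protocol and destination port, which is the quickest way to spot one host hammering a closed port. The log lines are constructed samples (the field layout is the one ufw's kernel log messages use), and the function names are assumptions for the example; it reads any ufw log on standard input, so it can be pointed at /var/log/ufw.log as well.

```shell
#!/bin/sh
# Added example (not from the original post or the gufw project): summarise
# the "[UFW BLOCK]" lines that ufw writes to syslog, counting denied
# connection attempts per source address, protocol and destination port.
# The log lines below are constructed samples; the field layout (SRC=, DST=,
# PROTO=, SPT=, DPT=) is the one ufw's kernel log messages use.
SAMPLE_LOG='Jan 14 10:01:02 desktop kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 10:01:05 desktop kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 10:02:11 desktop kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 10:03:00 desktop kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 10:03:30 desktop kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=UDP SPT=5000 DPT=137 LEN=58
Jan 14 10:04:00 desktop kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'

# Read log lines on stdin; print "count source proto dport", busiest first.
# Lines logged as [UFW ALLOW] are skipped; ICMP has no port and is shown as "-".
blocked_summary() {
    awk '/\[UFW BLOCK\]/ {
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Number of blocked packets from one source address, read from stdin.
blocked_from() {
    awk -v src="$1" '/\[UFW BLOCK\]/ && index($0, "SRC=" src " ") { n++ } END { print n + 0 }'
}

# Summarise the constructed sample; for a live system use:
#   blocked_summary < /var/log/ufw.log
printf '%s\n' "$SAMPLE_LOG" | blocked_summary
```

On the sample the first line of the summary is "2 203.0.113.7 TCP 22": two SYNs to SSH from the same host, which is exactly the kind of entry the Advanced tab's blacklist rule is for. Allowed connections never appear in the summary, and a source that only sent pings shows up with a "-" port, matching the page's note that GUFW itself offers no option to block ping.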
Limitations of GUFW
IMO, GUFW is designed for users who wish to enable a firewall and do not feel they need to know the dirty details. As such it is simple and effective, although it does not offer all of the options available from either ufw or iptables.
- GUFW does not manage (limit) outbound traffic.
- GUFW only manages NEW connections.
- GUFW does not give the option to block ping or limit connections.
You will need to use ufw from the command line, learn iptables, or use another configuration tool if you need these options.