Firewall Ubuntu GUFW

This is the third post in my firewall series. It follows my previous two posts about firewalls and introduces GUFW, a graphical front end to UFW.

Firewall Ubuntu Desktops
Firewall Ubuntu Servers

Although the GUFW GUI may seem deceptively simple, the graphical front end is both easy to use and capable of performing the most common firewall configuration options. The graphical tool is a perfect place to start if you find ufw and iptables overwhelming.

Again, the most difficult part of managing a firewall is knowing who you wish to allow or restrict (by IP address) and which service and port you need to allow (open) or deny (close). Gufw can help, as many of these options are preconfigured. If you need further assistance, start with gufw, configure as much as you can, and then review the other two links.

GUFW is an option if you installed a few simple servers on your desktop (torrents, for example) or if you installed a graphical desktop or window manager (Gnome, Fluxbox, etc.) to help you administer a server.

As a side note, on the server side, rather than installing a GUI, some people probably use either the command line or web tools such as webmin, phpMyAdmin, etc. to manage servers.

Install GUFW

Although ufw is installed by default, gufw is not.

First, enable the Universe repository.

Then, using any method, install gufw (apt-get shown here).

sudo apt-get update
sudo apt-get -y install gufw

In Ubuntu 9.10, UFW is then located under System -> Administration -> Firewall configuration.

Enable your firewall

Simply click (check off) the “Enabled” button and select “Deny” in the “By Default” pull down menu.

Enable Firewall

The default settings are probably sufficient for the vast majority of Desktop users and, unless you are running a server, nothing further needs to be done. Simply close the GUFW window and your firewall will remain active, even if you reboot.

IMO, the most common servers used on desktops would include torrents, VNC, Samba, Apache, and SSH. If you want to allow access to one or more of these servers, you will need to configure GUFW as outlined below.

Allow inbound connections

UFW manages NEW INBOUND connections. Gufw allows all outbound traffic (see limitations below).

Use the following options if you are running servers and you wish to allow inbound connections from other computers.

To add a rule, first click the “Add” box on the bottom left. You will get a dialog box that offers a number of options.

Preconfigured options

GUFW has a number of common services preconfigured. You can allow a service by program name (perhaps most useful on Desktops). As you can see, common servers used on desktops, such as Transmission, are included (surprise, torrents are servers).

Preconfigured Programs

Or by service (perhaps most useful on servers).

Preconfigured Services

By port

In the “Simple” tab you can open a specific port, by tcp, udp, or both. Simply add the port you wish to open in the box.

Simple

You may specify multiple ports, separated by commas:

22,80,443

Or a range of ports, using a colon. For example, to allow BitTorrent on ports 6881 – 6999, use:

6881:6999

Limit traffic

You may use the “Advanced” tab to allow or deny traffic from a specific IP address or subnet (LAN). Keep in mind that the order of your rules counts, so add deny rules first, then allow rules.

You may blacklist an IP address by denying all traffic from that IP.

In this example, all traffic from your LAN is allowed to connect to Apache (sorry the first part of “192.168.0.0/24” was outside the box).

Limit traffic

Firewall rules are displayed in the main GUFW window. The rule displayed in this example allows all traffic on the LAN (192.168.0.0/24) to access Apache (port 80/tcp) on the server (IP address 192.168.1.10).

Allow Apache
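
The rule-order advice in this section can be checked with a small model. This is an added example, not part of the original post and not ufw's own code: it assumes first-match evaluation with a fall-through to the default policy, and the host 192.168.0.66 and all function names are constructed for illustration.

```python
import ipaddress

DEFAULT_POLICY = "deny"  # the "Deny" choice in GUFW's "By Default" menu


def decide(rules, src, port, proto="tcp", default=DEFAULT_POLICY):
    """Return the action of the first matching rule, else the default policy."""
    addr = ipaddress.ip_address(src)
    for action, network, rule_port, rule_proto in rules:
        if (addr in ipaddress.ip_network(network)
                and rule_port in (None, port)      # None means "any port"
                and rule_proto in (None, proto)):  # None means "any protocol"
            return action
    return default


LAN = "192.168.0.0/24"
BLACKLISTED = "192.168.0.66/32"  # constructed address, assumption for the demo

# Allow added first: the LAN-wide allow matches before the deny is reached.
allow_first = [
    ("allow", LAN, 80, "tcp"),
    ("deny", BLACKLISTED, None, None),
]
# Deny added first, as the post advises: the blacklist entry wins.
deny_first = [
    ("deny", BLACKLISTED, None, None),
    ("allow", LAN, 80, "tcp"),
]


def compare(src, port):
    """Decision under each ordering: (allow_first result, deny_first result)."""
    return decide(allow_first, src, port), decide(deny_first, src, port)


if __name__ == "__main__":
    cases = [("192.168.0.66", 80), ("192.168.0.20", 80),
             ("192.168.0.20", 22), ("203.0.113.9", 80)]
    for src, port in cases:
        print(src, port, compare(src, port))
```

Only the blacklisted host is treated differently by the two orderings; traffic that matches no rule falls through to the default policy in both.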

Remove a rule

Simply select your rule and click the “Remove” button on the bottom.

Remove Rule

Logs

Logging is enabled by default. Under the menu, select Edit -> Preferences

Enable logs

Enable logging by selecting (checking off) “Enable Gufw Logging” and “Enable ufw Logging”.

View the log

Under File, select the “Log” option (the one with the magnifying glass icon).

File - log

And you will see your logs. Although not displayed, any denied traffic will be logged.

View logs

You may clear the logs from this menu as well.
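
To go beyond the log viewer, the denied-traffic entries can be summarised with a short script. This is an added example, not from the original post: the sample lines are constructed and abridged, in the kernel-log format ufw uses for blocked packets, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed, abridged sample lines using documentation addresses.
# The last line is unrelated kernel noise that must be skipped.
SAMPLE_LOG = """\
Nov 28 10:01:02 desktop kernel: [  101.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 ID=4321 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=14600 SYN URGP=0
Nov 28 10:01:03 desktop kernel: [  102.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 ID=4322 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=14600 SYN URGP=0
Nov 28 10:01:04 desktop kernel: [  103.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 ID=4323 DF PROTO=TCP SPT=40114 DPT=23 WINDOW=14600 SYN URGP=0
Nov 28 10:01:05 desktop kernel: [  104.1] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.1.10 LEN=78 TTL=51 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 10:01:06 desktop kernel: [  105.1] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 LEN=84 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 28 10:01:07 desktop kernel: [  106.1] eth0: link up
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; flags such as DF are ignored


def parse_blocks(text):
    """Yield a dict of KEY=value fields for every [UFW BLOCK] line."""
    for line in text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        fields = dict(FIELD.findall(line.split("[UFW BLOCK]", 1)[1]))
        if "SRC" in fields:  # skip truncated lines without a source address
            yield fields


def summarise(text):
    """Count blocked packets per source and per (protocol, destination port)."""
    by_src, by_service = Counter(), Counter()
    for f in parse_blocks(text):
        by_src[f["SRC"]] += 1
        # ICMP entries carry no DPT field, so record "-" for the port.
        by_service[(f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return by_src, by_service


if __name__ == "__main__":
    sources, services = summarise(SAMPLE_LOG)
    for src, count in sources.most_common():
        print(f"{count:3d} blocked from {src}")
    for (proto, port), count in services.most_common():
        print(f"{count:3d} blocked to {proto}/{port}")
```

To run it on real data, pass the contents of the log file instead of `SAMPLE_LOG`; on Ubuntu that is usually `/var/log/ufw.log`, which is an assumption about the installation and not stated in the post.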

Limitations of GUFW

IMO GUFW is designed for users who wish to enable a firewall and do not feel they need to know the dirty details. As such it is simple and effective, although it does not offer all of the available options from either ufw or iptables.

  • GUFW does not manage (limit) outbound traffic.
  • GUFW only manages NEW connections.
  • GUFW does not give the option to block ping or limit connections.

You will need to use either ufw from the command line, learn iptables, or use another configuration tool if you need these options.


26 Responses to Firewall Ubuntu GUFW

  4. Fabian Rodriguez says:

    GUFW ?

    It’s unfortunate such nice application’s names are impossible to pronounce and difficult to spell in all three languages I speak.

    There must be some way to come up with better names! :(

  5. bodhi.zazen says:

    GUFW is an acronym for Graphical Uncomplicated FireWall

    So the name is not bad, just long ;)

  7. Nigel Babu says:

    I was wondering how I configured GUFW after installing it from day 1 of Karmic. Now I got a decent how-to :)

  8. bodhi.zazen says:

    Glad it helped. I enjoy your blog by the way =)

  9. This is a great tutorial and I have added it to my UF sig. I am currently studying for my AS (I do plan to move to higher levels, but gotta start somewhere.) in Networking Security. Reading your threads on the forums and your blogs is sure to help make me a better network engineer.

    Thanks,
    Ronnie

  10. bodhi.zazen says:

    Thank you for your kind words, glad you are headed in the right direction. I am sure you will be teaching the rest of us in short order.

  11. Tridgell says:

    You say ordering of rules is important and so deny first and then allow. Shouldn’t it be the other way round? First allow then deny. So if someone checks rules in the order, allow rules come before deny rules and it does what you expect it to do. Or am I missing anything?

  12. bodhi.zazen says:

    Tridgell: Sorry for the confusion.

    On my ufw/gufw blogs I am referring to “default deny” and the big “Deny” button.

    These settings set the default policy and as such are not rules in a chain.

    They are the same as “sudo iptables -P INPUT DROP”

    The default policy basically tells iptables what to do with a packet that does not match any rules.

    This is related, but not the same as the order of rules within a chain.

    Hope that clarifies things for you, if not, stop ufw and open a terminal. Look at the output and effect of these commands:

    sudo iptables -L -v
    sudo iptables -P INPUT DROP
    sudo iptables -L -v
    sudo iptables -P INPUT ACCEPT
    sudo iptables -L -v

  13. Tridgell says:

    Cool! I think it is much better now after you clarified

  14. Duane says:

    Thanks for your exceptionally informative information on GUFW. Also, your postings in the Ubuntu Forums were extremely helpful. Thanks!

  15. Juegos says:

    It works :-) what I miss is a desktop icon. Thanks for writing this post.

  16. Harish says:

    While installing gufw I’m getting the following errors, for the two respective commands listed for gufw installation…Plz help me…

    E: Some index files failed to download, they have been ignored, or old ones used instead.

    E: Unable to locate package gufw

  17. bodhi.zazen says:

    @Harish:

    gufw is in the repositories (universe), check your repositories.

    http://packages.ubuntu.com/cgi-bin/search_packages.pl?keywords=gufw&searchon=name&subword=1&version=all&release=all

    gufw is a graphical application, so it will not run without X.

  18. Brian says:

    Thanks for a great intro to this program.
    Hope they add more features to it like “limit ssh/tcp” and other cli commands..

  19. bodhi.zazen says:

    @Brian – They are slowly adding features to ufw / gufw. Submit a feature request on Launchpad.

  20. Paul says:

    Just added GUFW to ubuntu 11.10 but I cannot seem to find it active after reboot, is there a simple way to check that it IS working and installed?

    BR
    Paul

  21. bodhi.zazen says:

    @Paul – the command

    sudo ufw status

    will show if your firewall is active.

  22. rick says:

    Is there a way for a noob to enable GUFW at boot/login as root start job?

    Can I find a conf file to set the preferences to show listening report and notifications so they are not reset each logout/boot?

    Great info and thanks!

  23. bodhi.zazen says:

    @ rick : When you enable gufw, your settings are active when you boot. No further configuration is necessary.

  25. Cipher says:

    Thanks, very nice and simple for the beginner!
