How to configure UFW for a basic desktop / laptop?

A basic Desktop firewall is going to deny inbound and allow outbound 'traffic' in a basic setup. Essentially, while Windows can incorporate application-based filtering, its default rulesets are to permit outbound and reject inbound except where the outbound traffic is getting a response. This is the typical "desktop" firewall setup usually observed in the wild on the typical end user's desktops.

(Ideally, you are using ufw for simplicity, but a truly useful ruleset will use pure iptables instead.)


The ufw way. And probably the most basic but effective ufw setup for a Desktop computer that doesn't need any special inbound connections or special restrictions going outbound:

In theory, you will want to deny inbound traffic, and permit outbound, and allow incoming traffic related to your actions going outbound. ufw pretty much does this by default.

Note that I do not have any additional allow rules here. You don't need any additional allow rules - ufw by default does what my manually installed iptables set below does - it accepts inbound traffic related to an established outgoing connection, so web browser connections and email clients, which initialize their outgoing communications in the high port numbers which are the 'random ports range', will work, and you won't need to accept http (80), https (443), etc. traffic on their ports back in because it's already transparently handled. Adding additional ALLOW IN rules like Boris's answer does only opens the typical desktop user to unneeded connections on those ports, which a Desktop would not need.

(1) Enable UFW

Turn on ufw rules

ufw enable

This should really be all you need to do for ufw. But, you can continue on if you want.

(2) Deny Inbound Traffic

Pretty sure this is default, but to make sure, run this to make sure it denies incoming traffic by default (except that related to outgoing, such as web browser stuff):

ufw default deny incoming

(3) Permit Outbound Traffic

This should also be the default, but run it and make sure that outgoing traffic is allowed:

ufw default allow outgoing

That should be all you need to do!

(I will spot check this later today)


And then, there is my way, with iptables and manual manipulation of the netfilter/iptables rules instead of ufw (which does that silently)

From what I can tell, ufw has a default ruleset and that should be all you need for the typical desktop.

However, I prefer the iptables approach because I know iptables pretty well so far, and because I like manually configuring my firewall rather than let ufw or random firewall control software build my rules for me.

This is my ruleset for iptables (NOT ufw) on my basic desktops with no other things listening, and is not being locked down like my personal laptop computer is. It also achieves pretty much almost exactly the same thing that the UFW stuff does:

iptables -A INPUT -i lo -j ACCEPT - Gotta allow localhost, no?

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - Allow already established traffic to finish coming in. Allow traffic related to outgoing communications through. (Without the -j ACCEPT target the rule matches but does nothing, and the replies fall through to the final REJECT.)

iptables -A INPUT -p icmp -j ACCEPT - Allow ICMP packets in (ping, etc.). You don't need this, but you can have it if you want it.

iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable - This denies everything else coming towards the computer.

The system default for iptables without ufw rules or any other rules enabled is "ACCEPT" for INPUT, OUTPUT, and FORWARD. So I manually add the 'Reject all other traffic' rule there at the end myself.

(Note that this is almost exactly what the IPtables HowTo on the Ubuntu help pages produces. Plus some minor minor tweaks)
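Added example, not from the answer above nor from ufw or iptables themselves: a POSIX sh audit that checks an `iptables -S INPUT` listing against the desktop policy just described (loopback accepted, RELATED,ESTABLISHED accepted, everything else rejected, no ports opened to new inbound connections), and in particular catches a conntrack rule that is missing its `-j ACCEPT` target. It assumes the manual iptables layout shown above rather than ufw's own chain hierarchy; the sample ruleset and the function names are constructed for this example.

```shell
#!/bin/sh
# Audit an INPUT chain listing (output of `iptables -S INPUT`) against the
# desktop policy: loopback accepted, RELATED,ESTABLISHED accepted, everything
# else rejected. Prints one FAIL line per violation and returns non-zero.
# Usage: iptables -S INPUT | audit_input_chain
audit_input_chain() {
    rules=$(cat)
    status=0
    # 1. Loopback must be accepted.
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' \
        || { echo "FAIL: no rule accepting loopback (-i lo)"; status=1; }
    # 2. The conntrack rule must carry a -j ACCEPT target; without it the rule
    #    matches but does nothing and replies fall through to the final REJECT.
    printf '%s\n' "$rules" | grep -- '--ctstate RELATED,ESTABLISHED' \
        | grep -q -- '-j ACCEPT' \
        || { echo "FAIL: RELATED,ESTABLISHED rule missing or lacks -j ACCEPT"; status=1; }
    # 3. Unsolicited inbound must be blocked: a trailing catch-all REJECT/DROP,
    #    or else a DROP chain policy.
    last=$(printf '%s\n' "$rules" | grep -- '^-A INPUT' | tail -n 1)
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" {print $3}')
    case "$last" in
        '-A INPUT -j REJECT'*|'-A INPUT -j DROP') ;;
        *) [ "$policy" = "DROP" ] \
            || { echo "FAIL: chain falls through to policy '$policy'"; status=1; } ;;
    esac
    # 4. Warn about ACCEPT rules that open a port to new connections (the
    #    "ALLOW IN" rules the answer says a plain desktop does not need).
    printf '%s\n' "$rules" | grep -- '^-A INPUT' | grep -- '--dport' \
        | grep -- '-j ACCEPT' | grep -v -- 'ESTABLISHED' \
        | while IFS= read -r r; do echo "WARN: inbound port opened: $r"; done
    return "$status"
}

# Constructed sample: the answer's manual ruleset as `iptables -S INPUT` prints it.
desktop_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-unreachable
EOF
}

desktop_rules | audit_input_chain && echo "PASS: desktop INPUT policy holds"
```

On a live system run it as root with `iptables -S INPUT | audit_input_chain`; on a ufw-managed host the INPUT chain only jumps into ufw-* chains, so the audit is meant for the manual ruleset.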


Author: Boris

Updated on September 18, 2022

Comments

  • Boris
    Boris over 1 year

    Reading this answer about enabling UFW, I understand that a computer without a firewall can be safe in my local network, but this same safe configuration on a laptop used outside of my local network could be risky.

    As ufw is installed by default, I would like to turn it on, and I would like to configure it for my "basic desktop / laptop configuration".

    By "basic desktop / laptop configuration" I mean that my computer is used to:

    • use Firefox
    • read emails on Thunderbird
    • communicate with Skype
    • play games on Steam and Minecraft for my children
    • share documents by my local NFS network
  • zeridon
    zeridon almost 9 years
    Default config should be fine. For reference ufw enable should be enough
  • Boris
    Boris almost 9 years
    Thank you, this is the kind of answer I expect (+10). As you can see I barely know ufw, but I have no knowledge about iptables. Is there a way to do it with ufw?
  • Thomas Ward
    Thomas Ward almost 9 years
    @Boris I already gave you the answer for achieving this with ufw - in the first section titled "Probably the most basic ufw setup for a Desktop". That's the ufw way. Then there's my manually-manipulate-the-firewall way.
  • Thomas Ward
    Thomas Ward almost 9 years
    @Boris what purpose does that serve, except to bloat the question with multiple answers
  • Panther
    Panther almost 9 years
    +1 for using REJECT rather than DROP
  • Thomas Ward
    Thomas Ward almost 9 years
    @Boris what you prefer and what's permitted on the site are therefore in conflict. There are many many examples of multiple solutions in an answer, strewn throughout the site. There's a reason I made big bold headings - so the people who care to read that section can. Books, instruction manuals, etc. do the same thing. There's ZERO need to bloat the question with two answers. Your approach would be for that of a poll or a forum. That does not fit with the Q/A style format here. (We typically have one answer from one individual, not multiple answers from one individual here).