What rules to use for UFW?


Solution 1

If you've set ufw to enabled then you've enabled the preset rules, so it means ufw (via iptables) is actively blocking packets.

If you want more details, run

sudo ufw status verbose

and you will see something like this

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

which basically means that all incoming is denied and all outgoing allowed. It's a bit more complicated than that (for example ESTABLISHED - requested - packets are allowed in), and if you're interested in the full set of rules, see the output of sudo iptables -L.

If you have a public IP, you can use an online test to get an idea how good the filtering is, for example www.grc.com (look for ShieldsUP) or nmap-online.

You should also see messages about blocked/allowed packets in logs (/var/log/syslog and /var/log/ufw.log).
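As an added example (not part of Icedrake's question or of the answer above), the following POSIX shell script turns the two things the answer points at into checks you can script: it reads `ufw status verbose` output and confirms the firewall is active with a default deny on incoming, and it summarises `[UFW BLOCK]` entries from `/var/log/ufw.log` by destination port and by source address. It assumes the `Default: deny (incoming), allow (outgoing)` line format shown above and the `[UFW BLOCK] ... SRC=... PROTO=... DPT=...` line format ufw writes through the kernel log; the sample status text and log lines embedded in the script are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the answer above: check the default policies
# reported by `ufw status verbose` and summarise [UFW BLOCK] entries from
# /var/log/ufw.log. Plain POSIX sh + awk, so it runs against real output
# on any Ubuntu host; the samples below are constructed.

# Constructed copy of `sudo ufw status verbose` output.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed log lines in the format ufw writes through the kernel log
# (MAC fields shortened). Four BLOCK entries and one ALLOW entry.
SAMPLE_LOG='Nov 30 10:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:03 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 30 10:00:04 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5353 DPT=123 LEN=40
Nov 30 10:00:05 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=... SRC=192.0.2.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Print the default policy ("deny", "allow", ...) for the direction given as
# $1 ("incoming", "outgoing" or "routed"), read from status output on stdin.
ufw_default_policy() {
    awk -v dir="$1" '/^Default:/ {
        for (i = 2; i < NF; i++)
            if ($(i + 1) == "(" dir ")" || $(i + 1) == "(" dir "),") {
                print $i
                exit
            }
    }'
}

# Return 0 if the firewall is active and denies incoming by default (the
# minimum the answer above describes); return 1 otherwise.
ufw_baseline_ok() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Status: active$' || return 1
    [ "$(printf '%s\n' "$status" | ufw_default_policy incoming)" = "deny" ]
}

# Count [UFW BLOCK] lines grouped by destination port and protocol,
# most frequent first, e.g. "22/TCP 3". ALLOW/AUDIT lines are ignored.
ufw_blocked_by_port() {
    awk '/\[UFW BLOCK\]/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dpt != "") n[dpt "/" proto]++
        }
        END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# Count [UFW BLOCK] lines grouped by source address, most frequent first.
ufw_blocked_by_src() {
    awk '/\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# Total number of [UFW BLOCK] lines (prints 0 when there are none).
ufw_blocked_total() {
    awk '/\[UFW BLOCK\]/ { c++ } END { print c + 0 }'
}

# Demo over the constructed samples. On a real host use instead:
#   sudo ufw status verbose | ufw_baseline_ok
#   ufw_blocked_by_port < /var/log/ufw.log
if printf '%s\n' "$SAMPLE_STATUS" | ufw_baseline_ok; then
    echo "baseline ok: active, default deny incoming"
else
    echo "baseline NOT ok"
fi
echo "blocked packets by port:"
printf '%s\n' "$SAMPLE_LOG" | ufw_blocked_by_port
echo "blocked packets by source:"
printf '%s\n' "$SAMPLE_LOG" | ufw_blocked_by_src
```

The log functions count only `[UFW BLOCK]` lines, so with `Logging: on (low)` they show what the default deny policy is actually dropping, while `ufw_baseline_ok` is the kind of check to run after any change to the rules to confirm the policy did not drift back to allow.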

Solution 2

See https://wiki.ubuntu.com/UncomplicatedFirewall.

Features

ufw has the following features:

Getting started with ufw is easy. For example, to enable the firewall, allow ssh access, enable logging, and check the status of the firewall, perform:

$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

Advanced Functionality

As mentioned, the ufw framework is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files:

  • /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
  • /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
  • /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
  • /etc/ufw/sysctl.conf: kernel network tunables
  • /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
  • /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL

After modifying any of the above files, activate the new settings with:

$ sudo ufw disable
$ sudo ufw enable

Solution 3

A firewall can provide two quite different levels of protection.

ONE: -- It can block any external attempt to connect to a given host.

TWO: -- It can control, limit, and obfuscate any available connections.

You need to start with ONE, and think about TWO later.

STEPS:

A. Create the script file

gedit ~/ufw-MyRules.sh

draft contents:

#!/bin/sh

# -------------------------------------
#
#  firewall settings  
#
#    ver: 00.01
#    rev: 30-Nov-2011
#
#  for Ubuntu 11.10
#
# -------------------------------------

# -------------------------------------
#  reset rules

# disable firewall
sudo ufw disable

# reset all firewall rules
sudo ufw reset --force

# set default rules: deny all incoming traffic, allow all outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing


# -------------------------------------
#  My rules  (CURRENTLY DISABLED)

# open port for SSH (remote support)
#  from: 111.222.333.444, port OpenSSH, limit
#sudo ufw limit log from 111.222.333.444 to any port 22

# open port for network time protocol (ntpq)
#sudo ufw allow ntp



# -------------------------------------
#  re-start

# enable firewall
sudo ufw enable

# list all firewall rules
sudo ufw status verbose

B. Set file permission (needed only once)

chmod a+x ufw-MyRules.sh

C. Run the script

./ufw-MyRules.sh
Author: Icedrake

Updated on September 18, 2022

Comments

  • Icedrake
    Icedrake over 1 year

    I've decided to enable the UFW that comes with Ubuntu just to make my system even more secure (especially after watching a video of a person whose computer actually got infected!), and I've enabled UFW and installed GUFW, but I'm not sure what to do next. When I check the status of the firewall, it says that it is active. What are some rules that I should configure to actually make use of the firewall, since right now I'm assuming it's allowing everything, basically acting like it isn't there.

    • david6
      david6 over 12 years
      What version of Ubuntu? There are minor changes between 10.04 LTS and 11.10 (and other recent).
    • Icedrake
      Icedrake over 12 years
      11.10 is the version that I'm using.
    • Anonymous
      Anonymous over 12 years
      Basically just run sudo ufw enable and it will enable the firewall with a default deny policy.
    • david6
      david6 over 12 years
      There are real limitations to gufw, which can NOT limit or manage outbound connections or any existing settings (not created by gufw). See: blog.bodhizazen.net/linux/firewall-ubuntu-gufw (at bottom of page). I have provided a simple script (see answers, below).
  • Icedrake
    Icedrake over 12 years
    So there are rules that are enabled by default when you enable the firewall?
  • samme4life
    samme4life over 12 years
    Well, it could mean that you don't have a public IP, or that you don't have any services running, which is the Ubuntu default.