Monday, April 6, 2009

UFW Howto in BT4

This is a small howto for UFW the uncomplicated firewall for BT4
The majority of this info comes from the man page.
There are other tutorials on the net for using this.
There is also a gui we will talk about it a bit latter.

First and foremost if you have something to add please do so.
ufw is a front end for iptables.
So in order for us to start ufw go to the command line
Code:
root@bt:~# ufw

Usage: ufw COMMAND
Commands:
enable enables the firewall
disable disables the firewall
default ARG set default policy to ALLOW or DENY
logging ARG set logging to ON or OFF
allow|deny RULE allow or deny RULE
delete allow|deny RULE delete the allow/deny RULE
status show firewall status
version display version information
Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set profile policy to ALLOW, DENY or SKIP

root@bt:~#

So lets look at some of the usage flags.
enable/disable are self explanatory.
Code:
# ufw enable

we get back
Code:
root@bt:~# ufw enable
Firewall started and enabled on system startup
root@bt:~#

Of course we would then have to reboot. When you do it will show up as enabled in the boot sequence. If it checks out you get the [OK].
Now lets look at default and ALLOW DENY
allow will as it states allow all defaults to take place which right now means that our
firewall really does nothing. deny will stop all incoming and forwarded packets but
it will not stop outgoing packets. So at the minimum this is better than nothing.
Here is what it looks like
Code:
root@bt:~# ufw default deny
Default policy changed to ‘deny’
(be sure to update your rules accordingly)
root@bt:~#

The same reminder is given every time. We will look at rules in a bit, first lets look at logging you can either turn it on or off.
Code:
#ufw logging on
logging enabled

The logs are stored at /var/log/messages or/kern.log and /syslog there is not a seperate log for ufw as of yet.
You can gather information from them by using grep
Code:
#grep ufw /var/log/syslog

Now let’s look at the rules. There are again two options allow/deny rule.
So here is where it can get a bit more complicated, complex. This is how we add certain ports and protocols.
Code:
# ufw allow 80
rule updated

So now port 80 http is open. Close it again with
Code:
# ufw deny 80

Now with just the port it will allow or deny traffic from both tcp and udp.

Now we can specify with the protocol like the following 80/tcp
We can also delete a rule and it will revert to whatever the default policy had at the beginning.
More complicated rules can be made as well. For instance we want to blacklist certain IP address we can by supplying the
address to the rule set.
Code:
# ufw allow from 192.168.1.100

You can also specify certain protocols with certain IP’s like so:
Code:
#ufw allow from 192.168.1.1 to any port 22

This will allow 192.168.1.1 to access port 22 on both tcp and udp.
If you want to allow only tcp append it to the end of the port 22/tcp
You can also use a netmask. Next let’s look at services. You can set services that can be found in
Code:
#cat /etc/services

For instance we want to allow telnet then we simply give
Code:
# ufw allow telnet

That simple.
Probably the best usage flag in ufw is the –dry-run which will not make any real changes but only show what would occur with the new rule in place.

We can also delete a rule and it will revert to whatever the default policy had at the beginning. More complicated rules can be made as well. For instance we want to blacklist certain IP address we can by supplying the
address to the rule set.
Code:
# ufw allow from 192.168.1.100

You can also specify certain protocols with certain IP’s like so:
Code:
#ufw allow from 192.168.1.1 to any port 22

This will allow 192.168.1.1 to access port 22 on both tcp and udp.
If you want to allow only tcp append it to the end of the port 22/tcp
You can also use a netmask. Next let’s look at services. You can set services that can be found in
Code:
#cat /etc/services

For instance we want to allow telnet then we simply give
Code:
# ufw allow telnet

That simple.
One caveat though is that the service must be installed on the host.
Probably the best usage flag in ufw is the –dry-run which will not make any real changes but only show what would occur with the new rule in place.
So for example
Code:
#ufw --dry-run deny ssh

If the rule will not work or the syntax is wrong it will spit back an error.
Also when adding rules the first match wins according to the man page.
So make your specific rules first then the general ones.

There are more to the rules as well as support for applications themselves.

Next thing we can look at is adding the gui interface, if needed.
The link is here, this download is a ".deb" package, you can install it using
Code:
#dpkg -i gufw_0.0.7c-all.deb

There are more things that can be done and if anyone needs help with it make a post here about it.

1 comment:

echo said...

Thanks for this! I've seen iptables lines and even inserted some by myself on working firewalls, but if there is something simpler for beginner then that may be useful one day.

I also noticed that there is copy-paste error in the post, part of it doubled.