Ubuntu Firewalls Guide

Like every other system connected to the Internet, Linux needs an additional layer of protection. Even if you have a router or an Intrusion Detection System (IDS), there is no reason not to back it up with a software firewall on the host itself.


Modern systems usually ship with a firewall already installed. In this guide we show several ways to manage the firewall on Ubuntu.

Ubuntu Firewalls Guide. Part I: Uncomplicated firewall

Most Linux systems come with iptables, a sophisticated software firewall that is somewhat difficult to configure. Luckily, Ubuntu, being a user-friendly community, decided to simplify this task, and so ufw was born.

Ufw stands for “Uncomplicated Firewall”. Indeed, to configure iptables through ufw it is enough to open a terminal window and type a few simple commands.

NOTE: To open a terminal, go to Applications > Accessories > Terminal.

Ubuntu Firewalls. Uncomplicated firewall: Terminal

If you type “ufw -?” you will see the full list of available commands. Below are some examples for the inquisitive minds among you.

Usage

To work with ufw you need administrative permissions, so each command is prefixed with the word “sudo” (which stands for “super user do”): “ufw status” becomes “sudo ufw status”. If you leave it out, you get the message “ERROR: You need to be root to run this script”.

Service commands:

sudo ufw status – displays the status of the firewall.
sudo ufw enable – turns the firewall on.
sudo ufw disable – turns the firewall off.
sudo ufw reload – reloads the firewall and applies the current rules.

Rules control:

NOTE: Adding new rules requires the firewall to be running, otherwise the changes will be lost. To start it, type “sudo ufw enable”.

sudo ufw allow 25 – permits all traffic on port 25.
sudo ufw deny 110 – silently drops all traffic on port 110.
sudo ufw reject http – refuses (and notifies the other side) all traffic on the http service port, which is 80.
sudo ufw allow in 21 – allows all incoming traffic on port 21.
sudo ufw deny out 8080 – denies all outgoing traffic on port 8080.
sudo ufw allow from 123.45.67.89 – allows any traffic coming from 123.45.67.89.
sudo ufw limit 22/tcp – rate-limits TCP port 22: connections are dropped once more than 6 have been made to this port within the last 30 seconds.
sudo ufw reset – clears all rules.

Syntax

The syntax of a ufw rule is as follows:

ufw allow|deny|reject|limit in|out port/protocol

Where:
Allow – accepts packets
Deny – drops packets
Reject – refuses packets
Limit – rate-limits packets
In – applies the rule to incoming packets
Out – applies the rule to outgoing packets
Port – defines the target port. It can be:

  • Numeric as 80
  • Service name as http (see the services file, /etc/services)
  • List as 80,110 (separated by commas, no spaces allowed)
  • Range 8000:8080 (all ports from 8000 to 8080)

NOTE: A list may contain at most 15 items per rule. A range counts as 2 items.

Protocol – can be “any”, “tcp” or “udp”, depending on what you plan to filter.

Advanced syntax

There is also an advanced syntax, which lets you specify the interface, manage entries in the rule set, configure logging and define custom behavior for specific applications. For example:

sudo ufw deny in on eth0 – drops all incoming packets on the eth0 interface.
sudo ufw allow out on eth0 to any port 25 proto tcp – allows all outgoing TCP traffic on the eth0 interface to any address on port 25.

NOTE: In a complex rule the protocol is given with the word “proto” followed by a space. So, instead of “25/tcp”, write “25 proto tcp”.

sudo ufw insert 1 allow 80 – places the rule “allow all traffic on port 80” at the first position in the rule set.
sudo ufw delete 1 – removes rule number 1 from the rule list.
sudo ufw show user-rules – displays the user-defined rule set. The argument can also be:

  • raw – displays all rule sets
  • builtins – the internal rule set
  • before-rules – rules applied before the main rule set
  • user-rules – rules defined by the user (you)
  • after-rules – rules applied after the main rule set
  • logging-rules – rules with logging enabled
  • listening – listening TCP and open UDP ports

sudo ufw delete deny out 8080 – removes the rule “deny all outbound traffic on port 8080” from the rule set.
sudo ufw allow log 80/tcp – allows all traffic on TCP port 80, logging new connections only.
sudo ufw allow log-all 80/tcp – allows all traffic on TCP port 80, logging all packets.

NOTE: Always place “log” between the action and the port.

sudo ufw logging off – turns logging off. The level can also be “low”, “medium”, “high” or “full”. The default is “low”.

NOTE: Higher logging levels generate more log data, which can fill up your disk over time (especially on a busy or overloaded system).
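With logging on, ufw's decisions end up in the kernel log (on Ubuntu normally /var/log/ufw.log), and the question a defender usually asks of that log is which sources keep hitting which ports. The script below is an added example, not from the original guide, that summarizes such lines; the sample lines are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original guide: summarizes blocked connection
# attempts from ufw's log. With logging enabled, ufw writes "[UFW BLOCK]" (and,
# at higher levels, "[UFW ALLOW]" and "[UFW AUDIT]") lines to the kernel log,
# which on Ubuntu is normally collected in /var/log/ufw.log. The sample lines
# below are constructed for this example; the addresses are documentation ranges.

SAMPLE_LOG='Mar  1 10:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:03 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:04 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=24
Mar  1 10:00:05 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# blocked_summary < LOG: one line "COUNT SRC PROTO DPT" per distinct blocked
# source/protocol/port combination, most frequent first, so that repeated
# probes of one port stand out from one-off noise.
blocked_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC")   src = val
                if (key == "PROTO") proto = val
                if (key == "DPT")   dpt = val
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# sources_over N < LOG: sources with more than N blocked attempts in the log,
# the same "too many tries" idea as the ufw limit rule, applied after the fact.
sources_over() {
    awk -v limit="$1" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") hits[substr($i, 5)]++
        }
        END { for (s in hits) if (hits[s] > limit) print s }
    ' | sort
}

# Run over the constructed sample (on a real host: sudo cat /var/log/ufw.log | blocked_summary)
printf '%s\n' "$SAMPLE_LOG" | blocked_summary
printf '%s\n' "$SAMPLE_LOG" | sources_over 2
```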

sudo ufw app list – displays the list of application profiles.
sudo ufw app info CUPS – displays the detailed profile of the application named CUPS.
sudo ufw allow 631 app CUPS – adds “allow all traffic on port 631” to the CUPS application profile.
sudo ufw app update CUPS – flushes the firewall rules related to the CUPS application profile.

NOTE: Profiles are generally used by software, essentially for remote management.
 

Default policy

Ufw follows one principle: check a packet against all rules, and if no rule applies, follow the default policy. This is the common principle of the iptables firewall, and it sometimes confuses new users.

For example, the computer receives an incoming packet from a remote host for port 80. There is no rule saying what to do with incoming packets for port 80, so the computer follows the default policy.

By default the policies are set to “deny” for incoming and “accept” for outgoing traffic, which seems reasonable enough.

There are only a few cases in which inbound connections need to be allowed, so it is naturally easier to define what to allow than to list everything that should be denied. The same reasoning applies to outbound connections, since every networking application needs remote access.

In the rare case that you want to change the default policy, issue one of the following commands:

sudo ufw default allow incoming – sets the default policy to “allow inbound packets”.
sudo ufw default reject outgoing – sets the default policy to “refuse outbound packets”.
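As an added example that is not part of the original guide, the script below ties the Syntax section above to this section's default policy: it checks port specifications against the rules the guide gives (single port, service name, comma list without spaces, lo:hi range, at most 15 items with a range counting as two) and then builds the ufw commands for a default-deny baseline. DRY_RUN=1, the default, is an assumption of the example and only prints the commands instead of running them with sudo.

```shell
#!/bin/sh
# Added example, not from the original guide: checks a ufw port specification
# against the Syntax section (single port, service name, comma list with no
# spaces, lo:hi range, at most 15 items with a range counting as two) and
# builds the command lines for a default-deny policy. Assumption: DRY_RUN=1
# (the default) prints the commands instead of running them with sudo, so the
# script can be read and tested without root or ufw installed.

DRY_RUN="${DRY_RUN:-1}"

# run CMD: print the command, or execute it with sudo when DRY_RUN is not 1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$1"; else set -- $1; sudo "$@"; fi
}

# port_items SPEC: prints the number of items in SPEC, or returns 1 if SPEC
# does not follow the syntax (spaces, stray commas, bad ranges or ports).
port_items() {
    spec="$1"; count=0
    case "$spec" in
        "" | *" "* | ,* | *, | *,,*) return 1 ;;
        *[!0-9,:]*)
            # Not purely numeric: accept a single service name such as http,
            # which ufw itself resolves against /etc/services.
            case "$spec" in *,* | *:* | *[!A-Za-z0-9-]*) return 1 ;; esac
            echo 1; return 0 ;;
    esac
    old_ifs="$IFS"; IFS=,
    for item in $spec; do
        case "$item" in
            *:*:*) IFS="$old_ifs"; return 1 ;;
            *:*)                                   # range lo:hi counts as 2
                lo="${item%%:*}"; hi="${item#*:}"
                if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -lt 1 ] ||
                   [ "$hi" -gt 65535 ] || [ "$lo" -ge "$hi" ]; then
                    IFS="$old_ifs"; return 1
                fi
                count=$((count + 2)) ;;
            *)                                     # single numeric port
                if [ "$item" -lt 1 ] || [ "$item" -gt 65535 ]; then
                    IFS="$old_ifs"; return 1
                fi
                count=$((count + 1)) ;;
        esac
    done
    IFS="$old_ifs"
    echo "$count"
}

# rule ACTION in|out SPEC [any|tcp|udp]: validates the pieces and emits the
# simple-syntax command "ufw ACTION DIRECTION PORT/PROTO".
rule() {
    action="$1"; dir="$2"; spec="$3"; proto="${4:-any}"
    case "$action" in allow | deny | reject | limit) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    case "$dir" in in | out) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
    case "$proto" in any | tcp | udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    items=$(port_items "$spec") || { echo "bad port spec: $spec" >&2; return 1; }
    [ "$items" -le 15 ] || { echo "more than 15 items in one rule: $spec" >&2; return 1; }
    # ufw refuses a list or range unless tcp or udp is given explicitly.
    if [ "$items" -gt 1 ] && [ "$proto" = any ]; then
        echo "lists and ranges need tcp or udp: $spec" >&2; return 1
    fi
    if [ "$proto" = any ]; then target="$spec"; else target="$spec/$proto"; fi
    run "ufw $action $dir $target"
}

# baseline: the default-deny policy from this section plus a few typical rules,
# in the order the guide gives (enable first, so that the rules are kept).
baseline() {
    run "ufw enable" &&
    run "ufw default deny incoming" &&
    run "ufw default allow outgoing" &&
    rule limit in 22 tcp &&        # ssh, rate-limited as described above
    rule allow in 80,443 tcp &&    # web: a 2-item list, so tcp is required
    rule deny out 8080 &&          # no outbound traffic to port 8080
    run "ufw status"
}
```

Running `baseline` with DRY_RUN=1 prints the seven commands for review; set DRY_RUN=0 to have them executed through sudo.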

Ubuntu Firewalls Guide. Part II: Gufw

It is indeed a pleasure to see your system secured by a sophisticated firewall. However, not everyone is ready for the challenge of configuring a firewall from the command line (or shell).

In this guide we review Gufw, a graphical frontend for the Ubuntu firewall. There are a number of other frontends, but Gufw, in our opinion, is the easiest to understand, and hence the easiest way to configure and control the network security of your computer.

Installation

If you are not familiar with the software installation process, please refer to the Software installation chapter of our Ubuntu Basics Guide for a detailed graphical walkthrough.

Let’s go:

  1. Open Synaptic from System > Administration > Synaptic Package Manager.
  2. You will be asked to provide your (administrative) password.
  3. Type “gufw” in the Quick search box.
  4. Locate “gufw”, right-click it and select “Mark for Installation”.
  5. Click “Mark” on the “Mark additional required changes?” dialog, if it is displayed.
  6. Press the “Apply” button at the top.
  7. Press “Apply” on the “Apply the following changes” dialog.
  8. Gufw is now being installed. When it is done, press “Close” and close Synaptic. NOTE: Installation requires an active Internet connection to download Gufw from the repository.

Usage

Once Gufw is installed, you can launch it from System > Administration > Firewall configuration.

Ubuntu Firewalls. Gufw: Launching Gufw

NOTE: Normally you will be asked for your (administrative) password, but since you have already been authorized during the Synaptic run, you will not be asked the first time.

Ubuntu Firewalls. Gufw: Firewall configuration

You will see the “Firewall” window, which is the Gufw frontend.

To turn the firewall on, check the “Enabled” box.

Ubuntu Firewalls. Gufw: Firewall powered on

The firewall is now active. If needed, you can now select the default policy for incoming and outgoing packets.

Refer to the Default policy section of the ufw part above if you need more information about it.

To add a new rule, press the “Add” button. The “Add Rule” dialog has three tabs: Preconfigured, Simple and Advanced.

Preconfigured tab

Ubuntu Firewalls. Gufw: Preconfigured settings

The Preconfigured tab offers a simplified configuration mode in which you choose the port to filter by application or service name.

For example, to allow the Amule program to accept incoming connections, select:

  • Allow (1st list)
  • In (2nd list)
  • Program (3rd list)
  • Amule (4th list)

Ubuntu Firewalls. Gufw: Amule inbound traffic

Then press “Add”.

Congratulations! Your first firewall rule is created.

Simple tab

Suppose we want to define the port manually. For this we switch to the Simple tab, where we find three lists and a field.

Ubuntu Firewalls. Gufw: Simple Tab - Actions

The first list contains the action to perform on a new network packet your system receives. The available options are:

  • Allow – accept the packet
  • Deny – drop the packet
  • Reject – refuse the packet (and notify the other side that it was refused)
  • Limit – limit the connection rate (to 6 connections in the last 30 seconds)

Ubuntu Firewalls. Gufw: Simple Tab - Mode

The second list switches between two modes:

  • In – for incoming packets
  • Out – for outgoing packets

Ubuntu Firewalls. Gufw: Simple Tab - Protocol

The third list selects the protocol:

  • TCP – for connection-based packets
  • UDP – for connectionless packets
  • Both – for both types of packets

The field is where you type the port to filter. This can be done in several ways:

  • Numeric – a single numeric value, such as 80
  • Range – a range of ports, such as 8000:8080 (equivalent to 8000-8080)
  • List – multiple numeric or ranged values separated by commas without spaces, such as 25,80,110,5050:5060

NOTE: The total number of ports in a list should not exceed 15, for compatibility reasons. A range counts as two ports (2 list items).

When you have filled in all required values, press “Add” to see your rule added to the firewall.

Advanced tab

Ubuntu Firewalls. Gufw: Advanced tab

If you need to filter a specific IP address or range, you can do so in the Advanced tab.

  1. Switch to the Advanced tab.
  2. Select the appropriate action.
  3. Choose the direction.
  4. Select the protocol.
  5. Type in an IP address, a network with its mask, or a list of IP addresses.
  6. Type in the port.

As you may have noticed, there are two sets of IP and port fields, From and To. They are used separately, on a case-by-case basis.

For example, to block inbound traffic from IP address 123.45.67.89, type that address into the From field. Similarly, to deny outgoing connections to that address, type it into the To field.

When you are satisfied with the rule, press the “Add” button to apply it.

To remove a rule, locate it in the rule list and press the “Remove” button.

Ubuntu Firewalls. Gufw: Remove rule

Reset rules

Ubuntu Firewalls. Gufw: Reset switch

To reset the rules, go to Edit > Reset Configuration….

Ubuntu Firewalls. Gufw: Removal confirmation

You will be asked whether you are sure you want to continue. Press “OK” to remove all rules.

Preferences

Ubuntu Firewalls. Gufw: Preferences

Gufw also has a preferences dialog with some additional options. To access it, go to Edit > Preferences.

Ubuntu Firewalls. Gufw: Preferences window

Listening Option

  • Enable listening report – extends the Gufw window with a Listening report, i.e. details of all open ports. The information is shown as protocol, port, listening address and the application that is listening.

Log Options

  • Enable Gufw logging – turns on logging of Gufw actions (see below). Unchecked by default.
  • Enable ufw logging – turns on ufw's default logging mode. Checked by default.
  • Set level – lets you choose how detailed the logging will be. The available options are “Low”, “Medium”, “High” and “Full”. It is recommended to leave it on “Low”.

Log

To access the Gufw action log, go to File > Log.

Ubuntu Firewalls. Gufw: Log

Here you can see the list of actions performed by Gufw.

Ubuntu Firewalls. Gufw: Logging window

If you plan to use these actions for scripting (e.g. for your server), check the “Show for server script” box. This removes all verbose information and leaves you with a plain list of ufw commands.

Ubuntu Firewalls Guide. Part III: Firestarter

There are times when you want a solution that works quickly, yet leaves room for advanced customization later.

For Ubuntu firewalls, such a solution is Firestarter. Once you install and launch it, all you have to do is follow the initial setup wizard, and the firewall is ready.

In this guide we cover both the basic and the advanced options Firestarter offers.

Installation

If you are not familiar with installing software in Ubuntu, please read chapter 5 of our Ubuntu Basics Guide, which explains how to install software with step-by-step instructions and screenshots.

Quick setup:

  1. Open Synaptic from System > Administration > Synaptic Package Manager.
  2. You will be asked to provide your (administrative) password.
  3. Type “firestarter” in the Quick search box.
  4. Locate “firestarter”, right-click it and select “Mark for Installation”.
  5. Click “Mark” on the “Mark additional required changes?” dialog, if it is displayed.
  6. Press the “Apply” button at the top.
  7. Press “Apply” on the “Apply the following changes” dialog.
  8. Firestarter is now being installed. When it is done, press “Close” and close Synaptic. NOTE: Installation requires an active Internet connection to download Firestarter from the repository.

Wizard and launching

Once Firestarter is installed, you can launch it from System > Administration > Firestarter.

Ubuntu Firewalls. Firestarter: Launching Firestarter

A firewall wizard appears, welcoming you to the Firestarter configuration. Press the “Forward” button.

Ubuntu Firewalls. Firestarter: Wizard welcome page

NOTE: Normally you will be asked for your (administrative) password, but since you have already been authorized during the Synaptic run, you will not be asked the first time.

Ubuntu Firewalls. Firestarter: Wizard network device setup

You will see the “Network device setup” page with the following options:

  • Detected device(s) – normally lists only your Ethernet card. If more than one device is listed, choose yours by the rule: eth0 – cable connection, wlan0 – wireless connection.
  • Start the firewall on dial-out – check this to make sure the firewall is activated each time you connect to the Internet.
  • IP address is assigned via DHCP – check this if your computer should obtain its IP address automatically from your ISP (true in most cases, except LANs with static routing).

Ubuntu Firewalls. Firestarter: Wizard Internet connection sharing

Press “Forward” to continue to the “Internet connection sharing setup” page.

  • Enable internet connection sharing – enable this ONLY if you plan to share your computer's connection with other computers.
  • Local area network device – the list of your LAN adapters. If you selected eth0 as your main Ethernet card and you have a second Ethernet card that connects your computer to another computer, you should see eth1, which is the one to select.
  • Enable DHCP for local network – turns on automatic IP address assignment on your LAN connection, with your computer acting as the server.

NOTE: Although Firestarter offers Internet connection sharing, and Ubuntu generally supports it, we still encourage you to share your connection using a router. For tips on buying a router, see our Router marketing article.

Click “Forward” when you are done, and you will see the “Ready to start your firewall” page.

Ubuntu Firewalls. Firestarter: Wizard ready to start

There is only one checkbox, “Start firewall now”, which you should check if you want to activate your newly installed firewall immediately.

You will now see the Firestarter main window.

If you checked “Start firewall now” on the last page of the wizard, the firewall is active. All you need to do is close the Firestarter window by clicking the Firestarter icon (blue, with a Play sign) in the tray, and enjoy your newly installed firewall. To make it minimize on close, see the Preferences section below.

Monitoring connections

Ubuntu Firewalls. Firestarter: Main window

In the Firestarter window, the Status tab, which opens by default, shows:

Firewall section

  • Status – “Active” (if the firewall is enabled) or “Stopped” (if it is disabled).
  • Events – Total and Serious, for both incoming and outgoing traffic. Total counts regular events, i.e. connections the firewall allowed, while Serious counts blocked connections.

Network section

Lists the devices (normally just one), their types, the number of bytes received and sent, and the current activity rate.

Active connections section

This is where all active connections are displayed, listed by source IP address, destination IP address, port, service and application.

Ubuntu Firewalls. Firestarter: Active connections

Switch to the Events tab to see passed and blocked events. These relate exclusively to connections that were blocked or permitted by rules. They are listed by time, port, source address, destination address, protocol and service.

Ubuntu Firewalls. Firestarter: Events tab

Configuring Firestarter

To add policies to the Firestarter firewall, switch to the Policy tab. First choose the traffic type from the “Editing” list. Then, depending on the type of rule you want to add (address-specific, port-specific, or address and port specific), do the following:

Ubuntu Firewalls. Firestarter: Policy editor

Address specific filtering

Ubuntu Firewalls. Firestarter: Add new rule

  1. To allow or deny a particular IP, host or network, right-click in the “Allow connections from host” list and select “Add rule”.
  2. Type in the desired IP, host or network mask, add a comment if needed, and press “Add”.
  3. Your new rule is added.

Ubuntu Firewalls. Firestarter: Add connections from

Port and/or address filtering

Ubuntu Firewalls. Firestarter: Add new service

To allow or deny network access to a particular port or service, right-click in the “Allow service” list and select “Add rule”.

  • Name – select a service by name from the list of existing services.
  • Port – or type in the desired port.
  • When source (destination) is – can be “Anyone”, to apply the rule to all hosts; “IP, host or network”, to apply it only to a specific host or network, which you then type into the following box; or “LAN clients”, which only applies when Internet connection sharing is enabled.
  • Comment – type in a comment if you need one.

When you are done, press “Add” and the rule appears in the rule set. It is applied when you restart the firewall (that is, stop and start it). To have rules applied immediately, see the Preferences (Policy) section below.

To edit a rule, right-click it and select “Edit rule”.

To delete a rule, right-click it and select “Remove rule”.

Preferences

Ubuntu Firewalls. Firestarter: Preferences

To access the Firestarter preferences, go to Edit > Preferences.

Interface

Ubuntu Firewalls. Firestarter: Interface settings

  • Enable tray icon – check this box to show the Firestarter icon in the system tray.
  • Minimize to tray on window close – check this box to make Firestarter minimize to the tray when its window is closed.

Events

Ubuntu Firewalls. Firestarter: Events settings

  • Skip redundant entries – checking this box collapses repeated events (e.g. several similar events are shown as one).
  • Skip entries where the destination is not the firewall – checking this box keeps events unrelated to firewall filtering out of the event list.
  • Do not log events for the following – two lists, for hosts and ports. Press the “Add” button to add a host or port to be excluded from logging.

Policy

Ubuntu Firewalls. Firestarter: Policy settings

  • Apply policy changes immediately – checking this box ensures that rules are applied the moment they are created.

Firewall

Ubuntu Firewalls. Firestarter: Firewall settings

Start/restart firewall on:

  • Program startup – checking this enables the firewall when Firestarter starts.
  • Dial-out – checking this enables the firewall when you connect to the Internet.
  • DHCP lease renewal – checking this enables the firewall when your dynamic IP address is renewed.

Network Settings

Ubuntu Firewalls. Firestarter: Network settings

  • Detected device(s) – lists your Ethernet adapters. Select the one used for Internet access (normally eth0 for a cable connection and wlan0 for WiFi).

The “Local network connected device” list is greyed out unless you have more than one adapter. If you do, and you want to share Internet access with another computer through yours, it lists the detected devices, and you should select the secondary adapter that connects your computer to the other one. You should also check “Enable Internet connection sharing”, and “Enable DHCP for the local network” if you want your computer to assign an IP address to the other computer automatically.

ICMP Filtering

Ubuntu Firewalls. Firestarter: ICMP Filtering

ICMP, the Internet Control Message Protocol, is used mainly by service applications, but it can also be used to perform denial-of-service attacks on your computer. It is therefore recommended to check the “Enable ICMP filtering” box, which filters all ICMP traffic; the boxes below then select which message types are still allowed through.

  • Echo request (ping) – allows ping requests to pass through.
  • Echo reply (ping) – allows ping replies to pass through.
  • Timestamping – allows ICMP timestamp messages.
  • MS Traceroute – allows requests from the MS Windows trace route utility to pass through.
  • Traceroute – allows generic trace route utilities to work.
  • Unreachable – allows “host unreachable” ICMP messages to pass through.
  • Address masking – allows address masking messages to pass through.
  • Redirection – allows ICMP redirection.
  • Source Quenching – allows ICMP source quench packets to pass through.

ToS Filtering

Ubuntu Firewalls. Firestarter: QoS settings

ToS, or Type of Service, filtering is actually a traffic prioritization function, which lets you prioritize one traffic type over another.

  • Enable Type of Service filtering – enables the function.

Prioritize services commonly used by:

  • Workstations – prioritizes browsing, messaging and download traffic.
  • Servers – prioritizes daemon traffic (such as http and ftp servers).
  • The X Window System – prioritizes traffic of the X Window remote display system. This is specific to classic Linux use and therefore rarely required.

In addition, you can choose how the selected traffic is prioritized: by Throughput, Reliability or Interactivity.

Note that although you can set up traffic prioritization here, every system and application in your set-up must support QoS (the Quality of Service standard); otherwise it will not work.

Advanced Options

Ubuntu Firewalls. Firestarter: Advanced settings

  • Preferred packet rejection method – defines how blocked network packets are handled. Set it to “Reject with error packet” to answer remote hosts, or to “Drop silently” to simply ignore them.
  • Broadcast traffic – filtering of packets sent to multiple machines simultaneously. The default, “filter broadcasts from outside, but accept internal broadcasts”, suits most cases. However, if you watch IPTV on your computer, it is recommended to uncheck “Block broadcasts from external network”.
  • Traffic validation – an additional security option that checks whether packets arriving from the Internet carry reserved addresses. For example, a packet with source address 127.0.0.1, which is always the local host, cannot legitimately arrive on the Ethernet card; checking this box blocks such packets.

Lock

Ubuntu Firewalls. Firestarter: Lock firewall

In addition, Firestarter has a “Lock” button, which locks the firewall settings against modification unless your (administrative) password is provided.