Sunday, March 15, 2009

Configuring Ubuntu's firewall

Ubuntu comes bundled with a firewall, but it is not enabled by default. Since the Ubuntu project prides itself on being the Linux for everyone, the included firewall is intended to be uncomplicated and relatively easy to use. It is called ufw, which stands for "uncomplicated firewall." Getting it up and running is simple enough; turn it on with:
sudo ufw enable
This turns the firewall on and sets it to activate at boot. To turn it back off, switch the keyword enable for disable. One caveat before you do this on a machine you are logged into remotely: ufw's default policy blocks incoming connections, so enabling it with no rules will drop your SSH session. Add the rule that allows SSH (shown next) first, then enable. This firewall is based upon rules. You set rules to either allow or deny services or ports. To enable a service, like SSH, for example, enter this command:
sudo ufw allow ssh
To explicitly deny a service, switch the allow keyword for deny. To remove this rule, type:
sudo ufw delete allow ssh
To explicitly allow a specific port:
sudo ufw allow [port]
You can optionally specify the protocol to allow following the port number. For example, to allow TCP connections on port 231 you would type:
sudo ufw allow 231/tcp
To set the default behavior for services and ports that do not have explicit rules:
sudo ufw default deny
If you wish to allow connections by default, switch the deny keyword for allow. This default policy applies to incoming traffic; connections the machine itself makes outward are still permitted. You can check the status of the firewall and the existing rules with (ufw needs root for this too):
sudo ufw status
These might be some other useful services to enable:
  • mysql (database included as part of the LAMP stack)
  • www (allows connections to your webserver)
  • microsoft-ds (Windows file sharing a.k.a. Samba)
A listing of services you can specify by name is located at "/etc/services". If the service you're looking for isn't listed there, a pretty complete list of services and the ports they use is available here.

When configuring your firewall, the general rule of thumb is to make it as restrictive as possible: open only the ports you have to, and otherwise keep the system locked down. For this reason the default behavior on my firewall is to deny all connections except those that are explicitly allowed.
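Putting the commands above together, here is an added example (it is not part of the original post and not ufw's own code) of a small POSIX sh script that applies a default-deny configuration in an order that cannot lock you out of a remote session: set the default policies, allow the administrative port first, add the other rules, and only then enable. The ADMIN_PORT and UFW_CMD variables and the rule-format check are this script's own conventions, not ufw options; setting UFW_CMD=echo gives a dry run.

```sh
#!/bin/sh
# Added example, not part of the original post: apply a default-deny ufw
# configuration in an order that cannot lock you out of a remote session.
# ADMIN_PORT (the port you administer the box over) and UFW_CMD (set to
# "echo" for a dry run) are this script's own conventions, not ufw options.
set -eu

ADMIN_PORT="${ADMIN_PORT:-22/tcp}"
UFW_CMD="${UFW_CMD:-sudo ufw}"

# is_valid_rule SPEC: accept a service name (as in /etc/services), a bare
# port 1-65535, or PORT/tcp or PORT/udp; reject anything else so that a
# malformed or hostile spec never reaches the shell as part of a command.
is_valid_rule() {
  case "$1" in
    */tcp|*/udp) port="${1%/*}" ;;
    */*)         return 1 ;;          # unknown protocol or extra slashes
    *)           port="$1" ;;
  esac
  case "$port" in
    '')       return 1 ;;
    *[!0-9]*)                         # not numeric: service-name characters only
      case "$port" in
        *[!a-z0-9-]*) return 1 ;;
        *)            return 0 ;;
      esac ;;
  esac
  if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then return 0; else return 1; fi
}

# ufw_plan RULE...: print the ufw subcommands in a lockout-safe order:
# default policies, then the admin port, then the other rules, then enable.
ufw_plan() {
  for spec in "$ADMIN_PORT" "$@"; do
    is_valid_rule "$spec" || { echo "invalid rule: $spec" >&2; return 1; }
  done
  echo "default deny incoming"
  echo "default allow outgoing"
  echo "allow $ADMIN_PORT"
  for spec in "$@"; do
    [ "$spec" = "$ADMIN_PORT" ] || echo "allow $spec"
  done
  echo "--force enable"               # --force skips the interactive confirmation
}

# ufw_apply RULE...: run the plan with $UFW_CMD (sudo ufw, or echo to preview).
ufw_apply() {
  plan=$(ufw_plan "$@") || return 1
  printf '%s\n' "$plan" | while IFS= read -r line; do
    # shellcheck disable=SC2086  # word splitting of $line is intended
    $UFW_CMD $line
  done
}

# Usage: ./ufw-setup.sh plan ssh www 231/tcp      (print the commands)
#        ./ufw-setup.sh apply ssh www 231/tcp     (run them via sudo ufw)
case "${1-}" in
  plan)  shift; ufw_plan "$@" ;;
  apply) shift; ufw_apply "$@" ;;
esac
```

Run it first with `UFW_CMD=echo ./ufw-setup.sh apply ssh www` to see exactly what will be executed, and set ADMIN_PORT if you moved SSH off port 22. The validation step matters when the rule list comes from a config file or another script: a spec such as "22; rm -rf /" is rejected before it is ever word-split into a command.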

If you are interested in a firewall with a GUI, you may find this article to be helpful.
