Linux: how to use Uncomplicated Firewall?


When I started using Linux in 1997, working with the built-in firewall wasn’t for everyone. In fact, it was quite complicated. From around 1998, if you wanted to manage the security of a system, you had to learn iptables (which is a suite of commands to manipulate the Netfilter packet filtering system).

For example, if you wanted to allow all incoming Secure Shell (SSH) traffic, you would use commands like this:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

It’s great if you have time not only to master the Linux operating system, but also to learn the intricacies of managing a complex security system. To be fair, I took the time and was finally able to manage my systems’ security with iptables.

However, the busier I got, the harder it became to maintain the level of proficiency needed to keep up to date with iptables. Over time, things started to become more accessible, and some Linux distribution developers realized that there was a need to simplify the system. One of these more accessible Linux firewalls came with the Ubuntu distribution (around version 12.04). This firewall is aptly named Uncomplicated Firewall.

Uncomplicated Firewall (UFW) is a front-end for iptables that emphasizes simplicity. Unlike iptables, UFW can be managed by anyone.

Let’s see how easy it is to manage your Linux system’s firewall with UFW.

There are two things you need to know about UFW:

  • It is a command line tool.
  • GUI tools are available to make your job easier.

UFW Command Line Basics

The UFW command is actually quite simple. Let’s go back to the SSH example mentioned above. Let’s say you want to allow other systems to access your machine through SSH (on port 22).

First, you need to check if UFW is enabled. Guess what… it isn’t by default. Test it by opening a terminal window and running the command:

sudo ufw status

You will likely see the following:

Status: inactive

How to activate it? By sending the command:

sudo ufw enable

The output of the command should be:

Firewall is active and enabled on system startup
Congratulations, your firewall is now active.

As for the basic usage of UFW, it looks something like this:

sudo ufw ARGUMENT SERVICE

Where ARGUMENT is one of ‘allow’, ‘deny’, ‘reject’, ‘limit’, ‘status’, ‘show’, ‘reset’, ‘reload’, ‘enable’ or ‘disable’, and SERVICE is the service you want to work with (such as SSH or HTTP).

Next, we need to allow SSH traffic into the system. Believe it or not, it’s as simple as this:

sudo ufw allow ssh

You can also run the command using the port number, like this:

sudo ufw allow 22

Or, if you are running SSH on port 2022, this command would be:

sudo ufw allow 2022

If you are working on a server and you need to allow HTTP traffic, this command would be:

sudo ufw allow http

Let’s go a little further

One of the advantages of UFW is that even using more advanced functions does not require special knowledge. Let’s say for example that you want to allow SSH traffic, but only from a specific IP address on your network.

If you have already allowed incoming SSH traffic, you will first need to remove this rule with:

sudo ufw delete allow ssh

Now, if you try to SSH into the machine, the firewall will block the attempt. So, let’s allow SSH connections from the IP address 192.168.1.152. To do this, we need to run the command:

sudo ufw allow from 192.168.1.152 to any port ssh

After running the above command, you should be able to login to the machine, via SSH, only from the remote system at IP address 192.168.1.152.
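The steps above (enable UFW, drop the broad "allow ssh" rule, allow SSH only from one address) collected into a small POSIX sh script, as an added example that is not from the article or from the ufw project. The DRY_RUN switch and the lock-out guard based on sshd's SSH_CONNECTION variable are this script's own additions; the ufw commands themselves are the ones the article uses, plus default policies and ufw's --force flag to skip the enable prompt.

```shell
#!/bin/sh
# Added example (not from the article or the ufw project): apply the
# article's procedure in one step and refuse to lock out the session that
# runs it. DRY_RUN=1 (a switch invented for this script) prints the ufw
# commands instead of executing them.

: "${DRY_RUN:=0}"

# Run a ufw command, or print it when DRY_RUN=1.
ufw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sudo ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# Default-deny inbound, allow outbound, replace the broad "allow ssh" rule
# with one that admits SSH only from the admin host, then enable ufw.
restrict_ssh_to() {
    admin_ip=$1
    valid_ipv4 "$admin_ip" || { echo "invalid IPv4 address: $admin_ip" >&2; return 2; }
    # sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
    # If this shell came in over SSH from another address, stop before the
    # new rule set would drop the current session.
    if [ -n "$SSH_CONNECTION" ]; then
        client_ip=${SSH_CONNECTION%% *}
        [ "$client_ip" = "$admin_ip" ] ||
            { echo "refusing: connected from $client_ip, not $admin_ip" >&2; return 3; }
    fi
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    ufw_cmd delete allow ssh          # harmless if no such rule exists
    ufw_cmd allow from "$admin_ip" to any port 22 proto tcp
    ufw_cmd --force enable            # --force skips the interactive prompt
    ufw_cmd status verbose
}

if [ -n "${1:-}" ]; then
    restrict_ssh_to "$1"
fi
```

Run it as `DRY_RUN=1 sh restrict-ssh.sh 192.168.1.152` first to review the exact ufw commands, then without DRY_RUN from the admin host itself.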

What about the GUI?

If command lines aren’t your cup of tea, there’s always a handy GUI tool to make your job easier. One such tool is GUFW, which lets you create UFW firewall rules by pointing and clicking. If GUFW is not installed by default on your Linux distribution, you will find it in your application store. Once installed, open the app and click on the Rules tab:

The GUFW tool makes configuring your firewall even easier. Picture: Jack Wallen.

As you can see, I have already added some UFW rules. One thing to keep in mind is that you cannot edit rules that were added through the UFW command line. Let’s add the same rule through the GUI as we just did through the command line. Click on + and then (in the Preconfigured tab) select the following:

  • Policy – Allow;
  • Direction – In;
  • Category – All;
  • Subcategory – All;
  • App – SSH.

This single action will be enough to create the rule allowing all SSH traffic into your system. If, however, you want to only allow traffic from a single IP address, you need to click on the Advanced tab and fill in the following fields:

  • Name – the name of your choice;
  • Policy – Allow;
  • Direction – In;
  • Interface – All Interfaces;
  • From – 192.168.1.152.

Added a rule to UFW to only allow SSH traffic from the IP address 192.168.1.62. Picture: Jack Wallen.

Click on Add to insert your rule into the firewall.

That’s it, the introduction to Uncomplicated Firewall is complete. But don’t think UFW is just a very basic firewall: you can build considerably more complicated rule sets with it. For the most part, though, UFW is easy enough for everyone to use.

Source: ZDNet.com