Simplify your firewall setup
Detours
Since version 0.34, ufw now also supports routing. This means that the firewall can wave through incoming packets and, for example, forward all requests arriving on network interface enp0s3
to the interface enp0s8
(shown in Listing 4).
Listing 4
Forwarding Requests
$ sudo ufw route allow in on enp0s3 out on enp0s8
For IP forwarding to work, the corresponding function must be enabled in the sysctl.conf
configuration file. On Ubuntu, you use the /etc/ufw/sysctl.conf
file for this purpose; enter the lines from Listing 5 or – if they already exist – enable them by removing the preceding hashtags (#
). If you made some changes, restart ufw by typing
sudo ufw disable
Listing 5
Enable Forwarding
net/ipv4/ip_forward=1 net/ipv6/conf/default/forwarding=1 net/ipv6/conf/all/forwarding=1
followed by
sudo ufw enable
This more or less brings us to the end of ufw's feature set. In particular, ufw does not yet support masquerading, where the firewall changes, among other things, the source and destination ports in the packets that pass through the firewall. But, as mentioned earlier, more complex rules can be added using iptables. The corresponding configuration is stored either in the /etc/ufw/before.rules
file or in /etc/ufw/after.rules
. These rules are applied by the firewall before or after the rules that you defined with the ufw
command-line program.
Gufw
It is even easier to configure the firewall with Gufw [3], the ufw's graphical user interface. However, since it is not officially part of the ufw project, you usually have to install it in a second step. On Ubuntu, you can install Gufw with:
sudo apt install gufw
After starting Gufw, click the button next to Status to fire up the firewall. Then, in Inbound and Outbound, set the respective default rules. The Report tab (Figure 4), an extremely practical feature, displays the running services more clearly than the matching ufw show listening
command. Clicking the plus icon also automatically creates a matching firewall rule.
All existing rules can be found in the Rules tab. Use the gear icon to edit the currently selected rule and the plus icon to add another rule. Under Preconfigured, you can select an application profile; Gufw sorts the applications into categories. CUPS, for example, can be found below Network in the Print subcategory. If you don't want to use application profiles, switch to the Simple tab. Even more granular settings are allowed by the Advanced tab (Figure 5).
Conclusions
With the comparatively simple ufw, a firewall can be configured far faster than with the more complex iptables. The simple ufw rules also reduce the risk of misconfiguration and simplify maintenance. Nevertheless, ufw provides all the critical functions required to harden popular services. If you reach ufw's limits, you can add further rules with iptables. However, ufw and iptables' different syntax does prove to be a hindrance here. The bottom line, however, is that ufw makes setting up a firewall far easier.
Infos
- ufw: https://launchpad.net/ufw
- ufw source code: https://code.launchpad.net/ufw
- Gufw: http://gufw.org
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)