An Introduction to Ubuntu’s ‘Uncomplicated’ Firewall

Is the firewall for Ubuntu Linux as easy to use as Canonical claims? You'd be hard-pressed to find an easier firewall system to help lock down your systems.
Dec 30th, 2023 6:00am by

It’s inevitable. At some point, you’re going to be using Ubuntu, or an Ubuntu-derived, Linux distribution. This could be as an admin with a traditional server or desktop, a virtual machine, or as an image for container deployments.

There’s a good reason for that. Ubuntu is not only a widely used operating system for multiple purposes, but it’s also very user-friendly.

Even the firewall has become quite simple to use. That, of course, hasn’t always been the case. When I first started using Linux, if I wanted to configure the firewall, I had to suck it up and learn iptables, which was no easy feat. In fact (at the time), iptables was one of the most complicated tools to not only master but to simply use.

Imagine you wanted to secure SSH traffic, and you knew that doing so would require commands like this:


Not only were the iptables commands a significant challenge to remember, but they were also a bear to type. And with so many options and flags to consider, it was very easy to get things wrong.

I even knew some Linux admins who were prone to tossing their hands in the air and leaving every port on a server open for all to see. That, of course, isn’t just lazy but inviting trouble.

Fortunately, over the years, Ubuntu evolved and adopted a far simpler firewall tool that anyone could learn and use.

The firewall in question is UFW (Uncomplicated Firewall). Like the RHEL-based firewalld, UFW is just a frontend for iptables that focuses on simplicity. Believe me when I say that’s a good thing. And even though UFW is uncomplicated, it still works very well. And for those who prefer a GUI (and have a desktop environment available on their Ubuntu deployments), there’s a graphical option that means you’d never have to run a single command for the firewall.

What I want to do is show you how UFW works and then walk you through the process of installing a GUI.

What You’ll Need

The only things you’ll need to follow along are a running instance of an Ubuntu-based Linux distribution and a user with sudo privileges.

Using UFW from the Command Line

The first thing we’ll do is work with the firewall from the command line. UFW will be installed, by default, on your Ubuntu machines. You can verify this by issuing the command:


You will probably see the following output:


Obviously, that means UFW hasn’t been enabled. To activate the firewall, issue the command:


Now, when you issue the status command, it will report:


Your firewall is now working. You can view even more information with the command:


The above command will report something like:


If you attempt to SSH into that machine, you’ll be blocked. Why? Because out of the box, UFW blocks all incoming traffic.

Open Ports with SSH

Let’s open the SSH port (22), so we can log into the machine via Secure Shell. We can do that either by port or service. Those commands are:


Unlike firewalld on RHEL-based machines, you don’t have to reload the firewall for the changes to take effect.

Now, if you attempt to SSH into that machine, you will be allowed.

You can do the same with any service or port, such as:


It really is that simple.

There are, however, a few more tricks up UFW’s sleeve. Let’s stick with SSH traffic. When you opened port 22 on the machine, you allowed traffic from any machine through that port. What if you want to allow only one machine through that port? If you know the IP address of that machine, you can do that. First, you have to delete the rule you just created with the command:


Let’s say you want to only allow SSH traffic from a machine with IP address 192.168.1.73. The command for that would be:


Once you’ve run the above command, only the machine at IP address 192.168.1.73 will be allowed in through port 22. And since all other ports are blocked, the SSH port is the only thing open and it’s only open to that one machine.

To delete that rule, the command would be:


Or, maybe you want to open the SSH port to all machines on your LAN. Sticking with the same IP address scheme, that command would be:
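
The steps from this section gathered into one script, as an added example that is not part of the original article; it orders the commands so the restricted SSH rule exists before the firewall is enabled. Assumptions: IPv4 sources, SSH on port 22, and the hypothetical function names valid_src, plan_ssh_lockdown and apply_plan.

```shell
#!/bin/sh
# Added example (not from the article): restrict SSH to one source with UFW.
# Dry run by default; set APPLY=1 to execute (needs sudo and ufw installed).

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so
# nothing that looks like an option or extra arguments reaches ufw.
valid_src() {
    addr=${1%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the commands in a lockout-safe order: add the narrow rule first,
# then drop the open-to-all rules, and only then enable the firewall.
plan_ssh_lockdown() {
    valid_src "$1" || { echo "invalid source: $1" >&2; return 2; }
    cat <<EOF
ufw allow from $1 to any port 22 proto tcp
ufw delete allow ssh
ufw delete allow 22
ufw --force enable
ufw status verbose
EOF
}

# Show the plan, or run it line by line when APPLY=1.
apply_plan() {
    plan=$(plan_ssh_lockdown "$1") || return
    echo "$plan" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            sudo $cmd </dev/null || echo "warning: '$cmd' failed" >&2
        else
            echo "would run: sudo $cmd"
        fi
    done
}

# 192.168.1.73 is the article's sample host; pass e.g. 192.168.1.0/24 for a LAN.
apply_plan "${1:-192.168.1.73}"
```

The two delete lines cover a rule opened by service name or by port number; a delete that finds no matching rule only produces a message.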

What about the GUI?

If you want to install the GUI app for UFW, the command is:


Once the installation completes, you’ll find the Firewall GUI in your desktop menu. Open the app, type your sudo password when prompted, and you’ll find a very simple GUI tool for managing UFW (Figure 1).

 

Figure 1: The gufw GUI app makes managing UFW even easier.

Click the Rules tab and you’ll see the last command we ran above listed (Figure 2).

 

Figure 2: Our rule to allow all LAN traffic through SSH is listed.

To create a new rule with the GUI, click + in the Rules tab and use either the Preconfigured, Simple, or Advanced tabs to create your rule. The Simple tab is my favorite, because all you have to do is type a name; select a policy, direction, and protocol; and then type either a port or service (Figure 3).

 

Figure 3: Creating a firewall rule with the Simple tab in gufw.

The Advanced tool is similar to the Simple option, only it adds Interface, Log, From, and To options.

And that’s the gist of working with Uncomplicated Firewall. You’d be hard-pressed to find an easier firewall system on the market to help lock down your systems.

To learn more about UFW, make sure to visit its Ubuntu Wiki page or issue the command man ufw.
