UncomplicatedFirewall

Differences between revisions 70 and 71
Revision 70 as of 2009-04-23 16:46:18
Size: 4144
Editor: pool-71-114-243-118
Comment:
Revision 71 as of 2009-04-23 17:23:20
Size: 5527
Editor: pool-71-114-243-118
Comment: add Advanced Functionality and a few updates
Line 15: Line 15:
With 8.04 LTS, Ubuntu introduced the Uncomplicated Firewall (`ufw`). `ufw` is a
frontend for `iptables`, and is installed but not enabled by default in Ubuntu
(users must explicitly enable it). Particularly well-suited for host-based
firewalls, `ufw` provides a framework for managing `netfilter`, as well as a
command-line interface for manipulating the firewall. `ufw` aims to provide an
easy to use interface for people unfamiliar with firewall concepts, while at
the same time simplifies complicated `iptables` commands to help an adminstrator
who knows what he or she is doing. `ufw` is an upstream for other distributions
and graphical frontends.
The Uncomplicated Firewall (`ufw`) is a frontend for `iptables` and is particularly
well-suited for host-based firewalls. `ufw` provides a framework for
managing `netfilter`, as well as a command-line interface for manipulating the
firewall. `ufw` aims to provide an easy to use interface for people unfamiliar with
firewall concepts, while at the same time simplifies complicated `iptables` commands
to help an adminstrator who knows what he or she is doing. `ufw` is an upstream for
other distributions and graphical frontends.
Line 25: Line 23:
== Basic Usage ==
Getting started with `ufw` is easy. For example, to enable firewall, allow
ssh access, enable logging, and check the status of the firewall, perform:{{{
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded
== UFW in Ubuntu ==
Ubuntu 8.04 LTS introduced `ufw`, and it is available by default in all Ubuntu
installations after 8.04 LTS.
Line 34: Line 27:
To Action From
-- ------ ----
22:tcp ALLOW Anywhere
}}}
=== Available Versions ===
 * '''Ubuntu 8.04 LTS''': 0.16.2
 * '''Ubuntu 8.10''': 0.23.2
 * '''Ubuntu 9.04''': 0.27-0ubuntu2
Line 39: Line 32:
This sets up a default deny (DROP) firewall for incoming connections, with all
outbound connections allowed with connections tracking. See
[[https://wiki.ubuntu.com/UbuntuFirewall#More%20Information|More Information]]
for full details.

== Features ==
=== Features ===
`ufw` has the following features:
Line 63: Line 52:
== Basic Usage ==
Getting started with `ufw` is easy. For example, to enable firewall, allow
ssh access, enable logging, and check the status of the firewall, perform:{{{
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
22:tcp ALLOW Anywhere
}}}

This sets up a default deny (DROP) firewall for incoming connections, with all
outbound connections allowed with connections tracking.

=== Advanced Functionality ===
As mentioned, the `ufw` framework is capable of doing anything that `iptables` can
do. This is achieved by using several sets of rules files, which are nothing more
than `iptables-restore` compatible text files. Fine-tuning `ufw` and/or adding additional
`iptables` commands not offered via the `ufw` command is a matter of editing various text
files:
 * '''/etc/defaults/ufw''': high level configuration, such as default policies, IPv6 support and kernel modules to use
 * '''/etc/ufw/before[6].rules''': rules in these files are evaluated before any rules added via the `ufw` command
 * '''/etc/ufw/after[6].rules''': rules in these files are evaluated after any rules added via the `ufw` command
 * '''/etc/ufw/sysctl.conf''': kernel network tunables
 * '''/var/lib/ufw/user[6].rules''': rules added via the `ufw` command (should not normally be edited by hand)
 * '''/etc/ufw/ufw.conf''': sets whether or not `ufw` is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL

After modifying any of the above files, activate the new setting with:{{{
$ sudo ufw disable
$ sudo ufw enable
}}}

See [[https://wiki.ubuntu.com/UbuntuFirewall#More%20Information|More Information]]
to learn more about the `ufw` command and the `ufw` framework.
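Review bot: the first bullet of the new Advanced Functionality list gives the path as /etc/defaults/ufw, while the per-package defaults directory on Debian and Ubuntu is /etc/default (singular); check the spelling before readers copy it, since every other path in the list is exact. The activation sequence that follows (`ufw disable` then `ufw enable`) flushes the ruleset and leaves the host unfiltered for the interval between the two commands, so the text might note that the pair should be run back to back and that a syntax error in an edited rules file will surface as a failed `ufw enable`, not a partially loaded firewall.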

Introduction

The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. iptables provides a complete firewall solution that is both highly configurable and highly flexible.

Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.

UFW in Ubuntu

Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS.

Available Versions

  • Ubuntu 8.04 LTS: 0.16.2
  • Ubuntu 8.10: 0.23.2
  • Ubuntu 9.04: 0.27-0ubuntu2

Features

ufw has the following features:

Feature                       8.04 LTS  8.10  9.04
-------                       --------  ----  ----
default policy (allow/deny)   yes       yes   yes
allow/deny rules              yes       yes   yes
ipv6                          yes       yes   yes
status                        yes       yes   yes
logging (on/off)              yes       yes   yes
application integration       --        yes   yes
limit rules (rate limiting)   --        yes   yes
multiport rules               --        yes   yes
debconf/preseeding            --        --    yes
default policy (reject)       --        --    yes
reject rules                  --        --    yes
rule insertion                --        --    yes
log levels                    --        --    yes
per rule logging              --        --    yes

Basic Usage

Getting started with ufw is easy. For example, to enable the firewall, allow ssh access, enable logging, and check the status of the firewall, run:

$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with connection tracking.
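Once a host is running under ufw, the question a defender asks is whether the rule table still matches what was intended. As an added example that is not part of the wiki page, this POSIX shell snippet parses `ufw status` output in the format shown above and reports any ALLOW rule that is not in an expected baseline; both the status text and the baseline are constructed sample data.

```shell
# Added example, not from the Ubuntu wiki: diff the ALLOW rules reported by
# `ufw status` against an expected baseline, so that a port opened outside
# change control is noticed. Both inputs below are constructed sample text.

# Constructed `ufw status` output in the format shown on the page.
# On a real host: sudo ufw status > /tmp/ufw-status.txt
SAMPLE_STATUS='Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere
3306:tcp                   ALLOW   Anywhere'

# Rules this host is supposed to have, one "port:proto" per line.
BASELINE='22:tcp
80:tcp'

# Print the "To" column of every ALLOW row; the banner and header lines have
# something other than ALLOW in the second column and are skipped.
status_allowed() {
    printf '%s\n' "$1" | awk '$2 == "ALLOW" { print $1 }'
}

# Exit 0 when every ALLOW rule is in the baseline; otherwise list the extras
# and exit 1.
check_drift() {
    status="$1"; baseline="$2"
    extra=$(status_allowed "$status" | while read -r rule; do
        printf '%s\n' "$baseline" | grep -Fqx -- "$rule" || printf '%s\n' "$rule"
    done)
    if [ -n "$extra" ]; then
        printf 'unexpected ALLOW rules:\n%s\n' "$extra"
        return 1
    fi
    echo "firewall matches baseline"
}

check_drift "$SAMPLE_STATUS" "$BASELINE" || echo "drift detected; review the rules above"
```

With the constructed input the check reports 3306:tcp as unexpected and exits non-zero, which makes it usable from cron or a configuration-management run.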

Advanced Functionality

As mentioned, the ufw framework is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore-compatible text files. Fine-tuning ufw and/or adding iptables commands not offered via the ufw command is a matter of editing various text files:

  • /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
  • /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
  • /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
  • /etc/ufw/sysctl.conf: kernel network tunables
  • /var/lib/ufw/user[6].rules: rules added via the ufw command (should not normally be edited by hand)
  • /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL

After modifying any of the above files, activate the new setting with:

$ sudo ufw disable
$ sudo ufw enable
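Because the rules files are plain iptables-restore text, a hand edit that breaks them is only discovered when `ufw enable` fails after the `ufw disable` above. As an added example that is not part of the wiki page, this POSIX shell snippet sanity-checks a rules file of that format before the disable/enable cycle: every *table block must end with COMMIT, and every -A/-I rule must target a chain declared in that block. The two rules texts are constructed; the ufw-before-* chain names follow the naming seen in ufw's own files.

```shell
# Added example, not from the Ubuntu wiki: lint an iptables-restore style file
# such as /etc/ufw/before.rules before running `ufw disable; ufw enable`.
# Catches a missing COMMIT and rules that append to an undeclared chain, two
# common hand-editing mistakes. Both inputs are constructed sample text.

GOOD_RULES='*filter
# chains are declared before they are used (constructed before.rules fragment)
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed broken file: chain name typo, and the COMMIT line is missing.
BAD_RULES='*filter
:ufw-before-input - [0:0]
-A ufw-before-inptu -i lo -j ACCEPT'

# Print one diagnostic per problem; prints nothing when the file is well-formed.
lint_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/     { table = substr($1, 2); open = 1; split("", chains); next }
        /^:/      { chains[substr($1, 2)] = 1; next }
        /^-[AI] / { if (!($2 in chains))
                        printf "undeclared chain %s in table %s\n", $2, table
                    next }
        /^COMMIT/ { open = 0; next }
        END       { if (open) printf "table %s not closed with COMMIT\n", table }
    '
}

# Exit 0 only when lint_rules finds nothing to report.
rules_ok() {
    [ -z "$(lint_rules "$1")" ]
}

# Usage: lint_rules "$(cat /etc/ufw/before.rules)" on a real host.
rules_ok "$GOOD_RULES" && echo "good rules: ok"
rules_ok "$BAD_RULES" || lint_rules "$BAD_RULES"
```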

See More Information to learn more about the ufw command and the ufw framework.

More Information

UncomplicatedFirewall (last edited 2025-10-09 17:40:56 by hlibk)