UncomplicatedFirewall

Introduction

The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a complete firewall solution that is both highly configurable and highly flexible.

Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.

UFW in Ubuntu

Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS.

Available Versions in supported versions of Ubuntu

  • Ubuntu 14.04 LTS: 0.34~rc-0ubuntu2

  • Ubuntu 16.04 LTS: 0.35-0ubuntu2

  • Ubuntu 18.04 LTS: 0.36-0ubuntu0.18.04.1

  • Ubuntu 20.04: 0.36-6

  • Ubuntu 22.04: 0.36.1-4,

  • Ubuntu 23.04: 0.36.1-4.1

  • Ubuntu 23.10: 0.36.2-1

  • Ubuntu Core: 0.36pre

Features

ufw has the following features:

Feature

0.31.1-1

0.34~rc-0ubuntu2

0.34-2

0.35

default incoming policy (allow/deny)

yes

yes

yes

yes

allow/deny incoming rules

yes

yes

yes

yes

IPv6 (by default)

yes

yes

yes

yes

status

yes

yes

yes

yes

logging (on/off)

yes

yes

yes

yes

extensible framework

yes

yes

yes

yes

python 2.5 support

yes

no

no

no

application integration

yes

yes

yes

yes*

IPv4 rate limiting via 'limit' command

yes

yes

yes

yes

internationalization

yes

yes

yes

yes

multiport incoming rules

yes

yes

yes

yes

debconf/preseeding

yes

yes

yes

yes

default incoming policy (reject)

yes

yes

yes

yes

reject incoming rules

yes

yes

yes

yes

rule insertion

yes

yes

yes

yes

log levels

yes

yes

yes

yes

per rule logging

yes

yes

yes

yes

outgoing filtering (on par with incoming)

yes

yes

yes

yes

filtering by interface

yes

yes

yes

yes

bash completion

yes

yes

yes

yes

upstart support

yes

yes

yes

yes

improved reporting

yes

yes

yes

yes

reset command

yes

yes

yes

yes

rsyslog support

yes

yes

yes

yes

delete by rule number

yes

yes

yes

yes

python 2.6 support

yes

yes

yes

yes

'show listening' report

yes

yes

yes

yes

python 2.7 support

yes

yes

yes

yes

increased protocol support (ah, esp)

yes

yes

yes

yes

IPv6 rate limiting via 'limit' command

--

yes

yes

yes

python 3.2 support

--

yes

yes

no

python 3.3 support

--

yes

yes

yes

'show added' report

--

yes

yes

yes

python 3.4 support

--

yes

yes

yes

before/after extensibility hooks

--

yes

yes

yes

routed packet filtering (FORWARD)

--

yes

yes

yes

systemd support

--

--

yes

yes

increased protocol support (igmp, gre)

--

--

yes

yes

python 3.5 support

--

--

yes

yes

Snappy for Ubuntu Core support

--

--

--

yes

per rule comments

--

--

--

yes

  • support for application integration is limited on Ubuntu Core at this time

Basic Usage

Getting started with ufw is easy. For example, to enable firewall, allow ssh access, enable logging, and check the status of the firewall, perform:

$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

On Ubuntu Core, simply replace 'ufw' with 'ufw.cmd'. Eg:

$ sudo ufw.cmd enable

Advanced Functionality

As mentioned, the ufw application is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files1:

  • /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use

  • /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command

  • /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command

  • /etc/ufw/sysctl.conf: kernel network tunables

  • /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)

  • /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL

  • /etc/ufw/after.init: initialization customization script run after ufw is initialized (ufw 0.34 and later)

  • /etc/ufw/before.init: initialization customization script run before ufw is initialized (ufw 0.34 and later)

After modifying any of the above files, activate the new settings with:

$ sudo ufw disable
$ sudo ufw enable

1 On Ubuntu Core, these files are located under /var/lib/apps/ufw*/current. See 'ufw.doc ufw-on-snappy' on an Ubuntu Core system for details.

More Information

UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)