Diff for "UncomplicatedFirewall"

UncomplicatedFirewall

Differences between revisions 53 and 131 (spanning 78 versions)

Contents

Introduction
UFW in Ubuntu
1. Available Versions in supported versions of Ubuntu
2. Features
Basic Usage
1. Advanced Functionality
More Information

Introduction

The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a complete firewall solution that is both highly configurable and highly flexible.

Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.

UFW in Ubuntu

Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS.

Available Versions in supported versions of Ubuntu

Ubuntu 14.04 LTS: 0.34~rc-0ubuntu2
Ubuntu 16.04 LTS: 0.35-0ubuntu2
Ubuntu 18.04 LTS: 0.36-0ubuntu0.18.04.1
Ubuntu 20.04: 0.36-6
Ubuntu 22.04: 0.36.1-4,
Ubuntu 23.04: 0.36.1-4.1
Ubuntu 23.10: 0.36.2-1
Ubuntu Core: 0.36pre

Features

ufw has the following features:

Feature	0.31.1-1	0.34~rc-0ubuntu2	0.34-2	0.35
default incoming policy (allow/deny)	yes	yes	yes	yes
allow/deny incoming rules	yes	yes	yes	yes
IPv6 (by default)	yes	yes	yes	yes
status	yes	yes	yes	yes
logging (on/off)	yes	yes	yes	yes
extensible framework	yes	yes	yes	yes
python 2.5 support	yes	no	no	no
application integration	yes	yes	yes	yes*
IPv4 rate limiting via 'limit' command	yes	yes	yes	yes
internationalization	yes	yes	yes	yes
multiport incoming rules	yes	yes	yes	yes
debconf/preseeding	yes	yes	yes	yes
default incoming policy (reject)	yes	yes	yes	yes
reject incoming rules	yes	yes	yes	yes
rule insertion	yes	yes	yes	yes
log levels	yes	yes	yes	yes
per rule logging	yes	yes	yes	yes
outgoing filtering (on par with incoming)	yes	yes	yes	yes
filtering by interface	yes	yes	yes	yes
bash completion	yes	yes	yes	yes
upstart support	yes	yes	yes	yes
improved reporting	yes	yes	yes	yes
reset command	yes	yes	yes	yes
rsyslog support	yes	yes	yes	yes
delete by rule number	yes	yes	yes	yes
python 2.6 support	yes	yes	yes	yes
'show listening' report	yes	yes	yes	yes
python 2.7 support	yes	yes	yes	yes
increased protocol support (ah, esp)	yes	yes	yes	yes
IPv6 rate limiting via 'limit' command	--	yes	yes	yes
python 3.2 support	--	yes	yes	no
python 3.3 support	--	yes	yes	yes
'show added' report	--	yes	yes	yes
python 3.4 support	--	yes	yes	yes
before/after extensibility hooks	--	yes	yes	yes
routed packet filtering (FORWARD)	--	yes	yes	yes
systemd support	--	--	yes	yes
increased protocol support (igmp, gre)	--	--	yes	yes
python 3.5 support	--	--	yes	yes
Snappy for Ubuntu Core support	--	--	--	yes
per rule comments	--	--	--	yes

support for application integration is limited on Ubuntu Core at this time

Basic Usage

Getting started with ufw is easy. For example, to enable firewall, allow ssh access, enable logging, and check the status of the firewall, perform:

$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

On Ubuntu Core, simply replace 'ufw' with 'ufw.cmd'. Eg:

$ sudo ufw.cmd enable

Advanced Functionality

As mentioned, the ufw application is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files¹:

/etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
/etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
/etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
/etc/ufw/sysctl.conf: kernel network tunables
/var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
/etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
/etc/ufw/after.init: initialization customization script run after ufw is initialized (ufw 0.34 and later)
/etc/ufw/before.init: initialization customization script run before ufw is initialized (ufw 0.34 and later)

After modifying any of the above files, activate the new settings with:

$ sudo ufw disable
$ sudo ufw enable

¹ On Ubuntu Core, these files are located under /var/lib/apps/ufw*/current. See 'ufw.doc ufw-on-snappy' on an Ubuntu Core system for details.

More Information

Ubuntu 16.04 LTS (Xenial Xerus)
Ubuntu 18.04 LTS (Bionic Beaver)
Ubuntu 20.04 (Focal Fossa)
Ubuntu 21.04 (Hirsute Hippo)
- ufw manual
- ufw framework manual
Ubuntu 21.10 (Impish Indri)
- ufw manual
- ufw framework manual
Ubuntu 22.04 (Jammy Jellyfish)
- ufw manual
- ufw framework manual
Ubuntu Core
- See 'ufw.doc' on your Ubuntu Core system, specifically 'ufw.doc ufw-on-snappy | less' to see how ufw differs on Ubuntu Core.
Ubuntu Community Documentation on UFW
Specification: UbuntuFirewallSpec
Code: https://launchpad.net/ufw
Graphic User Interface for UFW: Gufw.

UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)

-  ⇤ ← Revision 53 as of 2008-08-11 14:21:29 → 
  Size: 11479
  Editor: c-76-26-203-136
  Comment: update Samba ports
+   ← Revision 131 as of 2023-10-18 01:29:55 → ⇥
  Size: 11529
  Editor: sbeattie
  Comment: add ufw versions for lunar and jammy
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
+## page was renamed from UbuntuFirewall
-Line 3:
+Line 4:
-''Please check the status of this specification in Launchpad before editing it.  If it is Approved, contact the Assignee or another knowledgeable person before making changes.''
 * '''Launchpad Entry''': UbuntuSpec:ubuntu-firewall
 * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]]
 * '''Packages affected''': none
-Line 8:
+Line 5:
-== Summary ==
+== Introduction ==
The Linux kernel in Ubuntu provides a packet filtering system called
`netfilter`, and the traditional interface for manipulating `netfilter` are the
`iptables` suite of commands. `iptables` provide a complete firewall solution
that is both highly configurable and highly flexible.
-Line 10:
+Line 11:
-'''Release Target''': Hardy
+Becoming proficient in `iptables` takes time, and getting started with
`netfilter` firewalling using only `iptables` can be a daunting task. As a
result, many frontends for `iptables` have been created over the years, each
trying to achieve a different result and targeting a different audience.
-Line 12:
+Line 16:
-'''Name''': ufw (Uncomplicated Firewall)
+The Uncomplicated Firewall (`ufw`) is a frontend for `iptables` and is particularly
well-suited for host-based firewalls. `ufw` provides a framework for
managing `netfilter`, as well as a command-line interface for manipulating the
firewall. `ufw` aims to provide an easy to use interface for people unfamiliar with
firewall concepts, while at the same time simplifies complicated `iptables` commands
to help an administrator who knows what he or she is doing. `ufw` is an upstream for
other distributions and graphical frontends.
-Line 14:
+Line 24:
-Create a tool for host-based iptables firewall configuration. This tool should
provide an easy to use interface to the user, as well as support package
integration and dynamic-detection of open ports.
+== UFW in Ubuntu ==
Ubuntu 8.04 LTS introduced `ufw`, and it is available by default in all Ubuntu
installations after 8.04 LTS.
-Line 18:
+Line 28:
+=== Available Versions in supported versions of Ubuntu ===
 * '''Ubuntu 14.04 LTS''': 0.34~rc-0ubuntu2
 * '''Ubuntu 16.04 LTS''': 0.35-0ubuntu2
 * '''Ubuntu 18.04 LTS''': 0.36-0ubuntu0.18.04.1
 * '''Ubuntu 20.04''': 0.36-6
 * '''Ubuntu 22.04''': 0.36.1-4,
 * '''Ubuntu 23.04''': 0.36.1-4.1
 * '''Ubuntu 23.10''': 0.36.2-1
 * '''Ubuntu Core''': 0.36pre
-Line 19:
+Line 38:
-== Release Note ==
+=== Features ===
`ufw` has the following features:
-Line 21:
+Line 41:
-The tool will not affect users in the default installation as the tool will initially be disabled on installation (ie default ACCEPT policy).
+|| '''Feature'''                             || '''0.31.1-1'''  || '''0.34~rc-0ubuntu2''' || '''0.34-2''' || '''0.35''' ||
|| default incoming policy (allow/deny)      || yes             || yes                    || yes          || yes        ||
|| allow/deny incoming rules                 || yes             || yes                    || yes          || yes        ||
|| IPv6 (by default)                         || yes             || yes                    || yes          || yes        ||
|| status                                    || yes             || yes                    || yes          || yes        ||
|| logging (on/off)                          || yes             || yes                    || yes          || yes        ||
|| extensible framework                      || yes             || yes                    || yes          || yes        ||
|| python 2.5 support                        || yes             || no                     || no           || no         ||
|| application integration                   || yes             || yes                    || yes          || yes*       ||
|| IPv4 rate limiting via 'limit' command    || yes             || yes                    || yes          || yes        ||
|| internationalization                      || yes             || yes                    || yes          || yes        ||
|| multiport incoming rules                  || yes             || yes                    || yes          || yes        ||
|| debconf/preseeding                        || yes             || yes                    || yes          || yes        ||
|| default incoming policy (reject)          || yes             || yes                    || yes          || yes        ||
|| reject incoming rules                     || yes             || yes                    || yes          || yes        ||
|| rule insertion                            || yes             || yes                    || yes          || yes        ||
|| log levels                                || yes             || yes                    || yes          || yes        ||
|| per rule logging                          || yes             || yes                    || yes          || yes        ||
|| outgoing filtering (on par with incoming) || yes             || yes                    || yes          || yes        ||
|| filtering by interface                    || yes             || yes                    || yes          || yes        ||
|| bash completion                           || yes             || yes                    || yes          || yes        ||
|| upstart support                           || yes             || yes                    || yes          || yes        ||
|| improved reporting                        || yes             || yes                    || yes          || yes        ||
|| reset command                             || yes             || yes                    || yes          || yes        ||
|| rsyslog support                           || yes             || yes                    || yes          || yes        ||
|| delete by rule number                     || yes             || yes                    || yes          || yes        ||
|| python 2.6 support                        || yes             || yes                    || yes          || yes        ||
|| 'show listening' report                   || yes             || yes                    || yes          || yes        ||
|| python 2.7 support                        || yes             || yes                    || yes          || yes        ||
|| increased protocol support (ah, esp)      || yes             || yes                    || yes          || yes        ||
|| IPv6 rate limiting via 'limit' command    || --              || yes                    || yes          || yes        ||
|| python 3.2 support                        || --              || yes                    || yes          || no         ||
|| python 3.3 support                        || --              || yes                    || yes          || yes        ||
|| 'show added' report                       || --              || yes                    || yes          || yes        ||
|| python 3.4 support                        || --              || yes                    || yes          || yes        ||
|| before/after extensibility hooks          || --              || yes                    || yes          || yes        ||
|| routed packet filtering (FORWARD)         || --              || yes                    || yes          || yes        ||
|| systemd support                           || --              || --                     || yes          || yes        ||
|| increased protocol support (igmp, gre)    || --              || --                     || yes          || yes        ||
|| python 3.5 support                        || --              || --                     || yes          || yes        ||
|| Snappy for Ubuntu Core support            || --              || --                     || --           || yes        ||
|| per rule comments                         || --              || --                     || --           || yes        ||
-Line 23:
+Line 84:
+ * support for application integration is limited on Ubuntu Core at this time
-Line 24:
+Line 86:
-== Rationale ==
+== Basic Usage ==
Getting started with `ufw` is easy. For example, to enable firewall, allow
ssh access, enable logging, and check the status of the firewall, perform:{{{
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded
-Line 26:
+Line 95:
-Ubuntu currently does not have an integrated firewall in its base installation.
The tools that are available to create a firewall are largely
based on GUI applications and/or designed for advanced users. Additionally,
existing tools also do not provide package integration so that when a network
daemon is installed, users have to determine on their own how to integrate
the application with the firewall.


== Use Cases ==

Alice uses a desktop system and wants to add a firewall as another layer of
protection.  Alice can enable the firewall to provide this protection.  When
new packages are added, Alice can easily enable the services provided
by these packages.

Bob installs a server with one network interface and wants to add a firewall as another layer of protection. Bob can enable the firewall to provide this protection, as well as monitor the status of open ports.

== Assumptions ==

The tool will allow users to specify opening a port explicitly as well as choosing from a list of open ports. However, to fully integrate with the system, packages should provide meta-data regarding what protocol and port a particular package will need to operate with a firewall.  The tool will still be useful during the transition when packages are not providing this information.


== Design ==

For the implementation status of each feature, please see the 'Status' section, below.

=== Rules ===
The tool will provide /etc/ufw/before[6].rules and /etc/ufw/after[6].rules. These files can be edited by the administrator if desired. The tool will manage /var/lib/ufw/user[6].rules. All of these files will be used with iptables-restore and ip6tables-restore, and used on boot. The rules files will evaluated in this order: /etc/ufw/before[6].rules, /var/lib/ufw/user[6].rules, then /etc/ufw/after[6].rules.

=== Boot ===
The package will provide /etc/init.d/ufw to enable the firewall on boot (can't use if-up.d script because /usr must be mounted to use python).  It should start before 'networking'.

=== Policy ===
The firewall policy will be:
 1. ACCEPT all on loopback
 1. ACCEPT all outgoing
 1. default policy of ACCEPT for incoming (configurable)
 1. LOG all dropped packets (perhaps use --limit 3/min --limit-burst 10 or similar)

=== Command-line Interface ===
The tool provides the following interface:
 * Turn firewall on and off ('disable' is default ACCEPT): {{{
# ufw enable|disable
+To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
-Line 71:
+Line 100:
- * Toggle logging: {{{
# ufw logging on|off
+This sets up a default deny (DROP) firewall for incoming connections, with all
outbound connections allowed with state tracking.

On Ubuntu Core, simply replace '`ufw`' with '`ufw.cmd`'. Eg: {{{
$ sudo ufw.cmd enable
-Line 75:
+Line 107:
- * Set the default policy (ie "mostly open" vs "mostly closed": {{{
# ufw default allow|deny
+=== Advanced Functionality ===
As mentioned, the `ufw` application is capable of doing anything that `iptables` can
do. This is achieved by using several sets of rules files, which are nothing more
than `iptables-restore` compatible text files. Fine-tuning `ufw` and/or adding additional
`iptables` commands not offered via the `ufw` command is a matter of editing various text
files^1^:
 * '''/etc/default/ufw''': high level configuration, such as default policies, IPv6 support and kernel modules to use
 * '''/etc/ufw/before[6].rules''': rules in these files are evaluated before any rules added via the `ufw` command
 * '''/etc/ufw/after[6].rules''': rules in these files are evaluated after any rules added via the `ufw` command
 * '''/etc/ufw/sysctl.conf''': kernel network tunables
 * '''/var/lib/ufw/user[6].rules''' or '''/lib/ufw/user[6].rules''' (0.28 and later): rules added via the `ufw` command (should not normally be edited by hand)
 * '''/etc/ufw/ufw.conf''': sets whether or not `ufw` is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
 * '''/etc/ufw/after.init''': initialization customization script run after ufw is initialized (ufw 0.34 and later)
 * '''/etc/ufw/before.init''': initialization customization script run before ufw is initialized (ufw 0.34 and later)

After modifying any of the above files, activate the new settings with:{{{
$ sudo ufw disable
$ sudo ufw enable
-Line 79:
+Line 127:
- * Accept or drop incoming packets to <service> (can see what services are available with 'status' (see below)).  <service> can be specified via service name in /etc/services, 'protocol:port', or via package meta-data. 'allow' adds service entry to /etc/ufw/maps and 'deny' removes service entry from /etc/ufw/maps.
 Basic syntax: {{{
# ufw allow|deny <service>
}}}
 Full PF-style syntax: {{{
 # ufw allow|deny [proto <protocol>] [from <address> [port <port>]] [to <address> [port <port>]]
}}}
+^1^ On Ubuntu Core, these files are located under `/var/lib/apps/ufw*/current`. See '`ufw.doc ufw-on-snappy`' on an Ubuntu Core system for details.
-Line 87:
+Line 129:
- * Display status of firewall and ports in the listening state, referencing /var/lib/ufw/maps.  Numbers in parenthesis are not displayed to user: {{{
# ufw status
Firewall loaded
+== More Information ==
 * Ubuntu 16.04 LTS (Xenial Xerus)
  * [[https://help.ubuntu.com/16.04/serverguide/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 91:
+Line 135:
-To			Action	From
--			------	----
apache2			DENY	Anywhere	Apache Webserver     (1)
openssh-server		ALLOW	Anywhere	SSH Logins           (2)
192.168.0.2 pop3s	ALLOW	Anywhere	                     (3)
named			DENY	Anywhere	WARNING: New service (4)
tcp:8082		DENY	10.0.0.0/8                           (5)
tcp:25			ALLOW	192.168.0.0/24                       (6)
ntp			ALLOW*	Anywhere                             (7)
imaps			ALLOW**	Anywhere                             (8)
tcp:23			ALLOW**	Anywhere                             (9)
jabberd2		ALLOW**	Anywhere                             (10)
+ * Ubuntu 18.04 LTS (Bionic Beaver)
  * [[https://help.ubuntu.com/18.04/serverguide/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 104:
+Line 140:
+ * Ubuntu 20.04 (Focal Fossa)
  * [[https://ubuntu.com/server/docs/security-firewall | Ubuntu Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 105:
+Line 145:
-* rule for removed package 'ntpd'
** services not running
}}}
  1. denied service referencing package meta-data
  1. allowed service referencing package meta-data
  1. allowed service referencing /etc/services
  1. denied service referencing dynamically-detected service
  1. denied service by specifying 'protocol:port'
  1. allowed service referencing a package with supplied meta-data, but was replaced by one that does not
  1. allowed service referencing removed package meta-data
  1. allowed service referencing /etc/services but the service is not running
  1. allowed service by specifying 'protocol:port' but the service is not running
  1. allowed service referencing package meta-data but the service is not running
+ * Ubuntu 21.04 (Hirsute Hippo)
  * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 119:
+Line 149:
-=== Package Integration ===
External packages will add files to /etc/ufw/applications.d that describe the service. File will use .INI format. Will support comma-separated values for protocols and ports, ranges for ports, and multiple entries per file.  Examples: {{{
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp
+ * Ubuntu 21.10 (Impish Indri)
  * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 126:
+Line 153:
-[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp
+ * Ubuntu 22.04 (Jammy Jellyfish)
  * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 131:
+Line 157:
-[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
}}} {{{
[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.
ports=137,138/udp|139,445/tcp
}}}
+ * Ubuntu Core
  * See '`ufw.doc`' on your Ubuntu Core system, specifically '`ufw.doc ufw-on-snappy | less`' to see how ufw differs on Ubuntu Core.
-Line 142:
+Line 160:
+ * [[https://help.ubuntu.com/community/UFW|Ubuntu Community Documentation on UFW]]
-Line 143:
+Line 162:
-== Migration ==

As there is currently no default firewall configuration for Ubuntu, there are no mandatory migration issues. The only migration issue is getting network daemon packages to provide the necessary policy files to ubuntu-firewall.

== Implementation ==

=== Rollout ===

 * upload to universe '''(DONE)'''
 * announce to devel-discuss and ubuntu-server '''(DONE)'''
 * [[MainInclusionReportUFW]] '''(ACCEPTED)'''
 * add to seed '''(DONE)'''

=== Status ===

Version 0.16 has the following implemented functionality (as described above):
 * Completed
   * enable/disable 
   * default policy
   * logging
   * initscript
   * packaging
   * default /proc adjustments (/etc/ufw/sysctl.conf)
   * allow/deny
   * ipv6
   * status
 * Not-implemented
   * package integration
   * /var/lib/ufw/maps
   * dynamic detection


== Test/Demo Plan ==

The source code has testing scripts.  Can use (from the top-level source):
{{{
$ cd <top-level source directory>
$ ./run_tests.sh -s
$ sudo ./run_tests.sh -s root
}}}

Additionally, once the package is installed, can use:
{{{
$ sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable
$ sudo ufw logging on && sudo iptables -L -n | grep LOG
$ sudo ufw logging off && sudo iptables -L -n | grep LOG
$ sudo ufw default allow && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw default deny && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw allow 53 && sudo ufw status
$ sudo ufw delete allow 53 && sudo ufw status
$ sudo ufw allow 80/tcp && sudo ufw status
$ sudo ufw delete allow 80/tcp && sudo ufw status
$ sudo ufw allow smtp && sudo ufw status
$ sudo ufw delete allow smtp && sudo ufw status
$ sudo ufw allow from 192.168.254.254 && sudo ufw status
$ sudo ufw delete allow from 192.168.254.254 && sudo ufw status
}}}

And for IPv6 testing (need at least ufw 0.10):
{{{
$ sudo sed -i 's/^IPV6=no/IPV6=yes/' /etc/default/ufw
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
$ sudo ufw delete allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
}}}

The README also contains information for testing.

'''IMPORTANT:''' When enabling the firewall and/or using '/etc/init.d/ufw start', the chains are necessarily flushed and connections may be dropped (eg ssh connections). You can add rules to the firewall before enabling it however, so if you are testing ufw on a remote machine, it is recommended you perform:
{{{
$ sudo ufw allow proto tcp from any to any port 22
}}}
before running 'ufw enable'. Once the firewall is enabled, adding and removing rules will not flush the firewall (though modifying an existing rule will).

== Outstanding Issues ==

 * UbuntuFirewallLongTerm describes some ideas for moving forward to extend functionality to include router/gateway configuration, NAT, QoS configuration and /proc adjustments (eg ip_forwarding, rp_filter, et al)

== Comments ==
 * Why not a QoS integration in this application?. It's useful overall if donwload programs use all the bandwidth and use has no option to navigate with commodity. Thanks.
  * '''ANSWER''' This may be included in a future release
 *I have a suggestion which probably is out of scope of this spec: add a default IP filtering range, like in peerguardian, which would block RIAA, MPAA, etc. -- AzraelNightwalker <<DateTime(2008-02-07T16:00:04Z)>> 
 *What about binaryspecific rules? (Maby that's what the packageintegration does?). Like this: I have installed Konquerior and Firefox and both packages report they want to surf the web (port 80 and 443) but I want to restrict Konquerior to my own internal subnet only while Firefox will be sllowed to surf to any IP-address. This type of configuration is able to do in other firewalls (like "NetLimiter 2 Pro" for windows) and I would be happy to see something similar in Ubuntu's firewall. -- AndersHäggström
 * Why not create a ufw.d folder? When users install applications the deb would add a entry. An example would be installing Apache, the deb would add an entry to allow incoming connections to port 80. 
  * '''ANSWER''' This is planned. See 'Package Integration', above.
 * Another option is firehol it has a single configuration file pretty "declarative".
 * What about firewall tool 'X'.
  * '''ANSWER''' Users are still free to use whatever firewall tool best fits their needs. ufw is not enabled by default and will not get in the way of other tools when not enabled.
 * GUI for ufw available: http://gufw.tuxfamily.org/

----
CategorySpec
+ * '''Specification''': UbuntuFirewallSpec
 * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]]
 * Graphic User Interface for UFW: [[https://help.ubuntu.com/community/Gufw|Gufw]].

Ubuntu Wiki