Ubuntu Wiki

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

• Launchpad Entry: ubuntu-firewall

• Code: https://launchpad.net/ufw

• Packages affected: none

Summary

Release Target: Hardy

Release Target (package integration): Intrepid

Name: ufw (Uncomplicated Firewall)

Create a tool for host-based iptables firewall configuration. This tool should provide an easy to use interface to the user, as well as support package integration and dynamic-detection of open ports.

Release Note

The tool will not affect users in the default installation as the tool will initially be disabled on installation (ie default ACCEPT policy).

Rationale

Ubuntu currently does not have an integrated firewall in its base installation. The tools that are available to create a firewall are largely based on GUI applications and/or designed for advanced users. Additionally, existing tools also do not provide package integration so that when a network daemon is installed, users have to determine on their own how to integrate the application with the firewall.

Use Cases

Alice uses a desktop system and wants to add a firewall as another layer of protection. Alice can enable the firewall to provide this protection. When new packages are added, Alice can easily enable the services provided by these packages.

Bob installs a server with one network interface and wants to add a firewall as another layer of protection. Bob can enable the firewall to provide this protection, as well as monitor the status of open ports.

Assumptions

The tool will allow users to specify opening a port explicitly as well as choosing from a list of open ports. However, to fully integrate with the system, packages should provide meta-data regarding what protocol and port a particular package will need to operate with a firewall. The tool will still be useful during the transition when packages are not providing this information.

Design

For the implementation status of each feature, please see the 'Status' section, below.

Rules (Completed: Hardy)

The tool will provide /etc/ufw/before[6].rules and /etc/ufw/after[6].rules. These files can be edited by the administrator if desired. The tool will manage /var/lib/ufw/user[6].rules. All of these files will be used with iptables-restore and ip6tables-restore, and used on boot. The rules files will evaluated in this order: /etc/ufw/before[6].rules, /var/lib/ufw/user[6].rules, then /etc/ufw/after[6].rules.

Boot (Completed: Hardy)

The package will provide /etc/init.d/ufw to enable the firewall on boot (can't use if-up.d script because /usr must be mounted to use python). It should start before 'networking'.

Policy (Completed: Hardy)

The firewall policy will be:

1. ACCEPT all on loopback
2. ACCEPT all outgoing
3. default policy of ACCEPT for incoming (configurable)
4. LOG all dropped packets (perhaps use --limit 3/min --limit-burst 10 or similar)

Command-line Interface (Completed: Hardy)

The tool provides the following command-line interface (CLI) interface:

• Turn firewall on and off ('disable' is default ACCEPT):

  # ufw enable|disable

• Toggle logging:

  # ufw logging on|off

• Set the default policy (ie "mostly open" vs "mostly closed":

  # ufw default allow|deny

• Accept or drop incoming packets to <service> (can see what services are available with 'status' (see below)). <service> can be specified via service name in /etc/services, 'protocol:port', or via package meta-data. 'allow' adds service entry to /etc/ufw/maps and 'deny' removes service entry from /etc/ufw/maps. Basic syntax:

  # ufw allow|deny <service>

  Full PF-style syntax:

   # ufw allow|deny [proto <protocol>] [from <address> [port <port>]] [to <address> [port <port>]]

• Display status of firewall and open ports (Completed: Hardy), ports the listening state (Target: future), and package integration (Target: Intrepid). Numbers in parenthesis are not displayed to user:

  # ufw status
  Firewall loaded
  
  To                      Action  From
  --                      ------  ----
  apache2                 DENY    Anywhere        Apache Webserver     (1)
  openssh-server          ALLOW   Anywhere        SSH Logins           (2)
  192.168.0.2 pop3s       ALLOW   Anywhere                             (3)
  named                   DENY    Anywhere        WARNING: New service (4)
  tcp:8082                DENY    10.0.0.0/8                           (5)
  tcp:25                  ALLOW   192.168.0.0/24                       (6)
  ntp                     ALLOW*  Anywhere                             (7)
  imaps                   ALLOW** Anywhere                             (8)
  tcp:23                  ALLOW** Anywhere                             (9)
  jabberd2                ALLOW** Anywhere                             (10)
  
  * rule for removed package 'ntpd'
  ** services not running

  1. denied service referencing package meta-data
  2. allowed service referencing package meta-data
  3. allowed service referencing /etc/services
  4. denied service referencing dynamically-detected service
  5. denied service by specifying 'protocol:port'
  6. allowed service referencing a package with supplied meta-data, but was replaced by one that does not
  7. allowed service referencing removed package meta-data
  8. allowed service referencing /etc/services but the service is not running
  9. allowed service by specifying 'protocol:port' but the service is not running
  10. allowed service referencing package meta-data but the service is not running

Package Integration (Release Target: Intrepid)

External packages will add application profiles to /etc/ufw/applications.d that describe the service. File will use .INI format, will support pipe-separated values for port/protocol combinations, and multiple entries per file. The 'ports' syntax is the same as for the ufw CLI (eg '80', '22/tcp', '80,8080:8088/tcp'), but must be numeric.

Examples:

[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.
ports=137,138/udp|139,445/tcp

Additionally, ufw will provide the 'app' command in the CLI for package integration information and updates.

List installed application profiles:

# ufw app list

Display information on an application profile:

# ufw app info <profile>

Update firewall with profile (depends on policy, see below):

# ufw app update <profile>

Change policy of 'app update' command:

# ufw app default ALLOW

The default policy when running 'ufw app update <profile>' is to change nothing in the running firewall (the SKIP policy). The policy can be changed to 'ALLOW' or 'DENY' so when 'ufw app update <profile>' is run, the profile is applied to the running firewall with the given default policy.

Migration

As there is currently no default firewall configuration for Ubuntu, there are no mandatory migration issues. The only migration issue is getting network daemon packages to provide the necessary policy files to ubuntu-firewall.

Implementation

Rollout

• upload to universe (DONE)

• announce to devel-discuss and ubuntu-server (DONE)

• MainInclusionReportUFW (ACCEPTED)

• add to seed (DONE)

Status

Version 0.16 has the following implemented functionality (as described above):

• Completed
  • enable/disable
  • default policy
  • logging
  • initscript
  • packaging
  • default /proc adjustments (/etc/ufw/sysctl.conf)
  • allow/deny
  • ipv6
  • status
• Not-implemented
  • package integration (Target: Intrepid)
  • dynamic detection

Test/Demo Plan

The source code has testing scripts. Can use (from the top-level source):

$ cd <top-level source directory>
$ ./run_tests.sh -s
$ sudo ./run_tests.sh -s root

Additionally, once the package is installed, can use:

$ sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable
$ sudo ufw logging on && sudo iptables -L -n | grep LOG
$ sudo ufw logging off && sudo iptables -L -n | grep LOG
$ sudo ufw default allow && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw default deny && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw allow 53 && sudo ufw status
$ sudo ufw delete allow 53 && sudo ufw status
$ sudo ufw allow 80/tcp && sudo ufw status
$ sudo ufw delete allow 80/tcp && sudo ufw status
$ sudo ufw allow smtp && sudo ufw status
$ sudo ufw delete allow smtp && sudo ufw status
$ sudo ufw allow from 192.168.254.254 && sudo ufw status
$ sudo ufw delete allow from 192.168.254.254 && sudo ufw status

And for IPv6 testing (need at least ufw 0.10):

$ sudo sed -i 's/^IPV6=no/IPV6=yes/' /etc/default/ufw
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
$ sudo ufw delete allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status

The README also contains information for testing.

IMPORTANT: When enabling the firewall and/or using '/etc/init.d/ufw start', the chains are necessarily flushed and connections may be dropped (eg ssh connections). You can add rules to the firewall before enabling it however, so if you are testing ufw on a remote machine, it is recommended you perform:

$ sudo ufw allow proto tcp from any to any port 22

before running 'ufw enable'. Once the firewall is enabled, adding and removing rules will not flush the firewall (though modifying an existing rule will).

Outstanding Issues

• UbuntuFirewallLongTerm describes some ideas for moving forward to extend functionality to include router/gateway configuration, NAT, QoS configuration and /proc adjustments (eg ip_forwarding, rp_filter, et al)

Comments

• Why not a QoS integration in this application?. It's useful overall if donwload programs use all the bandwidth and use has no option to navigate with commodity. Thanks.

  • ANSWER This may be included in a future release

• I have a suggestion which probably is out of scope of this spec: add a default IP filtering range, like in peerguardian, which would block RIAA, MPAA, etc. -- AzraelNightwalker 2008-02-07 16:00:04

  • ANSWER ufw 0.19 now supports port ranges, which will aid in developing these sorts of policies

• What about binary-specific rules? (Maybe that's what the package integration does?). Like this: I have installed Konquerior and Firefox and both packages report they want to surf the web (port 80 and 443) but I want to restrict Konquerior to my own internal subnet only while Firefox will be sllowed to surf to any IP-address. This type of configuration is able to do in other firewalls (like "NetLimiter 2 Pro" for windows) and I would be happy to see something similar in Ubuntu's firewall. -- AndersHäggström

• Why not create a ufw.d folder? When users install applications the deb would add a entry. An example would be installing Apache, the deb would add an entry to allow incoming connections to port 80.

  • ANSWER This is planned. See 'Package Integration', above.

• Another option is firehol it has a single configuration file pretty "declarative".
• What about firewall tool 'X'.

  • ANSWER Users are still free to use whatever firewall tool best fits their needs. ufw is not enabled by default and will not get in the way of other tools when not enabled.

• GUI for ufw available: http://gufw.tuxfamily.org/

CategorySpec