UncomplicatedFirewall
''Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.''
 * '''Launchpad Entry''': UbuntuSpec:ubuntu-firewall
 * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]]
 * '''Packages affected''': none
== Summary ==
'''Release Target''': Hardy
'''Release Target (package integration)''': Intrepid
'''Name''': ufw (Uncomplicated Firewall)
Create a tool for host-based iptables firewall configuration. This tool should provide an easy to use interface to the user, as well as support package integration and dynamic detection of open ports.
== Release Note ==
The tool will not affect users in the default installation as the tool will initially be disabled on installation (ie default ACCEPT policy).
== Rationale ==
Ubuntu currently does not have an integrated firewall in its base installation. The tools that are available to create a firewall are largely based on GUI applications and/or designed for advanced users. Additionally, existing tools do not provide package integration, so when a network daemon is installed, users have to determine on their own how to integrate the application with the firewall.

== Use Cases ==
Alice uses a desktop system and wants to add a firewall as another layer of protection. Alice can enable the firewall to provide this protection. When new packages are added, Alice can easily enable the services provided by these packages.

Bob installs a server with one network interface and wants to add a firewall as another layer of protection. Bob can enable the firewall to provide this protection, as well as monitor the status of open ports.

== Assumptions ==
The tool will allow users to specify opening a port explicitly as well as choosing from a list of open ports. However, to fully integrate with the system, packages should provide meta-data regarding what protocol and port a particular package will need to operate with a firewall. The tool will still be useful during the transition when packages are not providing this information.

== Design ==
For the implementation status of each feature, please see the 'Status' section, below.

=== Rules (Completed: Hardy) ===
The tool will provide /etc/ufw/before[6].rules and /etc/ufw/after[6].rules. These files can be edited by the administrator if desired. The tool will manage /var/lib/ufw/user[6].rules. All of these files will be used with iptables-restore and ip6tables-restore, and used on boot. The rules files will be evaluated in this order: /etc/ufw/before[6].rules, /var/lib/ufw/user[6].rules, then /etc/ufw/after[6].rules.

=== Boot (Completed: Hardy) ===
The package will provide /etc/init.d/ufw to enable the firewall on boot (an if-up.d script can't be used because /usr must be mounted to use python). It should start before 'networking'.

=== Policy (Completed: Hardy) ===
The firewall policy will be:
 1. ACCEPT all on loopback
 1. ACCEPT all outgoing
 1. default policy of ACCEPT for incoming (configurable)
 1. LOG all dropped packets (perhaps use --limit 3/min --limit-burst 10 or similar)

=== Command-line Interface (Completed: Hardy) ===
The tool provides the following command-line interface (CLI):
 * Turn firewall on and off ('disable' is default ACCEPT): {{{
# ufw enable|disable
}}}
 * Toggle logging: {{{
# ufw logging on|off
}}}
 * Set the default policy (ie "mostly open" vs "mostly closed"): {{{
# ufw default allow|deny
}}}
 * Accept or drop incoming packets to <service> (the available services can be seen with 'status', see below). <service> can be specified via a service name in /etc/services, via 'protocol:port', or via package meta-data. 'allow' adds a service entry to /etc/ufw/maps and 'deny' removes the service entry from /etc/ufw/maps. Basic syntax: {{{
# ufw allow|deny <service>
}}}
Full PF-style syntax: {{{
# ufw allow|deny [proto <protocol>] [from <address> [port <port>]] [to <address> [port <port>]]
}}}
 * Display status of the firewall and open ports (Completed: Hardy), ports in the listening state (Target: future), and package integration (Target: Intrepid). Numbers in parentheses are not displayed to the user: {{{
# ufw status
Firewall loaded
To                Action   From
--                ------   ----
apache2           DENY     Anywhere          Apache Webserver (1)
openssh-server    ALLOW    Anywhere          SSH Logins (2)
                           192.168.0.2
pop3s             ALLOW    Anywhere          (3)
named             DENY     Anywhere          WARNING: New service (4)
tcp:8082          DENY     10.0.0.0/8        (5)
tcp:25            ALLOW    192.168.0.0/24    (6)
ntp               ALLOW*   Anywhere          (7)
imaps             ALLOW**  Anywhere          (8)
tcp:23            ALLOW**  Anywhere          (9)
jabberd2          ALLOW**  Anywhere          (10)
* rule for removed package 'ntpd'
** services not running
}}}
 1. denied service referencing package meta-data
 1. allowed service referencing package meta-data
 1. allowed service referencing /etc/services
 1. denied service referencing dynamically-detected service
 1. denied service by specifying 'protocol:port'
 1. allowed service referencing a package with supplied meta-data, but was replaced by one that does not
 1. allowed service referencing removed package meta-data
 1. allowed service referencing /etc/services but the service is not running
 1. allowed service by specifying 'protocol:port' but the service is not running
 1. allowed service referencing package meta-data but the service is not running
=== Package Integration (Release Target: Intrepid) ===
External packages will add application profiles to /etc/ufw/applications.d that describe the service. The file will use .INI format, will support pipe-separated values for port/protocol combinations, and will allow multiple entries per file. The 'ports' syntax is the same as for the ufw CLI (eg '80', '22/tcp', '80,8080:8088/tcp'), but must be numeric.
Examples: {{{
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp
[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp
[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
}}}
{{{
[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.
ports=137,138/udp|139,445/tcp
}}}
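To make the profile format above concrete, here is an added Python example (not ufw's own code) that parses an applications.d file with the standard library's configparser and validates the 'ports' syntax the spec describes: numeric ports, comma lists, ranges written with ':', a '/tcp' or '/udp' suffix, and '|'-separated combinations; it also enforces ufw's rule that a multiport or range entry must name a protocol. The function names parse_ports, parse_profiles and profile_problems are this example's own, and the sample text is built from the profiles above with abridged descriptions.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample: the Apache and Samba profiles shown above (descriptions abridged).
SAMPLE_PROFILES = """\
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite implements the SMB/CIFS protocol for unix systems.
ports=137,138/udp|139,445/tcp
"""

PortSpec = Tuple[str, int, int]          # (protocol, low port, high port)
_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")   # "80" or "8080:8088"


def parse_ports(spec: str) -> List[PortSpec]:
    """Expand a profile 'ports' value into (proto, low, high) tuples.

    proto is 'tcp', 'udp', or 'any' when no '/proto' suffix was given.
    Raises ValueError for anything outside the profile syntax."""
    result: List[PortSpec] = []
    for chunk in spec.split("|"):            # "137,138/udp|139,445/tcp"
        chunk = chunk.strip()
        if "/" in chunk:
            ports, proto = chunk.rsplit("/", 1)
            if proto not in ("tcp", "udp"):
                raise ValueError("unknown protocol %r in %r" % (proto, chunk))
        else:
            ports, proto = chunk, "any"
        items = ports.split(",")
        # ufw cannot build a multiport or range rule without a protocol
        if (len(items) > 1 or ":" in ports) and proto == "any":
            raise ValueError("multiport or range %r needs /tcp or /udp" % chunk)
        for item in items:
            m = _PORT_RE.match(item)
            if not m:                        # catches 'http', '', '80-90', ...
                raise ValueError("port %r in %r is not numeric" % (item, chunk))
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            if not 1 <= low <= high <= 65535:
                raise ValueError("bad port range %r" % item)
            result.append((proto, low, high))
    return result


def _build_profile(name: str, sec: configparser.SectionProxy) -> dict:
    """Validate one [section]; title, description and ports are all required."""
    missing = [k for k in ("title", "description", "ports") if k not in sec]
    if missing:
        raise ValueError("profile %r lacks %s" % (name, ", ".join(missing)))
    return {"title": sec["title"], "description": sec["description"],
            "ports": parse_ports(sec["ports"])}


def parse_profiles(text: str) -> Dict[str, dict]:
    """Parse a whole applications.d file; raises on the first broken section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: _build_profile(name, cp[name]) for name in cp.sections()}


def profile_problems(text: str) -> List[str]:
    """Lint a profile file: one message per broken section, empty list if clean."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as err:
        return ["unparseable file: %s" % err]
    problems: List[str] = []
    for name in cp.sections():
        try:
            _build_profile(name, cp[name])
        except ValueError as err:
            problems.append(str(err))
    return problems


if __name__ == "__main__":
    for name, prof in parse_profiles(SAMPLE_PROFILES).items():
        print("%-12s %-28s %s" % (name, prof["title"], prof["ports"]))
    print(profile_problems("[Broken]\ntitle=x\ndescription=y\nports=http/tcp\n"))
```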
Additionally, ufw will provide the 'app' command in the CLI for package integration information and updates.
List installed application profiles: {{{
# ufw app list
}}}
Display information on an application profile: {{{
# ufw app info <profile>
}}}
Update the firewall with a profile (depends on policy, see below): {{{
# ufw app update <profile>
}}}
Change the policy of the 'app update' command: {{{
# ufw app default ALLOW
}}}
The default policy when running 'ufw app update <profile>' is to change nothing in the running firewall (the SKIP policy). The policy can be changed to 'ALLOW' or 'DENY' so that when 'ufw app update <profile>' is run, the profile is applied to the running firewall with the given default policy.

== Migration ==
As there is currently no default firewall configuration for Ubuntu, there are no mandatory migration issues. The only migration issue is getting network daemon packages to provide the necessary policy files to ubuntu-firewall.

== Implementation ==
=== Rollout ===
 * upload to universe '''(DONE)'''
 * announce to devel-discuss and ubuntu-server '''(DONE)'''
 * [[MainInclusionReportUFW]] '''(ACCEPTED)'''
 * add to seed '''(DONE)'''

=== Status ===
Version 0.16 has the following implemented functionality (as described above):
 * Completed
  * enable/disable
  * default policy
  * logging
  * initscript
  * packaging
  * default /proc adjustments (/etc/ufw/sysctl.conf)
  * allow/deny
  * ipv6
  * status
 * Not-implemented
  * package integration (Target: Intrepid)
  * dynamic detection

== Test/Demo Plan ==
The source code has testing scripts. Use (from the top-level source): {{{
$ cd <top-level source directory>
$ ./run_tests.sh -s
$ sudo ./run_tests.sh -s root
}}}
Additionally, once the package is installed, use: {{{
$ sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable
$ sudo ufw logging on && sudo iptables -L -n | grep LOG
$ sudo ufw logging off && sudo iptables -L -n | grep LOG
$ sudo ufw default allow && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw default deny && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw allow 53 && sudo ufw status
$ sudo ufw delete allow 53 && sudo ufw status
$ sudo ufw allow 80/tcp && sudo ufw status
$ sudo ufw delete allow 80/tcp && sudo ufw status
$ sudo ufw allow smtp && sudo ufw status
$ sudo ufw delete allow smtp && sudo ufw status
$ sudo ufw allow from 192.168.254.254 && sudo ufw status
$ sudo ufw delete allow from 192.168.254.254 && sudo ufw status
}}}
And for IPv6 testing (needs at least ufw 0.10): {{{
$ sudo sed -i 's/^IPV6=no/IPV6=yes/' /etc/default/ufw
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
$ sudo ufw delete allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
}}}
The README also contains information for testing.

'''IMPORTANT:''' When enabling the firewall and/or using '/etc/init.d/ufw start', the chains are necessarily flushed and connections may be dropped (eg ssh connections). You can add rules to the firewall before enabling it, however, so if you are testing ufw on a remote machine, it is recommended you perform: {{{
$ sudo ufw allow proto tcp from any to any port 22
}}}
before running 'ufw enable'. Once the firewall is enabled, adding and removing rules will not flush the firewall (though modifying an existing rule will).

== Outstanding Issues ==
 * UbuntuFirewallLongTerm describes some ideas for moving forward to extend functionality to include router/gateway configuration, NAT, QoS configuration and /proc adjustments (eg ip_forwarding, rp_filter, et al)

== Comments ==
 * Why not a QoS integration in this application? It's useful overall if download programs use all the bandwidth and the user has no option to navigate with commodity. Thanks.
  * '''ANSWER''' This may be included in a future release
 * I have a suggestion which probably is out of scope of this spec: add a default IP filtering range, like in peerguardian, which would block RIAA, MPAA, etc. -- AzraelNightwalker <<DateTime(2008-02-07T16:00:04Z)>>
  * '''ANSWER''' ufw 0.19 now supports port ranges, which will aid in developing these sorts of policies
 * What about binary-specific rules? (Maybe that's what the package integration does?) Like this: I have installed Konqueror and Firefox and both packages report they want to surf the web (port 80 and 443), but I want to restrict Konqueror to my own internal subnet only while Firefox will be allowed to surf to any IP address. This type of configuration is possible in other firewalls (like "NetLimiter 2 Pro" for Windows) and I would be happy to see something similar in Ubuntu's firewall. -- AndersHäggström
 * Why not create a ufw.d folder? When users install applications the deb would add an entry. An example would be installing Apache: the deb would add an entry to allow incoming connections to port 80.
  * '''ANSWER''' This is planned. See 'Package Integration', above.
 * Another option is firehol; it has a single configuration file which is pretty "declarative".
 * What about firewall tool 'X'?
  * '''ANSWER''' Users are still free to use whatever firewall tool best fits their needs. ufw is not enabled by default and will not get in the way of other tools when not enabled.
 * GUI for ufw available: http://gufw.tuxfamily.org/
----
CategorySpec
Introduction
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. iptables provides a complete firewall solution that is both highly configurable and highly flexible.
Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.
UFW in Ubuntu
Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS.
Available Versions in supported versions of Ubuntu
Ubuntu 14.04 LTS: 0.34~rc-0ubuntu2
Ubuntu 16.04 LTS: 0.35-0ubuntu2
Ubuntu 18.04 LTS: 0.36-0ubuntu0.18.04.1
Ubuntu 20.04 LTS: 0.36-6
Ubuntu 22.04 LTS: 0.36.1-4
Ubuntu 24.04 LTS: 0.36.2-6
Ubuntu 24.10: 0.36.2-6
Ubuntu Core: 0.36pre
Features
ufw has the following features:
Feature | 0.31.1-1 | 0.34~rc-0ubuntu2 | 0.34-2 | 0.35
default incoming policy (allow/deny) | yes | yes | yes | yes
allow/deny incoming rules | yes | yes | yes | yes
IPv6 (by default) | yes | yes | yes | yes
status | yes | yes | yes | yes
logging (on/off) | yes | yes | yes | yes
extensible framework | yes | yes | yes | yes
python 2.5 support | yes | no | no | no
application integration | yes | yes | yes | yes*
IPv4 rate limiting via 'limit' command | yes | yes | yes | yes
internationalization | yes | yes | yes | yes
multiport incoming rules | yes | yes | yes | yes
debconf/preseeding | yes | yes | yes | yes
default incoming policy (reject) | yes | yes | yes | yes
reject incoming rules | yes | yes | yes | yes
rule insertion | yes | yes | yes | yes
log levels | yes | yes | yes | yes
per rule logging | yes | yes | yes | yes
outgoing filtering (on par with incoming) | yes | yes | yes | yes
filtering by interface | yes | yes | yes | yes
bash completion | yes | yes | yes | yes
upstart support | yes | yes | yes | yes
improved reporting | yes | yes | yes | yes
reset command | yes | yes | yes | yes
rsyslog support | yes | yes | yes | yes
delete by rule number | yes | yes | yes | yes
python 2.6 support | yes | yes | yes | yes
'show listening' report | yes | yes | yes | yes
python 2.7 support | yes | yes | yes | yes
increased protocol support (ah, esp) | yes | yes | yes | yes
IPv6 rate limiting via 'limit' command | -- | yes | yes | yes
python 3.2 support | -- | yes | yes | no
python 3.3 support | -- | yes | yes | yes
'show added' report | -- | yes | yes | yes
python 3.4 support | -- | yes | yes | yes
before/after extensibility hooks | -- | yes | yes | yes
routed packet filtering (FORWARD) | -- | yes | yes | yes
systemd support | -- | -- | yes | yes
increased protocol support (igmp, gre) | -- | -- | yes | yes
python 3.5 support | -- | -- | yes | yes
Snappy for Ubuntu Core support | -- | -- | -- | yes
per rule comments | -- | -- | -- | yes
- support for application integration is limited on Ubuntu Core at this time
Basic Usage
Getting started with ufw is easy. For example, to enable the firewall, allow ssh access, enable logging, and check the status of the firewall, perform:
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.
On Ubuntu Core, simply replace 'ufw' with 'ufw.cmd'. For example:
$ sudo ufw.cmd enable
Advanced Functionality
As mentioned, the ufw application is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files (1):
- /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
- /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
- /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
- /etc/ufw/sysctl.conf: kernel network tunables
- /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
- /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
- /etc/ufw/after.init: initialization customization script run after ufw is initialized (ufw 0.34 and later)
- /etc/ufw/before.init: initialization customization script run before ufw is initialized (ufw 0.34 and later)
After modifying any of the above files, activate the new settings with:
$ sudo ufw disable
$ sudo ufw enable
(1) On Ubuntu Core, these files are located under /var/lib/apps/ufw*/current. See 'ufw.doc ufw-on-snappy' on an Ubuntu Core system for details.
More Information
- Ubuntu 16.04 LTS (Xenial Xerus)
  - Server Guide - Firewall: https://help.ubuntu.com/16.04/serverguide/firewall.html
  - ufw manual: http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html
- Ubuntu 18.04 LTS (Bionic Beaver)
  - Server Guide - Firewall: https://help.ubuntu.com/18.04/serverguide/firewall.html
  - ufw manual: http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw-framework.8.html
- Ubuntu 20.04 LTS (Focal Fossa)
  - Ubuntu Server Guide - Firewall: https://ubuntu.com/server/docs/security-firewall
  - ufw manual: http://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html
- Ubuntu 21.04 (Hirsute Hippo)
  - ufw manual: http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw-framework.8.html
- Ubuntu 21.10 (Impish Indri)
  - ufw manual: http://manpages.ubuntu.com/manpages/impish/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/impish/en/man8/ufw-framework.8.html
- Ubuntu 22.04 LTS (Jammy Jellyfish)
  - ufw manual: http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw-framework.8.html
- Ubuntu 24.04 LTS (Noble Numbat)
  - ufw manual: http://manpages.ubuntu.com/manpages/noble/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/noble/en/man8/ufw-framework.8.html
- Ubuntu 24.10 (Oracular Oriole)
  - ufw manual: http://manpages.ubuntu.com/manpages/oracular/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/oracular/en/man8/ufw-framework.8.html
- Ubuntu Core
  - See 'ufw.doc' on your Ubuntu Core system, specifically 'ufw.doc ufw-on-snappy | less', to see how ufw differs on Ubuntu Core.
- Ubuntu Community Documentation on UFW: https://help.ubuntu.com/community/UFW
- Specification: UbuntuFirewallSpec
- Code: https://launchpad.net/ufw
- Graphic User Interface for UFW: Gufw (https://help.ubuntu.com/community/Gufw)
UncomplicatedFirewall (last edited 2024-10-15 04:19:08 by 0xnishit)