UncomplicatedFirewall

Differences between revisions 64 and 65
Revision 64 as of 2008-08-26 18:37:00
Size: 16689
Editor: 207
Comment: added more comments to application testing
Revision 65 as of 2008-08-27 15:40:52
Size: 16506
Editor: 207
Comment:
Deletions are marked like this. Additions are marked like this.
Line 225: Line 225:
As of Intrepid, ufw supports package integration. Packages can simply add profiles to /etc/ufw/applications.d (see above for examples), then update the maintainer scripts to update the application profile. As of Intrepid, ufw supports package integration. Packages can simply add profiles to /etc/ufw/applications.d (see above for examples), and dpkg triggers will discover the changes and update ufw accordingly (as of ufw 0.21). At this time, the trigger simply calls 'ufw app update all'. When dpkg triggers support arguments, then using '--add-new <profile>' will be possible.
Line 229: Line 229:
 1. Update the package's postinst script:{{{
if [ -x /usr/sbin/ufw ]; then
    ufw app update --add-new <profile> || true
fi
}}} This is usually done as the last step in 'configure'.
 1. Update the package's postrm script to have:{{{
if [ "$1" = "purge" ]; then
    rm -f /etc/ufw/applications.d/<profile name> >/dev/null 2>&1 || true
fi
}}}

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

Initial Release Target: Hardy

Package Integration Release Target: Intrepid

Name: ufw (Uncomplicated Firewall)

Create a tool for host-based iptables firewall configuration. This tool should provide an easy to use interface to the user, as well as support package integration and dynamic-detection of open ports.

Release Note

The tool will not affect users in the default installation as the tool will initially be disabled on installation (ie default ACCEPT policy).

Rationale

Ubuntu currently does not have an integrated firewall in its base installation. The tools that are available to create a firewall are largely based on GUI applications and/or designed for advanced users. Additionally, existing tools also do not provide package integration so that when a network daemon is installed, users have to determine on their own how to integrate the application with the firewall.

Use Cases

Alice uses a desktop system and wants to add a firewall as another layer of protection. Alice can enable the firewall to provide this protection. When new packages are added, Alice can easily enable the services provided by these packages.

Bob installs a server with one network interface and wants to add a firewall as another layer of protection. Bob can enable the firewall to provide this protection, as well as monitor the status of open ports.

Charlie has a cluster of systems with specific applications installed and wants to have an easy to administer firewall on each. Charlie can enable the firewall and use application profiles to allow firewall configuration via packages.

Assumptions

The tool will allow users to specify opening/closing ports explicitly. However, to fully integrate with the system, packages should provide meta-data regarding what protocol and port a particular package will need to operate with a firewall. The tool will still be useful during the transition when packages are not providing this information.

Design

For the implementation status of each feature, please see the 'Status' section, below.

Rules

(Completed: Hardy)

The tool will provide /etc/ufw/before[6].rules and /etc/ufw/after[6].rules. These files can be edited by the administrator if desired. The tool will manage /var/lib/ufw/user[6].rules. All of these files will be used with iptables-restore and ip6tables-restore, and used on boot. The rules files will evaluated in this order: /etc/ufw/before[6].rules, /var/lib/ufw/user[6].rules, then /etc/ufw/after[6].rules.

Boot

(Completed: Hardy)

The package will provide /etc/init.d/ufw to enable the firewall on boot (can't use if-up.d script because /usr must be mounted to use python). It should start before 'networking'.

Policy

(Completed: Hardy)

The default firewall policy will be:

  1. ACCEPT all on loopback
  2. ACCEPT all outgoing
  3. default policy of ACCEPT for incoming (configurable)
  4. LOG all dropped packets (perhaps use --limit 3/min --limit-burst 10 or similar)
  5. Firewall is disabled on installation

Command-line Interface

(Completed: Hardy)

The tool provides the following command-line interface (CLI) interface:

  • Turn firewall on and off ('disable' is default ACCEPT):

    # ufw enable|disable
  • Toggle logging:

    # ufw logging on|off
  • Set the default policy (ie "mostly open" vs "mostly closed":

    # ufw default allow|deny
  • Accept or drop incoming packets to <service> (can see what services are available with 'status' (see below)). <service> can be specified via service name in /etc/services, 'protocol:port', or via package meta-data. 'allow' adds service entry to /etc/ufw/maps and 'deny' removes service entry from /etc/ufw/maps. Basic syntax:

    # ufw allow|deny <service>

    Full PF-style syntax:

     # ufw allow|deny [proto <protocol>] [from <address> [port <port>]] [to <address> [port <port>]]
  • Display status of firewall and open ports (Completed: Hardy), ports the listening state (Target: future), and package integration (Target: Intrepid). Numbers in parenthesis are not displayed to user:

    # ufw status
    Firewall loaded
    
    To                      Action  From
    --                      ------  ----
    Apache                  DENY    Anywhere                             (1)
    OpenSSH                 ALLOW   Anywhere                             (2)
    192.168.0.2 995/tcp     ALLOW   Anywhere                             (3)
    named                   DENY    Anywhere        WARNING: New service (4)
    25/tcp                  ALLOW   192.168.0.0/24                       (5)
    123/udp                 ALLOW*  Anywhere                             (6)
    993/tcp                 ALLOW** Anywhere                             (7)
    23/tcp                  ALLOW** Anywhere                             (8)
    Jabberd2                ALLOW** Anywhere                             (9)
    
    * rule for removed package 'OpenNTPD'
    ** services not running
    1. denied service referencing package meta-data
    2. allowed service referencing package meta-data
    3. allowed service referencing /etc/services
    4. denied service referencing dynamically-detected service
    5. denied service by specifying 'port/protocol'
    6. allowed service referencing removed package meta-data
    7. allowed service referencing /etc/services but the service is not running
    8. allowed service by specifying 'port/protocol' but the service is not running
    9. allowed service referencing package meta-data but the service is not running

Package Integration

(Completed: Intrepid)

External packages will add application profiles to /etc/ufw/applications.d that describe the service. File will use .INI format, will support pipe-separated values for port/protocol combinations, and multiple entries per file. The 'ports' syntax is the same as for the ufw CLI (eg '80', '22/tcp', '80,8080:8088/tcp'), but must be numeric.

Examples:

[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.
ports=137,138/udp|139,445/tcp

Additionally, ufw will provide the 'app' command in the CLI for package integration information and updates.

List installed application profiles:

# ufw app list

Display information on an application profile:

# ufw app info <profile>

Update firewall with profile:

# ufw app update <profile>

Update firewall with new profile (depends on 'app default <policy>' below):

# ufw app update --add-new <profile>

Change policy of 'app update --add-new' command:

# ufw app default ALLOW

'app update' will automatically update existing firewall rules that reference the profile with updated profile information. To update the firewall and add a new rule to the firewall automatically, use 'app default --add-new <profile>'. Running 'ufw app update --add-new <profile>' with the default 'SKIP' policy is the equivalent of running 'app update <profile>' (ie, no rules are automatically added). If the default application policy is changed to 'ALLOW' or 'DENY', running 'app update --add-new <profile>' will add a new rule to the running firewall using the default policy.

Dynamic Detection

(Not implemented)

Dynamic detection functionality will check that a service is listening on an open port, as well as services that are listening on a port, but there is not an explicit firewall policy for the port.

Migration

As there is currently no default firewall configuration for Ubuntu, there are no mandatory migration issues. The only migration issue is getting network daemon packages to provide the necessary policy files to ubuntu-firewall.

Implementation

Rollout

  • upload to universe (DONE)

  • announce to devel-discuss and ubuntu-server (DONE)

  • MainInclusionReportUFW (ACCEPTED)

  • add to seed (DONE)

Status

Version 0.16.2.3 (Hardy) has the following implemented functionality (as described above):

  • Completed
    • enable/disable
    • default policy
    • logging
    • initscript
    • packaging
    • default /proc adjustments (/etc/ufw/sysctl.conf)
    • allow/deny
    • ipv6
    • status

Version 0.20 (Intrepid) has the following implemented functionality:

  • Completed
    • 'limit' command for IPv4 address
    • dotted netmask support
    • port ranges (multiport)
    • application (package) integration

Not-implemented

  • dynamic detection
  • localization support for application profiles
  • debconf configuration

Integrating UFW with Packages

As of Intrepid, ufw supports package integration. Packages can simply add profiles to /etc/ufw/applications.d (see above for examples), and dpkg triggers will discover the changes and update ufw accordingly (as of ufw 0.21). At this time, the trigger simply calls 'ufw app update all'. When dpkg triggers support arguments, then using '--add-new <profile>' will be possible.

  1. Update debian/control to Suggests ufw
  2. Update the package's dirs file to contain etc/ufw/applications.d
  3. Copy the profile to debian/ufw.profile. See above for profile examples.
  4. Update debian/rules to install the file to /etc/ufw/applications.d/<profile name>. This step will require tailoring specific to the package

  5. Bump the changelog version and describe all the changes made to the package using 'dch'

Profile Recommendations

  1. Keep the number of profiles added to a minimum. The idea is to make things easier for the user, not add confusing choices.
  2. For consistency, profile names should start with a capital letter and the title should be a short, simple phrase.
  3. Use 'ufw app update --add-new' for the 'default' profile only. If there is not a sensible default, simply use 'ufw app update' for each profile changed (technically, running 'ufw app update' is not required, but is likely useful if the defaults in the package change at a later date).

Testing

Testing the profile for general usage is extremely important, as uploading an untested profile may be very disruptive for users. You can simply copy the file to /etc/ufw/applications.d for testing before updating the package. In general, you should:

  1. Verify the profile(s) show up with 'ufw app list'
  2. Verify the profile(s) display correctly with 'ufw app info <profile>'

  3. Verify the profile(s) can be added and deleted correctly:

    $ sudo ufw disable ; sudo ufw enable
    $ sudo ufw app default skip
    $ sudo ufw status (should show that the firewall is loaded with no rules present)
    $ sudo ufw allow <profile>
    $ sudo ufw status (should show new allow rule)
    $ sudo ufw status verbose (should show new allow rule)
    $ sudo ufw delete allow <profile>
    $ sudo ufw status (should not show new allow rule)
    $ sudo ufw status verbose (should not show new allow rule)
    $ sudo ufw app default allow
    $ sudo dpkg-reconfigure <package supplying profile>
    $ sudo ufw status (should show new allow rule)
    $ sudo ufw status verbose (should show new allow rule)
    $ sudo ufw delete allow <profile used in postinst script>
    $ sudo ufw status (should not show new allow rule)
    $ sudo ufw status verbose (should not show new allow rule)

It is also important that these tests be performed on a real host or virtual machine, and not in a chroot.

Test/Demo Plan

The source code has testing scripts. Can use (from the top-level source):

$ cd <top-level source directory>
$ ./run_tests.sh -s
$ sudo ./run_tests.sh -s root

Additionally, once the package is installed, can use:

$ sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable
$ sudo ufw logging on && sudo iptables -L -n | grep LOG
$ sudo ufw logging off && sudo iptables -L -n | grep LOG
$ sudo ufw default allow && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw default deny && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw allow 53 && sudo ufw status
$ sudo ufw delete allow 53 && sudo ufw status
$ sudo ufw allow 80/tcp && sudo ufw status
$ sudo ufw delete allow 80/tcp && sudo ufw status
$ sudo ufw allow smtp && sudo ufw status
$ sudo ufw delete allow smtp && sudo ufw status
$ sudo ufw allow from 192.168.254.254 && sudo ufw status
$ sudo ufw delete allow from 192.168.254.254 && sudo ufw status

And for IPv6 testing (need at least ufw 0.10):

$ sudo sed -i 's/^IPV6=no/IPV6=yes/' /etc/default/ufw
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
$ sudo ufw delete allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status

The README also contains information for testing.

IMPORTANT: When enabling the firewall and/or using '/etc/init.d/ufw start', the chains are necessarily flushed and connections may be dropped (eg ssh connections). You can add rules to the firewall before enabling it however, so if you are testing ufw on a remote machine, it is recommended you perform:

$ sudo ufw allow proto tcp from any to any port 22

before running 'ufw enable'. Once the firewall is enabled, adding and removing rules will not flush the firewall (though modifying an existing rule will).

Outstanding Issues

  • UbuntuFirewallLongTerm describes some ideas for moving forward to extend functionality to include router/gateway configuration, NAT, QoS configuration and /proc adjustments (eg ip_forwarding, rp_filter, et al)

Comments

  • Why not a QoS integration in this application?. It's useful overall if donwload programs use all the bandwidth and use has no option to navigate with commodity. Thanks.
    • ANSWER This may be included in a future release

  • I have a suggestion which probably is out of scope of this spec: add a default IP filtering range, like in peerguardian, which would block RIAA, MPAA, etc. -- AzraelNightwalker 2008-02-07 16:00:04

    • ANSWER ufw 0.19 now supports port ranges, which will aid in developing these sorts of policies

  • What about binary-specific rules? (Maybe that's what the package integration does?). Like this: I have installed Konquerior and Firefox and both packages report they want to surf the web (port 80 and 443) but I want to restrict Konquerior to my own internal subnet only while Firefox will be sllowed to surf to any IP-address. This type of configuration is able to do in other firewalls (like "NetLimiter 2 Pro" for windows) and I would be happy to see something similar in Ubuntu's firewall. -- AndersHäggström

  • Why not create a ufw.d folder? When users install applications the deb would add a entry. An example would be installing Apache, the deb would add an entry to allow incoming connections to port 80.
    • ANSWER This is planned. See 'Package Integration', above.

  • Another option is firehol it has a single configuration file pretty "declarative".
  • What about firewall tool 'X'.
    • ANSWER Users are still free to use whatever firewall tool best fits their needs. ufw is not enabled by default and will not get in the way of other tools when not enabled.

  • GUI for ufw available: http://gufw.tuxfamily.org/


CategorySpec

UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)