UncomplicatedFirewall

Differences between revisions 68 and 69
Revision 68 as of 2009-02-19 05:59:26
Size: 17130
Editor: 75
Comment: added comment/question about automatically flushing nat table
Revision 69 as of 2009-04-23 16:40:40
Size: 4063
Editor: pool-71-114-243-118
Comment: total rewrite
Line 3: Line 3:
''Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.''
 * '''Launchpad Entry''': UbuntuSpec:ubuntu-firewall
 * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]]
 * '''Packages affected''': none
Line 8: Line 4:
== Summary ==
== Introduction ==
The Linux kernel in Ubuntu provides a packet filtering system called
`netfilter`, and the traditional interface for manipulating `netfilter` is the
`iptables` suite of commands. `iptables` provides a complete firewall solution
that is both highly configurable and highly flexible.
Line 10: Line 10:
'''Initial Release Target''': Hardy
Becoming proficient in `iptables` takes time, and getting started with
netfilter firewalling using only `iptables` can be a daunting task. As a
result, many frontends for `iptables` have been created over the years, each
trying to achieve a different result and targeting a different audience.
Line 12: Line 15:
'''Package Integration Release Target''': Intrepid
With 8.04 LTS, Ubuntu introduced the Uncomplicated Firewall (ufw). ufw is a
frontend for iptables, and is installed but not enabled by default in Ubuntu
(users must explicitly enable it). Particularly well-suited for host-based
firewalls, ufw provides a framework for managing netfilter, as well as a
command-line interface for manipulating the firewall. ufw aims to provide an
easy-to-use interface for people unfamiliar with firewall concepts, while at
the same time simplifying complicated iptables commands to help an administrator
who knows what he or she is doing. ufw is an upstream for other distributions
and graphical frontends.
Line 14: Line 25:
'''Name''': ufw (Uncomplicated Firewall)
== Basic Usage ==
Getting started with ufw is easy. For example, to enable the firewall, allow
ssh access, enable logging, and check the status of the firewall, perform:{{{
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded
Line 16: Line 34:
Create a tool for host-based iptables firewall configuration. This tool should
provide an easy to use interface to the user, as well as support package
integration and dynamic-detection of open ports.
To Action From
-- ------ ----
22:tcp ALLOW Anywhere
}}}

This sets up a default deny (DROP) firewall for incoming connections, with all
outbound connections allowed and connection tracking enabled. See 'More
Information' for full details.

== Features ==

|| '''Feature''' || '''8.04 LTS''' || '''8.10''' || '''9.04''' ||
|| default policy (allow/deny) || yes || yes || yes ||
|| allow/deny rules || yes || yes || yes ||
|| ipv6 || yes || yes || yes ||
|| status || yes || yes || yes ||
|| logging (on/off) || yes || yes || yes ||
|| application integration || -- || yes || yes ||
|| limit rules (rate limiting) || -- || yes || yes ||
|| multiport rules || -- || yes || yes ||
|| debconf/preseeding || -- || -- || yes ||
|| default policy (reject) || -- || -- || yes ||
|| reject rules || -- || -- || yes ||
|| rule insertion || -- || -- || yes ||
|| log levels || -- || -- || yes ||
|| per rule logging || -- || -- || yes ||
Line 21: Line 62:
== Release Note ==
== More Information ==
 * Ubuntu 8.04 LTS (Hardy Heron)
  * [[https://help.ubuntu.com/8.04/serverguide/C/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/hardy/en/man8/ufw.8.html|Man page]]
Line 23: Line 67:
The tool will not affect users in the default installation as the tool will initially be disabled on installation (ie default ACCEPT policy).
 * Ubuntu 8.10 (Intrepid Ibex)
  * [[https://help.ubuntu.com/8.10/serverguide/C/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/intrepid/en/man8/ufw.8.html|Man page]]
Line 25: Line 71:
 * Ubuntu 9.04 (Jaunty Jackalope)
  * [[https://help.ubuntu.com/9.04/serverguide/C/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/jaunty/en/man8/ufw.8.html|Man page]]
Line 26: Line 75:
== Rationale ==

Ubuntu currently does not have an integrated firewall in its base installation.
The tools that are available to create a firewall are largely
based on GUI applications and/or designed for advanced users. Additionally,
existing tools also do not provide package integration so that when a network
daemon is installed, users have to determine on their own how to integrate
the application with the firewall.


== Use Cases ==

Alice uses a desktop system and wants to add a firewall as another layer of
protection. Alice can enable the firewall to provide this protection. When
new packages are added, Alice can easily enable the services provided
by these packages.

Bob installs a server with one network interface and wants to add a firewall as another layer of protection. Bob can enable the firewall to provide this protection, as well as monitor the status of open ports.

Charlie has a cluster of systems with specific applications installed and wants to have an easy to administer firewall on each. Charlie can enable the firewall and use application profiles to allow firewall configuration via packages.

== Assumptions ==

The tool will allow users to specify opening/closing ports explicitly. However, to fully integrate with the system, packages should provide meta-data regarding what protocol and port a particular package will need to operate with a firewall. The tool will still be useful during the transition when packages are not providing this information.


== Design ==

For the implementation status of each feature, please see the 'Status' section, below.

=== Rules ===
'''(Completed: Hardy)'''

The tool will provide /etc/ufw/before[6].rules and /etc/ufw/after[6].rules. These files can be edited by the administrator if desired. The tool will manage /var/lib/ufw/user[6].rules. All of these files will be used with iptables-restore and ip6tables-restore, and loaded on boot. The rules files will be evaluated in this order: /etc/ufw/before[6].rules, /var/lib/ufw/user[6].rules, then /etc/ufw/after[6].rules.

=== Boot ===
'''(Completed: Hardy)'''

The package will provide /etc/init.d/ufw to enable the firewall on boot (can't use if-up.d script because /usr must be mounted to use python). It should start before 'networking'.

=== Policy ===
'''(Completed: Hardy)'''

The default firewall policy will be:
 1. ACCEPT all on loopback
 1. ACCEPT all outgoing
 1. default policy of ACCEPT for incoming (configurable)
 1. LOG all dropped packets (perhaps use --limit 3/min --limit-burst 10 or similar)
 1. Firewall is disabled on installation

=== Command-line Interface ===
'''(Completed: Hardy)'''

The tool provides the following command-line interface (CLI):
 * Turn firewall on and off ('disable' is default ACCEPT): {{{
# ufw enable|disable
}}}

 * Toggle logging: {{{
# ufw logging on|off
}}}

 * Set the default policy (ie "mostly open" vs "mostly closed"): {{{
# ufw default allow|deny
}}}

 * Accept or drop incoming packets to <service> (the available services can be seen with 'status', see below). <service> can be specified via a service name in /etc/services, 'protocol:port', or via package meta-data. 'allow' adds a service entry to /etc/ufw/maps and 'deny' removes the service entry from /etc/ufw/maps.
 Basic syntax: {{{
# ufw allow|deny <service>
}}}
 Full PF-style syntax: {{{
 # ufw allow|deny [proto <protocol>] [from <address> [port <port>]] [to <address> [port <port>]]
}}}

 * Display the status of the firewall and open ports (Completed: Hardy), ports in the listening state (Target: future), and package integration (Target: Intrepid). The numbers in parentheses are not displayed to the user: {{{
# ufw status
Firewall loaded

To Action From
-- ------ ----
Apache DENY Anywhere (1)
OpenSSH ALLOW Anywhere (2)
192.168.0.2 995/tcp ALLOW Anywhere (3)
named DENY Anywhere WARNING: New service (4)
25/tcp ALLOW 192.168.0.0/24 (5)
123/udp ALLOW* Anywhere (6)
993/tcp ALLOW** Anywhere (7)
23/tcp ALLOW** Anywhere (8)
Jabberd2 ALLOW** Anywhere (9)

* rule for removed package 'OpenNTPD'
** services not running
}}}
  1. denied service referencing package meta-data
  1. allowed service referencing package meta-data
  1. allowed service referencing /etc/services
  1. denied service referencing dynamically-detected service
  1. denied service by specifying 'port/protocol'
  1. allowed service referencing removed package meta-data
  1. allowed service referencing /etc/services but the service is not running
  1. allowed service by specifying 'port/protocol' but the service is not running
  1. allowed service referencing package meta-data but the service is not running

=== Package Integration ===
'''(Completed: Intrepid)'''

External packages will add application profiles to /etc/ufw/applications.d that describe the service. Files will use .INI format, will support pipe-separated values for port/protocol combinations, and may contain multiple entries per file. The 'ports' syntax is the same as for the ufw CLI (eg '80', '22/tcp', '80,8080:8088/tcp'), but must be numeric.

Examples: {{{
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
}}}
{{{
[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.
ports=137,138/udp|139,445/tcp
}}}
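As an added example (not ufw's own code), the following parser validates application profiles in the format described above: INI sections, a 'ports' value of '|'-separated groups, each a comma list of numeric ports or lo:hi ranges with an optional '/tcp' or '/udp' suffix. The sample file, the requirement that every profile carry title, description and ports, and the rule that a multiport group needs a protocol (as the ufw CLI requires) are assumptions made here.

```python
# Added example, not ufw's own code: parse and validate application profiles.
import configparser
import re

PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # '80' or '8080:8088'

# Constructed sample file in the format shown above (two profiles).
SAMPLE = """\
[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp

[Samba]
title=LanManager-like file and printer server for Unix
description=SMB/CIFS file and printer server for Unix (constructed text).
ports=137,138/udp|139,445/tcp
"""

def parse_port_group(group):
    """Expand '80,8080:8088/tcp' or '53' into (proto, [(lo, hi), ...]);
    proto None means the entry applies to both tcp and udp."""
    if "/" in group:
        ports, proto = group.rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError("unknown protocol %r in %r" % (proto, group))
    else:
        ports, proto = group, None
    ranges = []
    for item in ports.split(","):
        m = PORT_RE.match(item)
        if not m:  # service names such as 'http' are rejected: must be numeric
            raise ValueError("non-numeric port %r in %r" % (item, group))
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("port out of range in %r" % group)
        ranges.append((lo, hi))
    if len(ranges) > 1 and proto is None:  # same rule as the ufw CLI (assumed)
        raise ValueError("multiport group %r needs a protocol" % group)
    return proto, ranges

def parse_profiles(text):
    """Return {name: {'title', 'description', 'ports'}} for one applications.d
    file, raising ValueError on a malformed or incomplete profile."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        for key in ("title", "description", "ports"):
            if not cp.has_option(name, key):
                raise ValueError("profile %r lacks %r" % (name, key))
        groups = [g.strip() for g in cp.get(name, "ports").split("|")]
        profiles[name] = {"title": cp.get(name, "title"),
                          "description": cp.get(name, "description"),
                          "ports": [parse_port_group(g) for g in groups]}
    return profiles

def rule_specs(profile):
    """Flatten a parsed profile into the 'port[:port]/proto' strings a firewall
    rule is built from; protocol-less entries expand to tcp and udp."""
    specs = []
    for proto, ranges in profile["ports"]:
        for lo, hi in ranges:
            port = str(lo) if lo == hi else "%d:%d" % (lo, hi)
            for p in ([proto] if proto else ["tcp", "udp"]):
                specs.append("%s/%s" % (port, p))
    return specs
```

Running `rule_specs` over each profile returned by `parse_profiles(SAMPLE)` yields the per-protocol port list a package maintainer can compare against the daemon's actual listening ports before shipping the profile.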

Additionally, ufw will provide the 'app' command in the CLI for package integration information and updates.

List installed application profiles:{{{
# ufw app list
}}}

Display information on an application profile:{{{
# ufw app info <profile>
}}}

Update firewall with profile:{{{
# ufw app update <profile>
}}}

Update firewall with new profile (depends on 'app default <policy>' below):{{{
# ufw app update --add-new <profile>
}}}

Change policy of 'app update --add-new' command:{{{
# ufw app default ALLOW
}}}

'app update' will automatically update existing firewall rules that reference the profile with the updated profile information. To update the firewall and add a new rule to the firewall automatically, use 'app update --add-new <profile>'. Running 'ufw app update --add-new <profile>' with the default 'SKIP' policy is the equivalent of running 'app update <profile>' (ie, no rules are automatically added). If the default application policy is changed to 'ALLOW' or 'DENY', running 'app update --add-new <profile>' will add a new rule to the running firewall using the default policy.

=== Dynamic Detection ===
'''(Not implemented)'''

Dynamic detection functionality will check whether a service is actually listening on each open port, and will also detect services that are listening on a port for which there is no explicit firewall policy.
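The reconciliation this section describes, as an added example that is not part of ufw: it compares a set of listening sockets with the rule set, reporting listeners with no explicit rule (the 'WARNING: New service' case in the status design above) and rules whose service is not running (the '**' marker). The socket lines and the rule set are constructed inline; the socket lines follow the column layout of `ss -lntu` output with the header removed, and no live sockets are inspected.

```python
# Added example, not ufw's own code: reconcile listening sockets with rules.

# Constructed listening sockets in the column order of 'ss -lntu' output
# (header removed): Netid State Recv-Q Send-Q Local:Port Peer:Port.
LISTENING = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0 128 [::]:80         [::]:*
"""

# Constructed rule set as 'ufw status' would list it: (port/proto, action, from).
RULES = [("22/tcp", "ALLOW", "Anywhere"),
         ("80/tcp", "ALLOW", "Anywhere"),
         ("993/tcp", "ALLOW", "Anywhere")]

LOOPBACK = ("127.0.0.1", "::1")

def listening_services(ss_output):
    """Return the set of 'port/proto' a remote host could reach. Loopback-only
    listeners are skipped: the 'ACCEPT all on loopback' policy covers them."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # also splits '[::]:80'
        if addr.strip("[]") in LOOPBACK:
            continue
        found.add("%s/%s" % (port, proto))
    return found

def reconcile(ss_output, rules):
    """Return (no_policy, not_running): services listening on a port with no
    explicit rule, and rules whose service is not running."""
    listening = listening_services(ss_output)
    ruled = {spec for spec, _, _ in rules}
    return sorted(listening - ruled), sorted(ruled - listening)

def status_lines(ss_output, rules, default_action="DENY"):
    """Render 'ufw status'-style lines: rules for services that are not running
    get '**', and each unruled listener is shown with the default policy and
    a 'WARNING: New service' note, as the status design above does."""
    no_policy, not_running = reconcile(ss_output, rules)
    fmt = "%-24s%-8s%-10s%s"
    lines = [fmt % ("To", "Action", "From", ""), fmt % ("--", "------", "----", "")]
    for spec, action, src in rules:
        mark = "**" if spec in not_running else ""
        lines.append(fmt % (spec, action + mark, src, ""))
    for spec in no_policy:
        lines.append(fmt % (spec, default_action, "Anywhere", "WARNING: New service"))
    if not_running:
        lines.append("** services not running")
    return lines

if __name__ == "__main__":
    print("\n".join(status_lines(LISTENING, RULES)))
```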

== Migration ==

As there is currently no default firewall configuration for Ubuntu, there are no mandatory migration issues. The only migration issue is getting network daemon packages to provide the necessary policy files to ubuntu-firewall.

== Implementation ==

=== Rollout ===

 * upload to universe '''(DONE)'''
 * announce to devel-discuss and ubuntu-server '''(DONE)'''
 * [[MainInclusionReportUFW]] '''(ACCEPTED)'''
 * add to seed '''(DONE)'''

=== Status ===

Version 0.16.2.3 (Hardy) has the following implemented functionality (as described above):
 * Completed
   * enable/disable
   * default policy
   * logging
   * initscript
   * packaging
   * default /proc adjustments (/etc/ufw/sysctl.conf)
   * allow/deny
   * ipv6
   * status

Version 0.23 (Intrepid) has the following implemented functionality:
 * Completed
   * 'limit' command for IPv4 address
   * dotted netmask support
   * port ranges (multiport)
   * application (package) integration

Version 0.26-0ubuntu1 (Jaunty) has the following implemented functionality:
 * Completed
   * debconf configuration/preseeding support (see README.Debian for details):
     * enable
     * common services
     * custom ports (will be in 0.26-0ubuntu2)
   * case-insensitive matches for application rules
   * REJECT rules and default policies

Not-implemented
 * dynamic detection

== Integrating UFW with Packages ==
As of Intrepid, ufw supports package integration. Packages can simply add profiles to /etc/ufw/applications.d (see above for examples), and dpkg triggers will discover the changes and update ufw accordingly (as of ufw 0.21). At this time, the trigger simply calls 'ufw app update all'. Once dpkg triggers support arguments, using '--add-new <profile>' will be possible.

 1. Update debian/control to Suggests ufw
 1. Update the package's dirs file to contain etc/ufw/applications.d
 1. Copy the profile to debian/ufw.profile. See above for profile examples.
 1. Update debian/rules to install the file to /etc/ufw/applications.d/<profile name>. This step will require tailoring specific to the package.
 1. Bump the changelog version and describe all the changes made to the package using 'dch'

=== Profile Recommendations ===
 1. Keep the number of profiles added to a minimum. The idea is to make things easier for the user, not add confusing choices.
 1. For consistency, profile names should start with a capital letter and the title should be a short, simple phrase.
 1. Use 'ufw app update --add-new' for the 'default' profile only. If there is not a sensible default, simply use 'ufw app update' for each profile changed (technically, running 'ufw app update' is not required, but is likely useful if the defaults in the package change at a later date).

=== Testing ===
Testing the profile for general usage is extremely important, as uploading an untested profile may be very disruptive for users. You can simply copy the file to /etc/ufw/applications.d for testing before updating the package. In general, you should:

 1. Verify the profile(s) show up with 'ufw app list'
 1. Verify the profile(s) display correctly with 'ufw app info <profile>'
 1. Verify the profile(s) can be added and deleted correctly:{{{
$ sudo ufw disable ; sudo ufw enable
$ sudo ufw app default skip
$ sudo ufw status (should show that the firewall is loaded with no rules present)
$ sudo ufw allow <profile>
$ sudo ufw status (should show new allow rule)
$ sudo ufw status verbose (should show new allow rule)
$ sudo ufw delete allow <profile>
$ sudo ufw status (should not show new allow rule)
$ sudo ufw status verbose (should not show new allow rule)
$ sudo ufw app default allow
$ sudo dpkg-reconfigure <package supplying profile>
$ sudo ufw status (should show new allow rule)
$ sudo ufw status verbose (should show new allow rule)
$ sudo ufw delete allow <profile used in postinst script>
$ sudo ufw status (should not show new allow rule)
$ sudo ufw status verbose (should not show new allow rule)
}}}

It is also important that these tests be performed on a real host or virtual machine, and not in a chroot.

== Test/Demo Plan ==

The source code has testing scripts. From the top-level source directory, use:
{{{
$ cd <top-level source directory>
$ ./run_tests.sh -s
$ sudo ./run_tests.sh -s root
}}}

Additionally, once the package is installed, use:
{{{
$ sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable
$ sudo ufw logging on && sudo iptables -L -n | grep LOG
$ sudo ufw logging off && sudo iptables -L -n | grep LOG
$ sudo ufw default allow && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw default deny && sudo iptables -L -n | grep 'INPUT (policy'
$ sudo ufw allow 53 && sudo ufw status
$ sudo ufw delete allow 53 && sudo ufw status
$ sudo ufw allow 80/tcp && sudo ufw status
$ sudo ufw delete allow 80/tcp && sudo ufw status
$ sudo ufw allow smtp && sudo ufw status
$ sudo ufw delete allow smtp && sudo ufw status
$ sudo ufw allow from 192.168.254.254 && sudo ufw status
$ sudo ufw delete allow from 192.168.254.254 && sudo ufw status
}}}

And for IPv6 testing (need at least ufw 0.10):
{{{
$ sudo sed -i 's/^IPV6=no/IPV6=yes/' /etc/default/ufw
$ sudo ufw disable && sudo ufw status
$ sudo ufw enable && sudo ufw status
$ sudo ufw allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
$ sudo ufw delete allow proto tcp from 2001:db8::/32 to any port smtp && sudo ufw status
}}}

The README also contains information for testing.

'''IMPORTANT:''' When enabling the firewall and/or using '/etc/init.d/ufw start', the chains are necessarily flushed and connections may be dropped (eg ssh connections). You can, however, add rules to the firewall before enabling it, so if you are testing ufw on a remote machine, it is recommended you perform:
{{{
$ sudo ufw allow proto tcp from any to any port 22
}}}
before running 'ufw enable'. Once the firewall is enabled, adding and removing rules will not flush the firewall (though modifying an existing rule will).

== Outstanding Issues ==

 * UbuntuFirewallLongTerm describes some ideas for moving forward to extend functionality to include router/gateway configuration, NAT, QoS configuration and /proc adjustments (eg ip_forwarding, rp_filter, et al)

== Comments ==
 * Why not a QoS integration in this application? It's useful overall if download programs use all the bandwidth and the user has no option to navigate with commodity. Thanks.
  * '''ANSWER''' This may be included in a future release
 * I have a suggestion which probably is out of scope of this spec: add a default IP filtering range, like in peerguardian, which would block RIAA, MPAA, etc. -- AzraelNightwalker <<DateTime(2008-02-07T16:00:04Z)>>
  * '''ANSWER''' ufw 0.19 now supports port ranges, which will aid in developing these sorts of policies
 * What about binary-specific rules? (Maybe that's what the package integration does?) Like this: I have installed Konqueror and Firefox and both packages report they want to surf the web (port 80 and 443), but I want to restrict Konqueror to my own internal subnet only while Firefox will be allowed to surf to any IP address. This type of configuration can be done in other firewalls (like "NetLimiter 2 Pro" for Windows) and I would be happy to see something similar in Ubuntu's firewall. -- AndersHäggström
 * Why not create a ufw.d folder? When users install applications the deb would add an entry. An example would be installing Apache: the deb would add an entry to allow incoming connections to port 80.
  * '''ANSWER''' This is planned. See 'Package Integration', above.
 * Another option is firehol; it has a single, pretty "declarative" configuration file.
 * What about firewall tool 'X'?
  * '''ANSWER''' Users are still free to use whatever firewall tool best fits their needs. ufw is not enabled by default and will not get in the way of other tools when not enabled.
 * GUI for ufw available: http://gufw.tuxfamily.org/
 * Is there a simple way to get ufw to flush the nat table when enabling? I have the line "-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE" in before.rules to enable outbound nat; however, after disabling/enabling ufw I get multiple and sometimes conflicting nat and port-forwarding entries showing up in "iptables -L -t nat".

----
CategorySpec CategoryComments
 * '''Specification''': UbuntuFirewallSpec
 * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]]


UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)