Diff for "UncomplicatedFirewall"

UncomplicatedFirewall

Differences between revisions 7 and 130 (spanning 123 versions)

Contents

Introduction
UFW in Ubuntu
1. Available Versions in supported versions of Ubuntu
2. Features
Basic Usage
1. Advanced Functionality
More Information

Introduction

The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a complete firewall solution that is both highly configurable and highly flexible.

Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.

UFW in Ubuntu

Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS.

Available Versions in supported versions of Ubuntu

Ubuntu 12.04 ESM: 0.31.1-1
Ubuntu 14.04 ESM: 0.34~rc-0ubuntu2
Ubuntu 16.04 LTS: 0.35-0ubuntu2
Ubuntu 18.04 LTS: 0.36-0ubuntu0.18.04.1
Ubuntu 20.04: 0.36-6
Ubuntu 21.04: 0.36-7.1
Ubuntu 21.10: 0.36.1-1,
Ubuntu 22.04: 0.36.1-4,
Ubuntu Core: 0.36pre

Features

ufw has the following features:

Feature	0.31.1-1	0.34~rc-0ubuntu2	0.34-2	0.35
default incoming policy (allow/deny)	yes	yes	yes	yes
allow/deny incoming rules	yes	yes	yes	yes
IPv6 (by default)	yes	yes	yes	yes
status	yes	yes	yes	yes
logging (on/off)	yes	yes	yes	yes
extensible framework	yes	yes	yes	yes
python 2.5 support	yes	no	no	no
application integration	yes	yes	yes	yes*
IPv4 rate limiting via 'limit' command	yes	yes	yes	yes
internationalization	yes	yes	yes	yes
multiport incoming rules	yes	yes	yes	yes
debconf/preseeding	yes	yes	yes	yes
default incoming policy (reject)	yes	yes	yes	yes
reject incoming rules	yes	yes	yes	yes
rule insertion	yes	yes	yes	yes
log levels	yes	yes	yes	yes
per rule logging	yes	yes	yes	yes
outgoing filtering (on par with incoming)	yes	yes	yes	yes
filtering by interface	yes	yes	yes	yes
bash completion	yes	yes	yes	yes
upstart support	yes	yes	yes	yes
improved reporting	yes	yes	yes	yes
reset command	yes	yes	yes	yes
rsyslog support	yes	yes	yes	yes
delete by rule number	yes	yes	yes	yes
python 2.6 support	yes	yes	yes	yes
'show listening' report	yes	yes	yes	yes
python 2.7 support	yes	yes	yes	yes
increased protocol support (ah, esp)	yes	yes	yes	yes
IPv6 rate limiting via 'limit' command	--	yes	yes	yes
python 3.2 support	--	yes	yes	no
python 3.3 support	--	yes	yes	yes
'show added' report	--	yes	yes	yes
python 3.4 support	--	yes	yes	yes
before/after extensibility hooks	--	yes	yes	yes
routed packet filtering (FORWARD)	--	yes	yes	yes
systemd support	--	--	yes	yes
increased protocol support (igmp, gre)	--	--	yes	yes
python 3.5 support	--	--	yes	yes
Snappy for Ubuntu Core support	--	--	--	yes
per rule comments	--	--	--	yes

support for application integration is limited on Ubuntu Core at this time

Basic Usage

Getting started with ufw is easy. For example, to enable firewall, allow ssh access, enable logging, and check the status of the firewall, perform:

$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

On Ubuntu Core, simply replace 'ufw' with 'ufw.cmd'. Eg:

$ sudo ufw.cmd enable

Advanced Functionality

As mentioned, the ufw application is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files¹:

/etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
/etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
/etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
/etc/ufw/sysctl.conf: kernel network tunables
/var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
/etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
/etc/ufw/after.init: initialization customization script run after ufw is initialized (ufw 0.34 and later)
/etc/ufw/before.init: initialization customization script run before ufw is initialized (ufw 0.34 and later)

After modifying any of the above files, activate the new settings with:

$ sudo ufw disable
$ sudo ufw enable

¹ On Ubuntu Core, these files are located under /var/lib/apps/ufw*/current. See 'ufw.doc ufw-on-snappy' on an Ubuntu Core system for details.

More Information

Ubuntu 16.04 LTS (Xenial Xerus)
Ubuntu 18.04 LTS (Bionic Beaver)
Ubuntu 20.04 (Focal Fossa)
Ubuntu 21.04 (Hirsute Hippo)
- ufw manual
- ufw framework manual
Ubuntu 21.10 (Impish Indri)
- ufw manual
- ufw framework manual
Ubuntu 22.04 (Jammy Jellyfish)
- ufw manual
- ufw framework manual
Ubuntu Core
- See 'ufw.doc' on your Ubuntu Core system, specifically 'ufw.doc ufw-on-snappy | less' to see how ufw differs on Ubuntu Core.
Ubuntu Community Documentation on UFW
Specification: UbuntuFirewallSpec
Code: https://launchpad.net/ufw
Graphic User Interface for UFW: Gufw.

UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)

-  ⇤ ← Revision 7 as of 2007-10-30 13:31:55 → 
  Size: 9004
  Editor: 12
  Comment:
+   ← Revision 130 as of 2022-09-28 10:35:36 → ⇥
  Size: 11565
  Editor: dwd-daniel
  Comment: Added " * '''Ubuntu 22.04''': 0.36.1-4," to "Available Versions in supported version of Ubuntu"
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
-https://blueprints.edge.launchpad.net/ubuntu/+spec/ubuntu-firewall
https://wiki.ubuntu.com/UbuntuFirewall

 * '''Launchpad Entry''': UbuntuSpec:ubuntu-firewall

== Meeting Notes 2007/10/29 ==
 * Goals:
  * flexible, comprehensive and easy to use firewall configuration
  * package integration

 * What this spec doesn't do
  * This spec does not address UI aspects
  * This spec is not about intrusion detection (ie, we don't notify user here)

 * Options
  * OpenBSD has a very convenient interface: http://www.openbsd.org/faq/pf/filter.html
   * With PF - human readable firewall config much fewer lines
   * nothing prevents user from muddling addresses and ports and zones and services, leading to support issues (user shouldn't touch metadata that package provides)
   * OpenBSD is last-match by default, iptables isn't
   * All configuration in one file (rules, /proc adjustments, QoS, etc), text file, easy to audit
  
  * Shorewall - shorewall.net: http://www.shorewall.net/shorewall_setup_guide.htm
   * Define zone in one file, access in another
   * Provides a way to protect you from locking yourself out (backup config)
   * Does not provide per package integration
   * Implementation is pretty horrid maze of shell scripts

  * Other
   * Packages: Firestarter (XML backend), Firehol, fwbuilder
   * SuSe had a series of twisty shell scripts that implemented a higher-level (very simple) - shell variables and such (SuSEfirewall2). Had a way to put crazy iptables stuff between the normal lanugage
   * DrakConf (mentioned outside of meeting)

 * Thoughts on desirable attributes
  * Packages need to provide metadata saying "I use this port", we need an interpreter
    * What about services that change ports inside configuration (/etc/apache2/ports.conf)
  * Proper handling when opening a port (not open everything for a moment...either deny drop or something similar when rerunning whole script)
  * declarative language
  * per package meta-data (.d directory style).
  * Apache package should be able to provide enough meta-data to shape a UI say "Apache on/off"
    * or "limit to internal" or similar
  * compile from an XML file, perhaps without that XML file being made by a GUI
  * Easy to admin by modifying config files on a commmand line
  * Mechanism to test before implementation, especially so you don't lock yourself out  
  * Separation between the service definition and the zone. Seems that pf syntax doesn't provide this.
  * Ability to manually handle iptables stuff between other rules in the higher level language (so you can do insane things -- packages won't do insane things, but admins might)
  * User needs to be able to turn it all off (default should be off, but turn on easy)
   * Packages might break if unaware of firewall before Hardy
  * Simple examples for simple use cases 
  * Also consider simple rules that don't break packages (eg slowing flooding of brute force attacks on port 22)

  * Dynamic discovering of services
   * Could look at services from packages
   * Default open/closed?  Different for packages? Default policy is configurable.
   * Let user set default policy for new services (but allow tweaking per service) but need default for default
   * Firewall should probably not break apache by default install
   * Wouldn't need package metadata if we did it dynamically
     * but may be advantage to having it optional (eg install paranoid rules package, or a package defining a range of ports)
   "<ompaul> if you auto discover it you tell me what you found and I say yes or no and add a comment - if you want me to undestand what I am doing"
  * We are adding a new non-default (installing firewall package and then it)
  * Tie to path to executable or package?  Different policy per executable/package?  (Samba: different binaries, different ports, but tracked as single service)
+## page was renamed from UbuntuFirewall
||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position:  98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;"><<TableOfContents>>||
-Line 63:
+Line 5:
-== Summary ==
+== Introduction ==
The Linux kernel in Ubuntu provides a packet filtering system called
`netfilter`, and the traditional interface for manipulating `netfilter` are the
`iptables` suite of commands. `iptables` provide a complete firewall solution
that is both highly configurable and highly flexible.
-Line 65:
+Line 11:
-Create a high level language for iptables firewall configuration. The language would be based on OpenBSD's PF syntax, along with any improvements to make it easier for users (PF provides a compact, easy to understand firewall language). Initially, the language will consist of only a subset of PF functionality, but eventually could include queuing and traffic optimization.
+Becoming proficient in `iptables` takes time, and getting started with
`netfilter` firewalling using only `iptables` can be a daunting task. As a
result, many frontends for `iptables` have been created over the years, each
trying to achieve a different result and targeting a different audience.
-Line 67:
+Line 16:
-In addition to the higher level language, ubuntu-firewall should provide packaging integration to make it easier for network daemon packages to integrate with the firewall.
+The Uncomplicated Firewall (`ufw`) is a frontend for `iptables` and is particularly
well-suited for host-based firewalls. `ufw` provides a framework for
managing `netfilter`, as well as a command-line interface for manipulating the
firewall. `ufw` aims to provide an easy to use interface for people unfamiliar with
firewall concepts, while at the same time simplifies complicated `iptables` commands
to help an administrator who knows what he or she is doing. `ufw` is an upstream for
other distributions and graphical frontends.
-Line 69:
+Line 24:
-It is important to note that this is not simply 'Yet Another Firewall Tool', but rather a high level firewall language to make firewall configuration easier for users, packaging, and tools.
+== UFW in Ubuntu ==
Ubuntu 8.04 LTS introduced `ufw`, and it is available by default in all Ubuntu
installations after 8.04 LTS.
-Line 71:
+Line 28:
-== Release Note ==
+=== Available Versions in supported versions of Ubuntu ===
 * '''Ubuntu 12.04 ESM''': 0.31.1-1
 * '''Ubuntu 14.04 ESM''': 0.34~rc-0ubuntu2
 * '''Ubuntu 16.04 LTS''': 0.35-0ubuntu2
 * '''Ubuntu 18.04 LTS''': 0.36-0ubuntu0.18.04.1
 * '''Ubuntu 20.04''': 0.36-6
 * '''Ubuntu 21.04''': 0.36-7.1
 * '''Ubuntu 21.10''': 0.36.1-1,
 * '''Ubuntu 22.04''': 0.36.1-4,
 * '''Ubuntu Core''': 0.36pre
-Line 73:
+Line 39:
-ubuntu-firewall will not affect users in the default installation as the tool will not dictate a default firewall policy for all users. Users will have to explicitly enable ubuntu-firewall if they want to use it.
+=== Features ===
`ufw` has the following features:
-Line 75:
+Line 42:
-== Rationale ==
+|| '''Feature'''                             || '''0.31.1-1'''  || '''0.34~rc-0ubuntu2''' || '''0.34-2''' || '''0.35''' ||
|| default incoming policy (allow/deny)      || yes             || yes                    || yes          || yes        ||
|| allow/deny incoming rules                 || yes             || yes                    || yes          || yes        ||
|| IPv6 (by default)                         || yes             || yes                    || yes          || yes        ||
|| status                                    || yes             || yes                    || yes          || yes        ||
|| logging (on/off)                          || yes             || yes                    || yes          || yes        ||
|| extensible framework                      || yes             || yes                    || yes          || yes        ||
|| python 2.5 support                        || yes             || no                     || no           || no         ||
|| application integration                   || yes             || yes                    || yes          || yes*       ||
|| IPv4 rate limiting via 'limit' command    || yes             || yes                    || yes          || yes        ||
|| internationalization                      || yes             || yes                    || yes          || yes        ||
|| multiport incoming rules                  || yes             || yes                    || yes          || yes        ||
|| debconf/preseeding                        || yes             || yes                    || yes          || yes        ||
|| default incoming policy (reject)          || yes             || yes                    || yes          || yes        ||
|| reject incoming rules                     || yes             || yes                    || yes          || yes        ||
|| rule insertion                            || yes             || yes                    || yes          || yes        ||
|| log levels                                || yes             || yes                    || yes          || yes        ||
|| per rule logging                          || yes             || yes                    || yes          || yes        ||
|| outgoing filtering (on par with incoming) || yes             || yes                    || yes          || yes        ||
|| filtering by interface                    || yes             || yes                    || yes          || yes        ||
|| bash completion                           || yes             || yes                    || yes          || yes        ||
|| upstart support                           || yes             || yes                    || yes          || yes        ||
|| improved reporting                        || yes             || yes                    || yes          || yes        ||
|| reset command                             || yes             || yes                    || yes          || yes        ||
|| rsyslog support                           || yes             || yes                    || yes          || yes        ||
|| delete by rule number                     || yes             || yes                    || yes          || yes        ||
|| python 2.6 support                        || yes             || yes                    || yes          || yes        ||
|| 'show listening' report                   || yes             || yes                    || yes          || yes        ||
|| python 2.7 support                        || yes             || yes                    || yes          || yes        ||
|| increased protocol support (ah, esp)      || yes             || yes                    || yes          || yes        ||
|| IPv6 rate limiting via 'limit' command    || --              || yes                    || yes          || yes        ||
|| python 3.2 support                        || --              || yes                    || yes          || no         ||
|| python 3.3 support                        || --              || yes                    || yes          || yes        ||
|| 'show added' report                       || --              || yes                    || yes          || yes        ||
|| python 3.4 support                        || --              || yes                    || yes          || yes        ||
|| before/after extensibility hooks          || --              || yes                    || yes          || yes        ||
|| routed packet filtering (FORWARD)         || --              || yes                    || yes          || yes        ||
|| systemd support                           || --              || --                     || yes          || yes        ||
|| increased protocol support (igmp, gre)    || --              || --                     || yes          || yes        ||
|| python 3.5 support                        || --              || --                     || yes          || yes        ||
|| Snappy for Ubuntu Core support            || --              || --                     || --           || yes        ||
|| per rule comments                         || --              || --                     || --           || yes        ||
-Line 77:
+Line 85:
-Ubuntu currently does not have an integrated firewall in its base installation. Additionally, the tools that are available to create a firewall are largely based on GUI applications and/or create iptables scripts that are dependent on the tool to update them. Users are left to choose between one of the many firewall tools available, or roll their own firewall scripts. Creation and auditing of the firewall for correctness can be difficult because of the complexity of iptables and the files created by existing tools.  Additionally, existing tools also do not provide package integration so that when a network daemon is installed, users have to manually determine and add the necessary firewall rules (usually with their tool of choice).
+ * support for application integration is limited on Ubuntu Core at this time
-Line 79:
+Line 87:
-== Use Cases ==
+== Basic Usage ==
Getting started with `ufw` is easy. For example, to enable firewall, allow
ssh access, enable logging, and check the status of the firewall, perform:{{{
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded
-Line 81:
+Line 96:
-Bob uses a desktop system and wants to add a firewall as another layer of protection.  Bob can enable ubuntu-firewall to provide this protection.  When new packages are added, Bob can optionally enable the firewall rules provided by these packages.
+To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
}}}
-Line 83:
+Line 101:
-Alice administers many server machines and wants to create a host-based firewall for them.  Alice can create a base firewall policy for all the servers using the PF-based ubuntu-firewall language.  Once the default policy for her servers is setup and pushed to each machine, she can then install the server packages she wants on the individual servers, and enable the firewall rules provided by those packages.
+This sets up a default deny (DROP) firewall for incoming connections, with all
outbound connections allowed with state tracking.
-Line 85:
+Line 104:
-Charlie wants to configure a system to use as perimeter firewall/router.  Because of ubuntu-firewall's simplified configuration syntax, the firewall can be more easily created and audited.
+On Ubuntu Core, simply replace '`ufw`' with '`ufw.cmd`'. Eg: {{{
$ sudo ufw.cmd enable
}}}
-Line 87:
+Line 108:
-== Assumptions ==
+=== Advanced Functionality ===
As mentioned, the `ufw` application is capable of doing anything that `iptables` can
do. This is achieved by using several sets of rules files, which are nothing more
than `iptables-restore` compatible text files. Fine-tuning `ufw` and/or adding additional
`iptables` commands not offered via the `ufw` command is a matter of editing various text
files^1^:
 * '''/etc/default/ufw''': high level configuration, such as default policies, IPv6 support and kernel modules to use
 * '''/etc/ufw/before[6].rules''': rules in these files are evaluated before any rules added via the `ufw` command
 * '''/etc/ufw/after[6].rules''': rules in these files are evaluated after any rules added via the `ufw` command
 * '''/etc/ufw/sysctl.conf''': kernel network tunables
 * '''/var/lib/ufw/user[6].rules''' or '''/lib/ufw/user[6].rules''' (0.28 and later): rules added via the `ufw` command (should not normally be edited by hand)
 * '''/etc/ufw/ufw.conf''': sets whether or not `ufw` is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
 * '''/etc/ufw/after.init''': initialization customization script run after ufw is initialized (ufw 0.34 and later)
 * '''/etc/ufw/before.init''': initialization customization script run before ufw is initialized (ufw 0.34 and later)
-Line 89:
+Line 123:
-While the PF-based abstraction that ubuntu-firewall provides would be a great benefit to users on its own, to fully realize the benefits of ubuntu-firewall, packages providing network services should also provide firewall policy for the applications they provide.  For example, apache2 should let ubuntu-firewall know that it provides a TCP service on port 80. It should be noted that ubuntu-firewall is still very useful on its own, so a slow transition for these packages is tolerable.
+After modifying any of the above files, activate the new settings with:{{{
$ sudo ufw disable
$ sudo ufw enable
}}}
-Line 91:
+Line 128:
-== Design ==
+^1^ On Ubuntu Core, these files are located under `/var/lib/apps/ufw*/current`. See '`ufw.doc ufw-on-snappy`' on an Ubuntu Core system for details.
-Line 93:
+Line 130:
-. Create the high level language for iptables firewall configuration
 1. Integrate with package management by creating an /etc/uf/rules.d directory
 1. Create a tool for parsing the high level language.  This tool would be called 'ufctl'.  Default configuration would be in /etc/uf/uf.conf. ufctl would be smart enough to turn on things like IP forwarding, depending on the configuration in uf.conf. This tool should:
   * Parse uf.conf and files in /etc/uf/rules.d
   * Load the results of the parse via iptables/proc/(and eventually ip)
   * Provide a means to specify another configuration file
   * Provide a 'dry-run' or 'config test' mechanism
 1. Provide a means to load the ubuntu-firewall policy on boot
+== More Information ==
 * Ubuntu 16.04 LTS (Xenial Xerus)
  * [[https://help.ubuntu.com/16.04/serverguide/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 102:
+Line 136:
-== Implementation ==
+ * Ubuntu 18.04 LTS (Bionic Beaver)
  * [[https://help.ubuntu.com/18.04/serverguide/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 104:
+Line 141:
-=== UI Changes  ===
+ * Ubuntu 20.04 (Focal Fossa)
  * [[https://ubuntu.com/server/docs/security-firewall | Ubuntu Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 106:
+Line 146:
-There are no specific UI changes for ufctl.  Simple CLI or GUI tools could
eventually be created which simply add files to /etc/uf/rules.d.  One
implementation could similar to RedHat's system-config-securitylevel, which essentially declares what protocol and port to open.
+ * Ubuntu 21.04 (Hirsute Hippo)
  * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 110:
+Line 150:
-=== Code Changes ===
+ * Ubuntu 21.10 (Impish Indri)
  * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 112:
+Line 154:
-Depending on the method chosen for boot integration, there may be changes to
the loopback entry ('lo') in /etc/network/interfaces.
+ * Ubuntu 22.04 (Jammy Jellyfish)
  * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw-framework.8.html|ufw framework manual]]
-Line 115:
+Line 158:
-=== Migration ===
+ * Ubuntu Core
  * See '`ufw.doc`' on your Ubuntu Core system, specifically '`ufw.doc ufw-on-snappy | less`' to see how ufw differs on Ubuntu Core.
-Line 117:
+Line 161:
-As there is currently no default firewall configuration for Ubuntu, there are no
mandatory migration issues.  It should be possible to generate an
ubuntu-firewall policy from an existing firewall policy.  Another migration
issue is getting network daemon packages to provide the necessary policy files
to ubuntu-firewall.
+ * [[https://help.ubuntu.com/community/UFW|Ubuntu Community Documentation on UFW]]
-Line 123:
+Line 163:
-== Test/Demo Plan ==
TBD

== Outstanding Issues ==

 * User space tools for generating policies for ubuntu-firewall

== BoF agenda and discussion ==

Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarizing what was discussed and note any options that were rejected.

----
CategorySpec
+ * '''Specification''': UbuntuFirewallSpec
 * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]]
 * Graphic User Interface for UFW: [[https://help.ubuntu.com/community/Gufw|Gufw]].

Ubuntu Wiki