UncomplicatedFirewall

Differences between revisions 73 and 131 (spanning 58 versions)
Revision 73 as of 2009-04-23 17:26:03
Size: 5376
Editor: pool-71-114-243-118
Comment:
Revision 131 as of 2023-10-18 01:29:55
Size: 11529
Editor: sbeattie
Comment: add ufw versions for lunar and jammy
Line 1: Line 1:
## page was renamed from UbuntuFirewall
Line 20: Line 21:
to help an adminstrator who knows what he or she is doing. `ufw` is an upstream for to help an administrator who knows what he or she is doing. `ufw` is an upstream for
Line 27: Line 28:
=== Available Versions ===
 * '''Ubuntu 8.04 LTS''': 0.16.2
 * '''Ubuntu 8.10''': 0.23.2
 * '''Ubuntu 9.04''': 0.27-0ubuntu2
=== Available Versions in supported versions of Ubuntu ===
 * '''Ubuntu 14.04 LTS''': 0.34~rc-0ubuntu2
 * '''Ubuntu 16.04 LTS''': 0.35-0ubuntu2
 * '''Ubuntu 18.04 LTS''': 0.36-0ubuntu0.18.04.1
 * '''Ubuntu 20.04''': 0.36-6
 * '''Ubuntu 22.04''': 0.36.1-4,
 * '''Ubuntu 23.04''': 0.36.1-4.1
 * '''Ubuntu 23.10''': 0.36.2-1
 * '''Ubuntu Core''': 0.36pre
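Review bot: the 22.04 entry ends with a stray comma (`0.36.1-4,`) that should be dropped; the list also labels 14.04, 16.04 and 18.04 as LTS but not 20.04 and 22.04, which are LTS releases as well, so the LTS label should be applied consistently.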
Line 35: Line 41:
|| '''Feature''' || '''8.04 LTS''' || '''8.10''' || '''9.04''' ||
|| default policy (allow/deny) || yes || yes || yes ||
|| allow/deny rules || yes || yes || yes ||
|| ipv6 || yes || yes || yes ||
|| status || yes || yes || yes ||
|| logging (on/off) || yes || yes || yes ||
|| application integration || -- || yes || yes ||
|| limit rules (rate limiting) || -- || yes || yes ||
|| multiport rules || -- || yes || yes ||
|| debconf/preseeding || -- || -- || yes ||
|| default policy (reject) || -- || -- || yes ||
|| reject rules || -- || -- || yes ||
|| rule insertion || -- || -- || yes ||
|| log levels || -- || -- || yes ||
|| per rule logging || -- || -- || yes ||
|| '''Feature''' || '''0.31.1-1''' || '''0.34~rc-0ubuntu2''' || '''0.34-2''' || '''0.35''' ||
|| default incoming policy (allow/deny) || yes || yes || yes || yes ||
|| allow/deny incoming rules || yes || yes || yes || yes ||
|| IPv6 (by default) || yes || yes || yes || yes ||
|| status || yes || yes || yes || yes ||
|| logging (on/off) || yes || yes || yes || yes ||
|| extensible framework || yes || yes || yes || yes ||
|| python 2.5 support || yes || no || no || no ||
|| application integration || yes || yes || yes || yes* ||
|| IPv4 rate limiting via 'limit' command || yes || yes || yes || yes ||
|| internationalization || yes || yes || yes || yes ||
|| multiport incoming rules || yes || yes || yes || yes ||
|| debconf/preseeding || yes || yes || yes || yes ||
|| default incoming policy (reject) || yes || yes || yes || yes ||
|| reject incoming rules || yes || yes || yes || yes ||
|| rule insertion || yes || yes || yes || yes ||
|| log levels || yes || yes || yes || yes ||
|| per rule logging || yes || yes || yes || yes ||
|| outgoing filtering (on par with incoming) || yes || yes || yes || yes ||
|| filtering by interface || yes || yes || yes || yes ||
|| bash completion || yes || yes || yes || yes ||
|| upstart support || yes || yes || yes || yes ||
|| improved reporting || yes || yes || yes || yes ||
|| reset command || yes || yes || yes || yes ||
|| rsyslog support || yes || yes || yes || yes ||
|| delete by rule number || yes || yes || yes || yes ||
|| python 2.6 support || yes || yes || yes || yes ||
|| 'show listening' report || yes || yes || yes || yes ||
|| python 2.7 support || yes || yes || yes || yes ||
|| increased protocol support (ah, esp) || yes || yes || yes || yes ||
|| IPv6 rate limiting via 'limit' command || -- || yes || yes || yes ||
|| python 3.2 support || -- || yes || yes || no ||
|| python 3.3 support || -- || yes || yes || yes ||
|| 'show added' report || -- || yes || yes || yes ||
|| python 3.4 support || -- || yes || yes || yes ||
|| before/after extensibility hooks || -- || yes || yes || yes ||
|| routed packet filtering (FORWARD) || -- || yes || yes || yes ||
|| systemd support || -- || -- || yes || yes ||
|| increased protocol support (igmp, gre) || -- || -- || yes || yes ||
|| python 3.5 support || -- || -- || yes || yes ||
|| Snappy for Ubuntu Core support || -- || -- || -- || yes ||
|| per rule comments || -- || -- || -- || yes ||
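Review bot: the new feature table stops at 0.35 while the version list in the hunk above now runs to 0.36.2-1, so a reader on 20.04 or later cannot tell which features apply to their release; either add 0.36 columns or state that the 0.35 feature set carries forward.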
Line 51: Line 84:
 * support for application integration is limited on Ubuntu Core at this time
Line 67: Line 101:
outbound connections allowed with connections tracking. outbound connections allowed with state tracking.

On Ubuntu Core, simply replace '`ufw`' with '`ufw.cmd`'. Eg: {{{
$ sudo ufw.cmd enable
}}}
Line 70: Line 108:
As mentioned, the `ufw` framework is capable of doing anything that `iptables` can As mentioned, the `ufw` application is capable of doing anything that `iptables` can
Line 74: Line 112:
files:
 * '''/etc/defaults/ufw''': high level configuration, such as default policies, IPv6 support and kernel modules to use
files^1^:
 * '''/etc/default/ufw''': high level configuration, such as default policies, IPv6 support and kernel modules to use
Line 79: Line 117:
 * '''/var/lib/ufw/user[6].rules''': rules added via the `ufw` command (should not normally be edited by hand)  * '''/var/lib/ufw/user[6].rules''' or '''/lib/ufw/user[6].rules''' (0.28 and later): rules added via the `ufw` command (should not normally be edited by hand)
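Review bot: the parenthetical "(0.28 and later)" is ambiguous as written, since it is unclear whether it qualifies only `/lib/ufw/user[6].rules` or both paths; state explicitly which path applies before 0.28 and which from 0.28 onwards.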
Line 81: Line 119:
 * '''/etc/ufw/after.init''': initialization customization script run after ufw is initialized (ufw 0.34 and later)
 * '''/etc/ufw/before.init''': initialization customization script run before ufw is initialized (ufw 0.34 and later)
Line 87: Line 127:
^1^ On Ubuntu Core, these files are located under `/var/lib/apps/ufw*/current`. See '`ufw.doc ufw-on-snappy`' on an Ubuntu Core system for details.
Line 88: Line 130:
 * Ubuntu 8.04 LTS (Hardy Heron)
  * [[https://help.ubuntu.com/8.04/serverguide/C/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/hardy/en/man8/ufw.8.html|Man page]]
 * Ubuntu 16.04 LTS (Xenial Xerus)
  * [[https://help.ubuntu.com/16.04/serverguide/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html|ufw framework manual]]
Line 92: Line 135:
 * Ubuntu 8.10 (Intrepid Ibex)
  * [[https://help.ubuntu.com/8.10/serverguide/C/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/intrepid/en/man8/ufw.8.html|Man page]]
 * Ubuntu 18.04 LTS (Bionic Beaver)
  * [[https://help.ubuntu.com/18.04/serverguide/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw-framework.8.html|ufw framework manual]]
Line 96: Line 140:
 * Ubuntu 9.04 (Jaunty Jackalope)
  * [[https://help.ubuntu.com/9.04/serverguide/C/firewall.html|Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/jaunty/en/man8/ufw.8.html|Man page]]
 * Ubuntu 20.04 (Focal Fossa)
  * [[https://ubuntu.com/server/docs/security-firewall | Ubuntu Server Guide - Firewall]]
  * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html|ufw framework manual]]

 * Ubuntu 21.04 (Hirsute Hippo)
  * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw-framework.8.html|ufw framework manual]]

 * Ubuntu 21.10 (Impish Indri)
  * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw-framework.8.html|ufw framework manual]]

 * Ubuntu 22.04 (Jammy Jellyfish)
  * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html|ufw manual]]
  * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw-framework.8.html|ufw framework manual]]

 * Ubuntu Core
  * See '`ufw.doc`' on your Ubuntu Core system, specifically '`ufw.doc ufw-on-snappy | less`' to see how ufw differs on Ubuntu Core.

 * [[https://help.ubuntu.com/community/UFW|Ubuntu Community Documentation on UFW]]
Line 102: Line 164:
 * Graphic User Interface for UFW: [[https://help.ubuntu.com/community/Gufw|Gufw]].
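Review bot: "Graphic User Interface" should read "Graphical User Interface", and the Focal link `[[https://ubuntu.com/server/docs/security-firewall | Ubuntu Server Guide - Firewall]]` has spaces around the `|` unlike every other link on the page; drop them for consistency.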

Introduction

The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. iptables provides a complete firewall solution that is both highly configurable and highly flexible.

Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.

UFW in Ubuntu

Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS.

Available Versions in supported versions of Ubuntu

  • Ubuntu 14.04 LTS: 0.34~rc-0ubuntu2
  • Ubuntu 16.04 LTS: 0.35-0ubuntu2
  • Ubuntu 18.04 LTS: 0.36-0ubuntu0.18.04.1
  • Ubuntu 20.04: 0.36-6
  • Ubuntu 22.04: 0.36.1-4
  • Ubuntu 23.04: 0.36.1-4.1
  • Ubuntu 23.10: 0.36.2-1
  • Ubuntu Core: 0.36pre

Features

ufw has the following features:

|| Feature || 0.31.1-1 || 0.34~rc-0ubuntu2 || 0.34-2 || 0.35 ||
|| default incoming policy (allow/deny) || yes || yes || yes || yes ||
|| allow/deny incoming rules || yes || yes || yes || yes ||
|| IPv6 (by default) || yes || yes || yes || yes ||
|| status || yes || yes || yes || yes ||
|| logging (on/off) || yes || yes || yes || yes ||
|| extensible framework || yes || yes || yes || yes ||
|| python 2.5 support || yes || no || no || no ||
|| application integration || yes || yes || yes || yes* ||
|| IPv4 rate limiting via 'limit' command || yes || yes || yes || yes ||
|| internationalization || yes || yes || yes || yes ||
|| multiport incoming rules || yes || yes || yes || yes ||
|| debconf/preseeding || yes || yes || yes || yes ||
|| default incoming policy (reject) || yes || yes || yes || yes ||
|| reject incoming rules || yes || yes || yes || yes ||
|| rule insertion || yes || yes || yes || yes ||
|| log levels || yes || yes || yes || yes ||
|| per rule logging || yes || yes || yes || yes ||
|| outgoing filtering (on par with incoming) || yes || yes || yes || yes ||
|| filtering by interface || yes || yes || yes || yes ||
|| bash completion || yes || yes || yes || yes ||
|| upstart support || yes || yes || yes || yes ||
|| improved reporting || yes || yes || yes || yes ||
|| reset command || yes || yes || yes || yes ||
|| rsyslog support || yes || yes || yes || yes ||
|| delete by rule number || yes || yes || yes || yes ||
|| python 2.6 support || yes || yes || yes || yes ||
|| 'show listening' report || yes || yes || yes || yes ||
|| python 2.7 support || yes || yes || yes || yes ||
|| increased protocol support (ah, esp) || yes || yes || yes || yes ||
|| IPv6 rate limiting via 'limit' command || -- || yes || yes || yes ||
|| python 3.2 support || -- || yes || yes || no ||
|| python 3.3 support || -- || yes || yes || yes ||
|| 'show added' report || -- || yes || yes || yes ||
|| python 3.4 support || -- || yes || yes || yes ||
|| before/after extensibility hooks || -- || yes || yes || yes ||
|| routed packet filtering (FORWARD) || -- || yes || yes || yes ||
|| systemd support || -- || -- || yes || yes ||
|| increased protocol support (igmp, gre) || -- || -- || yes || yes ||
|| python 3.5 support || -- || -- || yes || yes ||
|| Snappy for Ubuntu Core support || -- || -- || -- || yes ||
|| per rule comments || -- || -- || -- || yes ||

* support for application integration is limited on Ubuntu Core at this time

Basic Usage

Getting started with ufw is easy. For example, to enable the firewall, allow ssh access, enable logging, and check the status of the firewall, perform:

$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.

On Ubuntu Core, simply replace 'ufw' with 'ufw.cmd', e.g.:

$ sudo ufw.cmd enable
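Once the firewall is enabled, the status table is what an administrator audits over time. The following Python script, added here as an example and not part of the original page, parses the To / Action / From table that `ufw status` prints and reports inbound allow or limit rules whose destination is not on an expected allowlist; the sample output embedded in it is constructed, and the parser accepts both the older `22:tcp` notation shown above and the current `22/tcp` form.

```python
"""Audit `ufw status` output against an expected set of inbound allow rules.

The SAMPLE text below is constructed for this example and mirrors the
To / Action / From table ufw prints.  On a real host:
    sudo ufw status | python3 ufw_audit.py
"""
import re
import sys
from typing import NamedTuple


class Rule(NamedTuple):
    to: str        # destination, e.g. "22/tcp", "22:tcp" (older ufw), "Anywhere"
    action: str    # ALLOW, DENY, REJECT, LIMIT, optionally followed by IN/OUT
    src: str       # source, e.g. "Anywhere", "10.0.0.0/8"
    comment: str   # per-rule comment ufw prints after '#', if any


# Columns are separated by runs of two or more spaces.
_SPLIT = re.compile(r"\s{2,}")


def parse_status(text: str) -> list[Rule]:
    """Return the rule rows of `ufw status`, skipping headers and status lines."""
    rules = []
    for line in text.splitlines():
        line, _, comment = line.partition("#")
        parts = _SPLIT.split(line.strip())
        if len(parts) != 3 or parts[0] in ("To", "--"):
            continue  # "Status:" line, blank line, header or separator row
        rules.append(Rule(parts[0], parts[1], parts[2], comment.strip()))
    return rules


def port_of(to: str) -> str:
    """Normalise '22/tcp', '22:tcp' and '22/tcp (v6)' to '22/tcp'."""
    return to.replace(" (v6)", "").replace(":", "/")


def unexpected_inbound(rules: list[Rule], allowed: set[str]) -> list[Rule]:
    """Inbound ALLOW/LIMIT rules whose destination is not on the allowlist."""
    return [r for r in rules
            if "OUT" not in r.action
            and r.action.split()[0] in ("ALLOW", "LIMIT")
            and port_of(r.to) not in allowed]


SAMPLE = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere                   # ssh, rate limited
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    10.0.0.0/8
22/tcp (v6)                LIMIT IN    Anywhere (v6)
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for r in unexpected_inbound(parse_status(text), {"22/tcp", "80/tcp", "443/tcp"}):
        print(f"unexpected inbound rule: {r.to} {r.action} from {r.src}")
```

With the constructed sample the script flags only the 3306/tcp rule, which is not on the allowlist even though its source is a private range.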

Advanced Functionality

As mentioned, the ufw application is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding additional iptables commands not offered via the ufw command is a matter of editing various text files [1]:

  • /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use

  • /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command

  • /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command

  • /etc/ufw/sysctl.conf: kernel network tunables

  • /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)

  • /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL

  • /etc/ufw/after.init: initialization customization script run after ufw is initialized (ufw 0.34 and later)

  • /etc/ufw/before.init: initialization customization script run before ufw is initialized (ufw 0.34 and later)

After modifying any of the above files, activate the new settings with:

$ sudo ufw disable
$ sudo ufw enable

[1] On Ubuntu Core, these files are located under /var/lib/apps/ufw*/current. See 'ufw.doc ufw-on-snappy' on an Ubuntu Core system for details.

More Information

UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)