UncomplicatedFirewall
10083 → 11531
Comment: Added 22.04 (Jammy Jellyfish) information to "More Information"
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
https://blueprints.edge.launchpad.net/ubuntu/+spec/ubuntu-firewall https://wiki.ubuntu.com/UbuntuFirewall == Summary == '''Release Target''': Hardy '''Name''': TBD Create a tool for host-based iptables firewall configuration. This tool should provide an easy to use interface to the user, as well as support package integration and dynamic-detection of open ports. |
## page was renamed from UbuntuFirewall ||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;"><<TableOfContents>>|| |
Line 16: | Line 5: |
== Release Note == | == Introduction == The Linux kernel in Ubuntu provides a packet filtering system called `netfilter`, and the traditional interface for manipulating `netfilter` are the `iptables` suite of commands. `iptables` provide a complete firewall solution that is both highly configurable and highly flexible. |
Line 18: | Line 11: |
The tool will not affect users in the default installation as the tool will initially specify a default ACCEPT policy. | Becoming proficient in `iptables` takes time, and getting started with `netfilter` firewalling using only `iptables` can be a daunting task. As a result, many frontends for `iptables` have been created over the years, each trying to achieve a different result and targeting a different audience. |
Line 20: | Line 16: |
The Uncomplicated Firewall (`ufw`) is a frontend for `iptables` and is particularly well-suited for host-based firewalls. `ufw` provides a framework for managing `netfilter`, as well as a command-line interface for manipulating the firewall. `ufw` aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated `iptables` commands to help an administrator who knows what he or she is doing. `ufw` is an upstream for other distributions and graphical frontends. |
|
Line 21: | Line 24: |
== Rationale == | == UFW in Ubuntu == Ubuntu 8.04 LTS introduced `ufw`, and it is available by default in all Ubuntu installations after 8.04 LTS. |
Line 23: | Line 28: |
Ubuntu currently does not have an integrated firewall in its base installation. The tools that are available to create a firewall are largely based on GUI applications and/or designed for advanced users. Additionally, existing tools also do not provide package integration so that when a network daemon is installed, users have to determine on their own how to integrate the application with the firewall. |
=== Available Versions in supported versions of Ubuntu === * '''Ubuntu 12.04 ESM''': 0.31.1-1 * '''Ubuntu 14.04 ESM''': 0.34~rc-0ubuntu2 * '''Ubuntu 16.04 LTS''': 0.35-0ubuntu2 * '''Ubuntu 18.04 LTS''': 0.36-0ubuntu0.18.04.1 * '''Ubuntu 20.04''': 0.36-6 * '''Ubuntu 21.04''': 0.36-7.1 * '''Ubuntu 21.10''': 0.36.1-1, * '''Ubuntu Core''': 0.36pre |
Line 30: | Line 38: |
=== Features === `ufw` has the following features: |
|
Line 31: | Line 41: |
== Use Cases == | || '''Feature''' || '''0.31.1-1''' || '''0.34~rc-0ubuntu2''' || '''0.34-2''' || '''0.35''' || || default incoming policy (allow/deny) || yes || yes || yes || yes || || allow/deny incoming rules || yes || yes || yes || yes || || IPv6 (by default) || yes || yes || yes || yes || || status || yes || yes || yes || yes || || logging (on/off) || yes || yes || yes || yes || || extensible framework || yes || yes || yes || yes || || python 2.5 support || yes || no || no || no || || application integration || yes || yes || yes || yes* || || IPv4 rate limiting via 'limit' command || yes || yes || yes || yes || || internationalization || yes || yes || yes || yes || || multiport incoming rules || yes || yes || yes || yes || || debconf/preseeding || yes || yes || yes || yes || || default incoming policy (reject) || yes || yes || yes || yes || || reject incoming rules || yes || yes || yes || yes || || rule insertion || yes || yes || yes || yes || || log levels || yes || yes || yes || yes || || per rule logging || yes || yes || yes || yes || || outgoing filtering (on par with incoming) || yes || yes || yes || yes || || filtering by interface || yes || yes || yes || yes || || bash completion || yes || yes || yes || yes || || upstart support || yes || yes || yes || yes || || improved reporting || yes || yes || yes || yes || || reset command || yes || yes || yes || yes || || rsyslog support || yes || yes || yes || yes || || delete by rule number || yes || yes || yes || yes || || python 2.6 support || yes || yes || yes || yes || || 'show listening' report || yes || yes || yes || yes || || python 2.7 support || yes || yes || yes || yes || || increased protocol support (ah, esp) || yes || yes || yes || yes || || IPv6 rate limiting via 'limit' command || -- || yes || yes || yes || || python 3.2 support || -- || yes || yes || no || || python 3.3 support || -- || yes || yes || yes || || 'show added' report || -- || yes || yes || yes || || python 3.4 support || -- || yes || 
yes || yes || || before/after extensibility hooks || -- || yes || yes || yes || || routed packet filtering (FORWARD) || -- || yes || yes || yes || || systemd support || -- || -- || yes || yes || || increased protocol support (igmp, gre) || -- || -- || yes || yes || || python 3.5 support || -- || -- || yes || yes || || Snappy for Ubuntu Core support || -- || -- || -- || yes || || per rule comments || -- || -- || -- || yes || |
Line 33: | Line 84: |
Alice uses a desktop system and wants to add a firewall as another layer of protection. Alice can enable the firewall to provide this protection. When new packages are added, Alice can easily enable the services provided by these packages. |
* support for application integration is limited on Ubuntu Core at this time |
Line 38: | Line 86: |
Bob installs a server with one network interface and wants to add a firewall as another layer of protection. Bob can enable the firewall to provide this protection, as well as monitor the status of open ports. | == Basic Usage == Getting started with `ufw` is easy. For example, to enable firewall, allow ssh access, enable logging, and check the status of the firewall, perform:{{{ $ sudo ufw allow ssh/tcp $ sudo ufw logging on $ sudo ufw enable $ sudo ufw status Firewall loaded |
Line 40: | Line 95: |
== Assumptions == The tool will allow users to specify opening a port explicitly as well as choosing from a list of open ports. However, to fully integrate with the system, packages should provide meta-data regarding what protocol and port a particular package will need to operate with a firewall. The tool will still be useful during the transition when packages are not providing this information. == Design == The tool will manage /etc/<tool>/rules.ipv4 and /etc/<tool>/rules.ipv6. These files will be used with iptables-restore and ip6tables-restore respectively, and will be used on boot. The tool will manage /etc/<tool>/maps. This file keeps track of how the user specified a service to the tool. It is used only for the user interface and not used in policy generation. The package will provide /etc/network/if-up.d/<tool> to run iptables-restore and ip6tables-restore when 'lo' is brought up. External packages will add files to /usr/share/<tool>.d that describe the service. File will use .INI format. Will support comma-separated values for protocols and ports, ranges for ports, and multiple entries per file. Examples: {{{ [apache2] description: Apache Webserver protocols: tcp ports: 80 }}} {{{ [openvpn] description: OpenVPN server protocols: tcp,udp ports: 1194 |
To Action From -- ------ ---- 22:tcp ALLOW Anywhere |
Line 66: | Line 100: |
The firewall policy will be: 1. ACCEPT all on loopback 1. ACCEPT all outgoing 1. default policy of ACCEPT for incoming (configurable) 1. LOG all dropped packets (perhaps use --limit 3/min --limit-burst 10 or similar) |
This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking. |
Line 72: | Line 103: |
The tool provides the following interface: * Set default iptables policy ('enable' is default DROP and 'disable' is default ACCEPT): {{{ # <tool> enable|disable |
On Ubuntu Core, simply replace '`ufw`' with '`ufw.cmd`'. Eg: {{{ $ sudo ufw.cmd enable |
Line 77: | Line 107: |
* Toggle logging: {{{ # <tool> logging on|off |
=== Advanced Functionality === As mentioned, the `ufw` application is capable of doing anything that `iptables` can do. This is achieved by using several sets of rules files, which are nothing more than `iptables-restore` compatible text files. Fine-tuning `ufw` and/or adding additional `iptables` commands not offered via the `ufw` command is a matter of editing various text files^1^: * '''/etc/default/ufw''': high level configuration, such as default policies, IPv6 support and kernel modules to use * '''/etc/ufw/before[6].rules''': rules in these files are evaluated before any rules added via the `ufw` command * '''/etc/ufw/after[6].rules''': rules in these files are evaluated after any rules added via the `ufw` command * '''/etc/ufw/sysctl.conf''': kernel network tunables * '''/var/lib/ufw/user[6].rules''' or '''/lib/ufw/user[6].rules''' (0.28 and later): rules added via the `ufw` command (should not normally be edited by hand) * '''/etc/ufw/ufw.conf''': sets whether or not `ufw` is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL * '''/etc/ufw/after.init''': initialization customization script run after ufw is initialized (ufw 0.34 and later) * '''/etc/ufw/before.init''': initialization customization script run before ufw is initialized (ufw 0.34 and later) After modifying any of the above files, activate the new settings with:{{{ $ sudo ufw disable $ sudo ufw enable |
Line 81: | Line 127: |
* Set the default packages for new packages (dynamically detected ports will not be automatically allowed): {{{ # <tool> default allow|deny }}}'''NEEDS DISCUSSION''': This may be extraneous and confusing for the user. When a package is installed, it provides the meta-data, but rules.ipv4 and rules.ipv6 still have to be regenerated via '<tool>'. Could add debhelper hooks, or just default DENY for new services and warn when running '<tool> enable' that services have to be explicitly allowed for new packages. The second is probably fine for servers, but desktops would need a notification area alert when a new service is detected. |
^1^ On Ubuntu Core, these files are located under `/var/lib/apps/ufw*/current`. See '`ufw.doc ufw-on-snappy`' on an Ubuntu Core system for details. |
Line 85: | Line 129: |
* Accept or drop incoming packets to <service> (can see what services are available with 'status' (see below)). <service> can be specified via service name in /etc/services, 'protocol:port', or via package meta-data. 'allow' adds service entry to /etc/<tool>/maps and 'deny' removes service entry from /etc/<tool>/maps: {{{ # <tool> <service> allow|deny }}} |
== More Information == * Ubuntu 16.04 LTS (Xenial Xerus) * [[https://help.ubuntu.com/16.04/serverguide/firewall.html|Server Guide - Firewall]] * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html|ufw manual]] * [[http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html|ufw framework manual]] |
Line 89: | Line 135: |
* Display status of firewall and ports in the listening state, referencing /etc/<tool>/maps. Numbers in parenthesis are not displayed to user: {{{ # <tool> status apache2 DENY Apache Webserver (1) openssh-server ALLOW SSH Logins (2) pop3s ALLOW (3) named DENY WARNING: New service running (4) tcp:8082 DENY (5) tcp:25 ALLOW (6) ntp ALLOW* (7) imaps ALLOW** (8) tcp:23 ALLOW** (9) jabberd2 ALLOW** (10) |
* Ubuntu 18.04 LTS (Bionic Beaver) * [[https://help.ubuntu.com/18.04/serverguide/firewall.html|Server Guide - Firewall]] * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html|ufw manual]] * [[http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw-framework.8.html|ufw framework manual]] |
Line 102: | Line 140: |
* rule for removed package 'ntpd' ** services not running }}} 1. denied service referencing package meta-data 1. allowed service referencing package meta-data 1. allowed service referencing /etc/services 1. denied service referencing dynamically-detected service 1. denied service by specifying 'protocol:port' 1. allowed service referencing a package with supplied meta-data, but was replaced by one that does not 1. allowed service referencing removed package meta-data 1. allowed service referencing /etc/services but the service is not running 1. allowed service by specifying 'protocol:port' but the service is not running 1. allowed service referencing package meta-data but the service is not running |
* Ubuntu 20.04 (Focal Fossa) * [[https://ubuntu.com/server/docs/security-firewall | Ubuntu Server Guide - Firewall]] * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html|ufw manual]] * [[http://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html|ufw framework manual]] |
Line 116: | Line 145: |
== Migration == | * Ubuntu 21.04 (Hirsute Hippo) * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw.8.html|ufw manual]] * [[http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw-framework.8.html|ufw framework manual]] |
Line 118: | Line 149: |
As there is currently no default firewall configuration for Ubuntu, there are no mandatory migration issues. The only migration issue is getting network daemon packages to provide the necessary policy files to ubuntu-firewall. | * Ubuntu 21.10 (Impish Indri) * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw.8.html|ufw manual]] * [[http://manpages.ubuntu.com/manpages/impish/en/man8/ufw-framework.8.html|ufw framework manual]] |
Line 120: | Line 153: |
== Test/Demo Plan == TBD |
* Ubuntu 22.04 (Jammy Jellyfish) * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html|ufw manual]] * [[http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw-framework.8.html|ufw framework manual]] |
Line 123: | Line 157: |
== Outstanding Issues == | * Ubuntu Core * See '`ufw.doc`' on your Ubuntu Core system, specifically '`ufw.doc ufw-on-snappy | less`' to see how ufw differs on Ubuntu Core. |
Line 125: | Line 160: |
* UbuntuFirewallLongTerm describes some ideas for moving forward to extend functionality to include router/gateway configuration, NAT, QoS configuration and /proc adjustments (eg ip_forwarding, rp_filter, et al) | * [[https://help.ubuntu.com/community/UFW|Ubuntu Community Documentation on UFW]] |
Line 127: | Line 162: |
== BoF agenda and discussion == The above specification is based on the meeting from 2007/10/30. Originally this specification was based on UbuntuFirewallLongTerm, but it was decided that the ideas expressed in UbuntuFirewallLongTerm were Hardy+1 or longer. === Meeting Notes 2007/10/29 === * Goals: * flexible, comprehensive and easy to use firewall configuration * package integration * What this spec doesn't do * This spec does not address UI aspects * This spec is not about intrusion detection (ie, we don't notify user here) * Options * OpenBSD has a very convenient interface: http://www.openbsd.org/faq/pf/filter.html * With PF - human readable firewall config much fewer lines * nothing prevents user from muddling addresses and ports and zones and services, leading to support issues (user shouldn't touch metadata that package provides) * OpenBSD is last-match by default, iptables isn't * All configuration in one file (rules, /proc adjustments, QoS, etc), text file, easy to audit * Shorewall - shorewall.net: http://www.shorewall.net/shorewall_setup_guide.htm * Define zone in one file, access in another * Provides a way to protect you from locking yourself out (backup config) * Does not provide per package integration * Implementation is pretty horrid maze of shell scripts * Other * Packages: Firestarter (XML backend), Firehol, fwbuilder * SuSe had a series of twisty shell scripts that implemented a higher-level (very simple) - shell variables and such (SuSEfirewall2). 
Had a way to put crazy iptables stuff between the normal lanugage * DrakConf (mentioned outside of meeting) * Thoughts on desirable attributes * Packages need to provide metadata saying "I use this port", we need an interpreter * What about services that change ports inside configuration (/etc/apache2/ports.conf) * Proper handling when opening a port (not open everything for a moment...either deny drop or something similar when rerunning whole script) * declarative language * per package meta-data (.d directory style). * Apache package should be able to provide enough meta-data to shape a UI say "Apache on/off" * or "limit to internal" or similar * compile from an XML file, perhaps without that XML file being made by a GUI * Easy to admin by modifying config files on a commmand line * Mechanism to test before implementation, especially so you don't lock yourself out * Separation between the service definition and the zone. Seems that pf syntax doesn't provide this. * Ability to manually handle iptables stuff between other rules in the higher level language (so you can do insane things -- packages won't do insane things, but admins might) * User needs to be able to turn it all off (default should be off, but turn on easy) * Packages might break if unaware of firewall before Hardy * Simple examples for simple use cases * Also consider simple rules that don't break packages (eg slowing flooding of brute force attacks on port 22) * Dynamic discovering of services * Could look at services from packages * Default open/closed? Different for packages? Default policy is configurable. 
* Let user set default policy for new services (but allow tweaking per service) but need default for default * Firewall should probably not break apache by default install * Wouldn't need package metadata if we did it dynamically * but may be advantage to having it optional (eg install paranoid rules package, or a package defining a range of ports) "<ompaul> if you auto discover it you tell me what you found and I say yes or no and add a comment - if you want me to undestand what I am doing" * We are adding a new non-default (installing firewall package and then it) ---- CategorySpec |
* '''Specification''': UbuntuFirewallSpec * '''Code''': [[https://launchpad.net/ufw|https://launchpad.net/ufw]] * Graphic User Interface for UFW: [[https://help.ubuntu.com/community/Gufw|Gufw]]. |
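Review bot: the feature table in the Features hunk only has columns for 0.31.1-1, 0.34~rc-0ubuntu2, 0.34-2 and 0.35, while the version list added in the hunk just before it runs up to 0.36-0ubuntu0.18.04.1, 0.36-6, 0.36-7.1, 0.36.1-1 and 0.36pre, so none of the 0.36 packages now shipped in supported releases has a column and a reader cannot tell which rows (systemd support, per rule comments, python 3.5 support, and so on) apply to the release they run. Suggest adding a 0.36 column, or a sentence stating that the 0.35 column also covers the 0.36 packages. The same version list has a stray trailing comma after '0.36.1-1'.

Review bot: in the Basic Usage hunk the command `sudo ufw allow ssh/tcp` is written in port/protocol form, but the `ufw status` output that follows prints the resulting rule as `22:tcp`, so the command and the captured output use different notations. Suggest re-capturing `sudo ufw status` on one of the releases listed above so the notation in the command and the output agree, and stating which release the output comes from.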
Introduction
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. iptables provides a complete firewall solution that is both highly configurable and highly flexible.
Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.
UFW in Ubuntu
Ubuntu 8.04 LTS introduced ufw, and it is available by default in all Ubuntu installations after 8.04 LTS.
Available versions in supported Ubuntu releases
- Ubuntu 12.04 ESM: 0.31.1-1
- Ubuntu 14.04 ESM: 0.34~rc-0ubuntu2
- Ubuntu 16.04 LTS: 0.35-0ubuntu2
- Ubuntu 18.04 LTS: 0.36-0ubuntu0.18.04.1
- Ubuntu 20.04: 0.36-6
- Ubuntu 21.04: 0.36-7.1
- Ubuntu 21.10: 0.36.1-1
- Ubuntu Core: 0.36pre
Features
ufw has the following features:
Feature | 0.31.1-1 | 0.34~rc-0ubuntu2 | 0.34-2 | 0.35
--- | --- | --- | --- | ---
default incoming policy (allow/deny) | yes | yes | yes | yes
allow/deny incoming rules | yes | yes | yes | yes
IPv6 (by default) | yes | yes | yes | yes
status | yes | yes | yes | yes
logging (on/off) | yes | yes | yes | yes
extensible framework | yes | yes | yes | yes
python 2.5 support | yes | no | no | no
application integration | yes | yes | yes | yes*
IPv4 rate limiting via 'limit' command | yes | yes | yes | yes
internationalization | yes | yes | yes | yes
multiport incoming rules | yes | yes | yes | yes
debconf/preseeding | yes | yes | yes | yes
default incoming policy (reject) | yes | yes | yes | yes
reject incoming rules | yes | yes | yes | yes
rule insertion | yes | yes | yes | yes
log levels | yes | yes | yes | yes
per rule logging | yes | yes | yes | yes
outgoing filtering (on par with incoming) | yes | yes | yes | yes
filtering by interface | yes | yes | yes | yes
bash completion | yes | yes | yes | yes
upstart support | yes | yes | yes | yes
improved reporting | yes | yes | yes | yes
reset command | yes | yes | yes | yes
rsyslog support | yes | yes | yes | yes
delete by rule number | yes | yes | yes | yes
python 2.6 support | yes | yes | yes | yes
'show listening' report | yes | yes | yes | yes
python 2.7 support | yes | yes | yes | yes
increased protocol support (ah, esp) | yes | yes | yes | yes
IPv6 rate limiting via 'limit' command | -- | yes | yes | yes
python 3.2 support | -- | yes | yes | no
python 3.3 support | -- | yes | yes | yes
'show added' report | -- | yes | yes | yes
python 3.4 support | -- | yes | yes | yes
before/after extensibility hooks | -- | yes | yes | yes
routed packet filtering (FORWARD) | -- | yes | yes | yes
systemd support | -- | -- | yes | yes
increased protocol support (igmp, gre) | -- | -- | yes | yes
python 3.5 support | -- | -- | yes | yes
Snappy for Ubuntu Core support | -- | -- | -- | yes
per rule comments | -- | -- | -- | yes

* support for application integration is limited on Ubuntu Core at this time
Basic Usage
Getting started with ufw is easy. For example, to allow ssh access, enable logging, enable the firewall, and check its status, run:
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed with state tracking.
On Ubuntu Core, simply replace 'ufw' with 'ufw.cmd', e.g.:
$ sudo ufw.cmd enable
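A check a defender can run over `ufw status` output like the one above, added here as an example and not code from the ufw project: it parses the status table (accepting both the `22:tcp` spelling shown on this page and the `22/tcp` spelling printed by current releases) and flags any ALLOW or LIMIT rule for a port that is not on an expected list. `Rule`, `parse_status`, `unexpected_allows` and the sample status text are all constructed for this example.

```python
"""Parse `ufw status` output and flag allowed ports outside an expected set.
Assumes the To / Action / From layout shown on this page, with columns
padded by two or more spaces (which is how ufw prints its status table)."""
from __future__ import annotations

import re
from typing import NamedTuple


class Rule(NamedTuple):
    port: str      # "22", "80,443" or an application profile name
    proto: str     # "tcp", "udp" or "" for an application profile
    action: str    # ALLOW, DENY, REJECT or LIMIT
    source: str    # "Anywhere", "10.0.0.0/8", ...
    ipv6: bool


# A rule row: target column, action (possibly "ALLOW IN"), source column.
# Header and separator rows carry no ALLOW/DENY/REJECT/LIMIT token and are skipped.
ROW_RE = re.compile(
    r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?:\s(?:IN|OUT|FWD))?\s{2,}(?P<from>.+?)\s*$"
)

# Constructed sample, not captured from a real host. It mixes the legacy
# "port:proto" spelling shown on this page with the "port/proto" spelling
# of current releases, and includes an IPv6 row.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22:tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
5432/tcp                   ALLOW       10.0.0.0/8
3306/tcp                   DENY        Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
"""


def parse_status(text: str) -> list[Rule]:
    rules: list[Rule] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        to, src = m.group("to"), m.group("from")
        ipv6 = "(v6)" in to or "(v6)" in src
        to = to.replace("(v6)", "").strip()
        src = src.replace("(v6)", "").strip()
        # Accept both separators; "22/tcp on eth0" keeps only the protocol.
        sep = re.search(r"[:/]", to)
        if sep:
            port, proto = to[:sep.start()], to[sep.end():].split()[0]
        else:
            port, proto = to, ""  # application profile, e.g. "OpenSSH"
        rules.append(Rule(port, proto, m.group("action"), src, ipv6))
    return rules


def rule_key(r: Rule) -> str:
    return f"{r.port}/{r.proto}" if r.proto else r.port


def unexpected_allows(rules: list[Rule], expected: set[str]) -> list[Rule]:
    """ALLOW and LIMIT rows whose port/proto (e.g. "22/tcp") is not expected.
    DENY and REJECT rows never count as exposure."""
    return [r for r in rules
            if r.action in ("ALLOW", "LIMIT") and rule_key(r) not in expected]


if __name__ == "__main__":
    for r in unexpected_allows(parse_status(SAMPLE_STATUS), {"22/tcp", "80/tcp"}):
        print(f"unexpected: {rule_key(r)} {r.action} from {r.source}"
              f"{' (v6)' if r.ipv6 else ''}")
```

Run it against real output with `sudo ufw status | python3 check.py` after replacing the sample with `sys.stdin.read()`, keeping the expected set specific to the host's role.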
Advanced Functionality
Because ufw is a frontend for iptables, the ufw application is capable of doing anything that iptables can do. This is achieved by using several sets of rules files, which are nothing more than iptables-restore compatible text files. Fine-tuning ufw and/or adding iptables commands not offered via the ufw command is a matter of editing various text files [1]:
- /etc/default/ufw: high-level configuration, such as default policies, IPv6 support and kernel modules to use
- /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
- /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
- /etc/ufw/sysctl.conf: kernel network tunables
- /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
- /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
- /etc/ufw/after.init: initialization customization script run after ufw is initialized (ufw 0.34 and later)
- /etc/ufw/before.init: initialization customization script run before ufw is initialized (ufw 0.34 and later)
After modifying any of the above files, activate the new settings with:
$ sudo ufw disable
$ sudo ufw enable
[1] On Ubuntu Core, these files are located under /var/lib/apps/ufw*/current. See 'ufw.doc ufw-on-snappy' on an Ubuntu Core system for details.
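An audit of the two high-level files listed above, /etc/default/ufw and /etc/ufw/ufw.conf, added here as an example and not code from the ufw project: it reads their KEY="VALUE" lines and reports settings that weaken the firewall, with a constructed weak pair of files beside a hardened pair. The key names (DEFAULT_INPUT_POLICY, DEFAULT_FORWARD_POLICY, IPV6, ENABLED, LOGLEVEL) are assumed from current releases of those files; `parse_kv` and `audit` are names chosen for this example.

```python
"""Audit ufw's high-level configuration files for weak settings."""
from __future__ import annotations

import re

# KEY=VALUE or KEY="VALUE", with an optional trailing "# comment".
KV_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_kv(text: str) -> dict[str, str]:
    """Shell-style key/value parser; comment and blank lines never match."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


# (file, key, acceptable values, what a different value means)
CHECKS = [
    ("default", "DEFAULT_INPUT_POLICY", {"DROP", "REJECT"},
     "incoming traffic that no rule allows is accepted"),
    ("default", "DEFAULT_FORWARD_POLICY", {"DROP", "REJECT"},
     "the host forwards packets between interfaces"),
    ("default", "IPV6", {"yes"},
     "no ip6tables rules are loaded, so IPv6 traffic is not filtered at all"),
    ("conf", "ENABLED", {"yes"},
     "the firewall is not loaded at boot"),
    ("conf", "LOGLEVEL", {"low", "medium", "high", "full"},
     "blocked packets are not logged, leaving nothing to detect from"),
]


def audit(default_ufw: str, ufw_conf: str) -> list[str]:
    """One finding per weak or missing setting; an empty list means all pass."""
    files = {"default": parse_kv(default_ufw), "conf": parse_kv(ufw_conf)}
    findings = []
    for which, key, ok, why in CHECKS:
        value = files[which].get(key)  # None when the key is absent
        if value not in ok:
            findings.append(f"{key}={value!r}: {why} (expected one of {sorted(ok)})")
    return findings


# Constructed samples (not copied from any system): weak files beside hardened ones.
WEAK_DEFAULT = 'IPV6=no\nDEFAULT_INPUT_POLICY="ACCEPT"\nDEFAULT_FORWARD_POLICY="ACCEPT"\n'
WEAK_CONF = "ENABLED=no\nLOGLEVEL=off\n"
HARDENED_DEFAULT = ('IPV6=yes\nDEFAULT_INPUT_POLICY="DROP"\nDEFAULT_OUTPUT_POLICY="ACCEPT"\n'
                    'DEFAULT_FORWARD_POLICY="DROP"  # a host, not a router\n')
HARDENED_CONF = "ENABLED=yes\nLOGLEVEL=low\n"

if __name__ == "__main__":
    for finding in audit(WEAK_DEFAULT, WEAK_CONF):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_DEFAULT, HARDENED_CONF))
```

On a live host, feed the real files with `audit(open("/etc/default/ufw").read(), open("/etc/ufw/ufw.conf").read())`; remember that edits to these files only take effect after the disable/enable cycle shown above.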
More Information
- Ubuntu 16.04 LTS (Xenial Xerus)
  - Server Guide - Firewall: https://help.ubuntu.com/16.04/serverguide/firewall.html
  - ufw manual: http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html
- Ubuntu 18.04 LTS (Bionic Beaver)
  - Server Guide - Firewall: https://help.ubuntu.com/18.04/serverguide/firewall.html
  - ufw manual: http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/bionic/en/man8/ufw-framework.8.html
- Ubuntu 20.04 (Focal Fossa)
  - Ubuntu Server Guide - Firewall: https://ubuntu.com/server/docs/security-firewall
  - ufw manual: http://manpages.ubuntu.com/manpages/focal/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/focal/en/man8/ufw-framework.8.html
- Ubuntu 21.04 (Hirsute Hippo)
  - ufw manual: http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/hirsute/en/man8/ufw-framework.8.html
- Ubuntu 21.10 (Impish Indri)
  - ufw manual: http://manpages.ubuntu.com/manpages/impish/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/impish/en/man8/ufw-framework.8.html
- Ubuntu 22.04 (Jammy Jellyfish)
  - ufw manual: http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html
  - ufw framework manual: http://manpages.ubuntu.com/manpages/jammy/en/man8/ufw-framework.8.html
- Ubuntu Core
  - See 'ufw.doc' on your Ubuntu Core system, specifically 'ufw.doc ufw-on-snappy | less', to see how ufw differs on Ubuntu Core.
- Ubuntu Community Documentation on UFW: https://help.ubuntu.com/community/UFW
- Specification: UbuntuFirewallSpec
- Code: https://launchpad.net/ufw
- Graphical user interface for UFW: Gufw (https://help.ubuntu.com/community/Gufw)
UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)