UncomplicatedFirewall
Introduction
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. iptables provides a complete firewall solution that is both highly configurable and highly flexible.
Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.
UFW in Ubuntu
Ubuntu 8.04 LTS introduced ufw, and it is installed by default in all Ubuntu releases from 8.04 LTS onward. Note that it is installed but not enabled by default: until "ufw enable" is run, no ufw rules are loaded.
Available versions in supported Ubuntu releases
- Ubuntu 10.04 LTS: 0.30pre1-0ubuntu2
- Ubuntu 12.04 LTS: 0.31.1-1
- Ubuntu 12.10: 0.33-0ubuntu2.1
- Ubuntu 13.10: 0.33-0ubuntu4
- Ubuntu 14.04 LTS: 0.34~rc-0ubuntu2
Features
ufw has the following features:
Feature | 10.04 LTS | 12.04 LTS | 12.10 | 13.10 | 14.04 LTS
--- | --- | --- | --- | --- | ---
default incoming policy (allow/deny) | yes | yes | yes | yes | yes
allow/deny incoming rules | yes | yes | yes | yes | yes
IPv6 | yes | yes (1) | yes (1) | yes (1) | yes (1)
status | yes | yes | yes | yes | yes
logging (on/off) | yes | yes | yes | yes | yes
extensible framework | yes | yes | yes | yes | yes
python 2.5 support | yes | yes | no | no | no
application integration | yes | yes | yes | yes | yes
IPv4 rate limiting via 'limit' command | yes | yes | yes | yes | yes
internationalization | yes | yes | yes | yes | yes
multiport incoming rules | yes | yes | yes | yes | yes
debconf/preseeding | yes | yes | yes | yes | yes
default incoming policy (reject) | yes | yes | yes | yes | yes
reject incoming rules | yes | yes | yes | yes | yes
rule insertion | yes | yes | yes | yes | yes
log levels | yes | yes | yes | yes | yes
per rule logging | yes | yes | yes | yes | yes
outgoing filtering (on par with incoming) | yes | yes | yes | yes | yes
filtering by interface | yes | yes | yes | yes | yes
bash completion | yes | yes | yes | yes | yes
upstart support | yes | yes | yes | yes | yes
improved reporting | yes | yes | yes | yes | yes
reset command | yes | yes | yes | yes | yes
rsyslog support | yes | yes | yes | yes | yes
delete by rule number | yes | yes | yes | yes | yes
python 2.6 support | yes | yes | yes | yes | yes
'show listening' report | -- | yes | yes | yes | yes
python 2.7 support | -- | yes | yes | yes | yes
IPv6 rate limiting via 'limit' command | -- | -- | yes | yes | yes
python 3.2 support | -- | -- | yes | yes | yes
python 3.3 support | -- | -- | yes | yes | yes
'show added' report | -- | -- | yes | yes | yes
python 3.4 support | -- | -- | -- | -- | yes
before/after extensibility hooks | -- | -- | -- | -- | yes
routed packet filtering (FORWARD) | -- | -- | -- | -- | yes

(1) IPv6 is enabled by default on these releases.
Basic Usage
Getting started with ufw is easy. For example, to allow ssh access, enable logging, enable the firewall, and check its status, run:
$ sudo ufw allow ssh/tcp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
This sets up a default deny (DROP) policy for incoming connections, with all outbound connections allowed; connection tracking means the replies to those outbound connections are accepted as well. Keep the order shown: add the ssh rule before running "ufw enable" when administering the host over ssh, otherwise the default deny policy cuts off your own session as soon as the firewall comes up.
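The same bring-up as a reusable script, added here as an example rather than taken from the ufw page or project. It wraps every ufw call in a run() helper so the sequence can be printed (DRY_RUN=1) and checked before it is executed as root, rate-limits ssh with the 'limit' command instead of plainly allowing it, and enables the firewall only after the ssh rule is in place. The DRY_RUN variable, the run() helper and the example ports are assumptions of this script, not ufw features.

```shell
#!/bin/sh
# Added example (not from the ufw page or project): bring up a host firewall
# with ufw in an order that is safe to run over a remote ssh session.
# Every ufw call goes through run(); set DRY_RUN=1 to print the commands
# instead of executing them (also lets the script be checked without root).

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# setup_host_firewall [PORT/PROTO ...]
# 1. default policies: drop incoming, allow outgoing (the ufw framework
#    accepts replies to outbound connections via connection tracking)
# 2. ssh is rate-limited: 'limit' denies a source that initiates 6 or more
#    connections within 30 seconds, which blunts password brute forcing
# 3. any extra services given on the command line (e.g. 80/tcp 443/tcp)
# 4. logging on
# 5. enable LAST, so the default deny never races the ssh rule;
#    --force skips the interactive "may disrupt existing ssh connections" prompt
# 6. print the resulting rule set for review
setup_host_firewall() {
    run default deny incoming
    run default allow outgoing
    run limit 22/tcp
    for svc in "$@"; do
        run allow "$svc"
    done
    run logging on
    run --force enable
    run status verbose
}

# Example invocation (hypothetical web host):
#   DRY_RUN=1 setup_host_firewall 80/tcp 443/tcp   # review the command list
#   setup_host_firewall 80/tcp 443/tcp             # apply it
```

Run it once with DRY_RUN=1 and read the printed command list; "ufw --force enable" must be the second to last line, after the "limit 22/tcp" rule.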
Advanced Functionality
As mentioned above, the ufw framework can express anything that iptables can, because it is built on several sets of rules files that are nothing more than iptables-restore compatible text files. Fine-tuning ufw, or adding iptables rules that the ufw command does not offer, is a matter of editing these text files:
- /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
- /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
- /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command
- /etc/ufw/sysctl.conf: kernel network tunables
- /var/lib/ufw/user[6].rules or /lib/ufw/user[6].rules (0.28 and later): rules added via the ufw command (should not normally be edited by hand)
- /etc/ufw/ufw.conf: sets whether or not ufw is enabled on boot, and in 9.04 (ufw 0.27) and later, sets the LOGLEVEL
- /etc/ufw/after.init: initialization customization script run after ufw is initialized (ufw 0.34 and later)
- /etc/ufw/before.init: initialization customization script run before ufw is initialized (ufw 0.34 and later)
After modifying any of the above files, activate the new settings with:
$ sudo ufw disable
$ sudo ufw enable
Because before.rules and after.rules are iptables-restore input, a syntax error in them prevents the firewall from loading, so keep a copy of the working file before editing and check that "ufw enable" reports the firewall as active afterwards.
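The following is an added example of editing /etc/ufw/before.rules from a script; it is not code from the ufw page or project. It inserts a rule as the last line of the *filter section, immediately before that section's COMMIT line, which is where a hand-added iptables rule must go for iptables-restore to accept it, and it refuses to add the same line twice so it can be re-run safely. It assumes the stock file layout (a *filter table closed by COMMIT) and uses the ufw-before-input chain that the stock file defines; the 203.0.113.0/24 source range in the usage comment is a hypothetical example.

```shell
#!/bin/sh
# Added example (not from the ufw page or project): idempotently insert an
# iptables rule into a ufw before.rules file (iptables-restore format).
# Assumes the stock layout: "*filter" ... rules ... "COMMIT".
#
# add_before_rule FILE 'RULE'
# Return codes: 0 inserted, 1 rule already present, 2 no *filter/COMMIT
# section found or temp file failure (FILE is left untouched in both
# non-zero cases). Backslashes in RULE are interpreted by awk -v, so double
# them if a rule needs a literal backslash.
add_before_rule() {
    abr_file=$1
    abr_rule=$2
    # exact whole-line match: re-running the script must not stack rules
    if grep -qxF -- "$abr_rule" "$abr_file"; then
        return 1
    fi
    abr_tmp=$(mktemp) || return 2
    if ! awk -v rule="$abr_rule" '
        /^\*filter$/ { in_filter = 1 }
        in_filter && /^COMMIT$/ { print rule; in_filter = 0; inserted = 1 }
        { print }
        END { if (!inserted) exit 2 }
    ' "$abr_file" > "$abr_tmp"; then
        rm -f "$abr_tmp"
        return 2
    fi
    # cat into the original rather than mv, so mode and ownership of the
    # rules file (root-owned, 0640 on Ubuntu) are preserved
    cat "$abr_tmp" > "$abr_file" && rm -f "$abr_tmp"
}

# Usage (as root), then reactivate ufw so the file is re-read:
#   add_before_rule /etc/ufw/before.rules \
#       '-A ufw-before-input -s 203.0.113.0/24 -j DROP' \
#   && ufw disable && ufw enable
```

Rules placed in before.rules are evaluated ahead of everything added with the ufw command, so a DROP here wins over any later "ufw allow"; that is the right place for a blocklist, but also the reason to review the file carefully before the disable/enable cycle.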
More Information
- Ubuntu 10.04 LTS (Lucid Lynx)
- Ubuntu 12.04 LTS (Precise Pangolin)
- Ubuntu 12.10 (Quantal Quetzal)
- Ubuntu 13.10 (Saucy Salamander)
- Ubuntu 14.04 LTS (Trusty Tahr)
Specification: UbuntuFirewallSpec
Graphic User Interface for UFW: Gufw.
UncomplicatedFirewall (last edited 2023-10-18 01:29:55 by sbeattie)