
My Mom Learns the “Uncomplicated Firewall” on Ubuntu 8.04

I was recently excited to see that Ubuntu has included an “Uncomplicated Firewall” (ufw) in the Hardy Heron release. The timing was perfect, since my mom has just had Ubuntu 8.04 put on her laptop and I wanted to be sure she had a firewall protecting it. She has struggled with Linux and with making the transition from Win…whatever, so I have been searching for simple solutions. Ubuntu, known for its simple solutions, has saved the day again by simplifying security for users. Here is the simple process and a record of how quickly my mom picks this simple stuff up. Click Here for the BeginLinux.com ufw Tutorial.

“Mom…I have a simple solution for the security on your computer!”

“Oh great I know you have told me that Linux is soooo simple, I need an easy uncomplicated way to make sure I don’t get hacked. What do I need to do?”


“Ok mom, sit down, fire up that puppy and let’s get to work.”

“I am so pleased you are going to help me, that stupid firewall you showed me before was just too difficult for me. I remember I had to:

sudo apt-get install lokkit

That command was tough alone but then picking the ports that I should have open after the install was confusing since I had to know that remote support from you was coming in on port 22. And I had to click OK…

Red Hat Firewall

Besides that worthless firewall said “Red Hat” on it and I certainly do not need that on my Ubuntu machine!”

“Yeah, Mom, I know the Lokkit firewall was complicated, two steps is just too much to ask….we will be working with the ‘Uncomplicated Firewall’ so you can just take it easy…. Here we go, now open up a terminal.”

“Terminal who?”

“Mom, this is really simple, just open up the command line terminal, Applications/Accessories/Terminal…yea now you got it…good we are almost there. Now just check the commands that you can run by typing ufw”

Usage: ufw COMMAND

Commands:
 enable                  Enables the firewall
 disable                 Disables the firewall
 default ARG             set default policy to ALLOW or DENY
 logging ARG             set logging to ON or OFF
 allow|deny RULE         allow or deny RULE
 delete allow|deny RULE  delete the allow/deny RULE
 status                  show firewall status
 version                 display version information

“What is all this stuff? And what do I need this for…am I done?”

“Well no mom, this is information about how to set up rules.”

“Huh…”

“Rules mom….simple uncomplicated rules for how it will interface with iptables on the INPUT, OUTPUT and FORWARD chains…it’s easy.”

“I don’t want no rules…I don’t want to learn no rules and I DON’T WANT TO HEAR ABOUT EASY RULES!!!!”

“Mom….look just turn it on.”

“My computer is on…look at the screen why do you think I am typing….see.”

“No mom I mean turn on the uncomplicated firewall.”

“You mean I have to turn it on…why do I have to turn it on, where is the button?”

“Sorry, the developers thought you might have another firewall running and that this might interfere with the rules you had written, so it is off when you first start Ubuntu 8.04. All you have to do is run this command to start it:”

ufw enable

“OK now it is on…”

“Are we done NOW?”

“No mom you need to set a default deny policy for your chains. See just do this:”

ufw default deny

Default policy changed to ‘deny’ (be sure to update your rules accordingly)

“Deny…deny what and who….I just want a simple uncomplicated firewall thingy”

“OK mom almost done. Now you need to type this command so you can see your rules. See, your Chain INPUT policy is DROP by default and your FORWARD chain policy is DROP by default.”

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK FORWARD]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-input (1 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK INPUT]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK NOT-TO-ME]: '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-forward (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

“WHAT????????…..Is this Chineeese…what kind of joke is this…I am too old to learn a new language and what is the OUTPUT…it is not DROP it is ALLOW, what is the Default DROP anyway? And why am I allowing people to get into my computer…is this really safe?”

“Easy Mom, it is really easy. OK, so the default DROP is really not a default DROP for all the chains, just the INPUT and FORWARD chains.”

“Who am I FORWARDing stuff to, does that go to you?”

“Well no Mom…this is really if you have two network cards, one was eth0 and the second was eth1, and you were FORWARDing traffic to an internal network, maybe using NAT and having a firewall on the outside, and you need to make sure that your /proc/sys/net/ipv4/ip_forward is 1 so that you can transfer traffic…..”

“Oh stop that mumble jumble garbage…this is supposed be easy..am I done?”

“Well no, just a few more steps, you need to write a rule that allows me to connect to your laptop for support when you need it. Just use the ufw command to allow a connection from my computer at 192.168.5.100 like this:

# ufw allow from 192.168.5.100 port 22

“Now mom you can view your changes with the command:

# iptables -L ufw-user-input -n
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.5.100        0.0.0.0/0           tcp spt:22
ACCEPT     udp  --  192.168.5.100        0.0.0.0/0           udp spt:22

“And now look it is simple to add VNC support as well.”

# ufw allow from 192.168.5.100 port 5900
Rule added

“You’re kidding me right…what is this Halloween trick and treat? What is the gibberish…why don’t I just write 123456789….port what is this a fishing adventure? I told you I was sick and tired of your IT Techie baloney … I HAVE NO IDEA WHAT YOU ARE TALKING ABOUT YOU MORON!!!!!!”

“Mom, please don’t start that again, this really is not complicated, just type what I wrote on the notepad. OK, I will leave as soon as we are done. This really is simple…”

“Idiot, there now I typed your stupid RULE for your shipping ports.”

“Great Mom, now check your status with this command:”

# ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
Anywhere                   ALLOW   192.168.5.100 22:tcp
Anywhere                   ALLOW   192.168.5.100 22:udp
Anywhere                   ALLOW   192.168.5.100 5900:tcp
Anywhere                   ALLOW   192.168.5.100 5900:udp
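A caveat on the rules above, with an added example that is mine and not part of the original post. The spt:22 and spt:5900 in the chain listing show that `ufw allow from 192.168.5.100 port 22` matches packets whose source port is 22. An SSH or VNC client on the support machine connects from a random high port to port 22 or 5900 on the laptop, so that rule never matches it (SSH keeps working here only because the full listing earlier already had an ACCEPT for tcp dpt:22 from anywhere). What an inbound service rule needs is the destination-port form of the extended syntax, `to any port 22`, which I take from the ufw 0.16 man page as an assumption, restricted to TCP since neither service uses UDP. The script below applies that rule set (or just prints it when DRY_RUN is set) and includes a small check that reads an `iptables -L ufw-user-input -n` listing and flags ACCEPT rules keyed only on a source port. The support host address is the one from the post; everything else is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Rules that let one support machine
# reach sshd and a VNC server on this laptop. The 'proto ... from ... to any
# port ...' form is ufw 0.16's extended syntax as I read it from its man page
# (an assumption). 'ufw allow from HOST port 22' matches SOURCE port 22, which
# is why the post's chain listing shows spt:22; 'to any port 22' matches the
# DESTINATION port, which is what an inbound service rule needs.

SUPPORT_HOST=192.168.5.100   # the support machine named in the post

# apply_rules: apply the rule set, or only print it when DRY_RUN is set.
# The rules are added before 'enable' so the policy never goes to deny with
# no way in for the support machine.
apply_rules() {
    run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }
    run ufw default deny
    run ufw allow proto tcp from "$SUPPORT_HOST" to any port 22     # ssh
    run ufw allow proto tcp from "$SUPPORT_HOST" to any port 5900   # vnc
    run ufw enable
}

# rule_kind LINE: for one line of 'iptables -L ufw-user-input -n' output, say
# whether the rule is keyed on the destination port, the source port, or neither.
rule_kind() {
    case "$1" in
        *" dpt:"*) echo destination ;;
        *" spt:"*) echo source ;;
        *)         echo none ;;
    esac
}

# check_chain: read a chain listing on stdin and return 1, printing the
# offending lines, if any ACCEPT rule is keyed only on a source port.
# Usage: iptables -L ufw-user-input -n | check_chain
check_chain() {
    bad=$(grep '^ACCEPT' | grep ' spt:' | grep -v ' dpt:' || true)
    if [ -n "$bad" ]; then
        printf 'ACCEPT rules keyed only on a source port:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone: 'DRY_RUN=1 sh thisfile.sh' prints the commands instead of
# running them; without DRY_RUN the functions are defined for sourcing.
if [ -n "$DRY_RUN" ]; then
    apply_rules
fi
```

Run it as root without DRY_RUN to apply the rules; the check is meant to be run afterwards against the live chain, and it will fail loudly on the two spt rules shown above.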

"What ...status, I thought the default was DENY and why is there an Anywhere, does that mean that anyone can get into my computer and who are tcp and udp ...are these your friends?"

"Come now mom, this is not complicated, just stick with me. tcp and udp are protocols, they are just ways to communicate and they connect on ports, it is really simple stuff. No, don't say anything, just relax."

"Are we done?"

"No not yet, let's just go over how you can check your logs for intrusion attempts and failed port connections in case you need to edit your RULES...OK? Just use this command to see the end of the log:"

 tail /var/log/messages
Apr 22 14:36:18 ub3 kernel: [28092.908356] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38470 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:20 ub3 kernel: [28094.761693] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38471 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:22 ub3 kernel: [28097.108344] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38472 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:27 ub3 kernel: [28101.809296] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38473 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0

"See there you can see your UFW is working as it has already blocked input ...see you are safe."

"Safe from who? Whose stupid idea is this anyway? Simple ...uncomplicated firewall...who are you kidding! I'm sick and tired of your Techno Blah Simple Uncomplicated Stupidity!!!!!!!!!!

WHERE IS MY WINDOWS VISTA DISK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
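The log lines shown above deserve a second look before anyone reads them as intrusion attempts. Every one of them comes from source port 80 with the ACK and PSH flags set: that is late data from a web server (64.233.183.17 sits in Google's 64.233.160.0/19 block) for a connection the laptop had already closed, which conntrack no longer counts as ESTABLISHED, so ufw logged and dropped it. A fresh inbound probe looks different: a bare SYN for TCP, or a datagram to a port nothing listens on for UDP. The shell script below, an added example that is not part of the original post, classifies `[UFW BLOCK INPUT]` lines on that basis. The first four sample lines are the ones from the post; the last two are constructed for the example, and the source host 192.168.5.77 and its MAC address are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Triage for ufw's kernel log lines
# on Ubuntu 8.04, which land in /var/log/messages with a "[UFW BLOCK INPUT]:"
# prefix. A blocked packet is only interesting if it could have started a
# connection: a TCP SYN without ACK, or a UDP datagram. ACK/PSH packets from a
# well-known source port are leftovers of a conversation this host already closed.

# Sample input. The first four lines are the ones shown in the post; the last
# two are constructed (source 192.168.5.77 and its MAC address are made up).
SAMPLE_LOG='Apr 22 14:36:18 ub3 kernel: [28092.908356] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38470 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:20 ub3 kernel: [28094.761693] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38471 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:22 ub3 kernel: [28097.108344] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38472 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:27 ub3 kernel: [28101.809296] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38473 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:40:01 ub3 kernel: [28315.000001] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:1c:c0:aa:bb:cc:08:00 SRC=192.168.5.77 DST=192.168.5.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43121 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:40:02 ub3 kernel: [28316.000001] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:1c:c0:aa:bb:cc:08:00 SRC=192.168.5.77 DST=192.168.5.12 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=43122 DPT=161 LEN=12'

# field KEY LINE: print the value of KEY=value in LINE (empty if absent).
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# classify LINE: "probe" for a new-connection attempt, "stale" for an
# out-of-state remnant of an old connection, "other" for anything else,
# "ignore" for lines that are not ufw INPUT blocks at all.
classify() {
    case "$1" in
        *"[UFW BLOCK INPUT]"*) ;;
        *) echo ignore; return ;;
    esac
    case "$(field PROTO "$1")" in
        TCP)
            # The kernel prints TCP flags as separate words between RES= and URGP=.
            case "$1" in
                *" ACK "*) echo stale ;;   # ACK set: part of an old conversation
                *" SYN "*) echo probe ;;   # bare SYN: someone trying to connect
                *)         echo other ;;
            esac ;;
        UDP) echo probe ;;                 # UDP to a closed port: treat as a probe
        *)   echo other ;;
    esac
}

# summarize: read log lines on stdin, print one line per probe and the totals.
summarize() {
    probes=0; stale=0
    while IFS= read -r line; do
        case "$(classify "$line")" in
            probe) probes=$((probes + 1))
                   echo "probe from $(field SRC "$line") to port $(field DPT "$line")/$(field PROTO "$line")" ;;
            stale) stale=$((stale + 1)) ;;
        esac
    done
    echo "probes=$probes stale=$stale"
}

# Stand-alone run over the sample. For real data, source this file and run:
#   grep 'UFW BLOCK INPUT' /var/log/messages | summarize
printf '%s\n' "$SAMPLE_LOG" | summarize
```

On the sample it reports the two constructed lines as probes and the four lines from the post as stale, which is the distinction that tells you whether a rule needs changing or whether the firewall is just tidying up after the browser.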
  1. nik
    April 28, 2008 at 6:56 pm

    Hello, how can I get access to Yahoo? Right now I can only browse the Google website.

  2. April 29, 2008 at 12:46 pm

    It really shouldn’t matter as the firewall will not stop one site over the other.

  3. Rich
    April 29, 2008 at 1:54 pm

    Hello all. This is a great start for me so thank you very much for taking time to detail how to use ufw, but I’m still rather clueless and would love a bit more instruction from anyone willing to help a complete noob. Any takers?

    1. I got ufw enabled and the response said, “Firewall started and enabled on system startup” … but it doesn’t automatically start for me on start-up. Not sure what’s up. I’m doing it with the same account I installed and named as the first account … using sudo ufw enable.

    2. I used the command, sudo ufw default deny, and totally hosed myself … unable to surf the web. So, my question is to request that you provide a bit more instruction for a noob like myself, to understand what I need to do to get my browser browsing, and my e-mail mailing.

    3. Also, you note that the command, “sudo ufw default deny” fails to lock down the outgoing ports … can you be more specific so as to include what else needs to be disabled?

    4. Finally, even when ufw is enabled, as soon as I run “lokkit” it disables my ufw firewall … so what gives? Are they not compatible? Or is ufw simply not recognizing lokkit’s changes to the iptables?

    5. Can you give a list of common iptables configuration string changes for the common stuff, like you did for port 22?

    Again, thanks for the great post! I hope I don’t come across critical … but it would be really helpful if this information was added. Thanks again! Best regards, Rich

  4. April 29, 2008 at 4:23 pm

    Easy stuff first. Lokkit and ufw are both front ends to iptables. So you have to choose which one you will use, you cannot use both. That is why they are incompatible.

    I am fully developing a tutorial for ufw at beginlinux.com

    http://beginlinux.com/index.php/server_training/server-managment-topics/116-server-management/983-ubuntu-804-uncomplicated-firewall

  5. April 29, 2008 at 4:32 pm

    When you run sudo ufw enable the firewall should be running. You can check with the command:

    sudo iptables -L

    You should see output like this. This will indicate that it is running.

    Chain INPUT (policy DROP)
    target prot opt source destination
    ufw-before-input all — anywhere anywhere
    ufw-after-input all — anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-forward all — anywhere anywhere
    ufw-after-forward all — anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-output all — anywhere anywhere
    ufw-after-output all — anywhere anywhere
    —cut—

    When you start the computer again run this command:

    sudo iptables -L

    to verify that it is running which it should be.

  6. April 29, 2008 at 4:36 pm

    This command:

    sudo ufw default deny

    Should not impact any connections that you initiate to the Internet. You must be running a command incorrectly as I have tested this on multiple machines and it always works the same. If you have problems run the command:

    sudo iptables -L

    and post the output so I can see it.

  7. Rich
    May 1, 2008 at 10:07 am

    Okay Andreas(?) … Thanks for your time on this … I’ll take a look when I get home tonight. Thanks again. -Rich

  8. robin
    June 10, 2008 at 12:30 pm

    I love this article,
    I upgraded to ubuntu 8.04 and my computer always starts with my firewall disabled, even though it is in the /etc/rc5.d/ and set to start.

    I have real sympathy for your mom,
    as an IT professional I still have to type either, sudo /etc/init.d/ufw stop or sudo ufw enable in order to get network action going on startup. I’ve tried investigating this on more than one occasion and not once have I had the feeling that the process is uncomplicated. I’ve been using linux on and off since 1998, and ubuntu since 2006 and all I can say is that I am mildly annoyed with the so called ufw (I have also attempted to remove it, but alas no love)

    I’m sure I’ll get lambasted by all of the l33t Linux h4x0r5 for being such a dumbass for not knowing how to set up iptables, but come on, does it really have to require a flippin’ textbook?

  9. sip
    November 27, 2008 at 5:51 pm

    Dude, any idea why ufw would block all of my outbound internet connection from my server by default? I’ve denied all incoming connections by default apart from SSH, Web and FTP, but not touched outbound connections. I know it’s ufw blocking it for certain because when I disable it I can access the internet once again.

