
My Mom Learns the “Uncomplicated Firewall” on Ubuntu 8.04

April 23, 2008 10 comments

I was recently excited to see that Ubuntu has included an “Uncomplicated Firewall” in the Hardy Heron release. This was perfect, since my mom has just had Ubuntu 8.04 installed on her laptop and I wanted to be sure she had a firewall protecting it. She has struggled with Linux and with making the transition from Win…whatever, so I have been searching for simple solutions. Ubuntu, known for its simple solutions, has saved the day again by simplifying security for users. Here is the simple process, and a record of how quickly my mom picks this simple stuff up. Click Here for the BeginLinux.com ufw Tutorial.

“Mom…I have a simple solution for the security on your computer!”

“Oh great I know you have told me that Linux is soooo simple, I need an easy uncomplicated way to make sure I don’t get hacked. What do I need to do?”


“Ok mom, sit down, fire up that puppy and let’s get to work.”

“I am so pleased you are going to help me, that stupid firewall you showed me before was just too difficult for me. I remember I had to:

sudo apt-get install lokkit

That command was tough alone but then picking the ports that I should have open after the install was confusing since I had to know that remote support from you was coming in on port 22. And I had to click OK…

Red Hat Firewall

Besides that worthless firewall said “Red Hat” on it and I certainly do not need that on my Ubuntu machine!”

“Yea mom, I know the Lokkit firewall was complicated, two steps is just too much to ask….we will be working with the ‘Uncomplicated Firewall’ so you can just take it easy…. Here we go now open up a terminal.”

“Terminal who?”

“Mom, this is really simple, just open up the command line terminal, Applications/Accessories/Terminal…yea now you got it…good we are almost there. Now just check the commands that you can run by typing ufw”

Usage: ufw COMMAND

Commands:
enable Enables the firewall
disable Disables the firewall
default ARG set default policy to ALLOW or DENY
logging ARG set logging to ON or OFF
allow|deny RULE allow or deny RULE
delete allow|deny RULE delete the allow/deny RULE
status show firewall status
version display version information

“What is all this stuff? And what do I need this for…am I done?”

“Well no mom, this is information about how to set up rules.”

“Huh…”

“Rules mom….simple uncomplicated rules for how it will interface with iptables on the INPUT, OUTPUT and FORWARD chains…it’s easy.”

“I don’t want no rules…I don’t want to learn no rules and I DON’T WANT TO HEAR ABOUT EASY RULES!!!!”

“Mom….look just turn it on.”

“My computer is on…look at the screen why do you think I am typing….see.”

“No mom I mean turn on the uncomplicated firewall.”

“You mean I have to turn it on…why do I have to turn it on, where is the button?”

“Sorry, the developers thought you might have another firewall running and this might interfere with the rules that you had written, so it is off when you first start Ubuntu 8.04. All you have to do is this command to start it:”

ufw enable

“OK now it is on…”

“Are we done NOW?”

“No mom you need to set a default deny policy for your chains. See just do this:”

ufw default deny

Default policy changed to ‘deny’ (be sure to update your rules accordingly)

“Deny…deny what and who….I just want a simple uncomplicated firewall thingy”

“OK mom almost done. Now you need to type this command so you can see your rules. See your Chain INPUT rule is DROP by default and your FORWARD chain is DROP by default.

# iptables -L -n

Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input   all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward   all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output   all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK FORWARD]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-input (1 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK INPUT]: '
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK NOT-TO-ME]: '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-forward (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-output (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

“WHAT????????…..Is this Chineeese…what kind of joke is this…I am too old to learn a new language and what is the OUTPUT…it is not DROP it is ALLOW, what is the Default DROP anyway? And why am I allowing people to get into my computer…is this really safe?”

“Easy Mom, it is really easy. OK, so the default DROP is really not a default DROP for all the chains, just the INPUT and FORWARD chain.”

“Who am I FORWARDing stuff to, does that go to you?”

“Well no Mom…this is really if you have two network cards and one was eth0 and the second was eth1 and you were FORWARDing traffic to an internal network, maybe using NAT and having a firewall on the outside, and you need to make sure that your /proc/sys/net/ipv4/ip_forward is 1 so that you can transfer traffic…..”

“Oh stop that mumble jumble garbage…this is supposed be easy..am I done?”

“Well no, just a few more steps, you need to write a rule that allows me to connect to your laptop for support when you need it. Just use the ufw command to allow a connection from my computer at 192.168.5.100 like this:

# ufw allow from 192.168.5.100 port 22

“Now mom you can view your changes with the command:

# ufw status
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.5.100        0.0.0.0/0            tcp spt:22
ACCEPT     udp  --  192.168.5.100        0.0.0.0/0            udp spt:22

“And now look it is simple to add VNC support as well.”

# ufw allow from 192.168.5.100 port 5900
Rule added

“You’re kidding me right…what is this Halloween trick and treat? What is the gibberish…why don’t I just write 123456789….port what is this a fishing adventure? I told you I was sick and tired of your IT Techie baloney … I HAVE NO IDEA WHAT YOU ARE TALKING ABOUT YOU MORON!!!!!!

“Mom, please don’t start that again, this really is not complicated, just type what I wrote on the notepad. OK, I will leave as soon as we are done. This really is simple…”

“Idiot, there now I typed your stupid RULE for your shipping ports.”

“Great Mom now check your status with this command:

# ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
Anywhere                   ALLOW   192.168.5.100 22:tcp
Anywhere                   ALLOW   192.168.5.100 22:udp
Anywhere                   ALLOW   192.168.5.100 5900:tcp
Anywhere                   ALLOW   192.168.5.100 5900:udp

"What ...status, I thought the default was DENY and why is there an Anywhere, does that mean that anyone can get into my computer and who are tcp and udp ...are these your friends?"

"Come now mom, this is not complicated, just stick with me, tcp and udp are protocols, they are just ways to communicate and they connect on ports, it is really simple stuff. No don't say anything just relax."

"Are we done?"

"No not yet, let's just go over how you can check your logs for intrusion attempts and failed port connections in case you need to edit your RULES...OK? Just use this command to see the end of the log:"

tail /var/log/messages
Apr 22 14:36:18 ub3 kernel: [28092.908356] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38470 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:20 ub3 kernel: [28094.761693] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38471 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:22 ub3 kernel: [28097.108344] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38472 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:27 ub3 kernel: [28101.809296] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38473 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0

"See there you can see your UFW is working as it has already blocked input ...see you are safe."

"Safe from who? Whose stupid idea is this anyway? Simple ...uncomplicated firewall...who are you kidding! I'm sick and tired of your Techno Blah Simple Uncomplicated Stupidity!!!!!!!!!!

WHERE IS MY WINDOWS VISTA DISK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
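Since "tail /var/log/messages" only shows the last few [UFW BLOCK INPUT] lines, here is a small POSIX shell helper, added as an example and not part of the original post, that summarizes all of them by source, protocol and destination port and separates new connection attempts (TCP SYN or UDP) from stray late replies to old connections. The sample log lines are constructed in the same format as the ones above; the function name ufw_block_summary is my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines in the format ufw writes (not the post's own lines).
UFW_SAMPLE_LOG='Apr 22 14:36:18 ub3 kernel: [28092.908356] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38470 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:36:20 ub3 kernel: [28094.761693] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=64.233.183.17 DST=192.168.5.12 LEN=80 TOS=0x00 PREC=0x00 TTL=44 ID=38471 PROTO=TCP SPT=80 DPT=38292 WINDOW=129 RES=0x00 ACK PSH URGP=0
Apr 22 14:40:03 ub3 kernel: [28316.120044] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=192.168.5.77 DST=192.168.5.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1021 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:40:04 ub3 kernel: [28317.130051] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=192.168.5.77 DST=192.168.5.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1022 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 14:40:09 ub3 kernel: [28322.500900] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:03:0d:11:f6:a9:00:14:bf:7f:59:b0:08:00 SRC=192.168.5.77 DST=192.168.5.12 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=1023 PROTO=UDP SPT=40124 DPT=5900 LEN=12
Apr 22 14:41:00 ub3 kernel: [28373.000100] [UFW BLOCK NOT-TO-ME]: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:bf:7f:59:b0:08:00 SRC=192.168.5.1 DST=192.168.5.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58'

# Read log lines on stdin and print "<count> <kind> <SRC> <PROTO> <DPT>", busiest first.
# kind is "new-conn" for a TCP SYN or any UDP packet (someone trying to reach a port)
# and "stray" for a TCP packet without SYN (a late reply to a connection that is gone).
ufw_block_summary() {
  grep '\[UFW BLOCK INPUT\]' | awk '
    {
      src = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")            # pick apart KEY=VALUE fields only
        if (n != 2) continue
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (src == "") next
      kind = "new-conn"
      if (proto == "TCP" && $0 !~ / SYN /) kind = "stray"
      count[kind " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Stand-alone demo on the constructed sample; on a real box: ufw_block_summary < /var/log/messages
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
```

Stray replies from port 80, like the lines in the post's own log, are leftovers of a finished web connection rather than attacks; repeated new-conn hits on 22 or 5900 from a host that is not the support machine are the ones worth a second look before editing any rule.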