Linux Firewalls: Uncomplicated Firewall (ufw)

Hacking Linux

Welcome back, my aspiring security engineers!

There are a multitude of reasons for using Linux but one of the most overlooked is its capabilities and versatility as a firewall. While many firms spend thousands or tens of thousands of dollars on state-of-the art firewalls, you can build your own with just few hours of your time. If that doesn’t make you the hero in your workplace, nothing will!

In a previous post here, I showed you how to use iptables to develop a firewall for your Linux system or network. In this tutorial, I’ll demonstrate the uncomplicated firewall or ufw that utilizes iptables to configure your firewall. ufw does just what its name implies, it makes creating a firewall simple and uncomplicated.

 

Step #1: Download and Install ufw

First, download and install ufw. ufw is in nearly every Linux distribution repository including Kali and is pre-installed in Ubuntu.

 

kali > sudo apt install ufw

Step #2: ufw help

Next, let’s take a look at the help screen for ufw to get some idea of how it works.

 

kali > sudo ufw –help

Step #3: Check the status of ufw

Now, before we begin to configure our firewall, let’s check its status.

 

kali> sudo ufw status

When it is first installed it is disabled by default. Let’s enable it.

 

kali > sudo ufw enable

If we want to disable it later, we can simply execute the following command.

 

kali > sudo ufw disable

 

Step #4: Default Policy

Generally, the safest firewall is one that has a default policy to block everything unless it has been explicitly allowed. We can choose this before proceeding by setting the default policy to deny. Then we can allow only traffic that is necessary making certain to block everything else. This is the safest and most secure approach.

Step #5: Block an IP address

To illustrate the commands and capabilities of ufw, we will set the default policy to allow simply for the purposes of illustrating both allow and deny traffic.

For instance, if we want to write rule to deny traffic from IP address 103.136.43.142, we can write the following rule

 

kali > sudo ufw deny from 103.136.43.142

If we want to block all IP addresses on a subnet, we can use CIDER notation to block all 255 Ip addresses on the subnet such as;

 

kali > sudo ufw deny from 103.136.43.0/24

 

In addition, we can specify which network interface to block the traffic on by specifying “in on <interface>” such as;

 

kali > sudo deny in on eth0 from 103.136.43.142

 

Now, we can check the status of our firewall to review our rules

 

kali > sudo ufw status

Step #6: Allowing Traffic

If you chose a default policy of deny all, it critical to define what traffic will be allowed, otherwise you have bricked your entire network (not a good thing). Let’s write rules to allow some traffic. For instance, as the administrator of this firewall, you will need access to configure and maintain the firewall. Make certain you give yourself access from your IP.

 

kali > sudo ufw allow from 192.168.1.101

 

If later you need to delete a rule, you can simply use the keyword delete before the rule such as;

 

kali > sudo ufw delete allow from 192.168.1.101

 

Maybe easier, you can get the rule numbers by entering…

 

kali > sudo ufw status numbered

and then delete the rule by its number such as;

 

kali > sudo ufw delete 1

 

Step #7: Application List

Generally, new applications that rely on network communications will open a port on the firewall automatically if the application is on the same system as the firewall such as your host system. If the application is on another system on the network, you will need to manually open a port to allow communication. UFW has a list of applications that enable you to just specify the application and ufw will automatically open the appropriate ports.

 

To see the list of applications, enter;

 

kali> sudo ufw app list

So, for instance, if you had a nginx web server on your network that needed access to web traffic, ufw allows the simplified syntax of;

 

kali > sudo ufw allow “Nginx Full”

This allows nginx traffic on both port 80 and 443 using both IPv4 and IPv6 addresses. Note that it creates 2 rules.

 

If you just wanted to enable https traffic, you can enter a rule such as;

 

kali > sudo ufw allow https

When you check the status, you can view all the rules created up to this point in time.

 

kali > sudo ufw status

 

Instead of using the name of the application, you can specify the port to open such as;

 

kali > sudo ufw allow 80

If you want to open both port 80 and 443;

 

kali > sudo ufw allow 80, 443

Note that this syntax throws an error. To enable multiple ports, you must specific the protocol with the keyword “proto” (TCP, in this case) and the clause “from any to any” preceding the ports

 

kali> sudo ufw allow proto tcp from any to any 80,443

Now, we have successfully enabled traffic on both port 80 and port 443.

 

You can be even more specific and limit this traffic to just one interface such as eth0;

 

kali > sudo ufw allow in on eth0 proto tcp from any to any 80,443

Step #8: Enabling Access to a MySQL Database

Imagine a case where you have a MySQL (or any other) database on a system in your network. You will likely need to give the administrator access to the database as well as any applications (website, snort, etc.) that use the database. Of course, no one else should have access to the database as it’s the target of nearly every hacker group. We can limit access to just the admin by allowing traffic from the admin’s IP address and only on MySQL’s default port, 3306.

 

kali > sudo ufw allow from 192.168.1.101 to any port 3306

Summary

iptables can be powerful tool to create a secure and professional firewall without the expense of commercial firewalls. ufw or uncomplicated firewall utilizes the power of iptables to create secure firewalls with a very simple syntax. ufw is especially useful for creating a simple but powerful firewall to protect a simple network or your host system. For larger and complex networks, nftables is the firewall of choice.