This is the third post in my Firewall series. It follows up on my previous 2 blogs about firewalls and is intended to introduce GUFW, a graphical front end to UFW.
Firewall Ubuntu Desktops
Firewall Ubuntu Servers
Although the GUFW GUI may seem deceptively simple, the graphical front end is both easy to use and capable of performing the most common firewall configuration options. The graphical tool is a perfect place to start if you find ufw and iptables overwhelming.
Again the most difficult part of managing a firewall is knowing who you wish to allow or restrict (by ip address) and what service and port you need to allow (open) or deny (close). Gufw can help as many of these options are preconfigured. If you need further assistance, start with gufw, configure as much as you can, and then review the other two links.
GUFW is an option if you installed a few simple servers on your desktop (torrents, for example) or if you installed a graphical desktop / window manager (Gnome, Fluxbox, etc.) to help you administer a server.
As a side note, on the server side, rather than installing a GUI, some people probably use either the command line or web tools such as webmin, phpMyAdmin, etc. to manage servers.
Install GUFW
Although ufw is installed by default, gufw is not.
First, enable the Universe repository.
Then, using any method, install gufw (apt-get shown here).
sudo apt-get update
sudo apt-get -y install gufw
In Ubuntu 9.10, UFW is then located under System -> Administration -> Firewall configuration.
Enable your firewall
Simply click (check off) the “Enabled” button and select “Deny” in the “By Default” pull down menu.

The default settings are probably sufficient for the vast majority of Desktop users and, unless you are running a server, nothing further needs to be done. Simply close the GUFW window and your firewall will remain active, even if you reboot.
IMO, the most common servers used on desktops would include torrents, VNC, Samba, Apache, and SSH. If you want to allow access to one or more of these servers, you will need to configure GUFW as outlined below.
Allow inbound connections
UFW manages NEW INBOUND connections. Gufw allows all outbound traffic (see limitations below).
Use the following options if you are running servers and you wish to allow inbound connections from other computers.
To add a rule, first click the “Add” box on the bottom left. You will get a dialog box which will allow you a number of options.
Preconfigured options
GUFW has a number of common services preconfigured. You allow a service by program name (perhaps most useful on Desktops). As you can see common servers used on desktops, such as Transmission, are included (surprise, torrents are servers).

Or by service (perhaps most useful on servers).

By port
In the “Simple” tab you can open a specific port, by tcp, udp, or both. Simply add the port you wish to open in the box.

You may specify multiple ports, separated by commas:
22,80,443
Or specify a range of ports with a colon (:). For example, to allow bittorrent on ports 6881 – 6999, use
6881:6999
Limit traffic
You may use the “Advanced” tab to allow or deny traffic from a specific IP address or subnet (LAN). Keep in mind that the order of your rules counts, so deny first, then allow.
You may blacklist an ip address by denying all traffic from that IP.
In this example, all traffic from your LAN is allowed to connect to Apache (sorry the first part of “192.168.0.0/24” was outside the box).

Firewall rules are displayed in the main GUFW window. The rule displayed in this example allows all traffic on the LAN (192.168.0.0/24) to access Apache (port 80/tcp) on the server (IP address 192.168.1.10).

Remove a rule
Simply select your rule and click the “Remove” button on the bottom.

Logs
Logging is enabled by default. Under the menu, select Edit -> Preferences

Enable logging by selecting (checking off) your “Enable Gufw Logging” and “Enable ufw Logging”.
View the log
Under File, select the “Log” option (the one with the magnifying glass icon).
And you will see your logs. Although not displayed, any denied traffic will be logged.

You may clear the logs from this menu as well.
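The log viewer shows entries one at a time; to see who is being denied most often, the same entries can be summarised from the command line. The script below is an added example, not part of the original post: it assumes ufw's usual "[UFW BLOCK]" kernel log format, and the sample lines, host name and addresses are constructed.

```sh
#!/bin/sh
# Added example: count denied packets per source, protocol and destination port.
# Assumes ufw's "[UFW BLOCK] ... SRC=... PROTO=... DPT=..." kernel log format.

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
Nov 28 10:15:01 desktop kernel: [ 1201.100001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=54321 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 28 10:15:04 desktop kernel: [ 1204.100002] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=54322 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 28 10:15:10 desktop kernel: [ 1210.100003] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=54323 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 28 10:16:30 desktop kernel: [ 1290.200001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=117 ID=1001 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 10:16:32 desktop kernel: [ 1292.200002] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=117 ID=1002 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 10:17:00 desktop kernel: [ 1320.300001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=117 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Nov 28 10:18:00 desktop kernel: [ 1380.400001] [UFW ALLOW] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:04:08:00 SRC=192.168.0.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Read log lines on stdin, print "COUNT SRC PROTO DPT", busiest first.
ufw_block_summary() {
  awk '
    /\[UFW BLOCK\]/ {
      src = "-"; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^\[SRC=/) break          # quoted packet inside an ICMP error
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | ufw_block_summary
```

To run it against real entries, feed the function the file your system writes kernel messages to (for example /var/log/kern.log) instead of the sample. Entries without a destination port, such as ping, are shown with "-" in the port column.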
Limitations of GUFW
IMO GUFW is designed for users who wish to enable a firewall and do not feel they need to know the dirty details. As such it is simple and effective, although it does not offer all of the available options from either ufw or iptables.
- GUFW does not manage (limit) outbound traffic.
- GUFW only manages NEW connections.
- GUFW does not give the option to block ping or limit connections.
You will need to either use ufw from the command line, learn iptables, or use another configuration tool if you need these options.


GUFW ?
It’s unfortunate such nice application’s names are impossible to pronounce and difficult to spell in all three languages I speak.
There must be some way to come up with better names! :(
GUFW is an acronym for Graphical Uncomplicated FireWall
So the name is not bad, just long ;)
I was wondering how I configured GUFW after installing it from day 1 of Karmic. Now I got a decent how-to :)
Glad it helped. I enjoy your blog by the way =)
This is a great tutorial and I have added it to my UF sig. I am currently studying for my AS (I do plan to move to higher levels, but gotta start somewhere.) in Networking Security. Reading your threads on the forums and your blogs is sure to help make me a better network engineer.
Thanks,
Ronnie
Thank you for your kind words, glad you are headed in the right direction. I am sure you will be teaching the rest of us in short order.
You say ordering of rules is important and so deny first and then allow. Shouldn’t it be other way round. First allow then deny. So if someone checks rules in the order, allow rules come before deny rules and it does what you expect it to do. Or am I missing anything
Tridgell: Sorry for the confusion.
On my ufw/gufw blogs I am referring to “default deny” and the big “Deny” button.
These settings set the default policy and as such are not rules in a chain.
They are the same as “sudo iptables -P INPUT DROP”
The default policy basically tells iptables what to do with a packet that does not match any rules.
This is related, but not the same as the order of rules within a chain.
Hope that clarifies things for you, if not, stop ufw and open a terminal. Look at the output and effect of these commands:
sudo iptables -L -v
sudo iptables -P INPUT DROP
sudo iptables -L -v
sudo iptables -P INPUT ACCEPT
sudo iptables -L -v
Cool! I think it is much better now after you clarified
Thanks for your exceptionally informative information on GUFW. Also, your postings in the Ubuntu Forums were extremely helpful. Thanks!
It works :-) what I miss is a desktop icon. Thanks for writing this post.
While installing gufw I’m getting the following errors for the two respective commands listed for gufw installation… Please help me…
E: Some index files failed to download, they have been ignored, or old ones used instead.
E: Unable to locate package gufw
@Harish:
gufw is in the repositories (universe), check your repositories.
http://packages.ubuntu.com/cgi-bin/search_packages.pl?keywords=gufw&searchon=name&subword=1&version=all&release=all
gufw is a graphical application, so it will not run without X.
Thanks for a great intro to this program.
Hope they add more features to it like “limit ssh/tcp” and other cli commands..
@Brian – They are slowly adding features to ufw / gufw. Submit a feature request on Launchpad.
Just added GUFW to ubuntu 11.10 but I cannot seem to find it active after reboot, is there a simple way to check that it IS working and installed?
BR
Paul
@Paul – the command
sudo ufw status
will show if your firewall is active.
Is there a way for a noob to enable GUFW at boot/login as root start job?
Can I find a conf file to set the preferences to show listening report and notifications so they are not reset each logout/boot?
Great info and thanks!
@ rick : When you enable gufw, your settings are active when you boot. No further configuration is necessary.
Thanks, very nice and simple for the beginner!