Secure your Ubuntu desktop with a UFW firewall
Linux is one of the safest desktop and server platforms around. Out of the box, most Linux distributions ship with few network services listening, which already puts a fresh install ahead of a default Windows or macOS desktop, and for most desktop use cases that default posture serves you well. But that does not mean you can ignore the security of the operating system you have trusted with your data. At the very least, you should know how to work with a Linux firewall.
What is a Firewall?
Simply put, a firewall is a subsystem that blocks certain network traffic from entering or leaving a computer. A firewall can be very restrictive (allowing little in and/or out) or very permissive (allowing most traffic in and/or out). Firewalls come in two types:
- Hardware – physical devices that protect a whole network (and every computer on it).
- Software – subsystems on individual computers that protect only the host they run on.
Most home networks rely on both. The hardware piece is usually the modem/router supplied by your ISP, which is typically configured to block unsolicited inbound connections. On the software side, your desktop runs its own firewall. One such firewall, available on many Linux distributions (Ubuntu and its derivatives among them), is the Uncomplicated Firewall (UFW). It is exactly what it sounds like: a simple front end to the kernel's netfilter packet filter that makes allowing and blocking network traffic straightforward. UFW is a command-line tool, and it does an excellent job of helping to secure a Linux computer.
On Ubuntu and most Ubuntu derivatives, UFW is already installed. To check, open a terminal window and run:
sudo ufw status
This will most likely report Status: inactive. If instead the shell reports that the ufw command is not found, UFW is not installed; install it with:
sudo apt-get install ufw -y
Because UFW is inactive by default, you need to enable it:
sudo ufw enable
Check the status again and it will now show as active. From then on the firewall also starts automatically at boot.
Default Policy
Most users don't need to spend much time on default policies, but it is worth understanding the basics.
The default policy decides what happens to traffic that does not match any explicit rule. There are four:
- INPUT – traffic coming into the computer.
- OUTPUT – traffic leaving the computer.
- FORWARD – traffic routed through the computer from one host to another (only relevant if the machine acts as a router or gateway).
- APPLICATION – traffic matched by an application profile (see sudo ufw app list) rather than by a raw port number.
For most users, only the INPUT and OUTPUT policies will be of concern.
The defaults live in /etc/default/ufw. Open it with:
sudo nano /etc/default/ufw
and find these four lines:
- DEFAULT_INPUT_POLICY="DROP"
- DEFAULT_OUTPUT_POLICY="ACCEPT"
- DEFAULT_FORWARD_POLICY="DROP"
- DEFAULT_APPLICATION_POLICY="SKIP"
Each of these accepts a slightly different set of values:
- INPUT / OUTPUT / FORWARD can be set to ACCEPT, DROP, or REJECT
- APPLICATION can be set to ACCEPT, DROP, REJECT, or SKIP
The difference between ACCEPT, DROP, and REJECT is:
- ACCEPT – let the traffic through the firewall.
- REJECT – do not let the traffic through, and send an ICMP destination-unreachable message back to the sender.
- DROP – do not let the traffic through, and send nothing back; the sender's connection attempt simply times out.
DROP is the usual choice for the inbound default: a port scanner gets no confirmation that anything is listening, at the cost of slower failures for legitimate clients. REJECT is friendlier on a trusted LAN, where fast feedback matters more than hiding the host.
Adjust the defaults to suit your needs. If you change them in the file, reload the rules with:
sudo ufw reload
You can also set the same defaults from the command line without editing the file, for example sudo ufw default deny incoming or sudo ufw default allow outgoing, and sudo ufw status verbose shows the defaults currently in force.
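The policy lines above are easy to mistype, and a typo in one of them is not something ufw will silently fix. The script below is an added example (not from the article or the ufw project) that reads a /etc/default/ufw-style file on standard input, extracts the DEFAULT_*_POLICY settings, and flags any value that is not in the lists above, as well as an INPUT chain set to ACCEPT. The sample file embedded in it is constructed for the demonstration; to audit a real host, feed it the real file with audit_ufw_defaults < /etc/default/ufw.

```shell
#!/bin/sh
# Added example: audit the DEFAULT_*_POLICY settings of a /etc/default/ufw-style
# file read on stdin. The sample below is constructed for the demo; on a real
# host run:  audit_ufw_defaults < /etc/default/ufw

UFW_DEFAULTS_SAMPLE='# /etc/default/ufw (constructed sample)
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
IPV6=yes'

# Print "CHAIN VALUE" for each DEFAULT_<CHAIN>_POLICY line, quotes stripped;
# comments and unrelated settings (IPV6=..., MANAGE_BUILTINS=...) are ignored.
ufw_policies() {
    sed -nE 's/^[[:space:]]*DEFAULT_([A-Z]+)_POLICY="?([A-Za-z]+)"?.*/\1 \2/p'
}

# Exit 0 if VALUE is legal for CHAIN: INPUT/OUTPUT/FORWARD take ACCEPT, DROP or
# REJECT; APPLICATION also takes SKIP. Anything else is not a policy ufw knows.
policy_is_valid() {
    case "$1" in
        INPUT|OUTPUT|FORWARD) case "$2" in ACCEPT|DROP|REJECT) return 0 ;; esac ;;
        APPLICATION)          case "$2" in ACCEPT|DROP|REJECT|SKIP) return 0 ;; esac ;;
    esac
    return 1
}

# One line per finding: illegal values, and an INPUT chain that accepts by
# default (every listening port is reachable unless a rule closes it).
# Prints nothing for a sane file.
audit_ufw_defaults() {
    ufw_policies | while read -r chain value; do
        if ! policy_is_valid "$chain" "$value"; then
            echo "ILLEGAL  DEFAULT_${chain}_POLICY=$value"
        elif [ "$chain" = INPUT ] && [ "$value" = ACCEPT ]; then
            echo "PERMISSIVE  DEFAULT_INPUT_POLICY=ACCEPT (inbound traffic allowed unless a rule denies it)"
        fi
    done
}

# Demo on the constructed sample: lists the four policies, then audits them.
printf '%s\n' "$UFW_DEFAULTS_SAMPLE" | ufw_policies
printf '%s\n' "$UFW_DEFAULTS_SAMPLE" | audit_ufw_defaults
```

The audit reads the file rather than asking ufw, so it also works on a host where the firewall is not yet enabled, or on a configuration file pulled from a backup or a configuration-management repository.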
Allow Traffic to Enter
Since you will rarely need to change the default outgoing policy, let's focus on incoming traffic. Say you want to SSH into your desktop (using the ssh command) from another computer. For that, you need to tell UFW to allow incoming traffic on the standard SSH port (22/tcp). The command is:
sudo ufw allow ssh
The above command allows any machine on your network (or even outside it, if your router forwards external traffic to this host) to reach your computer on port 22. UFW resolves the service name through /etc/services, so allow ssh is the same as allow 22/tcp.
That is fine as far as it goes, but perhaps you only want to allow certain computers on your network. Say you want to allow just one, the computer at IP address 192.168.1.162. The command is:
sudo ufw allow from 192.168.1.162 to any port 22
Here from 192.168.1.162 names the source address to allow, and to any port 22 means any local address on port 22. Note that this rule is added alongside the earlier allow ssh rule rather than replacing it; as long as the broad rule remains, every host can still connect. Delete it (sudo ufw delete allow ssh) and 192.168.1.162 becomes the only computer on your network that can open an SSH session to yours.
You can also deny traffic on a specific network interface. Say your machine has two:
- INTERNAL – the ens5 interface, on the 192.168.1.x address range.
- EXTERNAL – the enp0s3 interface, on the 172.217.1.x address range.
What if you want to keep the SSH rule for 192.168.1.162 but refuse all incoming SSH traffic arriving on the external interface? The command is:
sudo ufw deny in on enp0s3 to any port ssh
Run:
sudo ufw status
and you will see that SSH traffic from 192.168.1.162 is still allowed while SSH on the external interface is denied. UFW evaluates rules in the order they are listed and the first match wins, so a rule added earlier takes precedence over one added later; sudo ufw insert N ... places a rule at position N if you need a deny to sit above an existing allow.
If a rule you created locks out a machine that needs to reach yours, you can delete it. First ask UFW to list the rules by number:
sudo ufw status numbered
Say you want to delete rule number 1. Issue the command:
sudo ufw delete 1
You will be asked to confirm the deletion. Type y and press Enter. If you are removing several rules, delete the highest number first, because UFW renumbers the remaining rules after every deletion. Run:
sudo ufw status
to confirm the rule is gone.
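The two pitfalls in the last two sections (a broad allow ssh rule left in place beside the narrower from-address rule, and rule numbers shifting while you delete) are easy to catch by reading sudo ufw status numbered before touching anything. The script below is an added example (not from the article or the ufw project): it parses that output, lists every ALLOW or LIMIT rule that opens a given port to Anywhere, and emits the matching delete commands highest number first. The status text it contains is constructed to mirror the layout ufw prints for the rules in this article, not captured from a real host; on a real host you would pipe sudo ufw status numbered into the same functions.

```shell
#!/bin/sh
# Added example: find over-broad ALLOW rules for a port in the output of
# `sudo ufw status numbered` and emit delete commands in the safe order.
# UFW_STATUS_SAMPLE is constructed for the demo (layout as ufw prints it,
# rules as in the article: allow ssh, allow from one host, deny on enp0s3).

UFW_STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    192.168.1.162
[ 3] 22/tcp on enp0s3           DENY IN     Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 22/tcp (v6) on enp0s3      DENY IN     Anywhere (v6)'

# Normalise numbered rule lines (stdin) to "NUM|TO|ACTION|FROM"; header and
# status lines are dropped because they do not start with "[".
parse_ufw_rules() {
    sed -nE 's/^\[ *([0-9]+)] +(.*[^ ]) +(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) +(.*)$/\1|\2|\3 \4|\5/p'
}

# Rule numbers of ALLOW/LIMIT rules that open PORT (any protocol, v4 or v6)
# to Anywhere: the broad rules a narrower from-address rule does not override.
broad_allows_for_port() {
    port="$1"
    parse_ufw_rules | awk -F'|' -v p="$port" '
        $3 ~ /^(ALLOW|LIMIT)/ && $4 ~ /^Anywhere/ &&
        ($2 == p || index($2, p "/") == 1 || index($2, p " ") == 1) { print $1 }'
}

# Turn rule numbers (stdin) into delete commands, highest number first: ufw
# renumbers the remaining rules after each delete, so deleting in ascending
# order would remove the wrong rules.
delete_commands() {
    sort -rn | sed 's/^/sudo ufw delete /'
}

# Demo: which rules still let the whole world reach port 22, and how to drop them.
printf '%s\n' "$UFW_STATUS_SAMPLE" | broad_allows_for_port 22 | delete_commands
```

On the constructed sample this prints delete commands for rules 5 and 1 (the IPv4 and IPv6 halves of allow ssh) and leaves the from-address rule and the interface denies alone. Review the printed commands before running them; the script deliberately prints rather than executes.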