Detours

Since version 0.34, ufw now also supports routing. This means that the firewall can wave through incoming packets and, for example, forward all requests arriving on network interface enp0s3 to the interface enp0s8 (shown in Listing 4).

$ sudo ufw route allow in on enp0s3 out on enp0s8

For IP forwarding to work, the corresponding function must be enabled in the sysctl.conf configuration file. On Ubuntu, you use the /etc/ufw/sysctl.conf file for this purpose; enter the lines from Listing 5 or – if they already exist – enable them by removing the preceding hashtags (#). If you made some changes, restart ufw by typing

sudo ufw disable

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

followed by

sudo ufw enable

This more or less brings us to the end of ufw's feature set. In particular, ufw does not yet support masquerading, where the firewall changes, among other things, the source and destination ports in the packets that pass through the firewall. But, as mentioned earlier, more complex rules can be added using iptables. The corresponding configuration is stored either in the /etc/ufw/before.rules file or in /etc/ufw/after.rules. These rules are applied by the firewall before or after the rules that you defined with the ufw command-line program.

Gufw

It is even easier to configure the firewall with Gufw [3], the ufw's graphical user interface. However, since it is not officially part of the ufw project, you usually have to install it in a second step. On Ubuntu, you can install Gufw with:

sudo apt install gufw

After starting Gufw, click the button next to Status to fire up the firewall. Then, in Inbound and Outbound, set the respective default rules. The Report tab (Figure 4), an extremely practical feature, displays the running services more clearly than the matching ufw show listening command. Clicking the plus icon also automatically creates a matching firewall rule.

Figure 4: The Report tab in the Gufw user interface shows the services running on the system.

All existing rules can be found in the Rules tab. Use the gear icon to edit the currently selected rule and the plus icon to add another rule. Under Preconfigured, you can select an application profile; Gufw sorts the applications into categories. CUPS, for example, can be found below Network in the Print subcategory. If you don't want to use application profiles, switch to the Simple tab. Even more granular settings are allowed by the Advanced tab (Figure 5).

Figure 5: This rule blocks access to port 22 via TCP.

Conclusions

With the comparatively simple ufw, a firewall can be configured far faster than with the more complex iptables. The simple ufw rules also reduce the risk of misconfiguration and simplify maintenance. Nevertheless, ufw provides all the critical functions required to harden popular services. If you reach ufw's limits, you can add further rules with iptables. However, ufw and iptables' different syntax does prove to be a hindrance here. The bottom line, however, is that ufw makes setting up a firewall far easier.