Simplify your firewall setup
Detours
Since version 0.34, ufw now also supports routing. This means that the firewall can wave through incoming packets and, for example, forward all requests arriving on network interface enp0s3
to the interface enp0s8
(shown in Listing 4).
Listing 4
Forwarding Requests
$ sudo ufw route allow in on enp0s3 out on enp0s8
For IP forwarding to work, the corresponding function must be enabled in the sysctl.conf
configuration file. On Ubuntu, you use the /etc/ufw/sysctl.conf
file for this purpose; enter the lines from Listing 5 or – if they already exist – enable them by removing the preceding hashtags (#
). If you made some changes, restart ufw by typing
sudo ufw disable
Listing 5
Enable Forwarding
net/ipv4/ip_forward=1 net/ipv6/conf/default/forwarding=1 net/ipv6/conf/all/forwarding=1
followed by
sudo ufw enable
This more or less brings us to the end of ufw's feature set. In particular, ufw does not yet support masquerading, where the firewall changes, among other things, the source and destination ports in the packets that pass through the firewall. But, as mentioned earlier, more complex rules can be added using iptables. The corresponding configuration is stored either in the /etc/ufw/before.rules
file or in /etc/ufw/after.rules
. These rules are applied by the firewall before or after the rules that you defined with the ufw
command-line program.
Gufw
It is even easier to configure the firewall with Gufw [3], the ufw's graphical user interface. However, since it is not officially part of the ufw project, you usually have to install it in a second step. On Ubuntu, you can install Gufw with:
sudo apt install gufw
After starting Gufw, click the button next to Status to fire up the firewall. Then, in Inbound and Outbound, set the respective default rules. The Report tab (Figure 4), an extremely practical feature, displays the running services more clearly than the matching ufw show listening
command. Clicking the plus icon also automatically creates a matching firewall rule.
All existing rules can be found in the Rules tab. Use the gear icon to edit the currently selected rule and the plus icon to add another rule. Under Preconfigured, you can select an application profile; Gufw sorts the applications into categories. CUPS, for example, can be found below Network in the Print subcategory. If you don't want to use application profiles, switch to the Simple tab. Even more granular settings are allowed by the Advanced tab (Figure 5).
Conclusions
With the comparatively simple ufw, a firewall can be configured far faster than with the more complex iptables. The simple ufw rules also reduce the risk of misconfiguration and simplify maintenance. Nevertheless, ufw provides all the critical functions required to harden popular services. If you reach ufw's limits, you can add further rules with iptables. However, ufw and iptables' different syntax does prove to be a hindrance here. The bottom line, however, is that ufw makes setting up a firewall far easier.
Infos
- ufw: https://launchpad.net/ufw
- ufw source code: https://code.launchpad.net/ufw
- Gufw: http://gufw.org
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Plasma 6.3 Ready for Public Beta Testing
Plasma 6.3 will ship with KDE Gear 24.12.1 and KDE Frameworks 6.10, along with some new and exciting features.
-
Budgie 10.10 Scheduled for Q1 2025 with a Surprising Desktop Update
If Budgie is your desktop environment of choice, 2025 is going to be a great year for you.
-
Firefox 134 Offers Improvements for Linux Version
Fans of Linux and Firefox rejoice, as there's a new version available that includes some handy updates.
-
Serpent OS Arrives with a New Alpha Release
After months of silence, Ikey Doherty has released a new alpha for his Serpent OS.
-
HashiCorp Cofounder Unveils Ghostty, a Linux Terminal App
Ghostty is a new Linux terminal app that's fast, feature-rich, and offers a platform-native GUI while remaining cross-platform.
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.