
Posts Tagged ‘firestarter’

Why ufw Does Not Need A GUI

I’ve been hearing more and more requests recently (at OpenWeek -chat and in blog comments) for a GUI on top of ufw. I wanted to take a second and outline more clearly what ufw is, which will likely stop these requests. I think it’s just a simple matter of not truly understanding what ufw does that leads to these requests. Bottom line: there are already a number of GUI firewall applications, so adding one for ufw would be basically pointless. (Before you argue that point, keep reading.)

What is ufw?

ufw, or “uncomplicated firewall”, is simply a management tool for creating kernel-level firewall rules, which are applied via the netfilter kernel module and the iptables userspace tool. iptables has been around for quite a long time, is very, very robust and very widely used. It is installed by default on any Ubuntu system, but no “rules” have historically been applied to it. (Technically, every Linux system has a firewall utility built into the kernel, but if no rules are applied to that filter, nothing is actually being specifically allowed or denied.)

The reason ufw was developed (I sat in on the sprint at UDS for this) is that we wanted to create a server-level firewalling utility that was a little bit more “for human beings”. While iptables is already installed and available for use, the syntax can be complicated. For example, let’s say you wanted to block all connections from the IP address 10.100.0.5:

iptables: sudo iptables -A INPUT -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5

Another slightly more complicated example could be written for blocking specific ports and protocols:

iptables: sudo iptables -A INPUT -p tcp --dport 22 -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5 to any port 22

ufw is creating the iptables / netfilter rule “under the hood”, but allowing us to create the rules in a simpler way. Both of the commands above basically do the same thing; ufw simply “uncomplicates” the process.
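
As an added illustration (not code from the original post or from ufw itself), the Python below models the translation described above for the rule forms used on this page. It assumes rules are appended to INPUT as in the post's commands and that ufw's deny corresponds to the DROP target and reject to REJECT; the function name ufw_to_iptables is hypothetical.

```python
import ipaddress

# ufw action -> netfilter target (assumption of this example; "limit" is not modelled).
TARGETS = {"allow": "ACCEPT", "deny": "DROP", "reject": "REJECT"}
KEYS = {"from", "to", "port", "proto"}

def ufw_to_iptables(rule):
    """Translate 'ufw ACTION [proto P] from SRC [to DST] [port N]'
    into equivalent 'iptables -A INPUT ...' command strings."""
    words = [w for w in rule.split() if w not in ("sudo", "ufw")]
    if not words or words[0] not in TARGETS:
        raise ValueError("expected allow, deny or reject")
    target, rest = TARGETS[words[0]], words[1:]
    if len(rest) % 2 or not set(rest[0::2]) <= KEYS:
        raise ValueError("unsupported rule syntax: " + rule)
    opts = dict(zip(rest[0::2], rest[1::2]))

    # Validate addresses and port before they reach a command line.
    for key in ("from", "to"):
        if opts.get(key, "any") != "any":
            ipaddress.ip_network(opts[key], strict=False)  # raises ValueError
    port = opts.get("port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError("bad port: " + port)
    proto = opts.get("proto")
    if proto not in (None, "tcp", "udp"):
        raise ValueError("bad proto: " + proto)

    # --dport is only valid together with -p, so a port without an explicit
    # protocol expands to one rule for TCP and one for UDP.
    protos = [proto] if proto else (["tcp", "udp"] if port else [None])
    commands = []
    for p in protos:
        cmd = ["iptables", "-A", "INPUT"]
        if p:
            cmd += ["-p", p]
        if opts.get("from", "any") != "any":
            cmd += ["-s", opts["from"]]
        if opts.get("to", "any") != "any":
            cmd += ["-d", opts["to"]]
        if port:
            cmd += ["--dport", port]
        cmd += ["-j", target]
        commands.append(" ".join(cmd))
    return commands

if __name__ == "__main__":
    for rule in ("ufw deny from 10.100.0.5",
                 "ufw deny from 10.100.0.5 to any port 22"):
        print(rule, "->", ufw_to_iptables(rule))
```

A port rule with no protocol yields two iptables commands, which is why the one-line ufw form is shorter than what it stands for.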

For those that are looking for a GUI on top of ufw, remember that you already have tools such as Firestarter or lokkit, etc.  Those are graphical tools which create and manage iptables / netfilter rules “under the hood”.  ufw is simply a command-line tool to manage iptables / netfilter rules “under the hood”.

The existing GUI tools (Firestarter) and ufw both use iptables underneath, so adding a GUI to ufw would basically be re-creating Firestarter, which is not really needed.  ufw is simply a less complicated way to create firewall (iptables) “rules” on the command line.

Setup a Desktop Firewall with Firestarter : Ubuntu (5.10 / 6.06.1 / 6.10)

January 7th, 2007

Network security is an ever-growing need these days. You never know what you’re going to find when you step out into the wild world of the internet. Luckily we’re all using Ubuntu so we’re much more protected than most of the world, but there is still reason to protect our computers and networks.

For those of you that are not behind a hardware router (if you don’t know, this might be you), you definitely want to install a firewall for your system. Firewalls can be very simple or very complex, depending on your needs. This post will not go into the deepest detail of configuring, maintaining or watching a firewall, but I wanted to give some quick suggestions for those of you that might need one.

The simplest desktop firewall that I’ve used on an Ubuntu system is Firestarter. It is very easy to set incoming and outgoing network policies based on port, IP, domain, etc. To install Firestarter you’ll want to do the following:

sudo aptitude install firestarter

Once this is installed you should be able to run the program by running the command firestarter or it should be located in:

Applications > Internet > Firestarter

This program should be fairly straightforward to configure for your machine. The best policy on an unprotected machine is a no-incoming policy. It’s always the safest route to be able to get out but not let anything in. Give it a try. If you run into any trouble, leave a comment or check out the Ubuntu Forums for more detail.

Update:  See the second half of this tutorial at Using Firestarter.
