
Posts Tagged ‘firewall’

Firewall Builder: Using The Policy Importer

June 12th, 2009 No comments

This article is part of a series regarding firewalling and network security using the Firewall Builder tool on Ubuntu. This is user-contributed content. If you would like to contribute an article, please see the About page for contact information.

Using Built-in Policy Importer in Firewall Builder

Author: vadim@fwbuilder.org

http://www.fwbuilder.org

This article continues the series of articles on Firewall Builder, a graphical firewall configuration and management tool that supports many Open Source firewall platforms as well as Cisco IOS access lists and Cisco ASA (PIX). Firewall Builder was introduced on this site earlier in the article Getting Started With Firewall Builder.

More information on Firewall Builder, pre-built binary packages and source code, documentation and the Firewall Builder Cookbook can be found on the project web site at www.fwbuilder.org. Watch the Project Blog for announcements and articles on all aspects of using Firewall Builder.

This article demonstrates how you can import existing iptables or Cisco router configuration into Firewall Builder.

There are two ways to activate the feature: Main menu “File/Import Policy”, or “Tools/Discovery Druid” and then the option “Import configuration of a firewall or a router”. Only import of iptables and Cisco IOS access lists is possible in the current version.

Importing existing iptables configuration

The iptables config that the program can import is in the format of iptables-save. The “iptables-save” script is part of the standard iptables install and should be present on all Linux distributions. Usually this script is installed in /sbin/. When you run this script, it dumps the current iptables configuration to stdout. It reads iptables rules directly from the kernel rather than from some file, so what it dumps is what is really working right now. To import this into fwbuilder, run the script to save the configuration to a file:

iptables-save > iptables_config.conf

Then launch fwbuilder, activate the “Import Policy” function and use the “Browse” button in the dialog to find the file iptables_config.conf. You also need to choose “iptables” in the “Platform” drop-down menu.
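Because the importer reads the iptables-save format, it helps to know what that format looks like and to sanity-check a dump before importing it. The following is an added example, not code from the article or from the fwbuilder project: a few POSIX shell functions that inspect a dump for the pieces the importer depends on (a `*filter` table closed by `COMMIT`, chain policy lines, `-A` rules, and no jumps to chains that were never declared). The dump embedded in the script is constructed for illustration; a real one comes from `iptables-save > iptables_config.conf` as described above.

```shell
#!/bin/sh
# Added example: inspect an iptables-save dump before importing it.
# SAMPLE_DUMP is constructed for this example; replace it with the contents
# of your own iptables_config.conf (e.g. SAMPLE_DUMP=$(cat iptables_config.conf)).
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.100.0.5/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed (constructed sample)'

# A second constructed dump with a jump to a chain that is never declared;
# iptables-restore (and an importer) has nothing to resolve "ssh-guard" to.
BROKEN_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ssh-guard
COMMIT'

# Succeeds (exit 0) only if the dump declares a *filter table and closes it with COMMIT.
has_filter_table() {
    printf '%s\n' "$1" | grep -q '^\*filter$' &&
    printf '%s\n' "$1" | grep -q '^COMMIT$'
}

# Print the number of rules appended (-A) to the given chain.
count_rules() {
    printf '%s\n' "$1" | grep -c "^-A $2 " || true
}

# Print the default policy of a built-in chain, taken from its ":CHAIN POLICY [pkts:bytes]" line.
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) \[.*/\1/p"
}

# Print every -j target that is neither a standard target nor a chain declared with a ':' line.
undeclared_targets() {
    printf '%s\n' "$1" | awk '
        /^:/  { declared[substr($1, 2)] = 1 }
        /^-A/ { for (i = 1; i <= NF; i++) if ($i == "-j") seen[$(i + 1)] = 1 }
        END {
            n = split("ACCEPT DROP REJECT RETURN LOG", std, " ")
            for (k = 1; k <= n; k++) declared[std[k]] = 1
            for (t in seen) if (!(t in declared)) print t
        }'
}

# Stand-alone run: report on the constructed sample.
if has_filter_table "$SAMPLE_DUMP"; then
    echo "filter table present; INPUT policy: $(chain_policy "$SAMPLE_DUMP" INPUT)"
    echo "INPUT rules: $(count_rules "$SAMPLE_DUMP" INPUT)"
    echo "undeclared targets: $(undeclared_targets "$SAMPLE_DUMP")"
fi
echo "undeclared targets in broken dump: $(undeclared_targets "$BROKEN_DUMP")"
```

The default policy of INPUT is worth reading off before importing: a dump whose INPUT policy is ACCEPT with only a handful of REJECT rules describes a very different firewall from one whose policy is DROP, and the importer will reproduce whichever you feed it.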


Categories: Security

Getting Started with Firewall Builder

June 3rd, 2009 4 comments


Getting Started with Firewall Builder

Author: vadim@fwbuilder.org

http://www.fwbuilder.org

This guide starts a series of articles about Firewall Builder. Firewall Builder (also known as fwbuilder) is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco router extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex than a simple web-based UI allows can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls. The first article is an introduction to the program. We will follow up with a series of articles focusing on more advanced aspects of it in the coming weeks.

Firewall Builder is packaged with most Linux distributions and is available under “System/Administration” menu.

If it is not there, then it probably needs to be installed on your system. You need to install the package with the supporting API library, libfwbuilder, and the package fwbuilder, which contains the Firewall Builder GUI and policy compilers. Use apt-get or aptitude to find and install them:

# aptitude install libfwbuilder fwbuilder

On FreeBSD and OpenBSD, Firewall Builder is part of ports; you can find it in /usr/ports/security/fwbuilder.

Packages shipping with Ubuntu are always one or two minor revisions behind. If you want to try the latest version, you can use the pre-built binary .deb packages offered on the project’s web site or build from source using our online installation instructions. Pre-built binary packages can be installed using our repositories of rpm and deb packages; see the instructions on this page.

If the system menu item is not there or you have built the program from source, you can always launch it from the command line by typing “fwbuilder” at the shell prompt:

$ fwbuilder


Categories: Security, Ubuntu

Why ufw Does Not Need A GUI

I’ve been hearing more and more recent requests (at the OpenWeek chat and in blog comments) regarding a request for a GUI on top of ufw. I wanted to take a second and outline more clearly what ufw is, which will likely stop these requests. I think it’s just a simple matter of not truly understanding what ufw does which leads to these. Bottom line, there are already a number of GUI firewall applications; adding one for ufw would be basically pointless. (Before you argue that point, keep reading.)

What is ufw?

ufw, or “uncomplicated firewall”, is simply a management tool for creating kernel-level firewall rules which is done via the netfilter kernel module and iptables userspace tool.  iptables has been around for quite a long time, is very, very robust and very widely used.  It is installed by default on any Ubuntu system, but no “rules” have historically been applied to it.  (Technically, every Linux system has a firewall utility built into the kernel, but if no rules are applied to that filter nothing is actually being specifically allowed or denied.)

The reason ufw was developed (I sat in on the sprint at UDS for this) is that we wanted to create a server-level firewalling utility that was a little bit more “for human beings”. While iptables is already installed and available for use, the syntax can be complicated. For example, let’s say you wanted to block all connections from the IP address 10.100.0.5:

iptables: sudo iptables -A INPUT -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5

Another slightly more complicated example could be written for blocking specific ports and protocols:

iptables: sudo iptables -A INPUT -p tcp -s 10.100.0.5 --dport 22 -j REJECT
ufw: sudo ufw deny from 10.100.0.5 to any port 22

ufw is creating the iptables / netfilter rule “under the hood”, but allowing us to create the rules in a simpler way. Both of the commands above basically do the same thing; ufw simply “uncomplicates” the process.
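To make the “under the hood” mapping concrete without touching a live firewall, here is an added example (not code from the post and not part of ufw): a small POSIX shell translator that prints the iptables rule(s) corresponding to a ufw `allow`/`deny`/`reject` rule of the shape used above. It follows the post’s own simplification of writing into the INPUT chain; real ufw installs its rules in its own chains (ufw-user-input and friends) and supports many more options. Two details it encodes are easy to get wrong by hand: `--dport` is only valid after a `-p tcp` or `-p udp` match, and when ufw is given a port without a protocol it assumes both tcp and udp, so one ufw line becomes two iptables rules. It also distinguishes ufw `deny` (a silent DROP) from ufw `reject` (REJECT, which the post’s hand-written line uses); both block the source.

```shell
#!/bin/sh
# Added example: print the iptables rule(s) a simple ufw rule maps to.
# Assumptions (not from ufw itself): rules go into INPUT, as in the post's examples.
#
# Usage: ufw_to_iptables ACTION SRC [PORT] [PROTO]
#   ACTION  allow | deny | reject   (ufw deny -> DROP, ufw reject -> REJECT)
#   SRC     source address, e.g. 10.100.0.5
#   PORT    optional destination port
#   PROTO   optional tcp | udp; with a port but no protocol, both are generated
ufw_to_iptables() {
    action=$1; src=$2; port=$3; proto=$4

    case "$action" in
        allow)  target=ACCEPT ;;
        deny)   target=DROP ;;
        reject) target=REJECT ;;
        *)      echo "unsupported action: $action" >&2; return 1 ;;
    esac

    # No port: a plain source match, exactly like the first example in the post.
    if [ -z "$port" ]; then
        echo "iptables -A INPUT -s $src -j $target"
        return 0
    fi

    case "$proto" in
        tcp|udp) protos=$proto ;;
        "")      protos="tcp udp" ;;   # ufw assumes both when none is given
        *)       echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac

    # --dport belongs to the tcp/udp match, so -p must come before it.
    for p in $protos; do
        echo "iptables -A INPUT -p $p -s $src --dport $port -j $target"
    done
}

# Stand-alone run: the two cases discussed in the post, plus the two-protocol expansion.
ufw_to_iptables reject 10.100.0.5
ufw_to_iptables reject 10.100.0.5 22 tcp
ufw_to_iptables deny 10.100.0.5 22
```

The printed lines are meant to be reviewed, not executed blindly; appending rules with `-A` puts them at the end of the chain, so an earlier ACCEPT for the same traffic would still win.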

For those that are looking for a GUI on top of ufw, remember that you already have tools such as Firestarter or lokkit, etc.  Those are graphical tools which create and manage iptables / netfilter rules “under the hood”.  ufw is simply a command-line tool to manage iptables / netfilter rules “under the hood”.

The existing GUI tools (Firestarter) and ufw both use iptables underneath, so adding a GUI to ufw would basically be re-creating Firestarter, which is not really needed.  ufw is simply a less complicated way to create firewall (iptables) “rules” on the command line.

Setup a Desktop Firewall with Firestarter : Ubuntu (5.10 / 6.06.1 / 6.10)

January 7th, 2007 5 comments

Network security is an ever-growing need these days. You never know what you’re going to find when you step out into the wild world of the internet. Luckily we’re all using Ubuntu, so we’re much more protected than most of the world, but there is still reason to protect our computers and networks.

For those of you that are not behind a hardware router (if you don’t know, this might be you), you definitely want to install a firewall for your system. Firewalls can be very simple or very complex, depending on your needs. This post will not go into the deepest detail of configuring, maintaining or watching a firewall, but I wanted to give some quick suggestions for those of you that might need one.

The simplest desktop firewall that I’ve used on an Ubuntu system is Firestarter. It is very easy to set incoming and outgoing network policies based on port, IP, domain, etc. To install Firestarter you’ll want to do the following:

sudo aptitude install firestarter

Once this is installed you should be able to run the program with the command firestarter, or it should be located in:

Applications > Internet > Firestarter

This program should be fairly straightforward to configure for your machine. The best policy on an unprotected machine is a no-incoming policy. It’s always the safest route to be able to get out but not let anything in. Give it a try. If you run into any trouble leave a comment or check out the Ubuntu Forums for more detail.

Update: See the second half of this tutorial at Using Firestarter.

Categories: Internet