======Ubuntu Firewall======
=====Overview=====
This page contains a bunch of useful tips for managing the Ubuntu firewall from [[http://1000umbrellas.com/2010/04/29/how-to-set-up-the-firewall-using-ufw-on-ubuntu-lucid-lynx-server|this site]].

<code>Today I learned a different way to configure the firewall on my Ubuntu 10.04 Lucid Lynx Server: the ufw command. UFW stands for “Uncomplicated FireWall,” and it’s just that. It provides a simpler interface to add or remove firewall rules to iptables, the default Linux firewall. It’s installed on Ubuntu Server by default (and has been, since Ubuntu 8.04), and I find a little simpler than the application I used to use to configure my firewall: Firehol. (Here’s how to set up Firehol, if you are interested. It’s more difficult than ufw, in my opinion, but a lot easier than setting up iptables manually!)

A new Ubuntu Server install (as of 10.04) contains a firewall (iptables) that is not enabled. Ubuntu.com has a great tutorial that explains that ufw is the default configuration tool for iptables. After I set up my server, I used ufw to close all ports by default, then open up ports for the services I use. I don’t have complex security needs or run a proxy server, so my rules are simple.
Adding Rules

Before adding rules, it’s best to explicitly set the default behavior. By default, I like to block everything: both incoming and outgoing traffic. After that is done, I selectively open ports to support the services I wish to run. In contrast, UFW, by default, denies all incoming traffic but allows all outgoing traffic. That setup is accomplished manually with the following commands.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

The following commands open ports for named services that I use: namely, SSH (port 22), a web server (port 80), and Webmin (port 10000). Any services named in /etc/services may be identified by name instead of port number.

$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow webmin

UFW also has a list of application presets, for common servers such as Apache, OpenSSH, Lighttpd, and Samba. You can view the list by issuing the command:

$ sudo ufw app list</code>

=====Create Rules=====
You can implement firewall rules for Samba and Lighttpd by using the commands below, which specify the application name, not the service name. Note that you must enclose in quotation marks any application names that include spaces.

<code>sudo ufw allow Samba</code>

It’s better to limit Samba access to hosts on your LAN. Using ufw’s more complex syntax, you can do just that. Note that you have to add “app” before the application name in this case.

<code>sudo ufw allow from 10.0.0.0/8 to 127.0.0.1 app Samba</code>
<code>sudo ufw allow to 10.0.0.0/8 from 127.0.0.1 app Samba</code>

The following commands open the ports required by my Transmission-Daemon server. Here I must specify port numbers explicitly. Note that you use a colon instead of a dash to specify port ranges. Plus, when creating rules for port ranges, you must specify whether they apply to TCP or UDP.
<code>sudo ufw allow 9091</code>
<code>sudo ufw allow 20500:20599/tcp</code>
<code>sudo ufw allow 20500:20599/udp</code>
The following command opens up ports needed for MySQL, but only to hosts within the local network.
<code>sudo ufw allow from 10.0.0.0/8 to any port 3306/tcp</code>
If you wish to open up MySQL to the world, you could use a simpler syntax.
<code>sudo ufw allow mysql</code>
=====Deleting Rules=====
Deleting rules is pretty simple. Just use the following syntax, and replace <…> with the entire rule that you wish to delete.
<code>sudo ufw delete <...></code>
For example:
<code>sudo ufw delete allow ssh</code>
<code>sudo ufw delete allow 10000</code>
You can also delete all the rules with a single command.
<code>sudo ufw reset
=====Enabling the Firewall=====
The following command enables the firewall rules immediately, and upon subsequent system restarts. This command will also refresh the rules. Run this command each time you update your firewall configuration.
<code>sudo ufw enable</code>
=====Disabling the Firewall=====
To disable the firewall, simply issue the following command.
<code>sudo ufw disable</code>
=====Checking the Configuration=====
You can check your configuration by issuing one of the following commands. The “verbose” version shows more information.
<code>sudo ufw status</code>
<code>sudo ufw status verbose</code>
=====Firewall Configuration Script=====
Here is a script that I wrote to set up my firewall. This script resets the firewall to deny everything but the services/applications I have installed on my server. Run it with sudo. You only have to run it once, not on every boot.
<code>#!/bin/sh

# obtain server's IP address
SERVERIP=`hostname --all-ip-addresses | cut --fields 1 --delimiter " "`

# disable firewall
ufw disable

# reset all firewall rules
ufw reset

# set default rules: deny all incoming traffic, allow all outgoing traffic
ufw default deny incoming
ufw default allow outgoing

# open port for SSH
ufw allow OpenSSH

# open port for Webmin
ufw allow webmin

# open ports for Samba file sharing
ufw allow from 10.0.0.0/8 to $SERVERIP app Samba
ufw allow to 10.0.0.0/8 from $SERVERIP app Samba

# open ports for Transmission-Daemon
ufw allow 9091
ufw allow 20500:20599/tcp
ufw allow 20500:20599/udp

# open port for MySQL
ufw allow proto tcp from 10.0.0.0/8 to any port 3306

# open ports for Lighttpd
ufw allow “Lighttpd Full”

# open port for network time protocol (ntpd)
ufw allow ntp

# enable firewall
ufw enable

# list all firewall rules
ufw status verbose</code>