Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
Installing a firewall on Ubuntu
Share
Print
CommentsFrankly, I'm glad that the default install doesn't set up a firewall. Most of my computers live behind a firewall at all times anyway, and I've always been annoyed by installers that demand I deal with firewall questions when I've already got the situation well in hand. If I want a firewall on a machine, I can set one up on my own. Since Ubuntu is, in part, aimed at corporate desktops, a firewall is unnecessary for many installations.
But if an Ubuntu desktop is your sole machine that connects directly to the Internet, then it's a good idea to configure one. Technically speaking, Ubuntu does include a firewall -- you could configure everything by hand using iptables. That, however, is a little more detailed than many users care to get. Instead, we'll look at installing a GUI application to configure a firewall in just a few easy steps.
We'll look at two packages that configure firewalls. The first is Lokkit, an application that walks you through a few simple steps and configures a basic firewall for you. Lokkit is dead easy to use, and requires very little understanding of firewalls to set up, but it provides few options, and it's not a good choice if you want to set up a complex firewall.
By contrast, Guarddog, a flexible GUI firewall configuration program, is much more complex than Lokkit. Choose Guarddog only if you know what you're doing.
To install Lokkit or Guarddog, fire up Synaptic or Adept and install the appropriate package. If you prefer to use APT, just run sudo apt-get install gnome-lokkit for Lokkit, or sudo apt-get install guarddog to install Guarddog.
Configuring your firewall with Lokkit
Configuring a basic firewall with Lokkit is a snap. You'll need to run it with superuser privileges, so open the Run Command dialog with Alt-F2 and run gksudo gnome-lokkit. After entering your password, you'll see a Configure Firewalling dialog.
Lokkit's configuration wizard is fairly self-explanatory. I'd recommend starting with the High Security option, unless you have a need for DCC file transfer over IRC. Also, if you're using DHCP to grab an IP address from a cable modem or DSL modem, you want to make sure to say "yes" when Lokkit asks about enabling DHCP. If you have a cable modem or DSL, you probably do pull the IP address via DHCP.
If the computer is the only one on the network, it's probably not necessary to enable any services, and it's safe to tell Lokkit "no" when it asks about doing that. By default, even if you select no here, Lokkit will leave SSH open to machines on the local network as long as you say "yes" when Lokkit asks if it's safe to trust hosts connected via your network interface.
After answering a few questions, Lokkit will say it's ready to enable the firewall, and then you can either apply the changes and start the firewall or cancel.
If you suspect you're having problems with the firewall, you can re-run Lokkit and select Disable Firewall to remove all of your firewall rules.
Lokkit is easy to use, and it sets up a decent set of firewall rules. However, even if you pick the most restrictive rules, Lokkit leaves SSH and VNC open, and allows ping and services such as BitTorrent to operate. If you want really tight firewall rules, or need to set up a more complex firewall, look to Guarddog.
Configuring your firewall with Guarddog
To set up a firewall with Guarddog, run gksudo guarddog. You can run Guarddog as a regular user, but you'd have to load the firewall rules separately as the superuser later.
Guarddog is much more complex than Lokkit. The first thing you'll see when firing up Guarddog is the Zones tab. Zones are basically sets of IP addresses, which are used to define firewall rules that apply to those addresses. For example, if your machine is on a local area network with IP addresses in a private network, you can set up a zone for all of those addresses. By default, Guarddog comes with two pre-configured zones; the Internet zone, for all IP addresses that don't match other zones, and a Local zone, for IP addresses on the local machine.
To set up a zone for your LAN, click on New Zone, and then under Zone Addresses, click on New Address. In the Address field, you can add a single address or a network mask to cover an entire network. Let's say your LAN is in the 10.0.0.0 range, and your IP addresses range from 10.0.0.1 to 10.0.0.255. You could set the address as 10.0.0.0/24.
You'd want to set zones other than Local and Internet so you can set up firewall rules to address those machines, if it's necessary to have different rules for local machines than you do for machines connected via the Internet zone. The best way to think of the Internet zone is as the "most hostile" zone. That is, you want to allow the bare minimum when it comes to traffic coming from Internet hosts.
Next you have the protocol configurations. Here you need to tell Guarddog exactly which protocols you want to enable. This can be a bit tricky, as anything that's not explicitly allowed is disabled. By default, nothing -- not even DNS, HTTP, or POP3 -- is allowed. Select all of the protocols you wish to enable for each zone, and then click "Apply." After approving the rules, see if you can browse the Web, get email, and whatever else you need to do. If not, you may need to tweak the allowed protocols a bit.
Guarddog also allows you to set logging options. You may wish to disable logging if you're not likely to read the logs to see what's being blocked or rejected. For desktop users, logging is probably unnecessary unless you're trying to troubleshoot a problem with the firewall.
Finally, under the Advanced tab, you can configure custom protocols if Guarddog doesn't include rules to match a protocol that you need to enable. See the Guarddog help for this if you need to add a protocol.
If you want to use your desktop machine as a router and firewall for a bunch of machines, you may need to set up Network Address Translation (NAT) using IP Masquerade. That's a bit beyond the scope of this article, and Guarddog. To set your system up as a router, have a look at Guidedog instead.
It may take a little tweaking to get everything set up the way you want it with Guarddog, but it's probably worth the time and effort.
Either Lokkit or Guarddog should be sufficient to protect your Linux desktop. If neither of these strikes your fancy, Ubuntu does offer other firewall configuration tools that might be more to your liking.
Comments
on Installing a firewall on UbuntuNote: Comments are owned by the poster. We are not responsible for their content.
iptables is included and that is the firewall. The article talks about gui configuration tools that makes using iptables easier.
Really, all Linux "firewalls" use the same Linux subsystem. iptables, firestarter and all the others are just an interface for that subsystem. I expect that most firewalls even use iptables directly.
Cheers,
Daniel.
Based on the news page, they seem to be working on that feature and more.
http://www.fs-security.com/news.php
I prefer to have each client PC, regardless of OS, have their own firewall. Why? In case one is contaminated with something, you can control or regulate the situation. It gives you an option to have "choke points".
And that Windows comment? What nonsense. I don't know how you set up your boxes (pretty sloppy procedures you've got there), but it takes at least 30min to compromise a fully patched Windows box. (For a commercial distro like Red Hat, it takes months).
And the message about shutting down in 60 seconds is clearly the infamous Blaster virus. To be infected by that, you'd have to be connected to the web directly with an unpatched Windows box. As in you don't have a router/firewall infront of your win boxes...Considering you can't even setup a Windows box without getting infected, I really wonder about your advice in regards to Linux.
I've reverted back to Win2k, because I don't want to deal with WGA and Activation nonsense. Even then, I've never been infected by nonsense, since I PREPARE before I install. It just goes to show you really have no clue wtf you're doing, if you are infected by something as old as Blaster.
How about growing up a bit and actually download AutoPatcher (a collection of Windows patches in one convenient download) and slipstream your Windows setup CD with the service pack?
I also do similar for Linux. I set up a fileserver that pulls down all the patches for the distros I use, and then I get all the updates from that. If I ever need to format and start again (not likely), then I can just get the updates locally. It saves me on my monthly web usage (60GB/month) AND centralises the updates/patches. (easy to backup).
As well, how come there is no mention of Bastille Linux? This is a great way to help the Linux rookie in reducing the security risks to their boxes. (note: I said ROOKIE, not a no-clue beginner!)
I don't know how you set up your boxes (pretty sloppy procedures you've got there), but it takes at least 30min to compromise a fully patched Windows box. (For a commercial distro like Red Hat, it takes months).
[/quote]
But you can't patch it until you connect to the internet...
[quote]
To be infected by that, you'd have to be connected to the web directly with an unpatched Windows box.
[/quote]
For example, if you just finished installing Windows.
[quote]
Even then, I've never been infected by nonsense, since I PREPARE before I install.
[/quote]
The fact that such preparation is necessary is a testimony to Windows' insecurity.
But you can't patch it until you connect to the internet...
The "dumb monkey factor" kicked up a few notches today...No wait, that's cruel to monkeys. I have more respect for monkeys that I have for you.
Did you even read what the other guy said?
He said prepare your install BEFORE you connect a brand new box to the web!
Does he have to draw you a picture?
You make "setup CDs" of your own consisting of the latest patches and apps you need. Its convenient to use this thing he calls "Autopatcher". Judging by that website, its the current updates and such in a covenient single download and install.
Install Windows, install service pack, then Autopatcher, then Zone Alarm, and any other nonsense that you feel will help your security situation. Disable services that you don't use, then connect to the web to do a final update.
Any experienced Windows user knows this.
The fact that such preparation is necessary is a testimony to Windows' insecurity.
Eh no.
Windows insecurity are because of factors as follows:
(1) Users are NOT educated in basic security concepts and measures. They will click on anything. Its like giving an 8 yr old a 9mm handgun.
(2) No robust security mechanisms are built in by default. Its all fluff to keep the general population happy. (Just enough...Crap like MS "anti-spyware" or whatever the heck they call it now.)
(3) You can't run crap without using the admin account, so many people don't bother setting things up properly. (Because "its too hard").
(4) Microsoft's slow response to security patches. Its bloody ridiculous! Open-source can do things within hours, and yet a Multi-Billion dollar company can't achieve better! Unpaid volunteers beating paid workers...That's a first!
(5) Microsoft's continued insistence of using crap like Outlook, IE and ActiveX, despite they are the primary attack vectors for malware.
(6) WinXP is old as crap. Recent Linux distros will obviously have less patches to install by default. It doesn't take a genius to figure this out.
What you've said is like saying Linux is insecure because you're using Red Hat 7.3 and got compromised because you weren't able to update in time.
Such a scenario (assuming the admin wants to stay with RedHat 7.3), would involve going to the Fedora Legacy website, and downloading the required patches, burning them onto CD, install and prepare the old RedHat box BEFORE connecting to the web.
Its simple logic, prepare your boxes before you go on the web. Any admin or experienced computer user can see this logic. But apparently, your "spider-monkey" powered brain completely failed to register that one. It went right over your head.
I'm not defending Windows or Microsoft. I'm pointing out your stupidity in making utterly dumb comments that ANY Windows fanboi can refute.<nobr> <wbr></nobr>...And its sad how you actually use Linux. You're the kind of person that gives the entire Open-source community a bad name.
Here's a tip: If you're gonna argue against Windows, at least build up the necessary truths in making your case. That's what open-source is about. The truth. (along with freedom, choice and independence).
Sprouting crap out of your butt is what Marketing Departments of large corporations do. Maybe you should apply for those kinds of jobs, as you'd fit perfectly in there! You've already pulled nonsense out of your butt, why not get paid for it?
It is a valid point that most people can't get Windows patched without connecting to the internet, so they must at least for a while connect with an unpatched box (to download the patches). I understand asking a sysadmin to find a way around this, but not home users. A user has the right to install an operating system and expect it to work for without getting viruses just because they plugged the network cable is. This level of risk is unique to Windows, and it shows that the system is insecure (notice my words, I said "level" of risk, I didn't say that other systems are completely flawless, I say that they have a much lower level of risk).
>> Any experienced Windows user knows this.
I don't use Windows, so I can't say, but I know several Windows users that I expect are experienced and they don't seem to do all of that. The fact that so much work is needed before you even connect to the internet shows that there really is a problem with Windows.
> (1) Users are NOT educated in basic security
> concepts and measures. They will click on
> anything. Its like giving an 8 yr old a 9mm
> handgun.
I'll use my family as an example. They are quite educated about security, they don't click on anything, they don't use Internet Explorer, they use a firewall, anti spyware, anti virus, and all sorts of security measures, and their Windows computers still get infenced. One of them has become completely useless. At the same time, their Linux computer works perfectly.
A user should not have to get a PhD in system security to use a computer. In any other market a user has a reasonable expectation to have a functioning product that won't cause harm. If it does, it's called a defect, and the supplier must pay for damages. If a toaster sets the kitchen on fire you wouldn't blame the user. It is unfair to blame the user for not managing to use securely a product which is insecure.
As for the gun comment; guns are dangerous. If Windows is like a gun, Windows is dangerous.
>> (2) No robust security mechanisms are built in by default.
That's exactly what the poster said. Windows is insecure.
>> (3) You can't run crap without using the admin account,
I also consider this a security bug in Windows. Proper security is one that makes it easy for users to do the right thing and hard to do the wrong thing. Take for example Ubuntu or Mac OS X. Users run as regular users, not as admin. And they can still manage to do the system. I don't know about Mac OS X, but in Ubuntu you can't even log in as root; the root account is disabled, so you have to use sudo (or the GUI version of it). Ubuntu is a system that makes it easy to use the computer securely, and hard to use it insecurely. This is an important aspect of security, and one that Windows misses.
>> (4) Microsoft's slow response to security patches.
You are agreeing with the previous post again. Windows is insecure, and it's not the user's fault. It's not fair to blame the user when the problem is that Windows makes it hard to use the computer securely, Microsoft is slow to release patches, and a brand new computer will be compromised in 60 seconds if you plug it to the itnernet. These things are Microsoft's fault, not the user's.
>> (5) Microsoft's continued insistence of using crap like Outlook,<nobr> <wbr></nobr>...
This is one instance where at least the user can do something, they can use something else (this, of course, doesn't excuse Microsoft).
>> (6) WinXP is old as crap.
* This is not the user's fault.
* When you buy WinXP today, does it come with SP2? It should...
* Personally I expect that a 6 year-old Linux distribution to be more secure that WinXP (but less secure than a modern Linux distro).
>> Its simple logic, prepare your boxes before you go on the web.
Actually, it isn't. The fact that you need to do this is a testimony to low product security. It is not simple logic that you need to check your TV before plugging it in, or that you need to take your car to the mechanic before driving it for the first time. Buyers of any product sold on a shelf have a reasonable expectation of that product working correctly, at least for a little while, unless the product is labeled as "second hand" or something like that.
Now, I'd like to suggest that you take a break from the computer and try to calm down a little. Take time to deal with whatever life issues are making you upset, and come back when you are willing to talk like an adult.
Ubuntu does have a default firewall -you are wrong
Posted by: Anonymous Coward on July 04, 2006 07:47 AMLearn your basics before you go writing an article about something you dont know about.
Re:Ubuntu does have a default firewall -you are wr
Posted by: Anonymous Coward on August 23, 2006 05:32 PMAdditional configuration if any should be to relax the rules as one finds suitable for his or her use.
hanishkvc
You have worded your article poorly in such a manner that you are not making the truth clear. I would like to see the article amended or withdrawn.
he took the time to post something helpful for people who aren't as smart as you, geez
at least be more constructive
Thanks<nobr> <wbr></nobr>;-) ubuntu desktop replacement -new user
Installing a firewall on Ubuntu
Posted by: Anonymous [ip: 71.197.184.54] on August 18, 2007 04:42 AMInstalling a firewall on Ubuntu
Posted by: Anonymous [ip: 89.240.111.75] on August 24, 2007 07:58 PMGnomeUI-WARNING **: While connecting to session manager:
Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed.
what went wrong...?
Installing a firewall on Ubuntu
Posted by: Anonymous [ip: 98.197.77.232] on September 14, 2007 06:18 AMdid that but the program got rejected...something like GnomeUI-WARNING **: While connecting to session manager: Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed. what went wrong...?
can some one help??
Installing a firewall on Ubuntu
Posted by: Anonymous [ip: 70.224.206.36] on October 15, 2007 03:27 PMI opened terminal>
I did > sudo apt-get install lokkit
then after installed,> sudo lokkit and after password could now configure using arrow keys, space for selection and enter.
then it works.
If you installed it already and it won't work, use sudo apt-get remove lokkit
G
Good On-line Resource, re: Installing a firewall on Ubuntu
Posted by: Anonymous [ip: 68.49.202.223] on November 14, 2007 05:54 PMhttp://www.techotopia.com/index.php/Ubuntu_Linux_Essentials
-- I found chapters 14 & 15 good resources for subject raised in this message thread.
-- Thanx to 'Zonker' for the article on Linux.com that provided the key information leads to help me ferret out the Techtopia book cited above. I found Zonker's article an informative overview, helpful to someone finally braving the world of Linux. This is after a decade or so of being locked into a world dominated by a certain 500 pound gorilla, a reluctant former happy-UNIXdom user pushed there (more like dragged, kicking & screaming) by my working world employers. (Now, in retirement I can say: "Free! Free, at last! ....")
-- I've been depending on Zone Alarm on the MS side and was looking for a good equivalent on the Linux side of a dual-boot machine I'm setting up for my second & third generation kids. This opportunity turned out to be the "straw that broke the camel's back" in finally overcoming the challenge of migrating to Linux. Ubuntu's friendliness in providing "idiot light" type set up via Gnome GUI access to the underlying OS made a big contribution for those who have lived too long in the 500 pound gorilla's world.
A like-ness.
Posted by: Anonymous Coward on July 01, 2006 12:09 AMIntroductions are in order. Linux meet Windows. Windows meet Linux. Now you two have something in common.
#