
Create Firewall Configurations Easily with Gufw on Ubuntu

A firewall can be the single most important tool for managing the security of your Linux machine and network. You can write iptables rules yourself, or find a tool that takes some of the pain out of setting up a firewall. For those who need a strong but simple solution, and happen to use Ubuntu, there's Gufw.

I have a mantra with computers: "If a computer is connected to a network, that computer is not safe." That mantra goes for any computer, no matter the operating system. And although the general consensus is that Linux is a much more secure platform, that does not mean security should be ignored.

Gufw is a very user-friendly way to manage iptables on Ubuntu: it can easily allow or block preconfigured services as well as user-specified ports, all from a simple GUI. Gufw also offers incoming traffic reports and logging, as well as an easy-to-manage interface for enabling and disabling the firewall.

Installing Gufw

Just how easy is Gufw to install?

  1. Open up the Ubuntu Software Center.
  2. Search for "gufw" (No quotes.)
  3. Click Install.

Short of being pre-installed, it doesn't get much easier than that! But is Gufw just as easy to use as it is to install? Yes. Gufw has been pared down so that it is incredibly simple to use. Gufw only offers the essentials:

  • Main window.
  • Preferences window.
  • Add rule window.

Main Window

From within the Main window (see Figure 1) it is possible to quickly Enable/Disable Gufw, add rules, and view the incoming report.

Figure 1: Gufw is one of the simplest firewall tools to use, with a very user-friendly interface.

Main Window: Enable/Disable

From the main window, enabling or disabling the firewall is simply a matter of checking (enable) or un-checking (disable) the box labelled Enable. Only after the firewall has been enabled can the Incoming and Outgoing policies be set. Once enabled, the drop-downs associated with each policy become selectable. The options are:

  • Deny: Deny traffic using the Drop target, which silently discards all incoming or outgoing packets.
  • Reject: Reject traffic using the Reject target, which sends an error packet to the sender of the incoming packets.
  • Allow: Allow incoming or outgoing traffic.

The policy must be set for both Incoming and Outgoing traffic, but the two are not required to have the same policy: Incoming can be set to any of the three options and Outgoing can be set to any of the three independently. What is set for Incoming and Outgoing will depend on the setup in question as well as the network the machine is on.

Adding Rules

Fortunately, the developers of Gufw allow the creation of user-specified rules. Without the ability to create specific rules, Gufw would be of little use beyond the basics. To create a specific rule, click the Add button. The new window (see Figure 2) has three tabs, which allow rules to be created in different ways:

  • Preconfigured: Select from preconfigured rules for specific applications or services.
  • Simple: Configure a rule for a specific port.
  • Advanced: Configure a rule for a range of addresses on specific ports.

The easiest method is to use the Preconfigured tab. From this tab, all that is necessary is to select from the different drop-down lists to Allow/Reject/Deny/Limit on Incoming/Outgoing traffic for a Program/Service.

Figure 2: If you need more actions, click the Show extended actions check box.

The Preconfigured tab allows for the Allowing/Denying/Rejecting/Limiting of the following Programs:

  • Amule
  • Deluge
  • KTorrent
  • Nicotine
  • qBittorrent
  • Transmission

Obviously the developers were more concerned with stopping P2P traffic than any other application. As for services, Gufw offers the following in the Preconfigured tab:

  • ftp
  • http
  • imap
  • nfs
  • pop3
  • samba
  • smtp
  • ssh
  • vnc
  • zeroconf

To create a rule from the Preconfigured tab, a selection must be made from each drop-down. So, to block all incoming ssh traffic, the following would be selected: Deny, In, Service, ssh. Once the correct selections are made, click the Add button and the new rule will be listed in the Gufw main window (see Figure 3).

Figure 3: Port 22 is the port for ssh, so the rule is correct.

It should be noted that the Simple tab is similar to the Preconfigured tab, with only one minor variation: instead of selecting from a drop-down list of services or applications, the port number for the rule is entered in a single text box. A single port or a port range can be added here, in the form port (for a single port) or port1:port2 (for a port range). See Figure 4 for an example of a configured port range.

Figure 4: Here ports 22-25 are allowed in.

Advanced Rules

If a more specific rule is required, the Advanced tab should be used. Say, for instance, that incoming ssh traffic on the internal LAN needs to be allowed only for machines in the 192.168.100.100-192.168.100.120 range. To set this up, the following configuration would be used (the completed entry for this rule is shown in Figure 5):

  • Allow
  • In
  • tcp
  • From: 192.168.100.100 Port: 22
  • To: 192.168.100.120 Port: 22

Figure 5: If you make a mistake, the entire rule configuration can be cleared by clicking the "broom" icon.

After the configuration is complete, click the Add button and the rule will be inserted into the rule chain and listed in the Gufw main window. As many rules as necessary can be added, and there is no need to restart Gufw, as the rules go live as soon as they are listed in the main window.
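The main-window policies and the three Add rule tabs (Preconfigured, Simple and Advanced) described above each correspond to a command that Gufw's underlying tool, ufw, understands. The following is an added example, not code from Gufw or ufw: the mapping from each tab's selections to a ufw command line is this example's own assumption, while the command syntax it emits is ufw's documented syntax. Nothing is executed; the functions only build the command strings so that a rule can be reviewed before it is applied with root privileges.

```python
"""Translate Gufw-style selections into ufw command lines (added example)."""
from typing import Optional

ACTIONS = {"allow", "deny", "reject", "limit"}       # Allow/Deny/Reject/Limit drop-down
DIRECTIONS = {"in": "incoming", "out": "outgoing"}   # In/Out drop-down
POLICIES = {"allow", "deny", "reject"}               # main-window policy choices
PROTOCOLS = {"tcp", "udp"}


def _check(action: str, direction: str) -> None:
    """Reject selections that are not on the drop-downs."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction: {direction}")


def policy_command(direction: str, policy: str) -> str:
    """Main window Incoming/Outgoing policy -> 'ufw default <policy> <incoming|outgoing>'."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction: {direction}")
    return f"ufw default {policy} {DIRECTIONS[direction]}"


def preconfigured_rule(action: str, direction: str, service: str) -> str:
    """Preconfigured tab: Deny, In, Service, ssh -> 'ufw deny in ssh'.

    ufw resolves a bare service name such as 'ssh' through /etc/services.
    """
    _check(action, direction)
    if not service.isalnum():
        raise ValueError(f"bad service name: {service}")
    return f"ufw {action} {direction} {service}"


def simple_rule(action: str, direction: str, ports: str, proto: str = "tcp") -> str:
    """Simple tab: a single port ('22') or a range ('22:25').

    ufw requires a protocol on a port range, so one is always appended
    (tcp by default, an assumption of this example).
    """
    _check(action, direction)
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {proto}")
    lo, _, hi = ports.partition(":")
    if not lo.isdigit() or (hi and not hi.isdigit()):
        raise ValueError(f"bad port specification: {ports}")
    if not 1 <= int(lo) <= 65535 or (hi and not 1 <= int(hi) <= 65535):
        raise ValueError(f"port out of range: {ports}")
    if hi and int(lo) > int(hi):
        raise ValueError(f"reversed port range: {ports}")
    return f"ufw {action} {direction} {ports}/{proto}"


def advanced_rule(action: str, direction: str, proto: str,
                  from_addr: str, from_port: Optional[str],
                  to_addr: str, to_port: Optional[str]) -> str:
    """Advanced tab: explicit protocol plus the From/To address and port fields."""
    _check(action, direction)
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {proto}")
    parts = [f"ufw {action} {direction} proto {proto}", f"from {from_addr}"]
    if from_port:
        parts.append(f"port {from_port}")
    parts.append(f"to {to_addr}")
    if to_port:
        parts.append(f"port {to_port}")
    return " ".join(parts)


if __name__ == "__main__":
    # The selections walked through in the text, rendered as ufw commands.
    print(policy_command("in", "deny"))
    print(preconfigured_rule("deny", "in", "ssh"))
    print(simple_rule("allow", "in", "22:25"))
    print(advanced_rule("allow", "in", "tcp",
                        "192.168.100.100", "22", "192.168.100.120", "22"))
```

One point worth keeping in mind when reading the Advanced output: in ufw's syntax, "from" is the packet's source and "to" is its destination, so the two address fields describe the endpoints of a connection rather than the ends of an address range.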

Although this is not a lesson on basic firewalling, it is important to remember that a firewall is a chain of rules that every packet is compared against, in order. As soon as a packet matches a rule in the chain, that rule's action is taken. So if the Incoming policy is set to Deny, incoming traffic will be denied as soon as it hits that first rule. Sometimes it is easier to allow incoming traffic through via the policy and then harden the chain with individual rules. This takes a lot more time, but will be worth the effort in the end.
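To make the first-match behaviour concrete, here is an added example (not Gufw or ufw code) that models a rule chain with a default policy over a deliberately small packet representation. The rules, networks and packets are constructed for the example. It shows the two chains the paragraph contrasts, deny-by-default with explicit allows and allow-by-default hardened with explicit denies, and a third chain where a rule is placed in the wrong order and therefore never matches.

```python
"""Simulate a first-match rule chain with a default policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow", "deny" (silently drop) or "reject"
    proto: str             # "tcp" or "udp"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


@dataclass
class Chain:
    policy: str            # default action applied when no rule matches
    rules: List[Rule]

    def decide(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the first matching rule); index None means
        the default policy decided the packet."""
        for idx, rule in enumerate(self.rules):
            if (rule.proto == pkt.proto
                    and ip_address(pkt.src) in ip_network(rule.src)
                    and (rule.dport is None or rule.dport == pkt.dport)):
                return rule.action, idx
        return self.policy, None

    def shadowed(self) -> List[int]:
        """Indexes of rules that can never match: an earlier rule already
        covers the same protocol and port for an equal or enclosing network."""
        dead = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if (earlier.proto == later.proto
                        and (earlier.dport is None or earlier.dport == later.dport)
                        and ip_network(later.src).subnet_of(ip_network(earlier.src))):
                    dead.append(i)
                    break
        return dead


# Constructed sample chains. 203.0.113.0/24 is a documentation range used
# here to stand in for "somewhere on the Internet".
LAN_SSH = Rule("allow", "tcp", "192.168.100.0/24", 22)

# Incoming policy Deny, one explicit allow for ssh from the LAN.
DENY_BY_DEFAULT = Chain("deny", [LAN_SSH])

# Incoming policy Allow, hardened with explicit denies.
HARDENED_ALLOW = Chain("allow", [Rule("deny", "tcp", "0.0.0.0/0", 23),     # no telnet
                                 Rule("deny", "udp", "0.0.0.0/0", None)])  # no UDP at all

# A blanket deny placed before the LAN allow: the allow is never reached.
MISORDERED = Chain("allow", [Rule("deny", "tcp", "0.0.0.0/0", 22), LAN_SSH])

SAMPLES = [
    Packet("tcp", "192.168.100.105", 22),   # ssh from the LAN
    Packet("tcp", "203.0.113.5", 22),       # ssh from outside
    Packet("udp", "192.168.100.7", 5353),   # zeroconf from the LAN
]

if __name__ == "__main__":
    for name, chain in [("deny-by-default", DENY_BY_DEFAULT),
                        ("hardened-allow", HARDENED_ALLOW),
                        ("misordered", MISORDERED)]:
        print(name, "shadowed rule indexes:", chain.shadowed())
        for pkt in SAMPLES:
            print("  ", pkt, "->", chain.decide(pkt))
```

The shadowed() check is the part a practitioner will want after building a long chain: a rule that an earlier, broader rule already covers is a sign the order is wrong, and in a GUI where rules are appended as they are added, that is the easiest mistake to make.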

Incoming Listening Report

There may be times when it is necessary to view the traffic coming in. Why? In my case, I use Dropbox and Ubuntu One for file syncing between computers. My machine also shares printers with everyone on my network. So I need to be able to allow that traffic in. For that I can watch the Gufw Listening Report (see Figure 6) to see the specific traffic listed (by Protocol, Port, Address, and Application) and then adjust my incoming rules as needed.

Figure 6: The listening report updates in real time.

Configuring Gufw

Gufw does not offer a lot of configuration options. In fact, there is only a single Preferences window, offering the following four options:

  • Enable Listening Report.
  • Enable Gufw logging.
  • Enable ufw logging.
  • Logging level (low, medium, high, full).

By default, all options but the Listening Report will be checked. If necessary, the log file for Gufw can be viewed as well. This log file is located in /var/log/gufw_log.txt.

Final Thoughts

The Gufw firewall tool might well be the easiest firewall tool available for the Linux operating system that still offers a modicum of flexibility. Although Gufw isn't nearly as powerful or flexible as command-line iptables, it does a very good job of protecting Linux machines from unwanted traffic without requiring a great deal of time spent learning a complex firewall rule system.


Comments

  • brumman Said:

    Still too difficult for me as a complete Ubuntu beginner! I can understand zone alarm because it uses human language and identifies the actual programs trying to access your machine - even at the start it didn't require any extra abstruse knowledge - why can't we have something like that for Linux?

  • J. Mars Bonfire Said:

    Although I have used Linux for 4 years, I agree entirely with Brumann! In today's ultra-complex world, few individuals have the time or inclination to thoroughly understand the underpinnings of anything technological in their lives, as there is simply too much coming at us from too many directions. The vast majority of people are not just "lazy" as many Linux apologists claim in defence of Linux; they simply want to know the quickest and safest way to use any soft- or hardware device - from a computer application to a new lawnmower - as we all lack TIME, a commodity only the rich can buy. Who in hell really wants to sort through and understand the meaning of ssh or ftp, samba, port numbers, ip tables and addresses, or vnc? No one but the geeks. After reading 9 (IX, Nine) different instruction articles on setting up GUFW, I could not help but notice every one of them was nearly identical to Ubuntu's official explanation and had nearly identical styles of writing! Plagiarism is not equivalent to a deep understanding. Also, every single article on GUFW gave details that focused on the use of this app from the perspective of setting it up in boxes tied to a home or business network. Not one covered how to set it up if you just own a non-networked, run-of-the-mill, solitary box! This simply re-confirms to me (and many others) that Linux is still much too server-related in its design and use, and this is just another example of why curious and knowledgeable PC or Mac folks will EVER take Linux seriously as an OS. I have read hundreds of articles written by Linux users but noticed that 90% of those who go on to list the componentry of their boxes at the end of their blurb list anywhere from 1 to 5 Linux distros they are using...BUT... XP or 7 are nearly always amongst them.

    There are a variety of reasons for this, but I suspect that when time is of the essence, and the variety and volume of work to be produced is critical, folks tend to go back to what they understand best and what requires the least amount of support to achieve their goals. Every Linux user I know personally has relatively similar gripes about their Nix OS' as Brumman, and they continually hop distros looking for a Linux breakthrough in this regard.

  • newby Said:

    Agree absolutely. Without direct access to a Linux guru, I have found it next to impossible to progress my understanding by reading identical tech information, readmes and how-tos which either presuppose a deal of knowledge I do not have or indicate a greater ability on the part of the author to parrot data from other sources as opposed to clearly explaining how something works and how to configure it.

