October 1, 2008

Simplify system security with the Uncomplicated Firewall

Author: Michael Anckaert

The Uncomplicated Firewall (UFW) is a new tool from Ubuntu whose goal is to make configuration of the built-in Linux packet filter less complicated and more secure for novice users.

You must run UFW commands as root, so in Ubuntu, you must preface them with the sudo command. With UFW, enabling and disabling packet filtering is a simple matter of issuing the sudo ufw enable and sudo ufw disable commands. You set the default policy for filtering packets by running the sudo ufw default command and passing the allow or deny argument, depending on what you want to achieve. If you issue the sudo ufw default allow command, all incoming packets will be allowed by default, creating a very unsecure packet filter but giving you the broadest range of allowed services. The command sudo ufw default deny will block all incoming packets, requiring that you allow specific services to pass the packet filter.

Packet filters allow or deny certain services as specified by an administrator. Compared to iptables, the most common command used on Linux systems to configure packet filtering, the rules syntax used by UFW is extremely simple. You can use as much or as little information as you want to specify a filter rule. In the simplest case, you simply pass the protocol definition you want to allow or deny with syntax like this:

sudo ufw allow 80/tcp
sudo ufw deny 21/tcp

These examples allow TCP traffic on port 80, which is used by the HTTP protocol, and deny TCP traffic on port 21, used by the FTP protocol.

Non-sysadmins may argue that it's not very "uncomplicated" if you have to specify rules by their port numbers and protocol names. To make things even simpler, you can refer to services by their names instead:

sudo ufw deny smtp
sudo ufw allow ssh

The file /etc/services contains a list of services with their official port numbers as assigned by IANA, the organization responsible for naming and numbering Internet protocols.

More complex filtering

When it comes to packet filters, where something comes from is as import as what it is. Filtering packets on their source or destination address is one of biggest tasks of a packet filter. UFW gives you a powerful syntax to filter on source and destination addresses. After specifying the protocol in your rule, you can add additional options:

sudo ufw allow|deny [proto protocol] [from ADDRESS [port PORT[[ [to ADDRESS [port PORT[[
sudo ufw allow ssh from
sudo ufw allow smtp from to

Deleting a rule is as simple as specifying the original rule with the delete keyword in front of it. For example, to remove our previous rule that denied SSH traffic, enter:

sudo ufw delete allow ssh from

Most administrators find it useful to log what the packet filter is doing. Use the sudo ufw logging on|off command to enable or disable logging. With logging enabled, you can check the output of dmesg to see what UFW is doing to your packets.

No matter how good or easy your packet filter is, building a good chain of rules is never easy. There are plenty of goodsources on the Internet about building good packet filter rules.

The next version of Ubuntu, Intrepid Ibex, will make it even easier to allow certain programs to be allowed or denied access by using package integration, which will allow you to use UFW with an application's name instead of with the services it provides. This extra functionality will add a layer of abstraction that targets a specific program instead of a particular port/protocol definition, as in:

sudo ufw apache default allow

As you can see, the UFW tool makes it easy to work with the built-in Linux packet filter.


  • System Administration
  • Security
  • Networking