The Uncomplicated Firewall (UFW) is a new tool from Ubuntu whose goal is to make configuration of the built-in Linux packet filter less complicated and more secure for novice users.
You must run UFW commands as root, so in Ubuntu, you must preface them with the sudo command. With UFW, enabling and disabling packet filtering is a simple matter of issuing the
sudo ufw enable and
sudo ufw disable commands. You set the default policy for filtering packets by running the
sudo ufw default command and passing the
deny argument, depending on what you want to achieve. If you issue the
sudo ufw default allow command, all incoming packets will be allowed by default, creating a very unsecure packet filter but giving you the broadest range of allowed services. The command
sudo ufw default deny will block all incoming packets, requiring that you allow specific services to pass the packet filter.
Packet filters allow or deny certain services as specified by an administrator. Compared to iptables, the most common command used on Linux systems to configure packet filtering, the rules syntax used by UFW is extremely simple. You can use as much or as little information as you want to specify a filter rule. In the simplest case, you simply pass the protocol definition you want to allow or deny with syntax like this:
sudo ufw deny 21/tcp
These examples allow TCP traffic on port 80, which is used by the HTTP protocol, and deny TCP traffic on port 21, used by the FTP protocol.
Non-sysadmins may argue that it's not very "uncomplicated" if you have to specify rules by their port numbers and protocol names. To make things even simpler, you can refer to services by their names instead:
sudo ufw allow ssh
The file /etc/services contains a list of services with their official port numbers as assigned by IANA, the organization responsible for naming and numbering Internet protocols.
More complex filtering
When it comes to packet filters, where something comes from is as import as what it is. Filtering packets on their source or destination address is one of biggest tasks of a packet filter. UFW gives you a powerful syntax to filter on source and destination addresses. After specifying the protocol in your rule, you can add additional options:
sudo ufw allow ssh from 192.168.2.3
sudo ufw allow smtp from 192.168.2.7 to 192.168.2.9
Deleting a rule is as simple as specifying the original rule with the delete keyword in front of it. For example, to remove our previous rule that denied SSH traffic, enter:
Most administrators find it useful to log what the packet filter is doing. Use the
sudo ufw logging on|off command to enable or disable logging. With logging enabled, you can check the output of
dmesg to see what UFW is doing to your packets.
The next version of Ubuntu, Intrepid Ibex, will make it even easier to allow certain programs to be allowed or denied access by using package integration, which will allow you to use UFW with an application's name instead of with the services it provides. This extra functionality will add a layer of abstraction that targets a specific program instead of a particular port/protocol definition, as in:
As you can see, the UFW tool makes it easy to work with the built-in Linux packet filter.