Security is paramount, and one of the first lines of defense for any system, whether it’s a desktop or a server, is a properly configured firewall.
Ubuntu comes with a powerful, yet surprisingly easy-to-use firewall called the Uncomplicated Firewall (UFW). And for those who prefer a graphical interface, there’s GUFW, a user-friendly front-end for UFW.
This guide, based directly on Chapter 16 of “Ubuntu 20.04 Essentials,” will walk you through everything you need to know to get started with GUFW and UFW, from basic concepts to advanced rule configuration. Let’s dive in!
1. Understanding GUFW and UFW: Your Firewall Toolkit
- UFW (Uncomplicated Firewall): This is the command-line tool for managing the firewall. It provides a simplified way to create and manage iptables rules (iptables is the underlying, more complex, firewall technology in Linux). UFW is designed to be, well, uncomplicated.
- GUFW (Graphical Uncomplicated Firewall): This is a graphical user interface (GUI) for UFW. It provides a point-and-click way to manage your firewall rules, making it ideal for those who prefer a visual approach.
Why use UFW and GUFW?
- Ease of Use: They’re much simpler to learn and use than direct iptables commands.
- Default on Ubuntu: UFW is installed by default on most Ubuntu systems.
- Sufficient for Most Needs: For many common firewall scenarios, UFW and GUFW provide all the necessary functionality.
- Good Security Practices: They encourage a “default deny” approach, which is a security best practice.
2. Installing GUFW: Getting the Graphical Interface
While UFW is usually installed by default, GUFW (the graphical interface) often isn’t. Here’s how to install it:
- Open a terminal: Press Ctrl+Alt+T.
- Run the installation command:
sudo apt install gufw
You’ll be prompted for your password. apt will download and install GUFW and any necessary dependencies.
3. Launching and Enabling GUFW: Your First Steps
- Launch GUFW:
- Press Alt+F2 to open the “Run a command” dialog.
- Type gufw and press Enter.
- Alternatively, you can find it in your applications menu (usually under “Administration” or “System Tools”).
- Enable the firewall: When you first launch GUFW, the firewall will likely be disabled. You’ll see a “Status” switch. Click it to turn the firewall on. The GUI has:
- Status: A switch to enable or disable the firewall.
- Profiles: Pre-configured sets of rules (Home, Office, Public).
- Incoming: Default policy for incoming connections (Deny, Allow, Reject).
- Outgoing: Default policy for outgoing connections (Allow, Deny, Reject).
- Rules, Report and Log buttons: The buttons that allow you to switch between the main sections of the interface.
4. Creating Profiles: Tailoring Your Firewall to Different Environments
GUFW comes with pre-defined profiles (Home, Office, Public) that provide different default settings. You can also create your own custom profiles.
- Home: Typically configured to deny incoming connections and allow outgoing connections. This is a good starting point for a home network.
- Office: Similar to Home, but might have additional rules specific to an office environment.
- Public: The most restrictive profile, designed for use on public Wi-Fi networks.
To create a new profile:
- In GUFW, go to Edit > Preferences.
- Click the + button at the bottom of the Profiles list.
- Give your profile a descriptive name.
- Click Close.
- Select your new profile from the “Profile” dropdown menu in the main GUFW window.
5. Adding Preconfigured Firewall Rules: The Easy Way
GUFW makes it easy to allow or block traffic for common applications and services. These are called “preconfigured” rules.
- Click the Rules button in the main window.
- Click the + button at the bottom of the rules list.
- In the “Add a Firewall Rule” dialog, select the Preconfigured tab.
- Policy:
- Allow: Permits the traffic.
- Deny: Blocks the traffic silently (the requesting system doesn’t get a notification).
- Reject: Blocks the traffic and sends a notification to the requesting system.
- Limit: Deny network connections if an IP address attempts to initiate 6 or more connections in the last 30 seconds.
- Direction: Choose In (incoming), Out (outgoing), or Both.
- Category: (Optional) Filter the list of applications/services.
- Subcategory: (Optional) Further filter the list.
- Application: Select the application or service you want to configure.
- Click Add.
Example: To allow incoming SSH connections (which are essential for remote administration):
- Go to the Preconfigured tab.
- Select SSH from the Application dropdown.
- Set Policy to Allow.
- Set Direction to In.
- Click Add.
6. Adding Simple Firewall Rules: Port-Based Control
“Simple” rules allow you to allow or block traffic based on port numbers, without needing to select a specific application.
- In the “Add a Firewall Rule” dialog, select the Simple tab.
- Name: (Optional) Give your rule a descriptive name.
- Policy: Choose Allow, Deny, Reject, or Limit.
- Direction: Choose In, Out, or Both.
- Protocol: Select TCP, UDP, or Both.
- Port: Enter the port number or a port range (e.g., 80, 20:21, 5900:5910). You can also use service names here (e.g., http, https, smtp).
Example: To allow incoming web traffic on port 80 (HTTP):
- Go to the Simple tab.
- Set Policy to Allow.
- Set Direction to In.
- Set Protocol to TCP.
- Set Port to 80.
- Click Add.
7. Adding Advanced Firewall Rules: Fine-Grained Control
“Advanced” rules give you the most control, allowing you to specify source and destination IP addresses, ports, and interfaces.
- In the “Add a Firewall Rule” dialog, select the Advanced tab.
- Name: (Optional) Give your rule a descriptive name.
- Policy: Choose Allow, Deny, Reject, or Limit.
- Direction: Choose In, Out, or Both.
- Interface: (Optional) Specify the network interface (e.g., eth0, wlan0). Leave blank to apply to all interfaces.
- Log: Select logging options.
- Protocol: Select TCP, UDP, or Both.
- From:
- IP Address: Enter the source IP address or a range of addresses (e.g., 192.168.1.10, 192.168.1.0/24).
- Port: (Optional) Enter the source port number or range.
- To:
- IP Address: (Optional) Enter the destination IP address or range. If you’re configuring a rule for incoming traffic to your local system, you can often leave this blank.
- Port: Enter the destination port number or range.
Example: To allow incoming SSH connections (port 22) only from the IP address 192.168.1.100:
- Go to the Advanced tab.
- Set Policy to Allow.
- Set Direction to In.
- Set Protocol to TCP.
- Set From: IP Address to 192.168.1.100.
- Set To: Port to 22.
- Click Add.
Example (Range of IP addresses): To allow incoming connections from any IP address in the 192.168.1.0/24 subnet:
- Set From: IP Address to 192.168.1.0/24.
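To see how the Advanced-tab fields map onto the ufw command line, here is an added shell example (not from the book or the ufw project) that assembles the command for rules like the two above; the argument order and the "-" placeholder for a blank GUI field are this example's own convention.

```shell
#!/bin/sh
# Build the ufw command line for one GUFW "Advanced" rule.
# Fields: POLICY DIRECTION INTERFACE PROTO FROM_ADDR TO_PORT LOG
# Pass "-" for a field left blank in the GUI (LOG is "log" or "-").
# The command is printed, not executed; run it with sudo once reviewed.
ufw_rule() {
    policy=$1 direction=$2 iface=$3 proto=$4 from=$5 to_port=$6 log=$7
    case $policy in
        allow|deny|reject|limit) ;;
        *) echo "bad policy: $policy" >&2; return 1 ;;
    esac
    # ufw has no "Both" keyword: the GUI's Both is two rules, one per direction.
    case $direction in
        in|out) emit_rule "$direction" ;;
        both) emit_rule in && emit_rule out ;;
        *) echo "bad direction: $direction" >&2; return 1 ;;
    esac
}

# Assemble the keywords in the order ufw's grammar expects:
# POLICY DIRECTION [on IFACE] [log] [proto P] [from ADDR] to any port N
emit_rule() {
    cmd="ufw $policy $1"
    # An interface is only accepted after an explicit in/out, which is why
    # the rule must carry a direction before "on $iface" can be added.
    [ "$iface" = "-" ] || cmd="$cmd on $iface"
    [ "$log" = "-" ] || cmd="$cmd log"
    [ "$proto" = "-" ] || cmd="$cmd proto $proto"
    [ "$from" = "-" ] || cmd="$cmd from $from"
    cmd="$cmd to any port $to_port"
    printf '%s\n' "$cmd"
}

# The advanced example from this section: SSH from one host only.
ufw_rule allow in - tcp 192.168.1.100 22 -
```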
8. Configuring the Firewall from the Command Line using UFW
Everything you can do with GUFW can also be done from the command line using UFW. This is useful for scripting, remote administration (via SSH), and situations where you don’t have a graphical environment.
- Enable the firewall:
sudo ufw enable
- Disable the firewall:
sudo ufw disable
- Check firewall status:
sudo ufw status
Or, for more detailed information:
sudo ufw status verbose
- Set default policies:
sudo ufw default deny incoming
sudo ufw default allow outgoing
- Allow a service (preconfigured rule):
sudo ufw allow ssh # Allow incoming SSH connections
- Allow a port:
sudo ufw allow 80/tcp # Allow incoming TCP connections on port 80
- Allow from a specific IP address:
sudo ufw allow from 192.168.1.100 # Allow all traffic from this IP
sudo ufw allow from 192.168.1.100 to any port 22 # Allow SSH from this IP
- Deny a port:
sudo ufw deny 80/tcp
- Delete a Rule:
sudo ufw status numbered # to check number
sudo ufw delete 3 # example
- Enable Logging:
sudo ufw logging on
- Disable Logging:
sudo ufw logging off
- Reload UFW:
sudo ufw reload
- Reset to default:
sudo ufw reset
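Deleting rules by number from a script needs one caveat the list above does not show: ufw renumbers the remaining rules after each `ufw delete N`, so several deletions must run from the highest number down. This added shell example (not from the book or the ufw project) parses a constructed `ufw status numbered` sample and emits the deletions in that order; `delete_matching_rules` does the same against the live firewall.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered` output (not from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.100
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     DENY IN     Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# rule_numbers STATUS_TEXT PATTERN
# Print the numbers of the rules whose line matches PATTERN (an extended
# regex), highest first. ufw renumbers the remaining rules after every
# `ufw delete N`, so deleting from the highest number down keeps each
# later number pointing at the rule it was read from.
rule_numbers() {
    printf '%s\n' "$1" | grep -E "$2" |
        sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' | sort -rn
}

# delete_commands STATUS_TEXT PATTERN
# Emit the delete lines in safe order without running anything, so the
# list can be reviewed before it touches the live rule set.
delete_commands() {
    rule_numbers "$1" "$2" | while read -r n; do
        printf 'sudo ufw --force delete %s\n' "$n"
    done
}

# delete_matching_rules PATTERN
# Same thing against the live firewall. `ufw delete N` asks for
# confirmation per rule; --force answers it so the loop can run unattended.
# Keep PATTERN tight (e.g. '^\[ *[0-9]+\] 80/tcp ') so the admin SSH rule
# is never swept up by accident and you stay connected.
delete_matching_rules() {
    status=$(sudo ufw status numbered)
    rule_numbers "$status" "$1" | while read -r n; do
        sudo ufw --force delete "$n"
    done
}

delete_commands "$SAMPLE_STATUS" '80/tcp'
```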
9. Summary: Your Firewall Foundation
GUFW and UFW provide a user-friendly way to manage your Ubuntu system’s firewall. They allow you to:
- Control incoming and outgoing network traffic.
- Create rules based on applications, services, ports, and IP addresses.
- Use pre-configured profiles or create your own.
- Manage the firewall from the command line or a graphical interface.
By mastering these tools, you’ll significantly enhance the security of your Ubuntu system.
FAQ
- Q: What’s the difference between deny and reject?
A: deny silently drops the connection. The requesting system doesn’t get any notification. reject drops the connection and sends a notification back to the requesting system. deny is generally preferred for security (it gives less information to potential attackers).
- Q: How can I see a list of all my firewall rules?
A: In GUFW, click the Rules button. From the command line, use sudo ufw status (or sudo ufw status verbose for more detail).
- Q: Can I use UFW and GUFW together?
A: Yes! GUFW is simply a graphical front-end for UFW. Any changes you make in GUFW are immediately reflected in UFW, and vice-versa.
- Q: I made a mistake and locked myself out of my system! How do I fix it?
A: If you can still access the system locally (i.e., you have physical access to the keyboard and monitor), you can log in and use UFW to adjust your rules. If you’re locked out remotely, you might need to use your cloud provider’s console access (if available) or contact your hosting provider for assistance. This is a good reason to be very careful when configuring firewall rules!
- Q: Does UFW protect against all types of attacks?
A: No. A firewall is just one part of a comprehensive security strategy. It primarily protects against unauthorized network access. It doesn’t protect against things like malware, phishing attacks, or vulnerabilities in your applications.
- Q: How can I see which ports are listening on my system?
A: Use netstat, ss, or lsof. For example:
sudo netstat -tulnp # Shows listening TCP and UDP ports
sudo ss -tulnp # Modern replacement for netstat
- Q: I need more advanced firewall features. What should I use?
A: If UFW is too limiting, you can explore firewalld (another, more complex firewall management tool) or learn iptables directly. Iptables gives you the ultimate level of control, but it has a steeper learning curve and is typically needed for complex networking scenarios or enterprise environments.
- Q: How can I allow/deny a range of IP addresses?
A: You can use CIDR notation (e.g., 192.168.1.0/24) to specify a subnet.
- Q: Is there a way to automatically log firewall events?
A: Yes, UFW logging is controlled by the ufw logging on command. The log files are typically located in /var/log/ufw.log.