Install and configure UFW (Firewall)

To provide some protection against threats originating from the internet you should configure your system with a host-based firewall to control incoming connections, and only open the ports you need. Linux firewalls are typically configured using ‘iptables’, which is well known for being difficult and complicated to configure properly.

First released on Ubuntu 8.04, ‘UFW’ was designed to be easy to use, with a command line interface and a small number of simple commands that make configuring the firewall rules relatively straightforward – providing you know which ports are used by which applications.

Note – In general you will not need to configure your system to allow OUTGOING connections, and you can usually block all incoming connections unless you are sharing information with other computers, sharing a printer, or hosting a multiplayer game.

Installing UFW

To install the ufw package:

# apt-get install ufw
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ufw
0 upgraded, 1 newly installed, 0 to remove and 45 not upgraded.
Need to get 116 kB of archives.
After this operation, 672 kB of additional disk space will be used.
Get:1 http://ftp.uk.debian.org/debian/ squeeze/main ufw all 0.29.3-1 [116 kB]
Fetched 116 kB in 0s (314 kB/s)
Preconfiguring packages ...
Selecting previously deselected package ufw.
(Reading database ... 14980 files and directories currently installed.)
Unpacking ufw (from .../archives/ufw_0.29.3-1_all.deb) ...
Processing triggers for man-db ...
Setting up ufw (0.29.3-1) ...
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
Processing triggers for python-central ...

  :
  :
  :

Setting up mate-media-gstreamer (1.8.0+dfsg1-1~bpo70+1) ... 
#

Note – If you are still using Debian ‘Lenny’ you will find that it is too old for ‘ufw’ to have been included in the official Debian repositories; however, you can install the ufw package from the Ubuntu ‘Gutsy Gibbon’ release on Debian ‘Lenny’. Since this is a very old version it does not allow a range of ports to be specified in a single rule, and you will have to reboot your system for any changes to take effect, but it does appear to work!

Configuring UFW

You should only open up the incoming ports you need, so we will start by setting the default policy for all incoming connections to deny access, then add additional rules to allow access to certain ports and protocols.

# ufw default deny incoming
Default incoming policy changed to 'deny'
#

If you enabled the firewall at this point all incoming connections would be rejected, so you should add any additional rules before enabling the firewall.

Secure Shell (SSH)

If you want to be able to access your system remotely then you should be using SSH to connect securely, and since you can use it to copy files as well as login remotely this may be the only protocol you will ever need.

To enable SSH connections from remote machines you simply need to allow incoming connections to port 22, though it is a good idea to also restrict any incoming connections to those that originate from your local subnet (network).

# ufw allow from nnn.nnn.nnn.0/24 to any port 22 proto tcp

Assuming you are using a class C subnet (/24), nnn.nnn.nnn are the first three octets of your network address. If you really want to allow incoming connections from ANY machine you can omit the subnet.

# ufw allow from any to any port 22 proto tcp


HyperText Transfer Protocol (HTTP)

If you are hosting any web pages on your system using ‘lighttpd’ or ‘apache’ then you will need to allow incoming connections to port 80, and port 443 if you are using HTTPS.

# ufw allow from nnn.nnn.nnn.0/24 to any port 80 proto tcp
# ufw allow from nnn.nnn.nnn.0/24 to any port 443 proto tcp


File Transfer Protocol (FTP)

Enabling incoming connections to an FTP server is equally straightforward – however you will have to configure any ftp clients to use ‘passive’ FTP (which causes them to connect using just port 21).

# ufw allow from nnn.nnn.nnn.0/24 to any port 21 proto tcp


Samba

Samba allows Windows clients to connect to shares on a Linux server, using the NetBIOS name service, datagram service, session service, and server message block – each of these uses a different port.

# ufw allow from nnn.nnn.nnn.0/24 to any port 137 proto udp
# ufw allow from nnn.nnn.nnn.0/24 to any port 138 proto udp
# ufw allow from nnn.nnn.nnn.0/24 to any port 139 proto tcp
# ufw allow from nnn.nnn.nnn.0/24 to any port 445 proto tcp


Network File System (NFS)

Configuring UFW to allow incoming connections using NFS necessitates configuring NFS to use fixed port numbers for the port mapper and NFS server.

# vi /etc/default/nfs-common

# Options for rpc.statd.
STATDOPTS="-p 32765 -o 32766"

# vi /etc/default/nfs-kernel-server

# Options for rpc.mountd.
RPCMOUNTDOPTS="--manage-gids -p 32767"

Note – You need to enclose the options in quotes as shown above and restart the NFS server for the changes to take effect.

# /etc/init.d/nfs-kernel-server restart
Stopping NFS kernel daemon: mountd nfsd.
Unexporting directories for NFS kernel daemon....
Exporting directories for NFS kernel daemon....
Starting NFS kernel daemon: nfsd mountd.
#

Having configured NFS as above you will need to use the following commands to enable inbound connections from the local subnet using UFW.

# ufw allow from nnn.nnn.nnn.0/24 to any port 111 proto tcp
# ufw allow from nnn.nnn.nnn.0/24 to any port 111 proto udp
# ufw allow from nnn.nnn.nnn.0/24 to any port 2049 proto tcp
# ufw allow from nnn.nnn.nnn.0/24 to any port 32765:32767 proto tcp
# ufw allow from nnn.nnn.nnn.0/24 to any port 32765:32767 proto udp


X Windows Display Manager (XDMCP)

If you have configured your X Windows display manager to accept incoming connections using XDMCP, to provide remote access to the desktop using X Windows, you will need to allow connections to the following ports.

# ufw allow from nnn.nnn.nnn.0/24 to any port 177 proto tcp
# ufw allow from nnn.nnn.nnn.0/24 to any port 177 proto udp
# ufw allow from nnn.nnn.nnn.0/24 to any port 6000:6005 proto tcp
# ufw allow from nnn.nnn.nnn.0/24 to any port 7100 proto tcp

Because XDMCP is not secure you should really use VNC instead (unless you want to connect to an older system that doesn’t support VNC).

Virtual Network Computing (VNC)

If you want to be able to access the desktop on another system remotely using VNC you will need to allow incoming connections to the following port on that system.

# ufw allow from nnn.nnn.nnn.0/24 to any port 5900 proto tcp


Enabling the firewall

Once you have configured the firewall rules you will need to enable UFW for them to take effect.

# ufw enable
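The steps above (deny-by-default, one allow rule per service and port, then enable) can be collected into a single script so the same rule set is applied identically on every host. This is an added example, not part of the original post; the service names, the SUBNET variable and the --apply flag are assumptions of the example, and the port list is the one given in the sections above.

```shell
#!/bin/sh
# Generate (and optionally apply) the UFW rule set from the sections above.
# Added example: SUBNET, the service names and --apply are this script's own conventions.

# Ports for each service: "proto port" per line; ranges use a:b as ufw expects.
service_ports() {
    case "$1" in
        ssh)   echo "tcp 22" ;;
        http)  echo "tcp 80"; echo "tcp 443" ;;
        ftp)   echo "tcp 21" ;;
        samba) echo "udp 137"; echo "udp 138"; echo "tcp 139"; echo "tcp 445" ;;
        nfs)   echo "tcp 111"; echo "udp 111"; echo "tcp 2049"
               echo "tcp 32765:32767"; echo "udp 32765:32767" ;;
        vnc)   echo "tcp 5900" ;;
        *)     return 1 ;;
    esac
}

# Print one "ufw allow" command per port for the given subnet and services.
# Nothing is executed here, so the output can be reviewed before applying it.
ufw_rules() {
    subnet=$1; shift
    for svc in "$@"; do
        service_ports "$svc" >/dev/null || { echo "unknown service: $svc" >&2; return 1; }
        service_ports "$svc" | while read -r proto port; do
            printf 'ufw allow from %s to any port %s proto %s\n' "$subnet" "$port" "$proto"
        done
    done
}

# Apply the full procedure as root: default deny, the allow rules, then enable.
# --force skips ufw's interactive "may disrupt existing ssh connections" prompt.
apply_rules() {
    ufw default deny incoming
    ufw_rules "$@" | sh -e
    ufw --force enable
    ufw status verbose
}

SUBNET=${SUBNET:-192.168.1.0/24}   # constructed example subnet; override via the environment
if [ "$1" = "--apply" ]; then
    apply_rules "$SUBNET" ssh http samba
else
    ufw_rules "$SUBNET" ssh http samba   # dry run: just show the commands
fi
```

Run it without arguments first to read the generated commands, and only then with --apply on the host being configured; keep the ssh rule in the list, since enabling the firewall with a deny-by-default policy and no ssh rule locks out a remote session.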

This entry was posted in Debian, Linux, Networking, Raspbian.