Linux Hack of the Week #20: Uncomplicating Firewalls For the Rest of Us
Who doesn’t love firewalls? Firewalls give us that warm fuzzy feeling of keeping nasty traffic out of our squeaky clean computers. However, it turns out that firewalls are not always that easy to configure.
The primary firewall for Linux is called iptables. Iptables is configured with techno-black magic rules that specify your zone, your port, your interface, and all the details that you sometimes don’t care too much about.
Luckily, iptables has a plethora of different front ends that simplify configuration for input, output, forwarding, NATing (insert your favorite firewall phrase here). In this article, we will cover one such tool called UFW.
The name UFW stands for Uncomplicated FireWall. On modern versions of Ubuntu, UFW is installed by default. You can also easily install it with one command:
Once UFW is installed, enable it with sudo ufw enable.
Note: Do not enable UFW over an SSH connection before allowing SSH. Because the default policy denies incoming traffic, doing so will unexpectedly drop your session and lock you out. Add the ssh rule beforehand (see Configuring Rules for UFW).
Once enabled, you can check the UFW status with sudo ufw status verbose.
Having a set of sane defaults is a good step for securing a machine from unwanted traffic. By default, UFW denies all incoming traffic and allows all outgoing traffic.
Configuring Rules for UFW
UFW has a wide variety of ways to configure rules for all sorts of network configurations. One of the more common use cases is allowing traffic for trusted applications.
A service that is ubiquitous for remote administration is SSH. Allow it by running the following:
Verify your rules list:
Notice that the status lists port 22, which is the port SSH uses by default.
You can ask UFW to list the currently allowed apps:
To disallow an app, use the deny keyword. Let’s say you are running a web server and you do NOT want to allow HTTP traffic (HTTPS only). You can disallow HTTP traffic this way:
Allowing/Disallowing Traffic Over Specific Ports
Let’s say you have a different security policy and SSH is listening on port 2222. You can enable it like this:
Notice that the allow command specified tcp. You can specify either tcp or udp when defining rules.
Just as with denying apps, you run a similar command to deny ports. Telnet is an old, outdated tool for running remote commands against servers. To disallow telnet traffic (port 23), run the following:
Deleting a rule
Going back to the HTTP example, suppose your server now redirects HTTP to HTTPS. You can remove the deny rule from earlier by doing:
Note: Deleting the deny rule does not allow HTTP by itself. You must allow it explicitly (see the SSH example above).
The same syntax deletes a port rule (using port 2222 from earlier):
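As an added example (not code from the original article or from the UFW project), here is a small POSIX shell pre-flight script that covers two points made above: the warning about enabling UFW over SSH before an ssh rule exists, and keeping the rule set in line with the allow/deny policy described in this section. It works on the text of sudo ufw show added (which lists added rules even while UFW is still inactive, when ufw status shows nothing) or sudo ufw status, refuses to enable unless a rule admits the port sshd listens on, and prints only the ufw allow/deny commands still missing. The sample status text, the sshd_config excerpts and the desired-rule list are constructed; ufw show added and sshd -T are real commands, but they are only invoked in the live mode.

```sh
#!/bin/sh
# Added example, not from the article: a pre-flight check for `ufw enable`
# and a drift check of the rule set against a small desired-rule policy.
# Rule text is passed in as a string so the logic can run offline; on a real
# host feed it `sudo ufw show added` (lists rules even while UFW is inactive)
# or `sudo ufw status`. Only the simple "ufw <action> <target>" form of
# `show added` output is understood.

# Constructed sample inputs (not captured from a real host).
SAMPLE_SSHD_DEFAULT='# sshd_config excerpt
#Port 22
PermitRootLogin no'

SAMPLE_SSHD_2222='Port 2222
PermitRootLogin no'

SAMPLE_STATUS_OK='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     DENY IN     Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

SAMPLE_ADDED_NONE="Added user rules (see 'ufw status' for running firewall):
ufw deny 80/tcp"

# Constructed policy: SSH moved to 2222, telnet and plain HTTP refused.
DESIRED_RULES='allow 2222/tcp
deny 23
deny 80/tcp'

# ssh_port_from_config CONFIG_TEXT: print the port sshd listens on (default 22).
# Uses the last uncommented Port line; `sudo sshd -T` output (lowercase keys,
# Include files resolved) is the most reliable input on a real host.
ssh_port_from_config() {
    p=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { p = $2 } END { print p }')
    printf '%s\n' "${p:-22}"
}

# rule_present RULE_TEXT TARGET ACTION: succeed if an inbound rule for TARGET
# (e.g. 22/tcp, 23, OpenSSH) with ACTION (ALLOW, DENY, LIMIT) is listed.
# Handles `ufw status` lines ("22/tcp  ALLOW IN  Anywhere") and `ufw show added`
# lines ("ufw allow 22/tcp"); "(v6)" duplicates and OUT rules are skipped.
rule_present() {
    printf '%s\n' "$1" | awk -v target="$2" -v action="$3" '
        $1 == "ufw" && NF == 3 && $3 == target && toupper($2) == action { found = 1 }
        $1 == target && $2 == action && $3 != "OUT"                     { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ssh_rule_present RULE_TEXT PORT: succeed if SSH on PORT is admitted (ALLOW or LIMIT).
ssh_rule_present() {
    for target in "$2/tcp" "$2"; do
        for action in ALLOW LIMIT; do
            rule_present "$1" "$target" "$action" && return 0
        done
    done
    # The OpenSSH application profile only covers the default port.
    [ "$2" = 22 ] && rule_present "$1" OpenSSH ALLOW && return 0
    return 1
}

# safe_enable RULE_TEXT CONFIG_TEXT: 0 when `ufw enable` will not lock out SSH.
safe_enable() {
    port=$(ssh_port_from_config "$2")
    if ssh_rule_present "$1" "$port"; then
        printf 'ok: inbound rule for %s/tcp present, safe to run: sudo ufw enable\n' "$port"
    else
        printf 'refusing: no rule admits %s/tcp; first run: sudo ufw allow %s/tcp\n' "$port" "$port" >&2
        return 1
    fi
}

# missing_rules RULE_TEXT: print the ufw commands needed to reach DESIRED_RULES.
missing_rules() {
    printf '%s\n' "$DESIRED_RULES" | while read -r action target; do
        [ -n "$target" ] || continue
        rule_present "$1" "$target" "$(printf '%s' "$action" | tr 'a-z' 'A-Z')" \
            || printf 'sudo ufw %s %s\n' "$action" "$target"
    done
}

case "${1:-}" in
    demo)
        safe_enable "$SAMPLE_STATUS_OK" "$SAMPLE_SSHD_DEFAULT"
        safe_enable "$SAMPLE_ADDED_NONE" "$SAMPLE_SSHD_2222" || true
        missing_rules "$SAMPLE_STATUS_OK" ;;
    live)
        # Real host: needs root for ufw and for sshd -T.
        rules=$(sudo ufw show added)
        config=$(sudo sshd -T 2>/dev/null || cat /etc/ssh/sshd_config)
        safe_enable "$rules" "$config" && sudo ufw enable
        missing_rules "$(sudo ufw status)" ;;
esac
```

Run it with demo to see the check pass against the sample status and refuse against the added-rules sample where SSH has moved to 2222 but no rule admits it; live performs the same checks on the current host and only runs sudo ufw enable when the guard passes. Adjust DESIRED_RULES to your own policy; the drift check prints exactly the allow/deny commands from this section that still need to be run.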
Firewalls on Linux are not always easy to configure. Having a firewall with a solid configuration can help protect a machine from a wide variety of malicious traffic.