Build a secure desktop firewall with ufw – part I

Part one – Build a basic firewall

I’ve recently been using Debian again, and noticed that after configuring a mixed system, Firestarter (a GUI based firewall utility) fails to start. This is not a problem as it gave me the opportunity or excuse to look at a terminal set-up (which is optimal) for desktop use. After all, sometimes X11 fails after an install or an upgrade –which demonstrates the necessity of a terminal orientated firewall.

I eventually came across ufw –which also has a GUI front end (Gufw), but GUI is not the subject of this article. The problem is, exhaustive walk-through documentation to configure a ufw firewall is lacking –even in way of the man page or the official Ubuntu wiki –with bits and pieces fragmented all over the net (a common BSD critique of Gnu-Linux software documentation, but at least documentation is not overwhelming as with BSD’s). Thus, this article –which amounts to a relatively short manual in of itself, which largely is the result of trial and error, and is intended to be a “hold your hand”/illustrative guide to building a prohibitive desktop firewall.

To sum ufw up in a few sentences, it’s a command line type firewall with syntax based on OpenBSD’s PF –only it works with iptables. It’s a Ubuntu project, that has made it into the Debian repositories. Ufw is under active development and its capabilities are rapidly changing. For the record, the version I use herein is 0.29-5. To find your installed version, cast the following.
# ufw version

List desktop communication programs

At of the time of writing, ufw is available on Debian testing. I can’t suggest Debian testing (as base) as it’s too unstable at this point in time –in my estimation. [It’s now been released as Debian 6 stable, otherwise known as squeeze.] As hinted at earlier, programs from both testing and unstable can be installed simultaneously onto stable (Lenny) –some work extremely well– if Debian stable is configured to do so (creating a mixed Debian system) –but this is a topic for another article and one that might come to fruition, time permitting.

This article presents two rule sets, the first (part one of this article) is simple –dealing with FTP, HTTP, HTTPS, and EMail with IMAP and SMTP– and the second (part two) is more complete –covering rule deletion (and creation), and server port destination (effectively, blocking unauthorized outgoing connections). The earlier is meant as a didactic exercise to explain the latter –although the first is a good base in of itself. It’s not suggested unless a minimal, quick and easy set-up is desired. (Feel free to skip past the rule deletion of the first rule set and go directly onto the second –once both are published). The third –last and final part, written in first person– gives a quick skim of the advanced rule set (suggested in part two). It introduces how to: allow and block IP addresses, enable/disable free access of ports per app, enable/disable firewall logging, editing of ufw files, and ends with a few caveats such as with pinging.

Administration of ufw is entirely done as root in this article. Use sudo if preferred. As of ufw version 0.31.1-1 (on Ubuntu 12.04 LTS, at least), ufw refuses to start up again (after being shut down from sudo) unless invoked from root. Ubuntu users: “sudo su” should get you into root.

The article assumes that the reader is familiarized with terms such as firewall, port, and is comfortable issuing terminal commands.

Write down desktop communication programs

First of all, identify and jot down communications applications that need to connect to the net. All have corresponding ports that must be open for the desired program to connect. In addition to the port numbers, find out the protocol for each port (in each program) –if they are tcp or udp type ports (see URL links below for listings). Most are either one or the other. Some are non-defined –meaning they use both. A typical list might look somewhat like the following.

  • Web surfing: http=80/tcp, https=443/tcp
  • FTP: 20 or 21/tcp
  • IRC: check the IRC program but probably 6667/tcp (but not necessary, see IM section below)
  • DNS (53/udp) will be covered later one in the second firewall example (in part two)

If an IMAP based mail program is used:

  • IMAP4=143/tcp (official, IM-retrieves EMail), 993/tcp (over encrypted ssl, official)

Or if POP is used:

  • POP EMail: 109/tcp (POP2), 110/tcp (POP3), 995/tcp (POP3 over SSL) –all official

SMTP EMail (needed regardless of is POP or IMAP is being used): officially 25/tcp and 587/tcp, unofficially 465/tcp

If no EMail client –such as Thunderbird– is used and/or EMail service via a web interface is used –as with GMail via a browser as with most university EMail services– don’t worry about opening EMail ports. Otherwise, the SMTP and either IMAP or POP ports are needed. For instance (from the Google page on how to configure Thunderbird for IMAP GMail), GMail uses port 993 (SSL) for SMTP and 587 for SMTP. Google doesn’t tell us, but any good listing of ports will identify 993 and 587 as both tcp.

Example 1 – A simple firewall

Let’s get started.

# aptitude install ufw
# ufw enable

Rule set creation

Configure a somewhat prohibitive default. Do not allow traffic initiated from outside your network –but for connections initiated inside (supposedly by you).

# ufw default deny

Add a few rules to enable desktop needs (see previous list as reference)

For FTP, use the following command from root.

# ufw allow 21/tcp

For HTTP …

# ufw allow 80/tcp

For HTTPS …

# ufw allow 443/tcp

EMail SMTP

# ufw allow 993/tcp

and EMail IMAP

# ufw allow 587/tcp

Alternatively, all ports can be written in one pass (“/tcp” in this case, but “/udp” should have its’own line –if it were called for).
ie.,

# ufw allow 21,80,443,587,993/tcp

Note: Don’t leave a space between commas and port numbers. Note: When issuing multiple ports per rule, make sure you don’t mistakenly use a “.” instead of a “,” between ports, or you’ll get an “ERROR: Port ranges must be numeric” error.

Instant messenger (IM) programs (including IRC)

Instant messenger ports need not be reserved as IM clients will get though this firewall –although less dependable than when pertinent ports are open. The next part in this three part series deals with reserving IM ports as the more strict nature of the next rule set will necessitate this.

Restart ufw

After rule set adjustments, do the following.

# ufw disable && ufw enable

Firewall persistence

To enable firewall automatically on reboot check the following.

# cat /etc/ufw/ufw.conf

should be set to …

#set to yes to start on boot
ENABLED=yes

rather than …

#set to yes to start on boot
ENABLED=no

On reboot, check to see if the ufw is running.

# ufw status

If all this seems too contorted to go through every time you install (if you have a habit of doing so on one or many work stations), an executable list can be made with your personal firewall configuration (commands). I’ll leave that to your discretion, but you could write a script not unlike the one below. Name it simpleFirewall.sh and execute it from a root shell as so …

sh simpleFirewall.sh

The script could contain the following.

#Simple firewall

ufw default deny

#FTP, HTTP, HTTPS, SMTP, IMAP

ufw allow 21,80,443,587,993/tcp

ufw disable && ufw enable

ufw status

cat /etc/ufw/ufw.conf

The last line notifies if ufw is enabled to start on boot-up.

The second part to this article, will cover how to create a more secure firewall than in part one. This will encompass rule deletion (as well as rule creation), reserving instant messenger ports (MSN, and GTalk/Jabber), blocking outgoing connections (in a more strict fashion than that accounted for in the first rule set), and blocking unauthorized inward communication (via port server destination).

by Maurice Cepeda

All rights reserved. All brands mentioned are properties of their respective owners. This article does not guarantee nor does it insinuate results of any sort –as it’s written under the WFM (Works For Me) premise, and for informational purposes. By reading this article, the reader forgoes any accountability of the writer. The reading and consequential use of this article implies acceptance of the stipulations mentioned herein.

Advertisements

5 thoughts on “Build a secure desktop firewall with ufw – part I

  1. Pingback: Build a secure desktop firewall with ufw-part II « Le Blog de Maurice

  2. “AcidMoon
    May 26th, 2010, 06:40 PM
    If your not a hardcore iptables fan take a look at: https://mauroandres.wordpress.com/?s=ufw.

    Bam! Well said! I hope you’re not unhappy with my post. The link about securing UFW is probably the best on the net :)”

    Seriously, thanks for the vote of confidence AcidMoon!! I tidied up part one and two of the series because of it. I haven’t posted part three, as it’s on a computer that died on me a few months ago. I do plan to get the computer up and running or at least salvage the hard drive. So, eventually part three will be posted.

    Sources
    http://ubuntuforums.org/showthread.php?t=1493587&page=2
    http://ubuntuforums.org/archive/index.php/t-1493587.html

  3. Pingback: Stine-Blog » All in one website from the ground up. A Virtual Debian How-to

  4. Now if only we could create rules for apps, too. Like ufw should open the 51234 tcp port when I start Transmission and close it when I close Transmission. Maybe I should read the part two? :) Thank you for a great article, Maurice!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s