Gufw / ufw - Firewall Configuration For A Usable Desktop

networking
security

#1

So I've finally committed to setting up the firewall on my various machines and while it wasn't painless, at least the Gufw graphical firewall program worked and I was able to set up a comprehensive set of rules.

I believe this set of rules can be useful for other users of the community so I've elected to post them here. This may well allow you to avoid some headaches because Gufw has the useful option to load rules from a file.

Here's the file in question: [ EDIT: SEE POST #2 ] save it to something.profile then load it from the Firewall application.

Obviously not all of my rules will suit you so I'm gonna explain what each of them do and you'll be able to use the graphical interface to remove those you don't like / use. The rules are not perfect (some might be useless) and I will welcome constructive criticism.

The default rules are set to "deny", which means any packet entering or leaving your machine, if not concerned by one of the rules below, will be silently dropped.

  • Rule 1: IRC (Freenode). Those are the ports (from 6667 to 6697) that are necessary to connect to the Freenode IRC network and join the official #ubuntu-mate chatroom.
  • Rule 2: DNS. Important if you want to be able to translate domain names to addresses. (This is pretty much mandatory if you want to browse the web.)
  • Rule 3: HTTP (80) and HTTPS (443). Same thing: it's hard to browse the web without making outbound connections using those protocols.
  • Rules 4+5: SSH. A protocol to securely connect to machines on a network. I access a number of GNU/Linux machines remotely using the SSH client on port 22. The two-way connection is necessary because I'm not always using the same machine to access other machines. If you're not the admin of more than one GNU/Linux machine you don't need this.
  • Rule 6: OpenVPN. I have a VPN running from my dedicated server, and it's by default listening on the UDP port 1194. If you don't use VPNs or if you use a different one (like Cisco VPNC) you don't need this.
  • Rule 7: NTP. Knowing the correct time can be useful.
  • Rules 8+9+10+11: E-mail. If you're using your web browser to access your email, you don't need to use the IMAP and SMTP protocols so you can snip those rules. If you're using POP the port will probably be different too.
  • Rules 12+13+14+15: DHCP. To be able to get an IP address in my LAN, and therefore access to the Internet.

  • The last rules (16+17+18+19) might be kind of weird to you. Those are actually not needed if you don't care what your kernel log file (/var/log/kern.log) looks like. The thing is I'm connected to a massive LAN (free WiFi access point for a residence / hotel where a lot of people live) that also happens to be massively hostile (loads of Windows machines around), and the activity on the LAN generates a lot of multicast traffic that ends up being logged to this file.

Lastly, and I'm afraid to say you can't correct that in the graphical interface, I've run into a problem while attempting to ping a machine on the network.

If you don't need to ping machines on networks you don't need to do the following:

sudo nano /etc/ufw/before.rules

Then input the following after the section "# ok icmp code for FORWARD":

# ok icmp code for OUTPUT
-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-output -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT

Then, save the file, exit the editor and run the command:

sudo service ufw restart

And you should be able to ping the net.
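Editing before.rules by hand works, but a second edit (after an upgrade, or on the next machine) easily leaves you with a duplicated block. The script below is an added example, not code from the post: it inserts the five ufw-before-output rules given above exactly once, immediately after the FORWARD block, and refuses to touch a file whose layout it does not recognise. It assumes the stock ufw before.rules layout, where the line "# ok icmp code for FORWARD" is followed by a contiguous group of rules and then a blank line; SAMPLE_BEFORE_RULES is a constructed, abbreviated stand-in for that file so the logic can be exercised without root. The reason ping fails with a deny-outgoing policy is that the echo-request never leaves; the reply comes back through ufw's existing RELATED,ESTABLISHED rule, so only the outbound side needs opening.

```python
"""Idempotently add the outbound ICMP rules from the post to a ufw before.rules file.

Added example, not part of the original post. It works on the file text so it can be
exercised on the constructed sample below; write_icmp_rules() applies it to a real path.
Assumption: the file has the stock ufw layout, where "# ok icmp code for FORWARD" is
followed by a contiguous block of rules and then a blank line.
"""
import shutil
import sys

FORWARD_MARKER = "# ok icmp code for FORWARD"
OUTPUT_MARKER = "# ok icmp code for OUTPUT"

# The five rules exactly as given in the post.
ICMP_OUTPUT_RULES = [
    "-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT",
    "-A ufw-before-output -p icmp --icmp-type source-quench -j ACCEPT",
    "-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT",
    "-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT",
    "-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT",
]

# Constructed, abbreviated stand-in for /etc/ufw/before.rules (same section layout).
SAMPLE_BEFORE_RULES = """\
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

COMMIT
"""


def add_icmp_output_rules(text: str) -> str:
    """Return text with the OUTPUT block inserted right after the FORWARD block.

    Running it on already-patched text returns the text unchanged, so a second
    run never duplicates rules. Raises ValueError when the FORWARD marker is
    missing, rather than guessing an insert point in an unfamiliar layout.
    """
    if OUTPUT_MARKER in text:
        return text
    lines = text.splitlines()
    if FORWARD_MARKER not in lines:
        raise ValueError(f"{FORWARD_MARKER!r} not found in before.rules; layout not recognised")
    end = lines.index(FORWARD_MARKER) + 1
    while end < len(lines) and lines[end].strip():   # skip over the FORWARD rules
        end += 1
    patched = lines[:end] + ["", OUTPUT_MARKER, *ICMP_OUTPUT_RULES] + lines[end:]
    return "\n".join(patched) + ("\n" if text.endswith("\n") else "")


def count_output_icmp_rules(text: str) -> int:
    """Number of ufw-before-output ICMP accept rules present (5 after one successful run)."""
    return sum(1 for line in text.splitlines()
               if line.startswith("-A ufw-before-output -p icmp") and line.endswith("-j ACCEPT"))


def write_icmp_rules(path: str = "/etc/ufw/before.rules") -> bool:
    """Patch a real file in place, keeping a .bak copy. Returns True if it changed anything."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = add_icmp_output_rules(original)
    if updated == original:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ufw/before.rules"
    if write_icmp_rules(target):
        print(f"{target} patched (backup in {target}.bak); reload ufw to apply")
    else:
        print(f"{target} already contains the OUTPUT ICMP block; nothing to do")
```

Run it as root against the real file (or pass another path to try it on a copy first), then restart ufw as the post describes; the .bak copy lets you diff what changed.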


#2

So, my paste was taken down by Mozilla for some reason, and I can no longer edit the post, so here are the updated firewall rules you can copy in a file such as custom.profile and load into gufw:

[fwBasic]
status = disabled
incoming = deny
outgoing = deny
routed = disabled

[Rule0]
ufw_rule = 6667,6697/tcp ALLOW OUT Anywhere (out)
description = 
command = /usr/sbin/ufw allow out proto tcp from any to any port 6697,6667
policy = allow
direction = out
protocol = tcp
from_ip = 
from_port = 
to_ip = 
to_port = 6697,6667
iface = 
routed = 
logging = 

[Rule1]
ufw_rule = 53 ALLOW OUT Anywhere (out)
description = DNS
command = /usr/sbin/ufw allow out from any to any port 53
policy = allow
direction = out
protocol = 
from_ip = 
from_port = 
to_ip = 
to_port = 53
iface = 
routed = 
logging = 

[Rule2]
ufw_rule = 80,443/tcp ALLOW OUT Anywhere (out)
description = WEB-OUT
command = /usr/sbin/ufw allow out proto tcp from any to any port 80,443
policy = allow
direction = out
protocol = tcp
from_ip = 
from_port = 
to_ip = 
to_port = 80,443
iface = 
routed = 
logging = 

[Rule3]
ufw_rule = 22 ALLOW OUT Anywhere (out)
description = SSH
command = /usr/sbin/ufw allow out from any to any port 22
policy = allow
direction = out
protocol = 
from_ip = 
from_port = 
to_ip = 
to_port = 22
iface = 
routed = 
logging = 

[Rule4]
ufw_rule = 22 ALLOW IN Anywhere (log)
description = SSH
command = /usr/sbin/ufw allow in log from any to any port 22
policy = allow
direction = in
protocol = 
from_ip = 
from_port = 
to_ip = 
to_port = 22
iface = 
routed = 
logging = log

[Rule5]
ufw_rule = 1194/udp ALLOW OUT Anywhere (out)
description = openvpn
command = /usr/sbin/ufw allow out proto udp from any to any port 1194
policy = allow
direction = out
protocol = udp
from_ip = 
from_port = 
to_ip = 
to_port = 1194
iface = 
routed = 
logging = 

[Rule6]
ufw_rule = 123/udp ALLOW OUT Anywhere (out)
description = NTP
command = /usr/sbin/ufw allow out proto udp from any to any port 123
policy = allow
direction = out
protocol = udp
from_ip = 
from_port = 
to_ip = 
to_port = 123
iface = 
routed = 
logging = 

[Rule7]
ufw_rule = 993/tcp ALLOW IN Anywhere
description = EMAIL - IN (IMAP)
command = /usr/sbin/ufw allow in proto tcp from any to any port 993
policy = allow
direction = in
protocol = tcp
from_ip = 
from_port = 
to_ip = 
to_port = 993
iface = 
routed = 
logging = 

[Rule8]
ufw_rule = 993/tcp ALLOW OUT Anywhere (out)
description = EMAIL - IN (IMAP)
command = /usr/sbin/ufw allow out proto tcp from any to any port 993
policy = allow
direction = out
protocol = tcp
from_ip = 
from_port = 
to_ip = 
to_port = 993
iface = 
routed = 
logging = 

[Rule9]
ufw_rule = 465/tcp ALLOW IN Anywhere
description = EMAIL - OUT (SMTP)
command = /usr/sbin/ufw allow in proto tcp from any to any port 465
policy = allow
direction = in
protocol = tcp
from_ip = 
from_port = 
to_ip = 
to_port = 465
iface = 
routed = 
logging = 

[Rule10]
ufw_rule = 465/tcp ALLOW OUT Anywhere (out)
description = EMAIL - OUT (SMTP)
command = /usr/sbin/ufw allow out proto tcp from any to any port 465
policy = allow
direction = out
protocol = tcp
from_ip = 
from_port = 
to_ip = 
to_port = 465
iface = 
routed = 
logging = 

[Rule11]
ufw_rule = 68/udp ALLOW OUT Anywhere (out)
description = DHCP 68
command = /usr/sbin/ufw allow out proto udp from any to any port 68
policy = allow
direction = out
protocol = udp
from_ip = 
from_port = 
to_ip = 
to_port = 68
iface = 
routed = 
logging = 

[Rule12]
ufw_rule = 68/udp ALLOW IN Anywhere
description = DHCP 68
command = /usr/sbin/ufw allow in proto udp from any to any port 68
policy = allow
direction = in
protocol = udp
from_ip = 
from_port = 
to_ip = 
to_port = 68
iface = 
routed = 
logging = 

[Rule13]
ufw_rule = 67/udp ALLOW IN Anywhere
description = DHCP 67
command = /usr/sbin/ufw allow in proto udp from any to any port 67
policy = allow
direction = in
protocol = udp
from_ip = 
from_port = 
to_ip = 
to_port = 67
iface = 
routed = 
logging = 

[Rule14]
ufw_rule = 67/udp ALLOW OUT Anywhere (out)
description = DHCP 67
command = /usr/sbin/ufw allow out proto udp from any to any port 67
policy = allow
direction = out
protocol = udp
from_ip = 
from_port = 
to_ip = 
to_port = 67
iface = 
routed = 
logging = 

[Rule15]
ufw_rule = 224.0.0.251 DENY IN Anywhere
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny in from any to 224.0.0.251
policy = deny
direction = in
protocol = 
from_ip = 
from_port = 
to_ip = 224.0.0.251
to_port = 
iface = 
routed = 
logging = 

[Rule16]
ufw_rule = 224.0.0.251 DENY OUT Anywhere (out)
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny out from any to 224.0.0.251
policy = deny
direction = out
protocol = 
from_ip = 
from_port = 
to_ip = 224.0.0.251
to_port = 
iface = 
routed = 
logging = 

[Rule17]
ufw_rule = 37.187.114.98 34627/tcp ALLOW OUT Anywhere (out)
description = SSH - LH
command = /usr/sbin/ufw allow out proto tcp from any to 37.187.114.98 port 34627
policy = allow
direction = out
protocol = tcp
from_ip = 
from_port = 
to_ip = 37.187.114.98
to_port = 34627
iface = 
routed = 
logging = 

[Rule18]
ufw_rule = 224.0.0.1 DENY IN Anywhere
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny in from any to 224.0.0.1
policy = deny
direction = in
protocol = 
from_ip = 
from_port = 
to_ip = 224.0.0.1
to_port = 
iface = 
routed = 
logging = 

[Rule19]
ufw_rule = 224.0.0.1 DENY OUT Anywhere (out)
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny out from any to 224.0.0.1
policy = deny
direction = out
protocol = 
from_ip = 
from_port = 
to_ip = 224.0.0.1
to_port = 
iface = 
routed = 
logging = 

[Rule20]
ufw_rule = ff02::fb DENY IN Anywhere (v6)
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny in from any to ff02:0000:0000:0000:0000:0000:0000:00fb
policy = deny
direction = in
protocol = 
from_ip = 
from_port = 
to_ip = ff02:0000:0000:0000:0000:0000:0000:00fb
to_port = 
iface = 
routed = 
logging = 

[Rule21]
ufw_rule = ff02::fb DENY OUT Anywhere (v6) (out)
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny out from any to ff02:0000:0000:0000:0000:0000:0000:00fb
policy = deny
direction = out
protocol = 
from_ip = 
from_port = 
to_ip = ff02:0000:0000:0000:0000:0000:0000:00fb
to_port = 
iface = 
routed = 
logging = 

[Rule22]
ufw_rule = ff02::1 DENY IN Anywhere (v6)
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny in from any to ff02:0000:0000:0000:0000:0000:0000:0001
policy = deny
direction = in
protocol = 
from_ip = 
from_port = 
to_ip = ff02:0000:0000:0000:0000:0000:0000:0001
to_port = 
iface = 
routed = 
logging = 

[Rule23]
ufw_rule = ff02::1 DENY OUT Anywhere (v6) (out)
description = HIDE MULTICAST NOISE
command = /usr/sbin/ufw deny out from any to ff02:0000:0000:0000:0000:0000:0000:0001
policy = deny
direction = out
protocol = 
from_ip = 
from_port = 
to_ip = ff02:0000:0000:0000:0000:0000:0000:0001
to_port = 
iface = 
routed = 
logging =
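Before loading a profile like this one, it is worth reading it back mechanically rather than by eye: a file this long hides inconsistencies easily. The script below is an added example, not part of the post and not Gufw's own code. It parses the INI layout shown above with Python's standard configparser and flags the things a reviewer would query: inbound ALLOW rules that accept from any source (the question raised later in the thread about 993 and 465), a to_port value carrying a protocol suffix such as 123/udp while the protocol field is empty, a command line that disagrees with the policy/direction fields, and rules with no description. SAMPLE_PROFILE is a constructed three-rule excerpt in the same format; point the script at a real .profile to audit it.

```python
"""Parse a Gufw .profile and flag rules a reviewer would want a second look at.

Added example, not part of the forum post and not Gufw's own code. It reads the INI
layout shown in the post above with the standard-library configparser and reports:
inbound ALLOW rules that accept from any source, rules whose to_port carries a
protocol suffix while the protocol field is empty, rules whose command line
disagrees with policy/direction, and rules with no description. SAMPLE_PROFILE is a
constructed three-rule excerpt in the same format.
"""
import configparser
import re
import sys

# A plain ufw port spec: 80,443 or a range such as 6667:6697, with no protocol suffix.
PORT_LIST = re.compile(r"^\d+(?::\d+)?(?:,\d+(?::\d+)?)*$")

SAMPLE_PROFILE = """\
[fwBasic]
status = disabled
incoming = deny
outgoing = deny
routed = disabled

[Rule0]
ufw_rule = 6667,6697/tcp ALLOW OUT Anywhere (out)
description =
command = /usr/sbin/ufw allow out proto tcp from any to any port 6697,6667
policy = allow
direction = out
protocol = tcp
from_ip =
to_port = 6697,6667

[Rule1]
ufw_rule = 123/udp ALLOW OUT Anywhere (out)
description = NTP
command = /usr/sbin/ufw allow out proto udp from any to any port 123
policy = allow
direction = out
protocol =
from_ip =
to_port = 123/udp

[Rule2]
ufw_rule = 993/tcp ALLOW IN Anywhere
description = EMAIL - IN (IMAP)
command = /usr/sbin/ufw allow in proto tcp from any to any port 993
policy = allow
direction = in
protocol = tcp
from_ip =
to_port = 993
"""


def parse_profile(text: str):
    """Return (defaults, rules): the [fwBasic] section as a dict and an ordered list
    of (section_name, dict) for every [RuleN] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    defaults = dict(cfg["fwBasic"]) if cfg.has_section("fwBasic") else {}
    rules = [(name, dict(cfg[name])) for name in cfg.sections() if name.startswith("Rule")]
    return defaults, rules


def audit_rules(rules):
    """Return a list of (section_name, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for name, r in rules:
        policy, direction = r.get("policy", ""), r.get("direction", "")
        proto, to_port = r.get("protocol", ""), r.get("to_port", "")
        from_ip, command = r.get("from_ip", ""), r.get("command", "")
        if policy == "allow" and direction == "in" and not from_ip:
            findings.append((name, f"inbound ALLOW on port {to_port or 'any'} from any source; "
                                   "restrict from_ip, or drop it if this host only acts as a client"))
        if to_port and not PORT_LIST.match(to_port):
            findings.append((name, f"to_port {to_port!r} is not a plain port list; "
                                   "put the protocol in the protocol field instead"))
        elif to_port and proto and f"proto {proto}" not in command:
            findings.append((name, f"protocol is {proto!r} but the command line does not say 'proto {proto}'"))
        if command and f"ufw {policy} {direction}" not in command:
            findings.append((name, f"command line does not match policy={policy!r} direction={direction!r}"))
        if not r.get("description", ""):
            findings.append((name, "no description"))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    defaults, rules = parse_profile(source)
    print(f"defaults: incoming={defaults.get('incoming')} outgoing={defaults.get('outgoing')}; "
          f"{len(rules)} rules")
    for section, finding in audit_rules(rules):
        print(f"{section}: {finding}")
```

The inbound check is the one that matters most for a laptop on a hostile LAN: with a stateful firewall, a client that merely fetches mail over IMAP or submits it over SMTP needs only the outbound rules, because replies are matched as established traffic; an inbound ALLOW on 993 or 465 from any source opens a listening port to everyone on the network for no benefit unless the machine really is the mail server.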

#3

Hi, everyone. Thanks for post #2. But I have some problems with creating a file such as custom.profile and loading it into gufw. I got an error like "You do not have the permissions necessary to save the file. Please check that you typed the location correctly and try again."

PS: I solved my problem :slight_smile: sudo gedit '/etc/gufw/app_profiles/ubuntu-mate.profile'


#4

An interesting set of rules. Curious why you’re forwarding in 993 and 465 – are you running your own email server?

You can also disable multicasting on the adapter globally (however this needs to be done on every reboot):
sudo ifconfig [networkAdapterName] -multicast
…no more 224.0.0.* in the log, however silly apps like Chromium (which is persistently looking for cloud printers) will still attempt to connect anyway.


#5

Another useful tip when figuring out the source of IGMP snooping on the network – check your router’s default settings. Specifically, Network->LAN->IGMP Proxy. Not interested in “casting” my youtube playlist from my phone to the TV so, disabled.


#6

That was the plan, unfortunately in France it’s frowned upon by ISPs.