Many Ubuntu users are interested in learning how to enable a firewall. The majority of people seem to be interested in filtering inbound and outbound connections on a Desktop installation.
Without getting into the inevitable debate on the merits of using a firewall, I would like to pass on some basic information. Please understand that discussions about firewalls, and the technical details of a firewall, can become complicated very fast. The goal of this blog, therefore, is to enable users to feel comfortable with the basic manipulations on an Ubuntu Desktop installation.
You should also know that by default Ubuntu, unlike some operating systems, has no significant listening servers. You may list your listening servers with either of the following commands:
sudo bash -c "netstat -an | grep LISTEN | grep -v ^unix"
sudo lsof -i -n -P
Alternatively, you may perform a port scan from a second computer, e.g. with nmap.
I strongly advise the use of UFW (Uncomplicated FireWall), as it is installed by default, the syntax is easy to understand, and the defaults are more than adequate for the vast majority of users. If you prefer a graphical front end, install GUFW.
Enabling it is very easy:
sudo ufw enable
Deny incoming connections
This setting will deny all new incoming connections. Established connections (connections you request) are allowed.
sudo ufw default deny
Since we are not running a server, nothing further is required for incoming connections.
Deny outgoing connections
This is a bit harder, as you need to know the services you wish to allow and write rules for the outbound traffic you wish to permit. Common services you may wish to allow (and their ports) include:
DNS (Domain Name Service) = protocol udp port 53.
Web browsing = http protocol tcp port 80.
Secure web browsing = https protocol tcp port 443.
Mail = protocol tcp port 25.
FTP = protocol tcp port 20 and 21.
SSH = protocol tcp port 22.
VNC = protocol tcp port 5900.
Samba uses multiple ports: udp ports 137 and 138, as well as tcp ports 139 and 445.
IRC = protocol tcp; Ubuntu's servers default to port 8001.
A listing of ports can be found here.
UFW will block outbound traffic based on the destination port on the remote server. To allow the outbound traffic listed above, use:
sudo ufw allow out 53,137,138/udp
sudo ufw allow out 20,21,22,25,80,139,443,5900,8001/tcp
Then block all other outbound traffic with:
sudo ufw deny out to any
Keep in mind that the order of the rules is critical. So if you need to allow additional traffic, you will need to insert a rule ahead of the final deny rule rather than append it.
List your rules by number with:
sudo ufw status numbered
If you used the above syntax you will see:
To Action From
-- ------ ----
[ 1] 53,137,138/udp ALLOW OUT Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT Anywhere (out)
[ 3] Anywhere DENY OUT Anywhere (out)
Say we wish to allow out telnet on port 23. We need to add this before the third rule (which denies all outbound traffic). We do this using insert:
sudo ufw insert 3 allow out 23
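Because the position of the catch-all deny rule changes as rules are added and deleted, hard-coding "insert 3" is fragile. The following added example (not part of the original post) reads the output of "ufw status numbered", finds the number of the first rule that denies all outbound traffic, and prints the matching "ufw insert" command; the status text below is a constructed sample copied from the listing above.

```bash
#!/bin/sh
# Added example: work out where a new "allow out" rule must be inserted
# so that it lands ahead of the "Anywhere DENY OUT Anywhere" rule.
# The listing below is a constructed sample in the format ufw prints.
UFW_STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 53,137,138/udp             ALLOW OUT   Anywhere (out)
[ 2] 20,21,22,25,80,139,443,5900,8001/tcp ALLOW OUT   Anywhere (out)
[ 3] Anywhere                   DENY OUT    Anywhere (out)'

# Print the number of the first rule that denies all outbound traffic,
# or nothing if no such rule exists. Only numbered "[ N]" lines are
# examined; the first match (the IPv4 entry) wins.
deny_out_rule_number() {
    printf '%s\n' "$1" | awk '
        /^\[/ && / DENY OUT / {
            line = $0
            sub(/^\[ */, "", line)           # drop "[" and its padding
            num = line; sub(/].*/, "", num)  # keep only the rule number
            sub(/^[0-9]+] */, "", line)      # drop "N] " -> "To" column first
            if (line ~ /^Anywhere +DENY OUT +Anywhere/) { print num; exit }
        }'
}

# Build the ufw command that allows outbound PORT/PROTO. If a catch-all
# deny exists, insert in front of it; otherwise a plain "allow out"
# (appended at the end of the list) is sufficient.
allow_out_command() {
    port="$1"; proto="$2"; status="$3"
    num=$(deny_out_rule_number "$status")
    if [ -n "$num" ]; then
        printf 'sudo ufw insert %s allow out %s/%s\n' "$num" "$port" "$proto"
    else
        printf 'sudo ufw allow out %s/%s\n' "$port" "$proto"
    fi
}

# Outbound telnet (tcp/23), as in the post. On a live system you would
# feed it: allow_out_command 23 tcp "$(sudo ufw status numbered)"
allow_out_command 23 tcp "$UFW_STATUS_SAMPLE"
```

The script only prints the command; review it and run it yourself, since the deny rule's number will differ once rules have been added or removed.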
Peer-to-peer file sharing via torrents is popular, and allowing torrent traffic is a bit complicated. The major reason for this is that ISPs often block common torrent ports, so it is almost impossible to know what ports will be used for the torrent transfer, and it may be easier to disable your firewall if you use torrents.
The somewhat more complicated approach is to determine the inbound port for your torrent client, and allow inbound traffic on that port.
Using the "default" torrent ports as an example (BitTorrent uses ports 6881-6999), the easiest settings for torrent sharing are to allow these ports in and allow all outbound traffic. Check your torrent application for the inbound port or ports (Transmission, the default client in Ubuntu, uses port 51413 for example).
# This first rule allows inbound tcp ports 6881-6999 inclusive
sudo ufw allow 6881:6999/tcp
# Allow all outbound traffic again if we blocked it previously
sudo ufw delete deny out to any
If you need to delete a rule, simply prefix the rule as you wrote it with "delete", for example:
sudo ufw delete deny out to any