Outdated documentation

This page is out of date. Please use the main navigation to find the latest documentation.

Introduction

gNewSense features a simple, efficient firewall which is installed by default, called ufw (uncomplicated firewall). To check that it's installed on your computer, run

 ufw

in a terminal.

Basic configuration

Configuring and using a firewall such as ufw is a simple, effective protection against those who try to gain access to your system.

Firstly, open up a terminal. To enable ufw, type:

 sudo ufw enable

into your terminal. UFW needs root access because it changes the kernel's packet-filtering rules, which control your network connection. To block incoming connections by default, enter this into your terminal:

 sudo ufw default deny

This command blocks all incoming connections to your computer on every port. Outgoing traffic is not affected, so you can still browse the Internet, send email and so on, but any service on your machine that must accept incoming connections (some protocols you may need depend on this) is blocked as well until you allow its port.

Advanced configuration

By-port configuration

Here's a simple list of common ports that you may need to enable for your system:

 Service    Description                                         Port Number
 FTP        File Transfer Protocol                              TCP 20/21 (usually 21)
 IMAP       Popular email protocol                              TCP 143
 IPP        Internet Printing Protocol                          UDP & TCP 631
 NFS        Network File System                                 UDP & TCP 2049, UDP 111
 POP3       Popular email protocol                              TCP 110
 SMB/CIFS   Samba (Windows shared folders)                      TCP 445
 SMTP       Email protocol for outgoing messages                TCP 25
 SSH        Secure Shell, used for controlling a remote system  TCP 22
 Telnet     Older protocol, similar to SSH                      TCP 23 (by default)
 VNC        Virtual Network Computing                           TCP 5900 (by default)

If there is another protocol that you need to use that isn't listed here, you can most likely find the port needed in the documentation for said protocol.

Now, to enable the ports you need, there is another simple command to enter in your terminal:

 sudo ufw allow **

where ** is the port number. This opens the port for both UDP and TCP. To allow only UDP or only TCP on a port, use one of the following two commands respectively:

 sudo ufw allow **/udp

or

 sudo ufw allow **/tcp

For example, to allow POP3 and SMTP support for my email, I would type:

 sudo ufw allow 110/tcp
 sudo ufw allow 25/tcp

These commands allow you to enable access for any port you may need.

By-IP configuration

However, what if you need to allow access from a specific IP address? Once again, this is simple. Just enter the following command into your terminal:

 sudo ufw allow from **.**.**.**

where **.**.**.** is the IP address you wish to allow. But what if you needed to allow a range of IP addresses, for example, 100.100.100.0, 100.100.100.1, 100.100.100.2, 100.100.100.3 and so on, up to 100.100.100.8? ufw accepts a network in CIDR notation, where the number after the slash is how many leading bits of the address are fixed; the smallest block that contains .0 through .8 is a /28, which covers .0 through .15:

 sudo ufw allow from 100.100.100.0/28

Be careful with the prefix length: 100.100.100.0/8 would allow every address from 100.0.0.0 to 100.255.255.255, not just the nine addresses listed above.
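The arithmetic behind the prefix length, as an added shell example that is not part of the original page: cidr_range prints the first and last address (and the address count) that a prefix covers, and cidr_covering finds the smallest block that contains a given first and last address. The function names are my own; they are not ufw commands.

```shell
#!/bin/sh
# Added example (not from the gNewSense page): CIDR prefix arithmetic in POSIX sh,
# so an "allow from" network can be checked before the rule is applied.
# Function names are my own choice; they are not ufw commands.

ALL_ONES=4294967295   # 0xFFFFFFFF, written in decimal for portability

# ip_to_int A.B.C.D -> the address as one 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the dotted quad on the dots; unquoted on purpose
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted-quad form of a 32-bit integer
int_to_ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# cidr_range A.B.C.D/P -> "first_address last_address address_count"
cidr_range() {
    ip=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ] || [ "$prefix" -lt 0 ] || [ "$prefix" -gt 32 ]; then
        echo "cidr_range: expected ADDRESS/PREFIX with prefix 0-32, got '$1'" >&2
        return 1
    fi
    host_bits=$(( 32 - prefix ))
    # network mask: the top "prefix" bits set, the low "host_bits" bits clear
    mask=$(( (ALL_ONES << host_bits) & ALL_ONES ))
    first=$(( $(ip_to_int "$ip") & mask ))
    last=$(( first | ((1 << host_bits) - 1) ))
    printf '%s %s %s\n' "$(int_to_ip "$first")" "$(int_to_ip "$last")" $(( 1 << host_bits ))
}

# cidr_covering FIRST LAST -> smallest CIDR block containing both addresses.
# Blocks are powers of two in size, so the result usually includes extra addresses.
cidr_covering() {
    lo=$(ip_to_int "$1")
    hi=$(ip_to_int "$2")
    prefix=32
    # shorten the prefix until both addresses share the same network part
    while [ "$prefix" -gt 0 ] && [ $(( lo >> (32 - prefix) )) -ne $(( hi >> (32 - prefix) )) ]; do
        prefix=$(( prefix - 1 ))
    done
    mask=$(( (ALL_ONES << (32 - prefix)) & ALL_ONES ))
    printf '%s/%d\n' "$(int_to_ip $(( lo & mask )))" "$prefix"
}

# Constructed demonstration: the page's example range and the two candidate prefixes.
echo "100.100.100.0/8  covers: $(cidr_range 100.100.100.0/8)"
echo "100.100.100.0/28 covers: $(cidr_range 100.100.100.0/28)"
echo "smallest block for .0-.8: $(cidr_covering 100.100.100.0 100.100.100.8)"
```

Run the script before writing a rule: if cidr_range reports far more addresses than you meant to admit, the prefix is too short.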

Other useful commands

UFW has its name (Uncomplicated Firewall) for a reason: it's really simple, yet effective. Those are all the commands you need to know to set up UFW on your gNewSense system. However, there are a few more useful tricks you can use.

Removing rules

To remove a rule (for example, if you no longer use POP3, you no longer need its port open), simply type:

 sudo ufw delete allow **

or, for my example with POP3:

 sudo ufw delete allow 110/tcp

Limiting connections

In order to protect yourself from denial of service (floods of packets sent to your computer) or brute force (repeated automated attempts to guess your password) attacks, you can limit the number of connection attempts to a particular port.

A limit rule in UFW allows at most 6 new connection attempts from the same source address within 30 seconds; further attempts from that address in the window are dropped. That is enough to slow a brute force attack down for a long, long time, and to blunt a flood of connection attempts coming from a single address. To limit a connection, use the following command:

 sudo ufw limit **

to limit a port. To limit POP3 connections:

 sudo ufw limit 110/tcp

or to limit connections for a web server:

 sudo ufw limit www/tcp

Enabling full access

If you want to enable full access (for example, if you're using a program temporarily and don't know the ports required), simply type the opposite of 'sudo ufw default deny', which is:

 sudo ufw default allow
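A complete, reviewable version of the procedure above (enable, default deny, allow the needed ports, rate-limit a port, turn on logging), as an added shell example that is not part of the original page. ufw_plan prints the ufw subcommands one per line so the rule set can be read before anything runs; ufw_apply feeds them to sudo ufw. The port lists, the management network 192.0.2.0/24 and the "allow from ... to any port ... proto ..." rule are my own choices; that last form is ufw's full rule syntax, which the page does not cover.

```shell
#!/bin/sh
# Added example (not from the gNewSense page): a repeatable ufw baseline built from
# the commands the page describes. Nothing here touches the firewall unless the
# script is run with the single argument "apply".

# ufw_plan ALLOW_LIST LIMIT_LIST [ADMIN_NET]
#   ALLOW_LIST: space-separated port/proto entries to open to everyone
#   LIMIT_LIST: entries to open with ufw's rate limit (6 new connections per 30 s)
#   ADMIN_NET : optional CIDR that may reach SSH without the rate limit
ufw_plan() {
    allow_list=$1
    limit_list=$2
    admin_net=$3

    # Defaults first: everything inbound is refused unless a later rule allows it.
    echo "default deny incoming"
    echo "default allow outgoing"
    if [ -n "$admin_net" ]; then
        # ufw evaluates rules in order and the first match wins, so the management
        # network's unlimited SSH rule must precede the "limit 22/tcp" rule below.
        echo "allow from $admin_net to any port 22 proto tcp"
    fi
    for entry in $allow_list; do
        echo "allow $entry"
    done
    for entry in $limit_list; do
        echo "limit $entry"
    done
    echo "logging on"
    echo "enable"
}

# ufw_apply: run each planned line through ufw. "--force" keeps "ufw enable"
# from prompting when the script runs non-interactively. Needs root via sudo.
ufw_apply() {
    ufw_plan "$@" | while IFS= read -r line; do
        case $line in
            enable) sudo ufw --force enable ;;
            *)      sudo ufw $line ;;
        esac
    done
}

# ufw_plan_rule_count: number of allow/limit rules a plan would create,
# a quick sanity check before applying (defaults and logging are not rules).
ufw_plan_rule_count() {
    ufw_plan "$@" | grep -c -E '^(allow|limit) '
}

# Constructed example: mail ports open, SSH rate-limited, management LAN exempt.
ALLOW_PORTS="110/tcp 25/tcp"
LIMIT_PORTS="22/tcp"
ADMIN_NET="192.0.2.0/24"

if [ "${1:-plan}" = apply ]; then
    ufw_apply "$ALLOW_PORTS" "$LIMIT_PORTS" "$ADMIN_NET"
else
    ufw_plan "$ALLOW_PORTS" "$LIMIT_PORTS" "$ADMIN_NET"
fi
```

Run the script with no arguments to see the plan, compare it with what you expect, and then run it with "apply" to install the rules; afterwards "sudo ufw status" shows the resulting rule list.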

Monitoring connections

There's one more handy UFW trick that's worth learning. If you want to monitor your connections, you can enable logging by using the following command:

 sudo ufw logging on

and turn it off by:

 sudo ufw logging off
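What logging actually gives you, as an added shell example that is not part of the original page: ufw logs through the kernel, so each event is a syslog line tagged "[UFW BLOCK]" (or "[UFW LIMIT BLOCK]" when a limit rule dropped the attempt) followed by KEY=VALUE fields such as SRC= and DPT=. The two functions below summarise such lines by source and destination port and pick out sources that were blocked repeatedly. The sample lines are constructed and abbreviated for the example; on a real system, read /var/log/ufw.log instead.

```shell
#!/bin/sh
# Added example (not from the gNewSense page): summarise ufw log lines once
# "ufw logging on" is active. Function names are my own.

# Constructed sample lines (field set abbreviated); addresses are documentation ranges.
SAMPLE_UFW_LOG='Aug 30 02:24:30 gns kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 SYN
Aug 30 02:24:31 gns kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=1002 DF PROTO=TCP SPT=40002 DPT=23 SYN
Aug 30 02:24:33 gns kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=1003 DF PROTO=TCP SPT=40003 DPT=23 SYN
Aug 30 02:24:35 gns kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=49 ID=2001 DF PROTO=TCP SPT=51000 DPT=22 SYN
Aug 30 02:24:36 gns kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TTL=49 ID=2002 PROTO=UDP SPT=5353 DPT=5353
Aug 30 02:24:40 gns kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TTL=60 ID=3001 DF PROTO=TCP SPT=33000 DPT=110 SYN'

# ufw_log_summary: read log lines on stdin, print "ACTION SRC DPT COUNT" for every
# blocked (source, destination port) pair, busiest first. Allowed traffic is ignored.
ufw_log_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            action = ($0 ~ /LIMIT BLOCK/) ? "LIMIT" : "BLOCK"
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # ICMP lines carry no DPT=, so record "-" instead of an empty field
            if (src != "") count[action " " src " " (dpt == "" ? "-" : dpt)]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k2,2 -k1,1 -k3,3n
}

# ufw_log_noisy_sources [THRESHOLD]: sources with at least THRESHOLD (default 10)
# blocked or rate-limited attempts, "SRC COUNT" per line, busiest first.
ufw_log_noisy_sources() {
    threshold=${1:-10}
    awk -v min="$threshold" '
        /\[UFW (LIMIT )?BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++
        }
        END { for (s in hits) if (hits[s] >= min) print s, hits[s] }
    ' | sort -k2,2nr -k1,1
}

# Demonstration on the constructed sample
echo "Blocked traffic by source and port:"
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_log_summary
echo "Sources blocked 3 or more times:"
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_log_noisy_sources 3
```

On a real system run "ufw_log_summary < /var/log/ufw.log"; a source that keeps hitting port 22 or 23 after a limit rule is exactly what the rate limit is for, and the summary tells you whether it is working.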

And that's all there is to it. By gNewSense 3.x, there will be a few new improvements for UFW, including levels of logging and a graphical user interface for UFW called GUFW. For more information about UFW, please refer to the project's homepage at https://launchpad.net/ufw.


Documentation/Firewall (last edited 2013-08-30 02:24:30 by FelipeLopez)