Uncomplicated Awesome Firewall

Created at 2019-07-30 Updated at 2019-07-30

I was playing with the network on an Ubuntu-based machine when my attention got stuck on the firewall: what is it, and why is it used? As the name suggests, it is a “WALL”, one that stands in the way of network traffic. To explain it in layman's language: a firewall is like the walls of your home, which protect you from all sorts of situations. Imagine your home without walls; anyone could pop in and out without even informing you. Your home has a main door where you can limit who enters and leaves. A firewall gives you the same control over a host or an internal network: it limits which traffic may enter or exit.

Managing a firewall by hand (raw iptables rules) can be a complicated task, but fortunately Ubuntu ships UFW. UFW stands for Uncomplicated Firewall; it is a front end that generates the iptables rules for you, and one can start using it in 5-10 minutes. Good practice when securing a server is to block all incoming ports by default and allow only the limited set of ports the server must expose.

Below are the commands with their descriptions.

  • Allow SSH first
    Once enabled, UFW denies all incoming connections by default, so on a remote machine allow SSH before you enable it, otherwise your session is cut off and you are locked out:
    sudo ufw allow ssh
    Here ssh is the service name, which UFW resolves to 22/tcp. To open the port by number instead, type:
    sudo ufw allow 22
    A bare port number without a protocol opens it for both TCP and UDP.

  • Enable UFW
    sudo ufw enable

  • Disable UFW
    sudo ufw disable

It’s not easy to remember every port number, or which port each service communicates on. Fortunately UFW comes to the rescue here: it accepts a service name in allow/deny rules and resolves it (name, port and protocol) from /etc/services.
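The commands above, in the order that does not lock you out of a remote box (policies, then SSH, then enable), as an added example that is not from the original post. The function is hypothetical; it assumes sshd listens on port 22 unless told otherwise, and it takes an optional admin CIDR so SSH can be restricted to one network. Setting UFW_CMD=echo turns it into a dry run that prints the ufw commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): baseline UFW setup for a server.
# Policies and the SSH rule are set BEFORE "enable", so a remote session is
# never cut off by the default deny-incoming policy.
# UFW_CMD is normally "sudo ufw"; set UFW_CMD=echo to dry-run and only print
# the commands that would be executed. It is deliberately left unquoted so
# that "sudo ufw" splits into two words.
: "${UFW_CMD:=sudo ufw}"

# ufw_baseline [ssh_port] [admin_cidr]
#   ssh_port    port sshd listens on (assumed 22 unless given)
#   admin_cidr  optional source block allowed to reach SSH; when omitted, SSH
#               is open to all but rate-limited: "ufw limit" denies a source
#               that opens 6 or more new connections within 30 seconds
ufw_baseline() {
    ssh_port="${1:-22}"
    admin_cidr="${2:-}"

    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing

    if [ -n "$admin_cidr" ]; then
        $UFW_CMD allow from "$admin_cidr" to any port "$ssh_port" proto tcp
    else
        $UFW_CMD limit "$ssh_port/tcp"
    fi

    # --force answers the "may disrupt existing ssh connections" prompt
    $UFW_CMD --force enable
    # always finish by checking what is actually loaded
    $UFW_CMD status verbose
}

# Apply only when asked explicitly, e.g.:
#   UFW_BASELINE_APPLY=1 sh ufw-baseline.sh 22 10.0.0.0/24
#   UFW_CMD=echo UFW_BASELINE_APPLY=1 sh ufw-baseline.sh      (dry run)
if [ "${UFW_BASELINE_APPLY:-0}" = 1 ]; then
    ufw_baseline "$@"
fi
```

Run the dry run first and read the printed commands; the `status verbose` at the end is the check that the policy line reads `deny (incoming), allow (outgoing)` and that the SSH rule is present before you close your current session.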

  • To get a list of services:
    less /etc/services
  • To allow incoming TCP packets on port 1433
    sudo ufw allow 1433/tcp

  • To allow incoming UDP packets on port 1433
    sudo ufw allow 1433/udp

  • To allow incoming traffic from a specific IP address (any as the destination means any address on this host)
    sudo ufw allow from <source> to <destination> port <port number>
    sudo ufw allow from 192.168.0.4 to any port 22

  • To allow IP address 192.168.0.4 access to port 22 using TCP only
    sudo ufw allow from <source> to <destination> port <port number> proto <protocol name>
    sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

  • To deny traffic to a port
    sudo ufw deny <port>/<optional: protocol>
    sudo ufw deny 4333
    Rules are matched in the order they were added and the first match wins, so a deny that must override an earlier, broader allow has to be inserted in front of it (ufw insert <position> deny ...) rather than appended at the end.

  • Delete an existing rule by repeating it after delete
    sudo ufw delete deny 80/tcp

  • Numbered rules
    sudo ufw status numbered
    Now you can refer to a rule by its number instead of by port or service, e.g. to delete rule 1:
    sudo ufw delete 1
    The numbers shift after every deletion, so re-run status numbered before deleting another rule.

  • Disable PING
    A plain sudo ufw deny rule cannot block ping: ICMP is accepted in /etc/ufw/before.rules, which is evaluated before any user rule. To stop answering ping (ICMP echo-request), edit /etc/ufw/before.rules and remove the echo-request line from this block:

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    or change its “ACCEPT” to “DROP”, leaving the other lines untouched:

    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP

    Do not drop the other four types: destination-unreachable is needed for path MTU discovery, time-exceeded for traceroute, and parameter-problem reports malformed packets, so dropping them breaks connectivity in hard-to-debug ways rather than hardening the host (source-quench is deprecated and ignored by modern stacks). The IPv6 equivalent lives in /etc/ufw/before6.rules, where the line reads -p icmpv6 --icmpv6-type echo-request. Reload the firewall afterwards with sudo ufw reload, then confirm from another machine that ping no longer gets a reply.
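The edit described above, applied by a script rather than by hand, as an added example that is not from the original post. The function drop_echo_request is hypothetical; it assumes the stock line layout of before.rules and before6.rules (chain ufw-before-input / ufw6-before-input, -p icmp / -p icmpv6) and changes only the echo-request lines from ACCEPT to DROP, keeping a .bak copy so the change can be reverted.

```shell
#!/bin/sh
# Added example (not from the original post): stop answering ping without
# touching the other ICMP types. Only lines that accept echo-request in the
# given rules file are changed to DROP; destination-unreachable,
# time-exceeded and parameter-problem stay accepted so that path-MTU
# discovery and traceroute keep working.
# Handles both /etc/ufw/before.rules  (chain ufw-before-input,  -p icmp)
# and          /etc/ufw/before6.rules (chain ufw6-before-input, -p icmpv6).

# drop_echo_request FILE : rewrite FILE in place, keeping FILE.bak
drop_echo_request() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.bak"
    # address: exactly the stock echo-request ACCEPT line (v4 or v6);
    # substitution: flip only the target of that line
    sed -E \
      '/^-A ufw6?-before-input -p icmp(v6)? --icmp(v6)?-type echo-request -j ACCEPT$/ s/ACCEPT$/DROP/' \
      "$f.bak" > "$f"
}

# count_echo_accept FILE : how many echo-request lines still ACCEPT (expect 0 afterwards)
count_echo_accept() {
    grep -c -- 'echo-request -j ACCEPT' "$1" || true
}

# Real usage (as root), followed by a reload so the edited rules take effect:
#   drop_echo_request /etc/ufw/before.rules
#   drop_echo_request /etc/ufw/before6.rules
#   ufw reload
#   count_echo_accept /etc/ufw/before.rules     # prints 0
```

After the reload, `sudo iptables -S ufw-before-input | grep echo-request` should show `-j DROP`, and a ping from another host should time out while `ssh` and `traceroute` to the box keep working.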

Playing with IP range

Suppose you need to allow the addresses from 10.0.0.1 to 10.0.0.8. UFW takes a range in the from clause as a CIDR block (address/prefix), and a CIDR block always covers 2^Y addresses, so the size of the range can only be 2, 4, 8, 16, 32 and so on.

First find Y from the size of the range. Eight addresses lie between 10.0.0.1 and 10.0.0.8 inclusive, so the equation is 2^Y = 8 and Y = 3.

The prefix length X (the number of fixed network bits) is then given by

32 - X = Y

so X = 32 - 3 = 29, a /29 block.

Let’s verify: a /29 leaves 32 - 29 = 3 host bits, and 2^3 = 8 addresses, as required.

One more constraint decides where the block may start: the prefix fixes the high bits and the host bits of the first address are all zero, so a block of 2^Y addresses must begin on a multiple of 2^Y. The /29 blocks inside 10.0.0.0/24 are therefore 10.0.0.0 to 10.0.0.7, 10.0.0.8 to 10.0.0.15, and so on. The range 10.0.0.1 to 10.0.0.8 straddles two of them and is not a single block. Writing 10.0.0.1/29 does not help: the host bits are masked off, so the rule matches 10.0.0.0/29, i.e. 10.0.0.0 to 10.0.0.7, and 10.0.0.8 is left unmatched. Use an aligned block such as 10.0.0.0/29 in the from clause (10.0.0.0 is normally the network address, so allowing it costs nothing), or add a second rule for the leftover address.
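The calculation above (2^Y addresses, prefix X = 32 - Y, and the alignment rule) carried out by a shell function, as an added example that is not from the original post. range_to_cidr and its helpers are hypothetical; they assume well-formed dotted-quad IPv4 input and refuse any range that is not a single CIDR block, including the 10.0.0.1 to 10.0.0.8 case.

```shell
#!/bin/sh
# Added example (not from the original post): turn an inclusive IPv4 range
# into the single CIDR block UFW can take in a "from" clause, and refuse
# ranges that are not one block (size not 2^Y, or start not aligned to it).
# Input is assumed to be valid dotted-quad IPv4; no validation is done.

# ip2int 10.0.0.7 -> 167772167
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 167772167 -> 10.0.0.7
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidr FIRST LAST : print "network/prefix", or fail with the reason on stderr
range_to_cidr() {
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    size=$(( end - start + 1 ))

    # Rule 1: a block holds 2^Y addresses, so the size must be a power of two
    if [ "$size" -le 0 ] || [ $(( size & (size - 1) )) -ne 0 ]; then
        echo "$1-$2: $size addresses is not a power of two, not a single block" >&2
        return 1
    fi
    # Rule 2: the prefix fixes the high bits, so the block must start on a multiple of its size
    if [ $(( start % size )) -ne 0 ]; then
        echo "$1-$2: does not start on a $size-address boundary, not a single block" >&2
        return 1
    fi
    # Y = log2(size); prefix length X = 32 - Y
    y=0; n=$size
    while [ "$n" -gt 1 ]; do
        n=$(( n / 2 )); y=$(( y + 1 ))
    done
    echo "$(int2ip "$start")/$(( 32 - y ))"
}

# Usage:
#   net=$(range_to_cidr 10.0.0.0 10.0.0.7) && sudo ufw allow from "$net" to any port 22 proto tcp
# range_to_cidr 10.0.0.1 10.0.0.8 fails: the range straddles 10.0.0.0/29 and 10.0.0.8/29.
```

Because the function fails loudly instead of silently widening or narrowing the range, a rule built from its output never allows an address you did not list and never quietly omits one, which is exactly the mistake 10.0.0.1/29 makes.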

Using UFW is awesome and easy too.

Site by Ashutosh Kumar Singh using Hexo & Random
