Uncomplicated Awesome Firewall
Created at 2019-07-30 Updated at 2024-04-17 - 5 min. read
I was playing with the network on Ubuntu-based machine. Suddenly my eyes got stuck on a firewall and why it is used? So as the name suggests its a “WALL”. Which blocks the way of the network. If I need to explain to you in layman language. A firewall is like the wall of your home which protects you from all sorts of situations. Imagine your home without walls. Anyone can pop in and pop out without even informing you. Like your home has the main door where you can limit the entry and exit of anyone. The same handling can be achieved by a firewall, which can limit entry/exit to your internal network.
Managing firewall can be a complicated task but fortunately, ubuntu has UFW. UFW stands for Uncomplicated Firewall. One can easily start using it in 5-10 minutes. A good practice of securing the server includes blocking all ports and allowing only limited ports.
Below are the commands with their description
Enable UFW
sudo ufw enableDisable UFW
sudo ufw disableWhenever you enable ufw. Make sure to allow ssh by typing the following command
sudo ufw allow ssh
Where ssh is the name of the service. If you wish to open the port, type the following commandsudo ufw allow 22
It’s not easy to remember all the port number or remember all service and on which port they are communicating. Fortunately here ufw comes to rescue. It provides allow/deny to a service name. Which makes it easy to another level. UFW reads service from /etc/services
- To see get a list of services:
less /etc/services
To allow incoming TCP packets on port 1433
sudo ufw allow 1433/tcpTo allow incoming UDP packets on port 1433
sudo ufw allow 1433/udpTo allow incoming from specific ip
sudo ufw allow from<target>to<destination>port<port number>sudo ufw allow from 192.168.0.4 to any port 22To allow IP address 192.168.0.4 access to port 22 using TCP
sudo ufw allow from<target>to<destination>port<port number>proto<protocol name>sudo ufw allow from 192.168.0.4 to any port 22 proto tcpTo deny rule
sudo ufw deny<port>/<optional: protocol>sudo ufw deny 4333Delete existing rule
sudo ufw delete deny 80/tcpNumbered rule
sudo ufw status numbered
Now you can play with a number instead of port and servicesudo ufw delete 1Disable PING
In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:1
2
3
4
5
6# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPTor change the “ACCEPT” to “DROP”
1
2
3
4
5
6# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Playing with IP range
In case you need to allow IP address from 10.0.0.1 to 10.0.0.8
You can handle IP range in the criteria of 2Y. Hence the IP range set can be of 2, 4, 8, 16, 32 and so onn.
Next step is to find the value of X. As we already have decided the IP range. According to that, the value of Y would be 3. This is so because there are total 8 IP that are in between 10.0.0.1 to 10.0.0.8
Which gets back to equation as 2Y = 8. Hence value of Y is 3.
The following equation would be needed to find the subnet of the network32 - X = Y
In the above equation, we need to find the value of X in order to get the correct value of subnet.
From the above, the value of X would be 29. Which would make the IP as 10.0.0.1/29
Let’s verify, 10.0.0.1/29 would get the IP range of 32 - 29 = 3
23 = 8. Hence IP range would be from 10.0.0.1 to 10.0.0.8
Using UFW is awesome and easy too.