
Wednesday, September 2, 2009

Open Source, Easy Firewall with GUFW

sudo apt-get install gufw

The easy way to use the firewall is to deny all incoming traffic by default (which is what ufw does when you enable it) and then open only the few things you actually need.

If you are behind a NAT router and would like to trust the internal network, you can allow everything coming from it:
sudo ufw allow from 192.168.0.0/16
Note that 192.168.0.0/16 covers every 192.168.x.x address. If your router only hands out one subnet (for example 192.168.1.0/24), use that narrower range instead, so a misconfigured or hostile device on a different private range is not trusted by accident.

Then reapply the rule set by disabling and re-enabling ufw:
sudo ufw disable && sudo ufw enable

It is also a good idea to stop answering ping (ICMP echo) requests. Open /etc/ufw/before.rules, find the ICMP block, and comment out the echo-request line so it looks like this (leave the other ICMP types alone, since path MTU discovery and traceroute depend on them):

/etc/ufw/before.rules:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

If you are behind a NAT router, people on the Internet may still get a ping reply from your public address, because it is the router itself, not your machine, that answers the echo request. The firewall on your machine cannot change that; if you want the public address to stay quiet, disable ICMP echo replies (often labelled "respond to ping on WAN") on the router directly.
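The steps above, pulled together as an added example (this is not code from the original post or from the ufw project). It assumes you work on a copy of /etc/ufw/before.rules rather than the live file, so everything can be dry-run without root, and it uses hypothetical helper names (disable_ping_rule, ping_rule_active, is_private_cidr, ufw_plan). The sample before.rules fragment is constructed inline; the ufw commands are only printed, never executed.

```shell
#!/bin/sh
# Added example for the ufw/GUFW setup described in this post.
# Nothing here touches the system: it edits a copy of before.rules and
# prints the ufw commands for review. Apply them with sudo afterwards.

# Constructed sample of the ICMP block from /etc/ufw/before.rules.
make_sample_rules() {
    cat > "$1" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Return 0 (true) if the file still has an active echo-request ACCEPT rule.
ping_rule_active() {
    grep -q '^-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT' "$1"
}

# Write a copy of $1 to $2 with the echo-request ACCEPT line commented out.
# Only that one line is touched; already-commented lines stay as they are,
# so running it twice is harmless.
disable_ping_rule() {
    sed 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT.*\)$/# \1/' "$1" > "$2"
}

# Sanity check for the "trust the internal network" rule: only accept the
# RFC 1918 ranges so a typo cannot end up trusting a public prefix.
is_private_cidr() {
    case "$1" in
        10.*/*) return 0 ;;
        192.168.*/*) return 0 ;;
        172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ufw commands this post boils down to, for the given trusted subnet.
# Fails (returns 1) without printing anything if the subnet is not private.
ufw_plan() {
    subnet="$1"
    if ! is_private_cidr "$subnet"; then
        echo "refusing to trust non-private range: $subnet" >&2
        return 1
    fi
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    printf 'ufw allow from %s\n' "$subnet"
    printf 'ufw disable && ufw enable\n'
}

# Demo: ./script.sh demo [subnet]
case "${1:-}" in
    demo)
        work=$(mktemp -d)
        make_sample_rules "$work/before.rules"
        disable_ping_rule "$work/before.rules" "$work/before.rules.new"
        echo "--- before.rules with ping disabled ---"
        cat "$work/before.rules.new"
        echo "--- ufw commands to run as root ---"
        ufw_plan "${2:-192.168.1.0/24}"
        rm -rf "$work"
        ;;
esac
```

Review the printed before.rules copy with diff against the real file before copying it into /etc/ufw/, and run the printed ufw commands with sudo only once they look right.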


To test the firewall from the outside, point any web-based ping or port-check service at your public address and try ping and SSH (port 22): with the rules above, ping should only get through if the router answers it, and the SSH probe should show as filtered or closed.


More examples:
http://www.ubuntugeek.com/ufw-uncomplicated-firewall-for-ubuntu-hardy.html
http://manpages.ubuntu.com/manpages/jaunty/en/man8/ufw.8.html
http://ubuntuforums.org/showthread.php?t=823741
