Uncomplicated Firewall UFW

As part of my continuing Ubuntu 20.04 training, I circled back around to their firewall.  UFW or Uncomplicated firewall.   I have a Fortinet 60E UTM firewall protecting my house.   The 221-C Wireless Access Point is integrated into the 60E.   Since going to Windows 10 with UTM and Avast firewall fully enabled, I decided to setup UFW on all the Ubuntu servers.   I will provide part of the configuration without giving away everything I protect my home with.

What is UFW:  Well it is called the uncomplicated firewall.   It is not exactly uncomplicated.  I will start with the commands to install it.   It is disabled to begin with because you need to configure to allow ssh or you will be locked out forever.   I enabled medium logging.   I will show both IPv4 and IPv6 rules.

sudo apt install ufw
sudo ufw logging medium
sudo ufw status verbose

Next, I modify a few configuration files for multicast traffic.   This will fix multicast errors.   

/etc/ufw/user.rules
### Multicast
-A ufw-before-input  -p igmp -d 224.0.0.0/3 -j ACCEPT
-A ufw-before-output -p igmp -d 224.0.0.0/3 -j ACCEPT

/etc/ufw/user6.rules
### Multicast
-A ufw6-before-input  -p icmpv6 -d ff00::/8 -j ACCEPT
-A ufw6-before-output -p icmpv6 -d ff00::/8 -j ACCEPT

Before you enable UFW,  setup your allow ssh traffic.  I did not give you the enable command for this reason. I have 8 layer 3 ports on the 60E with IPv4 and IPv6 subnets. I will give you one of each. IPv4 covers the most common subnet for home users. You might have 192.168.0.0/24 or 192.168.100.0/24. I have many more IPv4 subnets.  So you need to see what your workstation is using.

I included the entire delegated subnet for my IPv6.   You want to make sure your IPv4 subnet is enabled to allow ssh in.   

sudo ufw allow from 192.168.1.0/24 to any port ssh
sudo ufw allow from 2600:1702:980:25ef:0:0:0:0/64 to any port ssh

I have two DNS/DHCP Ubuntu servers for my house.   UFW on these servers needs port 53 commands.  I only want my IPv4 and IPv6 subnets allowed into these DNS servers.  UFW allows traffic out to the internet for DNS port 53.   These rules allow only my subnets to go into the DNS servers.  

#DNS
sudo ufw allow from 192.168.1.0/24 to any port 53
sudo ufw allow from 2600:1702:980:25ef:0:0:0:0/64 to any port 53

#DHCP
sudo ufw allow proto udp to any port 67 from 192.168.1.0/24
sudo ufw allow proto udp to any port 68 from 192.168.1.0/24
sudo ufw allow proto udp to any port 67 from 2600:1702:980:25ef:0:0:0:0/64
sudo ufw allow proto udp to any port 68 from 2600:1702:980:25ef:0:0:0:0/64

My desktop and dropbox servers have xRDP installed on them.   I use it for programming and a dropbox server.  They are Ubuntu Desktop GUI based. 

sudo ufw allow from 192.168.1.0/24 to any port 3389
sudo ufw allow from 2600:1702:980:25ef:0:0:0:0/64 to any port 3389

Many of my Ubuntu servers and desktops have samba shares. 

#samba shares
sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

sudo ufw allow proto udp to any port 137 from 2600:1702:980:25ef:0:0:0:0/64
sudo ufw allow proto udp to any port 138 from 2600:1702:980:25ef:0:0:0:0/64
sudo ufw allow proto tcp to any port 139 from 2600:1702:980:25ef:0:0:0:0/64
sudo ufw allow proto tcp to any port 445 from 2600:1702:980:25ef:0:0:0:0/64

I have a few servers with WordPress and web sites on them.   The difference with these commands is I am allowing the web sites access from the internet.   You still come through the Fortinet 60E UTM.  

#wordpress and websites
sudo ufw allow http
sudo ufw allow https

To connect to my SQL server, I put on it’s UFW

sudo ufw allow proto tcp to any port 1433 from 192.168.1.0/24
sudo ufw allow proto udp to any port 1434 from 192.168.1.0/24

sudo ufw allow proto tcp to any port 1433 from 2600:1702:980:25ef:0:0:0:0/64
sudo ufw allow proto udp to any port 1434 from 2600:1702:980:25ef:0:0:0:0/64

sudo ufw enable : this is how you enable it.  Before enabling do this.   Make sure OpenSSH is there.

 sudo ufw app list
Available applications:
  CUPS
  OpenSSH

 sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Firewall is active and enabled on system startup 

sudo ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.1.0/24
22/tcp                     ALLOW IN    2600:1702:980:25ef::/64

sudo ufw app list:  Another server shows ssh and samba.

Available applications:
OpenSSH
Samba

sudo ufw status verbose 

Status: active Logging: on (medium) Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From -- ------ ----

22/tcp ALLOW IN 192.168.1.0/24
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
137/udp ALLOW IN 192.168.1.0/24 
138/udp ALLOW IN 192.168.1.0/24 
139/tcp ALLOW IN 192.168.1.0/24 
445/tcp ALLOW IN 192.168.1.0/24 
22/tcp ALLOW IN 2600:1702:980:25ef::/64 
80/tcp (v6) ALLOW IN Anywhere (v6) 
443/tcp (v6) ALLOW IN Anywhere (v6) 
137/udp ALLOW IN 2600:1702:980:25ef::/64 
138/udp ALLOW IN 2600:1702:980:25ef::/64 
139/tcp ALLOW IN 2600:1702:980:25ef::/64 
445/tcp ALLOW IN 2600:1702:980:25ef::/64