Setup ufw

I'm not the only one who thinks Linux netfilter/iptables is complex. In my honest opinion, it's unnecessarily complex. While I agree that it's powerful, most setups never need that complexity. Coming from a traditional firewall background, the syntax I'd expect to see looks like this:

netfilter/iptables
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Cisco IOS
access-list 100 permit tcp any any eq 80
interface FastEthernet0/1
 ip access-group 100 out
Fortigate Firewall
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
OpenBSD pf
pass in proto tcp from any to any port 80

I've tried to learn netfilter/iptables, but I always gave up. It's just too complicated. If you try to compare these, and you're not familiar with Cisco IOS or Fortigate, OpenBSD pf is probably the most human-readable. I believe that OpenBSD's pf (Packet Filter) syntax is more readable than netfilter/iptables for several key reasons:

  1. Human-readable syntax: pf uses a more natural language-like syntax, making rules easier to understand and write. It avoids complex command-line options and cryptic flags common in iptables. Rules are often expressed in a way that resembles English sentences, enhancing clarity.
  2. Clear and concise rules: pf rules are typically shorter and more focused on specific actions. This reduces the need for complex chains and table manipulations found in iptables. The syntax promotes a more straightforward approach to firewall configuration.
  3. Logical grouping and modularity: pf allows for logical grouping of rules using "table" constructs. This enables better organization and reusability of rule sets. It simplifies complex firewall configurations by breaking them down into smaller, more manageable units.
  4. Strong emphasis on security: pf is designed with security in mind, incorporating features like stateful inspection and implicit deny rules. This helps prevent accidental misconfigurations that could compromise system security. The syntax encourages a more secure approach to firewall configuration.
  5. Excellent documentation and community support: OpenBSD provides comprehensive documentation for pf, including detailed man pages and tutorials. A strong and active community offers support and assistance. This makes it easier for users to learn and troubleshoot pf configurations.

While netfilter/iptables is undoubtedly powerful and flexible, its complexity can often hinder its usability. OpenBSD's pf, on the other hand, strikes a balance between power and simplicity, making it a popular choice for many network administrators.

UFW

If you're a Linux user who wants to set up a firewall without losing your mind during a DDoS attack, UFW might be your sanity saver. UFW (Uncomplicated Firewall) shares some similarities with pf in terms of its user-friendly syntax and focus on simplicity. Both tools aim to make firewall configuration more accessible to users, avoiding the complexity of underlying technologies like iptables. This makes them easier to learn and use, especially for those who are new to firewall administration. However, they differ in their underlying implementation. UFW is a user-friendly front-end for iptables, providing a more intuitive interface for common firewall tasks. On the other hand, pf is a standalone packet filtering system, offering a more granular level of control over network traffic.

My default UFW setup

Below is a summary of how I generally set up a UFW firewall.

Default policies

ufw default deny incoming
ufw default allow outgoing

These two UFW commands set the default policies for incoming and outgoing traffic on your system:

  • ufw default deny incoming: This rule specifies that by default, all incoming traffic to your system is blocked. This means that unless you explicitly allow specific incoming connections, they will be denied. This is a security-conscious approach, as it prevents unauthorized access to your system.
  • ufw default allow outgoing: This rule specifies that by default, all outgoing traffic from your system is allowed. This means that your system can initiate connections to other systems without explicit permission. However, it's important to note that while this rule allows outgoing traffic, it doesn't necessarily mean that all outgoing traffic will be successful. Network policies and firewall rules on other systems may still block connections.

Allow your IP address

If you're the lucky duck with a static IP address, you can add a special rule to UFW that lets your own traffic through.

ufw allow from 1.2.3.4 comment 'my ip'

Enable the firewall

The last step is to enable the firewall.

Warning: Before enabling the firewall, be sure that you have added a rule that gives you access to the server!
ufw enable
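The three steps above as one script, added here as an example and not part of the original post. It applies the same default policies and allow rule, but refuses to run `ufw enable` until the admin rule is actually present; it reads `ufw show added` because `ufw status` lists no rules while the firewall is still inactive. It assumes root, a ufw new enough to accept `comment`, and uses 1.2.3.4 as a placeholder for your static IP; the sample output embedded at the bottom is constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not the original post's code): apply the post's default UFW
# setup, then enable only after verifying the admin allow rule exists.
# Assumes root and ufw >= 0.35 (for `comment`); 1.2.3.4 is a placeholder.

ADMIN_IP="${ADMIN_IP:-1.2.3.4}"   # placeholder: replace with your static IP

# Read `ufw show added` output on stdin; succeed only if some line allows
# traffic from the exact address in $1 (dots are matched literally, and a
# trailing space/end-of-line stops 1.2.3.4 from matching 1.2.3.45).
has_admin_rule() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "^ufw allow (in )?from ${esc}( |\$)" >/dev/null
}

apply_policies() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow from "$ADMIN_IP" comment 'my ip'
}

# Refuse to enable (and lock ourselves out) when the admin rule is missing.
safe_enable() {
    if ufw show added | has_admin_rule "$ADMIN_IP"; then
        ufw --force enable   # --force skips the "may disrupt ssh" prompt
    else
        echo "refusing to enable: no allow rule for $ADMIN_IP" >&2
        return 1
    fi
}

# Constructed sample of `ufw show added` output for an offline dry run.
SAMPLE_SHOW_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow from 1.2.3.4 comment 'my ip'"

# Dry run: returns 0 when the sample contains an allow rule for $1.
sample_has_rule() {
    printf '%s\n' "$SAMPLE_SHOW_ADDED" | has_admin_rule "$1"
}

# Only touch the live firewall when explicitly asked: ./setup-ufw.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_policies && safe_enable
fi
```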
