11.24.2017

UFW (Uncomplicated Firewall) Basics

UFW or Uncomplicated Firewall is Ubuntu's twist on the old faithful iptables.  Personally being an old hat I was very happy with iptables.  It worked well and I was proficient enough to write rules on the fly. UFW was built to be a "user friendly" front end for iptables.  There are some things you will need to know right off the bat if you are used to iptables.

Saving UFW rules:

Iptables rules are effective as soon as you hit enter, but they are not persistent, meaning they will not survive a reboot or a service restart.  With UFW the rules are effective immediately as well, but they are also saved to disk automatically.  This took me a minute to figure out.  Short story... No need for a save command.

I spent some time searching for the above information, so I figured I would put that front and center.  Now let's hit some basics.

Installing UFW:

First you will want to ensure UFW is installed.

sudo apt-get install ufw

By default UFW is set to deny all incoming connections, and allow all outgoing connections.

Checking UFW status and Listing UFW rules:

Simple, ask...

sudo ufw status

The status will be either active or inactive.

The above command will also list any rules you have set.

NOTE: You can also add verbose for more information.

sudo ufw status verbose

You can also list them numbered.  This comes in handy if you have a large number of rules.

sudo ufw status numbered

Setting UFW default policy:

UFW (and iptables) uses "default policies" to act on traffic that is not explicitly matched by a rule.  As a connection request comes in, UFW checks the rules in order, and if the packet does not match any rule it applies the action specified in the default policy.

You can set the default policy to deny incoming traffic like so:

sudo ufw default deny incoming

and allow outgoing traffic like so:

sudo ufw default allow outgoing

Open a specific port:

If you want to open a specific port, say port 22/SSH, it's simple.  We will add the SSH port first before enabling UFW to ensure we do not get locked out of our system.

sudo ufw allow 22

or

sudo ufw allow ssh

The above works for any specific port (the service names are resolved through /etc/services).  Note that a bare port number opens the port for both TCP and UDP; append the protocol, for example 22/tcp, to limit the rule to the one SSH actually uses.  For example you can open 443/HTTPS for a web server like so:

sudo ufw allow 443

Enabling or Disabling UFW:

Once you are sure you have SSH open, you can go ahead and enable UFW.

NOTE: You will see a warning about disrupting SSH connections.  If you set the 22/SSH port rule above, you will be fine.  If not, you run the chance of being locked out.

sudo ufw enable

Disable is similar....

sudo ufw disable
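Putting the default-policy, SSH-rule and enable steps together, here is an added example script that is not part of the original post.  It runs the steps in the lockout-safe order, restricts SSH to an assumed management subnet and interface using the "in on ... from ... to any port" syntax covered further down (the values 10.0.0.0/24, eth0 and port 22 are assumptions, set through environment variables), and refuses to enable the firewall unless "ufw show added" confirms that an SSH allow rule was actually saved.  Setting UFW_DRY_RUN=1 prints the ufw commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: a lockout-safe UFW bootstrap.
# Assumed values (adjust for your host): MGMT_SUBNET, MGMT_IFACE, SSH_PORT.
# Set UFW_DRY_RUN=1 to print the ufw commands instead of running them.
set -eu

: "${MGMT_SUBNET:=10.0.0.0/24}"   # assumed management subnet
: "${MGMT_IFACE:=eth0}"           # assumed management interface (check with 'ip addr')
: "${SSH_PORT:=22}"
: "${UFW_DRY_RUN:=0}"

# Run (or, in dry-run mode, print) a single ufw command.
run_ufw() {
  if [ "$UFW_DRY_RUN" = "1" ]; then
    printf 'ufw %s\n' "$*"
  else
    sudo ufw "$@"
  fi
}

# $1 = text of 'ufw show added' (the rules saved while the firewall is still
# inactive, which 'ufw status' would not list). Returns 0 if some allow rule
# covers the SSH port, given either as a number or as the service name 'ssh'.
ssh_rule_present() {
  printf '%s\n' "$1" | grep -Eq "^ufw allow( .*)? (${SSH_PORT}|ssh)(/tcp)?( |\$)"
}

# Order matters: defaults first, then the SSH rule, then a check, then enable.
ufw_bootstrap() {
  run_ufw default deny incoming
  run_ufw default allow outgoing
  # SSH only from the management subnet, only on the management interface, TCP only.
  run_ufw allow in on "$MGMT_IFACE" from "$MGMT_SUBNET" to any port "$SSH_PORT" proto tcp
  if [ "$UFW_DRY_RUN" != "1" ]; then
    added=$(sudo ufw show added)
    if ! ssh_rule_present "$added"; then
      echo "refusing to enable ufw: no allow rule for port $SSH_PORT found" >&2
      return 1
    fi
  fi
  run_ufw --force enable   # --force skips the interactive "may disrupt ssh" prompt
}

# Only touch the live firewall when explicitly asked: ./ufw-bootstrap.sh apply
if [ "${1:-}" = "apply" ]; then
  ufw_bootstrap
fi
```

Run it as "./ufw-bootstrap.sh apply" to change the live firewall; without the argument it only defines the functions.  The pre-enable check reads "ufw show added" rather than "ufw status" because, while the firewall is still inactive, "ufw status" prints only "Status: inactive" and none of the saved rules.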

Now let's move on to more interesting configurations.

Opening up a specific port range:

Often it is necessary to open a port range, for example 137-138 for Samba.  You can use a colon to specify a port range like so:

sudo ufw allow 137:138/udp

NOTE: When specifying port ranges, you MUST include the protocol.  In this case Samba uses 137 and 138 over UDP.

Allowing a connection from a specific host:

You can specify a host that is allowed to connect to your system by IP address like so:

sudo ufw allow from 10.0.0.10

Allowing a connection from specific host on specific port:

You can mix and match these rule elements (port, host, protocol, interface, etc.).

If you want to allow only one specific host to SSH to your system you can do that like so:

sudo ufw allow from 10.0.0.10 to any port 22

Allowing a connection over a specific network interface:


You may want to limit some traffic to a specific network interface, maybe a management interface?  To restrict SSH traffic to the eth0 interface:

sudo ufw allow in on eth0 to any port 22

It is good security practice to make your rules as granular as possible.  To find the name of your network interface you can use the "ip addr" command.

Allowing connections from a specific network subnet:

If you want to allow traffic from a specific subnet, just add the CIDR to the network address like so:

sudo ufw allow from 10.0.0.0/24

and limit that subnet to a specific port:

sudo ufw allow from 10.0.0.0/24 to any port 22

Limit that subnet to a specific port on a specific interface:

sudo ufw allow in on eth0 from 10.0.0.0/24 to any port 22

(See where we are going with this?)

Denying specific traffic:

All of the above "allow" commands can be turned into deny commands simply by changing the word allow to deny, like so:

Deny traffic from the 10.0.0.0/24 subnet:

sudo ufw deny from 10.0.0.0/24

Deny traffic on port 80:

sudo ufw deny 80

or

sudo ufw deny http

Deleting Rules:

You can delete rules either by specifying the rule's number (from "sudo ufw status numbered") or by typing out the full rule.

For example, let's say you wanted to close up port 443:

sudo ufw delete allow 443

You can also use the number of the rule in the chain.  We briefly covered using the numbered option above, but here is an example:

savona@biguntu:~$ sudo ufw status numbered verbose
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere                  
[ 2] 137/udp                    ALLOW IN    10.0.0.3                  
[ 3] 138/udp                    ALLOW IN    10.0.0.3                  
[ 4] 139/tcp                    ALLOW IN    10.0.0.3                  
[ 5] 445/tcp                    ALLOW IN    10.0.0.3                  
[ 6] 22 on enp7s0               ALLOW IN    10.0.0.0/24               

savona@biguntu:~$ sudo ufw delete 6
Deleting:
 allow in on enp7s0 from 10.0.0.0/24 to any port 22
Proceed with operation (y|n)? y
Rule deleted
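The numbered listing is also the natural place to audit a rule set for rules that are broader than they need to be, such as an ALLOW IN from Anywhere on the SSH port sitting next to a subnet-restricted rule for the same port (rule 1 versus rule 6 above).  The following added example, which is not part of the original post, parses a constructed "ufw status numbered" listing modelled on the one above and prints every ALLOW IN rule whose From column is Anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: list the rules in a
# 'ufw status numbered' listing that accept inbound traffic from Anywhere.
# The sample below is constructed, modelled on the listing in the post.
set -eu

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 137/udp                    ALLOW IN    10.0.0.3
[ 3] 80/tcp                     DENY IN     Anywhere
[ 4] 22 on enp7s0               ALLOW IN    10.0.0.0/24
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)'

# Reads a numbered status listing on stdin and prints "<num> | <to> | <from>"
# for every ALLOW IN rule whose From column is Anywhere (IPv4 or IPv6).
# The line is split on the Action column rather than on whitespace, because
# the To column may itself contain spaces ("22 on enp7s0", "22 (v6)").
ufw_open_to_anywhere() {
  awk '
    /^\[ *[0-9]+\]/ && match($0, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/) {
      close_br = index($0, "]")
      num = substr($0, 2, close_br - 2); gsub(/ /, "", num)
      to = substr($0, close_br + 1, RSTART - close_br - 1)
      action = substr($0, RSTART, RLENGTH)
      from = substr($0, RSTART + RLENGTH)
      gsub(/^ +| +$/, "", to); gsub(/^ +| +$/, "", from)
      if (action == "ALLOW IN" && from ~ /^Anywhere/) print num " | " to " | " from
    }'
}

# Stand-alone run: audit the constructed sample. On a live system pipe the
# real listing in instead:  sudo ufw status numbered | ufw_open_to_anywhere
printf '%s\n' "$SAMPLE_STATUS" | ufw_open_to_anywhere
```

On the constructed sample this prints rules 1 and 5 only: rule 3 is a DENY, rules 2 and 4 are restricted to a host or subnet.  Each line it prints is a candidate for either deleting (as shown above) or replacing with a host, subnet or interface restricted rule.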

Disabling and resetting UFW:

You can disable UFW simply by giving it the disable command:

sudo ufw disable

NOTE: Disabling UFW will not delete the rules, if you re-enable it, the rules you set will still be there.

Disabling UFW can be handy when troubleshooting connection issues, to rule out the firewall.

You can also reset UFW.  Resetting UFW will delete all the rules and disable the firewall.  This will not affect default policies.

sudo ufw reset

Now you should have a good understanding of the basics of UFW.  Uncomplicated Firewall simplified the administration of iptables a fair amount.  Of course, being an old hat, I still prefer iptables, respect UFW and just shake my head at firewalld.

11.23.2017

List Installed Kernels and Currently Running Kernel

Question sent in by Tim from Kansas City.

Q: Is there a way I can check to see if a system has a newer kernel installed?  For example, if a system has installed a new kernel, but has not yet rebooted to load it?

A: Yes, you can check the currently running kernel as well as which kernels are installed.  This will give you version numbers and you can see if there is an installed version higher than the running version.

To check which kernel is currently running on your system, use the uname command with the "release" or -r switch.  This will output the kernel version (release) number.

uname -r

Sample output:

savona@biguntu:~$ uname -r
4.13.0-16-generic


Now that you know which kernel you are currently running, you can check the installed kernels and see if there are any later releases.

For Debian based systems (Ubuntu, Mint, etc..) you can use dpkg (output truncated for readability).

savona@biguntu:~$ dpkg --list | grep linux-image
ii  linux-image-4.13.0-16-generic              4.13.0-16.19
ii  linux-image-4.13.0-17-generic              4.13.0-17.20
ii  linux-image-extra-4.13.0-16-generic        4.13.0-16.19
ii  linux-image-extra-4.13.0-17-generic        4.13.0-17.20
ii  linux-image-generic                        4.13.0.17.18

For RedHat or RPM based systems (CentOS, Fedora, etc..) you can use the rpm command.

[savona@Cetnos7VM ~]$ rpm -q kernel
kernel-3.10.0-693.el7.x86_64
kernel-3.10.0-693.5.2.el7.x86_64
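As an added example that is not part of the original answer, the following script automates Tim's check for Debian based systems: it takes the dpkg listing on standard input (a constructed sample modelled on the one above is embedded), picks out the highest versioned installed linux-image package, and compares it with the running release from uname -r.  It handles the dpkg naming scheme only; the rpm listing uses a different one and is not parsed here.

```shell
#!/bin/sh
# Added example, not from the original post: compare the running kernel with
# the newest installed linux-image package on a Debian/Ubuntu system and say
# whether a reboot would load a newer kernel. dpkg format only; the sample
# below is constructed from the listing in the post.
set -eu

SAMPLE_DPKG='ii  linux-image-4.13.0-16-generic              4.13.0-16.19
ii  linux-image-4.13.0-17-generic              4.13.0-17.20
ii  linux-image-extra-4.13.0-16-generic        4.13.0-16.19
ii  linux-image-extra-4.13.0-17-generic        4.13.0-17.20
ii  linux-image-generic                        4.13.0.17.18'

# Turn a release such as 4.13.0-17-generic into a zero-padded key
# (0004.0013.0000.0017) so that plain string sorting orders versions correctly.
kver_key() {
  printf '%s\n' "$1" | awk -F'[^0-9]+' '{
    k = ""
    for (i = 1; i <= 4; i++) k = k sprintf("%04d", $i + 0) (i < 4 ? "." : "")
    print k
  }'
}

# stdin: output of 'dpkg --list'. Prints the highest versioned installed
# (status "ii") linux-image-<version> package, ignoring the "extra" and
# metapackage entries that carry no kernel version in their name.
newest_installed_kernel() {
  awk '$1 == "ii" && $2 ~ /^linux-image-[0-9]/ { print substr($2, 13) }' |
  while read -r v; do
    printf '%s %s\n' "$(kver_key "$v")" "$v"
  done | sort | tail -n 1 | cut -d' ' -f2-
}

# $1 = running kernel release (uname -r); stdin = dpkg --list output.
# Returns 0 (and prints the newer release) when an installed kernel is newer
# than the running one, 1 otherwise.
reboot_needed() {
  newest=$(newest_installed_kernel)
  [ -n "$newest" ] || return 1
  run_key=$(kver_key "$1")
  new_key=$(kver_key "$newest")
  if [ "$new_key" != "$run_key" ] &&
     [ "$(printf '%s\n%s\n' "$new_key" "$run_key" | sort | head -n 1)" = "$run_key" ]; then
    printf '%s\n' "$newest"
    return 0
  fi
  return 1
}

# Stand-alone run against the constructed sample. On a live system use:
#   dpkg --list | reboot_needed "$(uname -r)"
if printf '%s\n' "$SAMPLE_DPKG" | reboot_needed "4.13.0-16-generic"; then
  echo "newer kernel installed, reboot to load it"
else
  echo "running kernel is the newest installed"
fi
```

With the sample listing and a running release of 4.13.0-16-generic the script reports 4.13.0-17-generic as the newer installed kernel; with 4.13.0-17-generic running it reports nothing.  The version key deliberately ignores the "-generic" flavour suffix and the dpkg package revision, which is enough to answer "is a newer kernel installed" for stock Ubuntu kernels.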

11.20.2017

How to Hide the Mouse Pointer (Cursor) to Create a Kiosk or Dashboard

Question sent in by K.G. from New Jersey

Q: I created a system that boots and loads a browser in kiosk mode to show a slideshow in my company office.  Is there a way I can hide the mouse pointer?  It shows up even if I disconnect the mouse.

A: Yes, the easiest way is to install the unclutter package.  Unclutter is a package that will hide the mouse pointer, but it's flexible because all you need to do is move the mouse to show the pointer again.  Another reason why it is so flexible is because it is available for Red Hat, CentOS, Fedora, Ubuntu, Debian, etc...

To install in Ubuntu:

sudo apt-get install unclutter

Once you have the package installed you just need to add one line to a configuration file.

For Ubuntu:

Add the following line to the ~/.config/lxsession/LXDE/autostart file:

unclutter -idle 0

or run the following commands, which will create the directory if needed and add the line for you (no sudo is required: the file is in your own home directory, and sudo would only apply to echo, not to the redirection, which the shell performs as your user):

mkdir -p ~/.config/lxsession/LXDE
echo "unclutter -idle 0" >> ~/.config/lxsession/LXDE/autostart

Good luck!

See the man pages for a complete list of options, it is a nifty little piece of software.

P.S. This package also comes in RPM flavor for people using Red Hat, CentOS, or Fedora.