Ubuntu firewall

by Gisle Hannemyr

TBA.

Introduction

A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate unwanted network communications while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevents attackers from accessing the server in malicious ways.

For a web server, we only want to allow remote login (ssh) from a limited range of IP-addresses, and for web clients to connect on the standard web ports (http and https). Everything else should be blocked.

Sources:

The ports to keep open:

 22 : ssh
 80 : http
443 : https

Drush uses wget to download projects. Wget uses http and https so a firewall that keeps these ports open will not interfere with normal operations to keep the site up to date.

UFW

UFW, or Uncomplicated FireWall, is an interface to iptables (i.e. the standard program used to manage the tables implemented by the GNU/Linux kernel firewall). UFW is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult to learn how to use it to configure a firewall properly. UFW is easier to work with.

UFW is installed by default on Ubuntu. If it is not for some reason, you can install it with the following command:

$ sudo apt install ufw

To check its status, you may use the following command:

$ sudo ufw status verbose
Status: inactive

If the status is inactive, the status command will not show you the rules, even if some are defined.

However, this command will:

$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
(None)

The above indicates that no rules have been added yet.

Note: If you get a warning about duplicate apache profiles, navigate to /etc/ufw/applications.d. You will probably find two identical apache profiles. Remove apache2.2-common.

Setting up default policies

By default, UFW is set to deny all incoming connections and allow all outgoing connections. But to make sure the UFW rules are set to the defaults before we start adding new rules, do the following:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Allowing incoming connections

To allow incoming connections using ssh and web, do:

$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https

To get an overview over rules added:

$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp

Enabling UFW

To enable UFW, use this command:

$ sudo ufw enable
Command may disrupt existing ssh …. Proceed with operation (y|n)? y
Firewall active and is enabled on system startup

The warning that the command may disrupt existing ssh connections means that your current connection may go dead. However, as long as there is a firewall rule that allows ssh connections, you will be able to log in again.

You may disable UFW with the following command:

$ sudo ufw disable
Firewall stopped and disabled on system startup

When the firewall is active, the following command will tell you which rules are set:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                 Action    From
--                 ------    ----
22/tcp             ALLOW IN  Anywhere
80/tcp             ALLOW IN  Anywhere
443/tcp            ALLOW IN  Anywhere
22/tcp (v6)        ALLOW IN  Anywhere (v6)
80/tcp (v6)        ALLOW IN  Anywhere (v6)
443/tcp (v6)       ALLOW IN  Anywhere (v6)

Adjusting permissions

If you want to allow a subnet of IP addresses, you can do so using CIDR notation to specify a netmask. For example, to allow access on port 22 for all addresses starting with “129.240” (but no others) you may specify that using this format: “129.240.0.0/16”. You also need to delete the rule that allows connections to port 22 from anywhere. The following sequence of commands accomplishes this:

$ sudo ufw allow from 129.240.0.0/16 to any port 22
$ sudo ufw status numbered
Status: active

     To                 Action    From
     --                 ------    ----
[ 1] 22/tcp             ALLOW IN  Anywhere
[ 2] 80/tcp             ALLOW IN  Anywhere
[ 3] 443/tcp            ALLOW IN  Anywhere
[ 4] 22/tcp             ALLOW IN  129.240.0.0/16
[ 5] 22/tcp (v6)        ALLOW IN  Anywhere (v6)
[ 6] 80/tcp (v6)        ALLOW IN  Anywhere (v6)
[ 7] 443/tcp (v6)       ALLOW IN  Anywhere (v6)
$ sudo ufw delete 1

The order of the commands is significant: if you delete the first port 22 rule before adding the one with a restricted IP range, you will lock yourself out.
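The lockout risk just described is easy to guard against with a small script. The following is an added example, not part of the original page and not part of UFW: it parses a constructed copy of the `ufw status numbered` output in the layout shown above, checks that a source-restricted IPv4 rule for port 22 exists and that the administrator's own address (an assumed value here, 129.240.12.34) falls inside that range, and only then reports the number of the open "Anywhere" rule that is safe to delete. All function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to delete the unrestricted
# port 22 rule unless a source-restricted port 22 rule already covers our own
# IPv4 address. Parses the text layout of `ufw status numbered`.

# Constructed sample of `ufw status numbered` output, copied in layout from the page.
SAMPLE_STATUS='Status: active

     To                 Action    From
     --                 ------    ----
[ 1] 22/tcp             ALLOW IN  Anywhere
[ 2] 80/tcp             ALLOW IN  Anywhere
[ 3] 443/tcp            ALLOW IN  Anywhere
[ 4] 22/tcp             ALLOW IN  129.240.0.0/16
[ 5] 22/tcp (v6)        ALLOW IN  Anywhere (v6)
[ 6] 80/tcp (v6)        ALLOW IN  Anywhere (v6)
[ 7] 443/tcp (v6)       ALLOW IN  Anywhere (v6)'

# Normalise numbered rule lines to "N TO ACTION DIRECTION FROM ..." (brackets dropped).
rule_lines() {
    printf '%s\n' "$1" | sed -n 's/^\[ *\([0-9][0-9]*\)\] */\1 /p'
}

# Rule numbers of IPv4 rules that allow port 22 from anywhere (v6 rules have extra fields).
open_ssh_rules() {
    rule_lines "$1" | awk 'NF == 5 && $2 == "22/tcp" && $3 == "ALLOW" && $4 == "IN" && $5 == "Anywhere" { print $1 }'
}

# Sources (address or CIDR) of IPv4 rules that allow port 22 from a restricted range only.
restricted_ssh_sources() {
    rule_lines "$1" | awk 'NF == 5 && $2 == "22/tcp" && $3 == "ALLOW" && $4 == "IN" && $5 != "Anywhere" { print $5 }'
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when IPv4 address $1 lies inside $2, given as CIDR or as a bare address (/32).
# IPv6 values are not handled and are treated as "no match".
ip_in_cidr() {
    case "$1$2" in *:*) return 1 ;; esac
    case "$2" in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the number of the first open port 22 rule, but only if some restricted
# port 22 rule covers our own address $2; otherwise print nothing and fail.
ssh_rule_to_delete() {
    open=$(open_ssh_rules "$1" | head -n 1)
    [ -n "$open" ] || return 1
    for src in $(restricted_ssh_sources "$1"); do
        if ip_in_cidr "$2" "$src"; then
            printf '%s\n' "$open"
            return 0
        fi
    done
    return 1
}

# Stand-alone run against the constructed sample; 129.240.12.34 is an assumed admin address.
if num=$(ssh_rule_to_delete "$SAMPLE_STATUS" 129.240.12.34); then
    echo "safe to run: sudo ufw delete $num"
else
    echo "refusing: no restricted port 22 rule covers your address; add one first" >&2
fi
```

On a real host the same check can be fed live data, for instance `ssh_rule_to_delete "$(sudo ufw status numbered)" "${SSH_CLIENT%% *}"` (sshd sets SSH_CLIENT to the client address followed by the ports). UFW renumbers the remaining rules after every delete, so re-run `ufw status numbered` and the check before each further deletion rather than deleting several numbers in one go.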

To learn the public IP address of the PC your browser runs on, visit WhatIsMyIPAddress.com.

To learn a web server's public address from the CLI, type:

$ hostname -I
138.68.64.125

Check current IP-address for HNM-PC: whatismyipaddress.com. History:

IPv4: 77.16.60.64 (2020-01-30)
IPv4: 77.16.61.93 (2020-01-31)
IPv4: 77.16.217.106 (2020-03-29)

I.e.: The IP-address assigned by Telenor seems to change pretty randomly.

These are the IP-addresses I currently whitelist:

91.205.187.70   (pvn.no)
138.68.64.125   (do18)
138.68.64.217   (do19)
167.172.177.32  (do20)
167.172.182.56  (karde)
165.227.146.209 (snp)
129.240.0.0/16  (UiO)
77.16.0.0/16    (HNM-PC - Telenor)
77.18.0.0/16    (HNM-PC - Telenor)

Final word

[TBA]


Last update: 2018-11-06 [gh].