
Antony's pages of stuff


F*@#ing Linux



Things I have found out whilst trying to use the Ubuntu firewall, UFW.



What is UFW?

UFW (Uncomplicated Firewall) is a frontend for iptables and the default firewall configuration tool in Ubuntu.

UFW ships with Ubuntu but is disabled by default, so nothing is filtered until you run "ufw enable". If the package is missing (minimal or container images), install it first:

sudo apt-get install ufw

I'm going to add a basic allow rule for OpenSSH access from my local network. Do this before enabling the firewall if you are working over SSH, otherwise the default "deny incoming" policy will cut off your own session.

sudo ufw allow from 192.168.1.0/24 to any port 22

Note that without "proto tcp" this rule opens port 22 for both TCP and UDP; appending "proto tcp" keeps it to what SSH actually uses.

Well known port allocations

  • 20 – FTP data (transfers FTP file data)
  • 21 – FTP control (sets up the FTP session)
  • 22 – SSH (secure remote administration; SSH has its own encryption and key exchange, it does not use SSL/TLS)
  • 23 – Telnet (insecure remote administration, everything in plaintext)
  • 25 – SMTP (mail transfer between mail servers such as Sendmail or Postfix)
  • 53 – DNS (uses both UDP and TCP)
  • 67 – DHCP/BOOTP server (client requests arrive here)
  • 68 – DHCP/BOOTP client (replies are sent here)
  • 69 – TFTP (trivial file transfer protocol, UDP, no authentication)
  • 80 – HTTP/WWW (Apache, Nginx)
  • 88 – Kerberos
  • 110 – POP3 (mail retrieval)
  • 123 – NTP (network time protocol, UDP)
  • 137 – NetBIOS name service (nmbd, UDP)
  • 139 – SMB over NetBIOS (smbd)
  • 143 – IMAP
  • 161 – SNMP (network monitoring, UDP)
  • 389 – LDAP (directory services, centralised administration)
  • 443 – HTTPS (HTTP over TLS)
  • 514 – syslog (UDP)
  • 636 – LDAPS (LDAP over TLS, TCP)
  • 873 – rsync
  • 989 – FTPS data
  • 990 – FTPS control
  • 993 – IMAPS
  • 995 – POP3S
  • 1194 – OpenVPN (UDP by default)
  • 1812 – RADIUS (UDP)
  • 2049 – NFS (nfsd, rpc.nfsd; the portmapper/rpcbind it relies on is on 111)
  • 2401 – CVS pserver
  • 3306 – MySQL
  • 3690 – SVN (svnserve)
  • 6000–6063 – X11

The "deny" command works similarly to the "allow" command and is used to block a port in the firewall. Rules are evaluated in order and the first match wins, so a deny added after an allow for the same port does nothing until it is moved above it:

sudo ufw deny 80

Then check your UFW configured status

sudo ufw status

If you need more detail you can use

sudo ufw status verbose

When adding or removing rules, list them with their numbers

sudo ufw status numbered

Numbered entries make it easier to insert a rule at a given position or delete one. Because first match wins, inserting a deny at position 1 puts it ahead of every allow:

sudo ufw insert 1 deny from 221.194.0.0/16 to any
sudo ufw insert 2 allow ntp
sudo ufw delete 1

Numbers are reassigned every time the ruleset changes, so re-run "ufw status numbered" immediately before each delete rather than relying on an earlier listing; ufw shows the rule and asks for confirmation before deleting, which is the moment to check. You can also delete a rule by repeating its original text after "delete", which does not depend on numbering at all.

After we've configured UFW, we can turn it on using this command.

sudo ufw enable

To disable (stop) UFW, run this command.

sudo ufw disable

If you need to reload UFW (reload rules), run the following.

sudo ufw reload

You can also restart UFW by disabling it and then enabling it again, but between the two commands the host has no firewall at all, so prefer "reload" on anything reachable from the internet.

sudo ufw disable && sudo ufw enable

Then recheck your configured status with sudo ufw status verbose.
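Putting the steps above together as one script, added here as an example (it is not from the original page): deny-by-default policies, the SSH rule for the LAN, a couple of service ports, logging, and only then enable. It assumes the LAN is 192.168.1.0/24 (the page's own SSH rule) and that the box serves HTTP and HTTPS; DRY_RUN, LAN_NET, ufw_cmd and configure_ufw are names chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original page: bring UFW up with a
# deny-by-default policy while keeping SSH from the LAN reachable.
# Assumptions (mine, not the page's): the LAN is 192.168.1.0/24 as in the
# page's SSH rule, and the host serves HTTP and HTTPS.
#
# Safety design: DRY_RUN defaults to 1, so running the script only prints
# the ufw commands it would issue. Run with DRY_RUN=0 to apply them.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# ufw_cmd: execute "sudo ufw ..." or, in dry-run mode, print the command
# with multi-word arguments (the comments) single-quoted.
ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ufw'
        for arg in "$@"; do
            case $arg in
                *' '*) printf " '%s'" "$arg" ;;
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        sudo ufw "$@"
    fi
}

# configure_ufw: the order is deliberate. Policies first, then the SSH
# rule, then the rest, and only then "enable". Enabling before the SSH
# rule exists cuts off the session you are configuring from.
configure_ufw() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # "proto tcp" narrows the page's rule (without it 22/udp is opened too).
    # "limit" instead of "allow" adds ufw's built-in rate limit: a source
    # making 6 or more connection attempts in 30 seconds is denied.
    ufw_cmd limit from "$LAN_NET" to any port 22 proto tcp comment 'SSH from LAN only'
    ufw_cmd allow 80/tcp comment 'HTTP'
    ufw_cmd allow 443/tcp comment 'HTTPS'
    ufw_cmd logging low
    # --force skips the "may disrupt existing ssh connections" prompt so
    # the script can run unattended (cron, cloud-init, config management).
    ufw_cmd --force enable
    ufw_cmd status verbose
}

configure_ufw
```

Run it once as-is to review the eight commands it will issue, then with DRY_RUN=0 to apply them. Rate limiting via "limit" is a cheap brake on password guessing but is not a substitute for key-only SSH authentication.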

Getting more clever with ufw: you can attach a comment to a rule with comment 'COMMENT', and it is shown in "ufw status" so you remember why the rule exists.

sudo ufw insert 2 deny from 221.194.0.0/16 to any comment 'block 221.194.47.249 & 221.194.47.229 - from 221.194.0.0 to 221.194.255.255'

You can enable logging with the command:

sudo ufw logging on

Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.

At level low, blocked packets are written by rsyslog to /var/log/ufw.log (they are kernel log messages, so journalctl -k shows them too). An entry resembles the following:

Dec  6 08:50:53 <my-server-hostname> kernel: [ 7818.432401] [UFW BLOCK] IN=enp0s18 OUT= MAC=01:00:5e:00:00:11:c8:91:g9:06:50:10:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 
Dec  6 09:58:36 <my-server-hostname> kernel: [11881.028665] [UFW BLOCK] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:09:21:5f:71:1g:be:08:00 SRC=192.168.1.68 DST=192.168.1.100 LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=23030 PROTO=UDP SPT=51895 DPT=2054 LEN=36

The initial values list the date, time and your device hostname, followed by the kernel timestamp. Additional important values include:

  • [UFW BLOCK]: Short description of the logged event; other prefixes are [UFW ALLOW], [UFW AUDIT] and [UFW LIMIT BLOCK]. In this instance, it blocked a packet.
  • IN: The interface the packet arrived on. Non-empty for incoming packets.
  • OUT: The interface the packet would leave through. Non-empty for outgoing or forwarded packets; empty (as above) when the packet was addressed to this host.
  • MAC: The 14-byte Ethernet header: destination MAC, source MAC, then the EtherType (08:00 is IPv4, 86:dd is IPv6).
  • SRC: The source IP, i.e. who sent the packet.
  • DST: The IP of the packet destination.
  • LEN: Packet length in bytes (the second LEN in a UDP line is the UDP length).
  • TOS: The type-of-service bits of the IPv4 header.
  • PREC: The precedence bits of the IPv4 TOS byte. 0xC0 is "internetwork control", typical for the IGMP query in the first line.
  • TTL: The packet's time to live, a hop count decremented by each router; the packet is discarded when it reaches 0.
  • ID: The IPv4 header identification field, used for fragment reassembly. It is nothing to do with ufw.
  • DF: The "don't fragment" flag is set.
  • PROTO: The transport protocol. TCP, UDP and ICMP are shown by name, anything else by IP protocol number (2 in the first line is IGMP).
  • SPT: The source port of the packet.
  • DPT: The destination port of the packet.
  • WINDOW: The TCP window size advertised by the sender (how much data it is prepared to receive).
  • RES: The reserved bits of the TCP header, normally 0x00.
  • SYN (and other flag names such as ACK, FIN, RST): The TCP flags set on the packet. A lone SYN is a connection attempt, so a blocked SYN is someone probing a closed port.
  • URGP: The TCP urgent pointer, almost always 0 and of no interest when reading firewall logs.
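To make these fields useful rather than just readable, here is an added example (not from the original page) that summarises blocked traffic from ufw.log by source, protocol and destination port, so a host hammering one port stands out. The log lines it feeds itself are constructed to match the format shown above; 203.0.113.7 is an RFC 5737 documentation address, and ufw_block_summary and sample_log are names chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original page: summarise [UFW BLOCK] entries
# by source address, protocol and destination port so that a host hammering
# one port stands out. POSIX sh + awk only, so it runs on a bare Ubuntu
# install. Usage against the real log:  ufw_block_summary < /var/log/ufw.log
set -eu

# ufw_block_summary: read ufw.log lines on stdin and print one line per
# distinct (SRC, PROTO, DPT) seen in a [UFW BLOCK] entry:
#     <count> <SRC> <PROTO> <DPT>
# busiest first. Non-block lines ([UFW ALLOW], [UFW AUDIT], ...) are skipped.
# DPT is "-" for protocols without ports (e.g. PROTO=2, IGMP).
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = "-"; proto = "-"; dpt = "-"
            # Walk the KEY=VALUE tokens rather than trusting field
            # positions: the optional DF flag shifts everything after it.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# sample_log: constructed test data in the exact shape of the page's log
# excerpt. 203.0.113.7 is a documentation address (RFC 5737), not a real host.
sample_log() {
    cat <<'EOF'
Dec  6 08:50:53 myhost kernel: [ 7818.432401] [UFW BLOCK] IN=enp0s18 OUT= MAC=01:00:5e:00:00:01:c8:91:a9:06:50:10:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Dec  6 09:58:36 myhost kernel: [11881.028665] [UFW BLOCK] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:09:21:5f:71:1a:be:08:00 SRC=192.168.1.68 DST=192.168.1.100 LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=23030 PROTO=UDP SPT=51895 DPT=2054 LEN=36
Dec  6 10:01:02 myhost kernel: [12027.110001] [UFW BLOCK] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 10:01:05 myhost kernel: [12030.220002] [UFW BLOCK] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 10:01:09 myhost kernel: [12034.330003] [UFW BLOCK] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 10:02:41 myhost kernel: [12126.440004] [UFW BLOCK] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=10004 DF PROTO=TCP SPT=40004 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 10:03:00 myhost kernel: [12145.550005] [UFW ALLOW] IN=enp0s18 OUT= MAC=00:13:d3:ae:4c:a5:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=555 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

sample_log | ufw_block_summary
```

On the constructed sample the top line is "3 203.0.113.7 TCP 22": three SYNs to SSH from one outside address in seven seconds, exactly the pattern the "limit" rule or fail2ban (below) is there to shut down. The [UFW ALLOW] line is ignored, and the IGMP line comes out with "-" as its port.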

ufw supports multiple logging levels. ufw defaults to a loglevel of 'low' when a loglevel is not specified.
LEVEL may be 'on', 'off', 'low', 'medium', 'high' or 'full'. Users may specify a loglevel with:

sudo ufw logging LEVEL

Log levels are defined as:

  • off: disables ufw managed logging
  • low: logs all blocked packets not matching the defined policy (with rate limiting), as well as packets matching logged rules
  • medium: log level low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new connections. All logging is done with rate limiting.
  • high: log level medium (without rate limiting), plus all packets with rate limiting
  • full: log level high without rate limiting

Log levels above medium may quickly fill up your disk. Log level medium may generate a lot of logging output on a busy system.

If you want to turn off UFW completely and delete all the rules, use the "reset" command. It disables the firewall and moves the current rule files aside as dated backups, so the host is unfiltered until you add rules and enable again:

sudo ufw reset

Whilst creating my ufw rules I needed to work out my external IP address; the quickest way was to use the following:

curl -4 icanhazip.com

The next step to secure your server's ports is to use an intrusion prevention framework such as fail2ban.


by Ant Monkey on Juice © 
