How to Configure Ubuntu’s Firewall
Sunday, January 18, 2009 5:27:56 PM
Ubuntu has a very capable firewall built in (the kernel's netfilter, managed with iptables), but no rules are loaded out of the box.
The firewall isn't activated by default because a fresh Ubuntu install has no services listening on the network. No program accepts incoming connections from the Internet apart from those you install and enable yourself, so there is nothing listening for a firewall to protect until you add a service of your own.
To configure Ubuntu's firewall easily, you can use Firestarter. This is a simple GUI program that generates the iptables rules for you and lets you control both incoming and outgoing connections.
Firestarter can be installed via "Synaptic Package Manager" (search for and install the firestarter package)
or type this in a terminal:
sudo apt-get install firestarter
After the installation is finished, you can find the GUI under System > Administration > Firestarter
When you launch Firestarter for the first time, it will take you through a setup wizard.
Click Forward and you will be able to select the network device. If your machine gets its IP address by DHCP (most cable and DSL users do), make sure you tick the DHCP checkbox here so that Firestarter adds rules permitting the DHCP client's traffic.
The default choice in the Detected device list is usually correct. If you use a wifi connection, make sure the wireless interface is the one selected, since that is the connection Firestarter will protect. To find out which device provides your network connection, right-click the NetworkManager icon, select Connection Information, and look at the line headed Interface (a name such as eth0 or wlan0).
Click Forward, then Save.
The firewall rules are now loaded and stay in force whether or not the GUI is running, but the GUI itself won't start automatically unless you add it to your startup programs.
Configuring incoming connections
Firestarter's default policy is to turn away unsolicited incoming connections. Replies to connections your own machine opened, such as the web page Firefox asked for, are still allowed, because the firewall tracks connection state and lets established traffic back in. Although very safe, turning away every unsolicited connection isn't always desirable. For example, BitTorrent relies on other people connecting to your computer unsolicited in order to exchange file fragments, and services like network file sharing rely on others being able to connect whenever they want to grab or drop off files. In those cases you need to allow specific incoming connections, which is done by creating an inbound rule.
1. Start Firestarter and click the Policy tab. Ensure Inbound traffic policy is selected in the Editing dropdown list. Then right-click in the white empty area in the lower part of the window, underneath the Allow service heading, and click "Add Rule" in the menu that appears.
2. In the dialog that appears, select the type of incoming connection you want to allow from the Name dropdown list. If you want to allow network file sharing, select Samba (SMB). Once you've made your selection, the Port text field is filled in automatically and there should be no need to change it.
Under the When the source is heading, you can select Anyone to allow literally any Internet-connected computer to connect (advisable in the case of BitTorrent), or IP host or network to restrict the rule to a particular computer or range of computers. To allow only computers on your private network, type the network in CIDR notation, for example 192.168.1.0/24; a single address such as 192.168.1.100 allows only that one host. Restricting the source this way adds a worthwhile layer of security if all you want is file sharing on the LAN, since there is no reason for the whole Internet to be able to reach your Samba ports.
3. Click the Add button and then click the Apply Policy button on the main toolbar. The change takes effect immediately and there's no need to reboot. Once configuration is complete you can close Firestarter (remember that Firestarter is simply a configuration program for the firewall and not the firewall itself; it doesn't need to be running for the firewall to function).
Configuring outgoing connections
By default Firestarter allows all outgoing connections: should Firefox or Evolution attempt to connect to a website or mail server, it won't stop them. This is known as a permissive policy. To block all outgoing connections apart from those you sanction, Firestarter needs to be switched to a restrictive policy. The following steps describe how to enable a restrictive outgoing policy and then create rules so that the traffic you need is allowed out (this is also known as creating a whitelist, because only what you list is allowed through). Bear in mind that Firestarter's rules are about ports and addresses, not programs: allowing HTTP out lets any program on the machine talk to port 80, not just Firefox.
1. Start Firestarter and ensure the Policy tab is selected. Then select Outbound traffic policy from the Editing dropdown list. Then select Restrictive by default, whitelist traffic.
2. In the space under the Allow service heading at the bottom of the program, right click and select "Add rule" from the menu that appears.
3. In the Name dropdown list, select the type of connection you'd like to pass through unhindered. For example, to allow Firefox (and also Ubuntu's package management, which fetches updates over the same protocol) to work, you'll need to select HTTP, the protocol web traffic uses on port 80. You will almost certainly want to allow this. Once that's done the Port text field is filled in automatically; there should be no need to change it unless you know what you're doing.
4. If you need to manually create a rule (which is to say, those offered don’t fit your requirements), type the port into the Port text field and then type the name of the new rule straight into the Name field (the Name field works as both a dropdown list and a text field). You can give the new rule any name you wish.
Regardless of whether you create your own rule or use one that's already defined, don't change anything under the When the source is heading. For outbound rules those settings only matter when Firestarter is protecting a shared Internet connection, that is, when it is acting as the gateway for other machines. Just click the Add button to create the rule.
Click the Apply Policy button on the toolbar. The changes will take effect immediately and there’s no need to reboot.
If you opt for a restrictive outgoing policy, at the very least you should create rules to allow DNS, HTTP, HTTPS, POP3, and SMTP. DNS (port 53) has to go first: without it nothing can resolve a hostname, and every other rule looks broken even though it's fine. HTTP and HTTPS allow Firefox to fetch webpages unhindered, while POP3 and SMTP are needed for getting and sending email (if you use IMAP instead of POP3 then, obviously, select that instead, and if your provider uses the SMTP submission port 587 rather than 25, add that too).
A restrictive policy can be a pain to maintain because some websites make Firefox fetch data on ports other than 80 and 443, particularly when certain plugins are used. In that case you need to create a rule for each port, which means finding out which port is being requested; Firestarter's Events tab, which lists blocked connections, is the place to look. Likewise, new software that needs Internet access won't work until the port it uses has been added.
Turning off network diagnostic tools
Firestarter can also stop your computer responding to ICMP, the protocol that network diagnostic tools such as ping and traceroute use. Those responses are useful when troubleshooting, but they also let anyone on the Internet confirm that your machine is up and map the route to it, which is why attackers use them for reconnaissance. To switch them off, click Edit > Preferences within Firestarter, select ICMP Filtering on the left of the dialog box that appears, and put a check in the Enable ICMP filtering box. The boxes beneath it list the ICMP message types that will still be let through, so leave them unchecked to block everything; ticking one re-enables that type. Note that ICMP has message types rather than ports, and that blocking all of them can have side effects: path MTU discovery relies on destination-unreachable messages, so if large downloads stall after you enable filtering, allow the unreachable type again.
Click Accept and you're done. Hopefully you now have a good idea of how Firestarter works.
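Underneath all three of the policies above (the default-deny inbound policy with a Samba exception, the restrictive outbound whitelist, and the ICMP filter) Firestarter writes iptables rules. The script below is an added example, not code from the original page or from Firestarter, that builds an equivalent rule set in iptables-restore format so you can read what the GUI is doing, compare it with the output of sudo iptables-save on a Firestarter machine, or load it on a system without the GUI. It assumes the Internet-facing interface is eth0 and the private LAN is 192.168.1.0/24; the file name and the log prefixes are also made up for the example.

```shell
#!/bin/sh
# Added example (not from the original page or from Firestarter itself):
# an iptables-restore rule set that reproduces the policies described above.
# Assumptions: the Internet-facing interface is eth0 (wifi users: wlan0)
# and the private LAN is 192.168.1.0/24. Override with IFACE= and LAN=.

IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"

# Emit the rule set on stdout. Nothing is applied here; pipe the output into
# iptables-restore once you are happy with it.
build_rules() {
    cat <<EOF
*filter
# Inbound default: drop unsolicited connections (Firestarter's inbound policy).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
# Outbound default: drop everything not whitelisted ("Restrictive by default").
:OUTPUT DROP [0:0]

# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Stateful rule: replies to connections this host opened are let back in.
# This is why Firefox keeps working under a default-deny inbound policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# DHCP client traffic (what the wizard's DHCP checkbox takes care of).
-A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j ACCEPT

# Inbound rule: Samba (SMB) from the private network only, not from "Anyone".
-A INPUT -i $IFACE -s $LAN -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $IFACE -s $LAN -p udp -m multiport --dports 137,138 -j ACCEPT

# Outbound whitelist. DNS first, or nothing else resolves.
-A OUTPUT -o $IFACE -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 53 -j ACCEPT
# HTTP, HTTPS, POP3, SMTP as recommended above (add 143 for IMAP, 587 for submission).
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 80,443,110,25 -m conntrack --ctstate NEW -j ACCEPT
# Let this host ping out; the replies come back as ESTABLISHED.
-A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -j ACCEPT

# ICMP filtering: answer no pings from outside, but keep the error messages
# that path MTU discovery and our own traceroutes depend on.
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -j DROP

# Log (rate limited) what the default policies are about to drop. This is the
# same kind of data Firestarter's Events tab is built from, and the quickest
# way to find the port a blocked program needs.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
COMMIT
EOF
}

# Preview:  sh firewall-rules.sh
# Apply:    sh firewall-rules.sh | sudo iptables-restore
# Verify:   sudo iptables -L -v -n
build_rules
```

Run it once without the pipe to preview the rules. Firestarter's own rule set is organised differently (it uses chains of its own), so this reproduces the policy rather than being a byte-for-byte copy. If something is blocked after loading it, the FW-IN-DROP and FW-OUT-DROP lines in dmesg or /var/log/syslog show the address and port involved, which is the same information the Events tab presents.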