Firewall Tools for Ubuntu Security
“Does Ubuntu have a firewall, and how do I turn it on?” is a popular question among new Ubuntu users. The answer is a bit complicated, but it’s an understandable inquiry for those migrating from the Windows world. WorksWithU addresses that question below by taking a look at Ubuntu’s firewall and some of the tools available for managing it.
We’ll answer the first question first: Ubuntu, like most Linux distributions, ships with a built-in firewall in the form of iptables, so it does indeed have a firewall. However, by default, iptables is not “activated,” in the sense that it’s not configured to do anything besides allow all traffic through.
For most Ubuntu users, that’s probably fine. A normal installation doesn’t have any services running that constitute security risks, and there’s usually little need for a firewall on Ubuntu–especially if you’re behind a router or some other device that abstracts your computer from the public Internet.
On the other hand, if you plan on installing software that will open up additional ports, or if you don’t trust other computers on your network, telling the system to block certain types of traffic can be a good idea. iptables-based firewalls can also come in handy for things like parental control, since they make it easy to prevent access to certain websites and services.
Firewall Tools
While iptables is very powerful, it’s also pretty complicated to use, unless you enjoy typing complex and obscure commands in the terminal. Fortunately, a number of tools exist that provide user-friendly frontends for iptables, making it easy to configure firewall rules without reading volumes of man pages. Here, we’ll take a look at three such tools available for the Ubuntu desktop.
gufw
First on our list is gufw. gufw is a graphical interface for ufw, or “uncomplicated firewall,” Ubuntu’s native frontend for managing traffic rules. ufw is a relatively new tool, having made its debut with Ubuntu 8.04 in 2008. Although earlier versions of the utility lacked advanced features, most Lucid users should find that it more than meets their needs.
In my experience, gufw lives up to its promise of providing uncomplicated firewall configuration. It doesn’t offer as many advanced options as its command-line companion ufw, but it provides a straightforward interface for blocking and allowing access to certain ports from certain hosts.
gufw would be a little more user-friendly if it made it possible to block services by selecting them from a list, rather than entering the port number manually. Port numbers are easy enough to look up, but for non-geeks who just want to block websites or services like AIM instant messaging, this might not be obvious.
Firestarter
Firestarter, which has been around for a while, is another tool that provides a simple graphical interface for communicating with iptables. It offers a few more features than gufw, such as a list of active connections:
Another cool feature built into Firestarter is Internet connection sharing, which makes it simple to allow other computers to connect to the Internet through your computer, if you have multiple network interfaces. NetworkManager can now also do this, but Firestarter was the first application I know of to make connection sharing as easy as pressing a few buttons.
My only major gripe with Firestarter is the bug described in this forum post, which still seems to be present in Lucid. By default, the “Add Rule” button was grayed out, and the only way to enable it was to right-click in a certain part of the Firestarter window. Once I figured this out, however, configuring the firewall policy was pretty straightforward.
The wizard that runs when Firestarter is launched for the first time is also not as user-friendly as it could be, since it asks users what the name of their network interface is and whether it’s using dhcp. This is stuff that the application should probably be able to figure out on its own, and which non-geeks are unlikely to be able to answer.
Firewall Builder
Last but not least–especially in terms of features–is Firewall Builder. This cross-platform application may not look very pretty on the Gnome desktop, but it does offer a wide array of options.
Firewall Builder is available in open-source and commercial versions, and its main selling point is support for a variety of popular firewall backends for various operating systems, including Linux, OS X, Windows and others. In other words, it can apply a single traffic policy across multiple computers running different packet-filtering software. This design feature may come in handy for users who want a simple means of deploying a consistent firewall policy within a mixed-OS environment.
That said, Firewall Builder is certainly the most complicated of the utilities on our list, and requires some degree of geekiness to configure. If you just want to keep your kids (or parents) off Facebook, stick with gufw or Firestarter. But if you have more complex needs and don’t mind reading a little documentation to learn how to get started, Firewall Builder may be worth a look. It’s available from Ubuntu’s repositories, or you can grab the very latest builds from the developers’ website.
If you want a firewall which filters traffic by application instead of ports you should check out Anoubis: http://www.anoubis.org/index_1_en.html
It was covered in the german magazine “LinuxUser”.
There is kmyfirewall in the repos, an excellent full featured yet easy to implement firewall gui for KDE.
Very interesting blog post. Thanks.
mw88 and Arup: thanks for the tips. I’m not familiar with either of those applications (as regards the second one, I also have used KDE in a while, so I’m not very up to speed on k-anything these days).
David: glad you enjoyed the post. Thanks for the comment.
Christopher,
I just came back to KDE after 1999 with SUSE and PCLOS, after 2001 it was Gnome but KDE finally lured me back with its Pulse free pure sound and I am just amazed at how efficient it is with all the eye candy, memory consumption is at par with my Gnome installation but there is no annoying popping noise due to Pulse as it is with my Ubuntu Lucid, Kubuntu Lucid is just pure music, I am now permanently hooked on KDE. Maybe I overstepping but this is the future of Linux desktop, Gnome will be an alternative.
Arup: my suspicion is that as long as Ubuntu, Fedora and the other major distributions continue to use Gnome by default, KDE will remain an alternative desktop. But with the advent of Gnome 3 on the horizon, a lot could change in the next year, so we’ll see…
Christopher,
KDE is now a fully mature and very snappy alternative whereas Gnome 3 is in testing phase, this is the time for Ubuntu to take an initiative, maybe do one test release of KDE main instead of regular Gnome to get a feeler, I for one am sticking to KDE. Make sure you add the Kubuntu ppa to get the latest stable updates to your Kubuntu.
Christopher,
Its pretty clear that Canonical is on track to diverge their gnome offering away from what Gnome as a project envisions gnome 3 to be into something Canonical specific.
By release 11.04 I really don’t expect it will be appropriate to call the default Ubuntu desktop a gnome desktop at all as pretty much all the exposed UI will be Canonical specific and not part of Gnome 3 upstream codebase. I very much doubt Canonical will ship gnome-shell as the default desktop UI..ever.
shorewall is the best firewall package available. It does not have a GUI but is very easy to configure and put a firewall up.
It is very important to have
It is very important to have the best Firewall tools for any sort of platform to enable strength. Even though I am not really into Ubuntu, I enjoyed reading about the recommended Firewall tools that can be used for the Ubuntu platform. http://seomysitepro.com