Firewall Tools for Ubuntu Security
“Does Ubuntu have a firewall, and how do I turn it on?” is a popular question among new Ubuntu users. The answer is a bit complicated, but it’s an understandable inquiry for those migrating from the Windows world. WorksWithU addresses that question below by taking a look at Ubuntu’s firewall and some of the tools available for managing it.
We’ll answer the first question first: Ubuntu, like most Linux distributions, ships with a built-in firewall in the form of iptables, so it does indeed have a firewall. However, by default, iptables is not “activated,” in the sense that no rules are loaded and its default policy is to accept all traffic.
For most Ubuntu users, that’s probably fine. A default installation doesn’t run any network services that would constitute a security risk, so there’s usually little need for a firewall on Ubuntu, especially if you’re behind a router or some other device that sits between your computer and the public Internet.
On the other hand, if you plan on installing software that will open up additional ports, or if you don’t trust other computers on your network, telling the system to block certain types of traffic can be a good idea. iptables-based firewalls can also come in handy for things like parental control, since they make it easy to prevent access to certain websites and services.
While iptables is very powerful, it’s also pretty complicated to use, unless you enjoy typing complex and obscure commands in the terminal. Fortunately, a number of tools exist that provide user-friendly frontends for iptables, making it easy to configure firewall rules without reading volumes of man pages. Here, we’ll take a look at three such tools available for the Ubuntu desktop.
First on our list is gufw. gufw is a graphical interface for ufw, or “uncomplicated firewall,” Ubuntu’s native frontend for managing traffic rules. ufw is a relatively new tool, having made its debut with Ubuntu 8.04 in 2008. Although earlier versions of the utility lacked advanced features, most Lucid users should find that it more than meets their needs.
In my experience, gufw lives up to its promise of providing uncomplicated firewall configuration. It doesn’t offer as many advanced options as its command-line companion ufw, but it provides a straightforward interface for blocking and allowing access to certain ports from certain hosts.
gufw would be a little more user-friendly if it made it possible to block services by selecting them from a list, rather than entering the port number manually. Port numbers are easy enough to look up, but for non-geeks who just want to block websites or services like AIM instant messaging, this might not be obvious.
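The command-line side of the story, for readers who asked how to turn the firewall on: the following is an added example written for this article, not code from the ufw or gufw projects. It applies the usual baseline (deny unsolicited inbound traffic, allow outbound, keep SSH reachable, then enable ufw) and adds a small wrapper that accepts service names instead of raw port numbers, which is the convenience the paragraph above misses in gufw. The function names (service_port, ufw_cmd, firewall_rule, apply_baseline) and the name-to-port table are assumptions of this example; unlisted names fall back to the system services database via getent. With DRY_RUN=1 the ufw commands are printed rather than executed, so the rule set can be reviewed before it touches iptables.

```shell
#!/bin/sh
# Added example (not from the article, ufw or gufw): enable Ubuntu's firewall
# with a deny-by-default inbound policy and manage rules by service name.
# Function names and the port table below are assumptions of this example.
# DRY_RUN=1 prints the ufw commands instead of running them.

# Constructed name -> port/proto table for services the article mentions;
# anything not listed falls back to the system services database (getent).
service_port() {
    case "$1" in
        ssh)   echo "22/tcp" ;;
        http)  echo "80/tcp" ;;
        https) echo "443/tcp" ;;
        aim)   echo "5190/tcp" ;;   # AOL Instant Messenger (OSCAR)
        *)
            # getent prints "name port/proto [aliases]"; fail if unknown
            entry=$(getent services "$1" 2>/dev/null) || return 1
            echo "$entry" | awk '{ print $2 }'
            ;;
    esac
}

# Run a ufw subcommand, or just print it when DRY_RUN=1.
ufw_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# firewall_rule <allow|deny> <service> [in|out]
# Resolves the service name to port/proto and emits the matching ufw rule,
# e.g. "firewall_rule deny aim out" -> ufw deny out 5190/tcp
firewall_rule() {
    action=$1; service=$2; direction=${3:-in}
    case "$action" in
        allow|deny) ;;
        *) echo "bad action: $action (use allow or deny)" >&2; return 1 ;;
    esac
    case "$direction" in
        in|out) ;;
        *) echo "bad direction: $direction (use in or out)" >&2; return 1 ;;
    esac
    port=$(service_port "$service") || { echo "unknown service: $service" >&2; return 1; }
    ufw_cmd "$action" "$direction" "$port"
}

# Baseline: drop unsolicited inbound traffic, allow everything outbound,
# keep SSH reachable, then turn the firewall on (--force skips the prompt).
apply_baseline() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    firewall_rule allow ssh in
    ufw_cmd --force enable
}

# Minimal dispatcher so the script is usable directly:
#   DRY_RUN=1 sh firewall.sh baseline      # review the baseline rules
#   sh firewall.sh baseline                # apply them
#   sh firewall.sh block aim               # block an outbound service by name
case "${1:-}" in
    baseline) apply_baseline ;;
    block)    firewall_rule deny "${2:-}" out ;;
esac
```

Review the dry-run output first, and always allow SSH before enabling the firewall on a machine you administer remotely; `ufw status verbose` afterwards shows the loaded policy and rules.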
Firestarter, which has been around for a while, is another tool that provides a simple graphical interface for communicating with iptables. It offers a few more features than gufw, such as a list of active connections.
Another cool feature built into Firestarter is Internet connection sharing, which makes it simple to allow other computers to connect to the Internet through your computer, if you have multiple network interfaces. NetworkManager can now also do this, but Firestarter was the first application I know of to make connection sharing as easy as pressing a few buttons.
My only major gripe with Firestarter is the bug described in this forum post, which still seems to be present in Lucid. By default, the “Add Rule” button was grayed out, and the only way to enable it was to right-click in a certain part of the Firestarter window. Once I figured this out, however, configuring the firewall policy was pretty straightforward.
The wizard that runs when Firestarter is launched for the first time is also not as user-friendly as it could be, since it asks users for the name of their network interface and whether it’s configured via DHCP. This is information the application should probably be able to detect on its own, and which non-geeks are unlikely to be able to supply.
Last but not least, especially in terms of features, is Firewall Builder. This cross-platform application may not look very pretty on the Gnome desktop, but it does offer a wide array of options.
Firewall Builder is available in open-source and commercial versions, and its main selling point is support for a variety of popular firewall backends for various operating systems, including Linux, OS X, Windows and others. In other words, it can apply a single traffic policy across multiple computers running different packet-filtering software. This design feature may come in handy for users who want a simple means of deploying a consistent firewall policy within a mixed-OS environment.
That said, Firewall Builder is certainly the most complicated of the utilities on our list, and requires some degree of geekiness to configure. If you just want to keep your kids (or parents) off Facebook, stick with gufw or Firestarter. But if you have more complex needs and don’t mind reading a little documentation to learn how to get started, Firewall Builder may be worth a look. It’s available from Ubuntu’s repositories, or you can grab the very latest builds from the developers’ website.