Monthly Archives: April 2010

Ubuntu UFW Uncomplicated Firewall Examples

See also: Securing an Ubuntu Server

UFW community documentation: https://help.ubuntu.com/community/UFW

UFW server documentation: https://help.ubuntu.com/10.04/serverguide/C/firewall.html

UFW page: https://wiki.ubuntu.com/UncomplicatedFirewall

Implementing a basic firewall on your Ubuntu server is simple.

UFW (Uncomplicated Firewall) is a simple front end for Netfilter, the packet filtering system built into the Linux kernel. The rules it installs filter the packets that arrive at the server by port number. Port numbers are nothing magical, just an integer in the TCP or UDP header that the kernel uses to hand the packet to the service listening on that port, such as your web server. Every packet arriving for a given port number is delivered to the one service that is listening there.

By default, when you turn on UFW, every incoming connection is denied and every outgoing connection is allowed. Then, with very simple commands, you set rules to allow just the services you are providing. If you are only providing a web server, you would allow only the port needed for that.

Turning UFW on

By default, UFW is installed but turned off. If you are administering the server over SSH, add the SSH rule from the next section before you enable the firewall; otherwise the default deny-incoming policy will block any new SSH session once the firewall is up. To turn it on:

sudo ufw enable

That is all there is to it. UFW is now running, and it will be started automatically when the system reboots.

Allowing SSH

By default, SSH uses port 22. Of course, you can configure OpenSSH to use a different port number, then open that port instead of 22. A bare port number opens it for both TCP and UDP; add the protocol (22/tcp) if you want to open only the one SSH actually uses.

sudo ufw allow 22

…or you can use the service name instead of the port number:

sudo ufw allow ssh

…or you can use the application profile name instead of the port number:

sudo ufw allow OpenSSH

To get a list of service applications:

sudo ufw app list

The concept to retain is that rules can be set with a port number (22), a service name from /etc/services (ssh) or an application profile name (OpenSSH).

Allowing Apache

By default, HTTP servers use port 80.

sudo ufw allow 80

…or you can use the service name instead of the port number:

sudo ufw allow http

…or you can use the application profile name instead of the port number:

sudo ufw allow Apache

The Apache profile is shipped by Ubuntu's apache2 package, so it only appears in the output of sudo ufw app list once Apache is installed. The same package provides Apache Secure (443 only) and Apache Full (80 and 443) for sites that also serve HTTPS.

View status

To see the current status of UFW on your server:

sudo ufw status verbose

Example output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
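The steps above (defaults, the SSH rule, the web rule, enable, status) collected into one script, as an added example that is not part of the original post. It keeps the order that avoids locking yourself out of a remote box, and it uses ufw's limit rule for SSH rather than a plain allow. The function names and the UFW_CMD and SSH_PORT variables are this script's own conveniences; set UFW_CMD=echo to preview the ufw commands without touching the firewall.

```sh
#!/bin/sh
# Added example, not from the original post: a baseline server firewall built
# with ufw in the order that avoids locking yourself out of a remote box
# (defaults, then the SSH rule, then web rules, then enable).
# Assumptions: ufw_baseline, ufw_allow_from, UFW_CMD and SSH_PORT are
# hypothetical names belonging to this script. Set UFW_CMD=echo to preview.

# ufw_baseline [RULE...]   extra allow rules, e.g. 80/tcp 443/tcp or Apache
ufw_baseline() {
    ufw="${UFW_CMD:-sudo ufw}"
    port="${SSH_PORT:-22}"
    $ufw default deny incoming
    $ufw default allow outgoing
    # 'limit' allows the port but drops new connections from any address that
    # opened 6 or more in the last 30 seconds, which blunts SSH password guessing
    $ufw limit "$port/tcp"
    for rule in "$@"; do
        $ufw allow "$rule"
    done
    $ufw --force enable     # --force skips the interactive confirmation
    $ufw status verbose
}

# ufw_allow_from SOURCE PORT   allow a TCP port only from one address or CIDR
# block, e.g. ufw_allow_from 192.0.2.0/24 22 to admit SSH from a management net
ufw_allow_from() {
    ufw="${UFW_CMD:-sudo ufw}"
    $ufw allow from "$1" to any port "$2" proto tcp
}
```

A typical call is ufw_baseline 80/tcp; if the server is only ever administered from one network, follow it with ufw_allow_from for that network and delete the open limit rule, since a source-restricted SSH rule removes far more attack surface than rate limiting alone.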

A little more

The /etc/services text file maps service names to port numbers, and ufw consults it when you give a service name such as ssh or http. You can read it to find out which port a service name stands for, but the vast majority of the entries in it are not implemented on a given system: it is a lookup table, and a service being listed there says nothing about whether it is installed or running. Its main purpose is to let programs look up the port number for a service by name rather than hard-coding it.

Rules can be set with any of the following:

  • port number
  • service name
  • application name

List service names

cat /etc/services

List available application names

sudo ufw app list

List open sockets and the programs holding them (-n and -P stop lsof from resolving addresses and port numbers to names; pipe through grep LISTEN to see only listening services)

sudo lsof -i -nP

List active TCP and UDP connections with the owning process (-n again suppresses name lookups; add -l to list listening sockets instead)

sudo netstat -tunp

UFW Help

Enter:

sudo ufw help

Help output:


Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy

XAMPP on Mac OSX with Virtual Hosts

XAMPP is an all-in-one LAMP development solution for multiple platforms. I use Linux on my main computer and OSX for my laptop.

I’ve selected XAMPP to provide the LAMP environment on my Mac. It is free, in on-going development and works well.

Because I have several projects in development at once, I need to be able to quickly update my Mac with the current state of a project and then develop and test. Subversion is part of that equation and Komodo IDE is too. Setting up LAMP on Linux is a snap, but installing everything on the Mac, even with MacPorts would be tedious. There are a few pre-packaged solutions, including XAMPP, MAMP and Zend Server. I chose XAMPP after a little research and it has worked well for me.

Apache name-based virtual hosting is not enabled in XAMPP by default, so a little setup is needed.

Folder for virtual websites

Create the folder “www” in your home directory, this example is in Terminal:

cd ~
mkdir www

This is the folder where you will place each of the virtual site directories. You could just as well put this somewhere else, but a “www” directory here makes sense to me.

httpd.conf

Add the following to /Applications/XAMPP/etc/httpd.conf, substituting your username for “yourusername”:

<Directory "/Users/yourusername/www">
	Options Indexes FollowSymLinks ExecCGI Includes
	AllowOverride All
	Order allow,deny
	Allow from all
</Directory>

This sets the Apache permissions for the folder where your virtual sites will be. It is a permissive development setting: Indexes exposes directory listings, and ExecCGI and Includes allow any file in the tree to be executed as a CGI script or processed as a server-side include. That is fine on a laptop that is not reachable from untrusted networks, but do not copy this block onto a server that is.

In this same file find:

# Virtual hosts
#Include /Applications/XAMPP/etc/extra/httpd-vhosts.conf

…and uncomment the Include line by removing the leading #. This enables virtual hosting. Yay!

httpd-vhosts.conf

For each website, add a block like this to /Applications/XAMPP/etc/extra/httpd-vhosts.conf. Name-based hosting in Apache 2.2 also needs a single NameVirtualHost *:80 line in the file (the stock Apache 2.2 httpd-vhosts.conf ships with one), and the *:80 in each block must match it. If the stock dummy-host.example.com example blocks are still present, remove them: Apache uses the first block listed as the default for any name it cannot match.

<VirtualHost *:80>
    DocumentRoot "/Users/yourusername/www/www.yourwebsitename.dev/public"
    ServerName yourwebsitename.dev
    ServerAlias www.yourwebsitename.dev
    ErrorLog "/Users/yourusername/www/www.yourwebsitename.dev/logs/error_log"
    CustomLog "/Users/yourusername/www/www.yourwebsitename.dev/logs/combined.log" combined
</VirtualHost>

In the above, just follow the same pattern shown for this example site. Don't vary from it unless you want to do some research and testing. You can see I place a “public” folder inside the top directory for a particular virtual site: put the web documents to serve there. Create the “logs” folder as well before restarting, because Apache refuses to start when the directory for a configured ErrorLog does not exist. The combined log format adds the Referer and User-Agent of each request to the log line, which is what you want when tracing a problem on a particular site.

hosts file

Edit your /etc/hosts file (it is owned by root, so use sudo) and add both names from the vhost block to a line starting with 127.0.0.1, like this:

127.0.0.1     yourwebsitename.dev www.yourwebsitename.dev

Since this was written, .dev has become a real top-level domain, and current browsers force HTTPS for every .dev name, so a plain-HTTP local site under .dev will not load. Pick a reserved name such as yourwebsitename.test instead.

Restart Apache

Using the XAMPP Control panel, stop and restart Apache. If it does not come back up, check the configuration with apachectl configtest (the OS X build keeps apachectl in /Applications/XAMPP/xamppfiles/bin), which names the offending line.

Done.

SSH trick: temporarily return to your local shell

If you are using SSH to access a command shell on a remote system and you would like to temporarily return to a shell on your local system, there is an easy way to do so.

Simply type a tilde (“~”) followed by control-z. The tilde is only recognised as an escape character when it is the first thing typed on a new line, so press Enter first if the current line is not empty.

This suspends the SSH client and places it in the background. You will be in a shell on your local system.

You can get the job number of the SSH session with:

jobs

Then, to return to the remote session (assuming that the job number you saw when you entered the above command was “1”), enter:

fg 1

Note that the remote shell will not reprint its prompt; press Enter once to see the remote session prompt again. The other escapes work the same way: ~. ends a session whose remote end has stopped responding, and ~? lists all of them.