Lab 05 - Security and Firewall Settings

Here you will learn how to use the ufw utility to configure the firewall.

5.1.1 Disable and reset UFW

  1. Before you start, make sure ufw is installed on the system. Type sudo ufw status and press Enter. If the system shows an error message, you have to install the ufw utility: type sudo apt-get install ufw and press Enter.
  2. Disable the ufw firewall by typing sudo ufw disable and press Enter.
  3. Make sure the ufw is inactive. Type sudo ufw status and press Enter. Record your output:
  4. Resetting the ufw will clear/remove all existing rules and allow us to start from a clean slate. Type sudo ufw --force reset and press Enter.

5.1.2 Set default rules and add rules

Most systems need only a few ports open for incoming connections, with all remaining ports closed. To start from a simple baseline, the sudo ufw default command sets the default response to incoming and outgoing connections. To deny all incoming and allow all outgoing connections, use the following commands:

  1. Deny all incoming connections: Type sudo ufw default deny incoming and press Enter.
  2. Allow all outgoing connections: Type sudo ufw default allow outgoing and press Enter.

Add rules

Rules can be added in two ways: by port number or by service name. When using a port number, you can also restrict the rule to TCP or UDP.

  1. To allow both incoming and outgoing connections on TCP port 22 for SSH, you can run sudo ufw allow ssh. You can also run sudo ufw allow 22/tcp.
  2. Enable the UFW. Type sudo ufw enable and press Enter.
  3. Check the ufw configuration, type sudo ufw status, and press Enter. Record your output:

Now is a good time to allow the other connections that we might need. If we're securing a web server with FTP access, we might need these commands:

  1. To allow web service, type sudo ufw allow www or sudo ufw allow 80/tcp and press Enter.
  2. To allow HTTPS service, type sudo ufw allow https or sudo ufw allow 443/tcp and press Enter.
  3. To allow FTP service, type sudo ufw allow ftp or sudo ufw allow 21/tcp, and press Enter.
  4. To allow TELNET service, type sudo ufw allow telnet or sudo ufw allow 23/tcp, and press Enter.
  5. Check the ufw configuration, type sudo ufw status, and press Enter. Record your output:

Port Ranges

You can also specify port ranges with UFW.

  1. To allow ports 1000 through 2000 using TCP protocol, use the command: sudo ufw allow 1000:2000/tcp
  2. To allow ports 6500 through 8000 using UDP protocol, use the command: sudo ufw allow 6500:8000/udp

Advanced Rules

Along with allowing or denying based solely on ports, UFW also lets you allow or block by IP address, by subnet, and by IP address/subnet/port combinations.

  1. Check the IP address of your Windows host by typing w and pressing Enter. The system displays who is logged on to the server. Record the IP address in the FROM column for your login ID:
  2. Now, allow connections for your IP address:
    Type sudo ufw allow from <your IP address>, for example, sudo ufw allow from 192.168.247.1.
  3. To allow connections from a specific subnet, allow incoming connections from 198.51.100.0/24 subnet.
    Type sudo ufw allow from 198.51.100.0/24, and press Enter.
  4. To allow a specific IP address/port combination, allow incoming connections from 192.168.1.100 on TCP port 22.
    Type sudo ufw allow from 192.168.1.100 to any port 22 proto tcp, and press Enter.
  5. To allow MySQL from a specific IP address or subnet, allow incoming MySQL connections from the 15.15.15.0/24 subnet on TCP port 3306.
    Type sudo ufw allow from 15.15.15.0/24 to any port 3306, and press Enter.
  6. To allow incoming connections from the 15.15.15.0/24 subnet on TCP ports 1000 through 1100:
    Type sudo ufw allow from 15.15.15.0/24 to any port 1000:1100 proto tcp, and press Enter.
  7. Display the ufw configuration as a numbered list of rules: type sudo ufw status numbered, and press Enter. Record your output:

Denying Connections

Our default is set up to deny all incoming connections. This makes the firewall rules easier to administer since we are only allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server's ports (not recommended), you could allow all connections and restrictively deny ports you don't want to give access to by replacing "allow" with "deny" in the commands above.

  1. Deny access to the web service from 198.51.100.0/24, and insert this rule at position 1 (the top of the list): type sudo ufw insert 1 deny from 198.51.100.0/24 to any port 80 proto tcp, and press Enter.
  2. Block outgoing SMTP mail by running the command: sudo ufw deny out 25

Remove Rules

To remove a rule, prefix the original rule with delete. There are three ways to delete rules:

  • delete the rule by service name
  • delete the rule by port number
  • delete the rule by its number in the numbered list

  1. If you no longer wish to allow Telnet traffic, you could run: sudo ufw delete allow telnet
  2. If you no longer want to allow TCP connections on ports 1000 through 2000, you could run: sudo ufw delete allow 1000:2000/tcp
  3. Run sudo ufw status numbered to list all current rules as a numbered list. Find the numbers of the two rules
    6500:8000/udp       ALLOW IN Anywhere
    6500:8000/udp (v6)  ALLOW IN Anywhere (v6)
    then issue sudo ufw delete [number] for each of them to delete the UDP rule for ports 6500 through 8000. Note that deleting a rule renumbers the rules below it, so either delete the higher number first or list the rules again before the second delete.
    Enter your commands to delete the above rules for v4 and v6:

  4. Display the ufw configuration as a numbered list of rules: type sudo ufw status numbered, and press Enter. Record your output:
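Step 3 above is easy to get wrong by hand, because ufw renumbers the remaining rules after every delete. The following script is an added example (not part of the original lab) that reads the output of sudo ufw status numbered, finds every rule (v4 and v6) for a given "To" value, and emits the delete commands highest number first; SAMPLE_STATUS is a constructed listing, not captured from a real host.

```shell
#!/bin/sh
# Added example: locate rule numbers in `ufw status numbered` output and
# delete them in a safe order. SAMPLE_STATUS is constructed for this demo.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 1000:2000/tcp              ALLOW IN    Anywhere
[ 3] 6500:8000/udp              ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 1000:2000/tcp (v6)         ALLOW IN    Anywhere (v6)
[ 6] 6500:8000/udp (v6)         ALLOW IN    Anywhere (v6)'

# rule_numbers STATUS_TEXT TO_VALUE
# Prints the numbers of the rules whose "To" column equals TO_VALUE or
# "TO_VALUE (v6)", highest number first. Deleting from the highest number
# downward keeps the remaining numbers valid, because ufw renumbers the
# rules that come after a deleted one.
rule_numbers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*$/, "", num)
            to = $0;  sub(/^\[ *[0-9]+\] */, "", to); sub(/  .*$/, "", to)
            if (to == want || to == want " (v6)") print num
        }' | sort -rn
}

# delete_commands STATUS_TEXT TO_VALUE
# Prints one "ufw --force delete N" line per matching rule, in the order
# they must be run. --force skips the confirmation prompt ufw shows for
# each delete. Review the output before running it.
delete_commands() {
    for n in $(rule_numbers "$1" "$2"); do
        printf 'ufw --force delete %s\n' "$n"
    done
}

# Usage on the lab server (prints the commands; pipe into sudo sh to run them):
#   delete_commands "$(sudo ufw status numbered)" 6500:8000/udp
```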

5.1.3 Firewall Logging

  1. You can enable logging with the command: sudo ufw logging on

Log levels can be set by running sudo ufw logging low|medium|high|full, choosing one of low, medium, high, or full. The default setting is low. Log entries are written under the /var/log directory; the fields of a typical entry are described below.

  1. Activate ufw logging: type sudo ufw logging on, and press Enter.
  2. Then change the log level to full: type sudo ufw logging full, and press Enter.
  3. Reboot the system: type sudo reboot, and press Enter.
  4. After the system boots up, log in to the Linux server using the PuTTY program.
  5. Change to the /var/log directory.
  6. Open the ufw.log file in an editor. Copy one line of content from ufw.log here:

The initial values list the date, time, and hostname of your server. Additional important values include:

  • [UFW BLOCK]: This is where the description of the logged event appears. In this instance, a connection was blocked.
  • IN: If this contains a value, then the event was incoming
  • OUT: If this contains a value, then the event was outgoing
  • MAC: A combination of the destination and source MAC addresses
  • SRC: The IP of the packet source
  • DST: The IP of the packet destination
  • LEN: Packet length
  • TTL: The packet's TTL, or time to live: how many router hops it may pass through before it is discarded (if no destination is found).
  • PROTO: The packet's protocol
  • SPT: The source port of the packet
  • DPT: The destination port of the packet
  • WINDOW: The TCP window size, i.e. how much data the sender can receive
  • SYN URGP: Indicates if a three-way handshake is required. 0 means it is not.
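To make the fields above concrete, here is an added example (not part of the original lab) that extracts any KEY=value field from a ufw log line and summarises each event as action, direction, protocol and endpoints. SAMPLE_LOG is a constructed entry in the format ufw writes (a blocked connection attempt to the MySQL port from an address outside the allowed subnet), not a real capture.

```shell
#!/bin/sh
# Added example: pull the fields described above out of a ufw log line.
# SAMPLE_LOG is constructed for this demo, not captured from a real host.
SAMPLE_LOG='Mar  3 10:15:42 labserver kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=203.0.113.5 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0'

# log_field LINE KEY
# Prints the value of the KEY= token in LINE; empty when the token is
# absent or has no value (OUT= on an incoming packet, for example).
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) { print kv[2]; exit }
        }
    }'
}

# log_summary LINE
# One line per event: action ([UFW BLOCK] -> BLOCK), direction (IN is set
# for incoming packets), protocol, source and destination endpoints, and
# whether the bare SYN token is present, which marks a new TCP connection
# attempt rather than traffic on an established session.
log_summary() {
    action=$(printf '%s\n' "$1" | sed -n 's/.*\[UFW \([A-Z]*\)].*/\1/p')
    if [ -n "$(log_field "$1" IN)" ]; then dir=IN; else dir=OUT; fi
    syn=""
    case " $1 " in *" SYN "*) syn=" SYN" ;; esac
    printf '%s %s %s %s:%s -> %s:%s%s\n' "$action" "$dir" \
        "$(log_field "$1" PROTO)" "$(log_field "$1" SRC)" "$(log_field "$1" SPT)" \
        "$(log_field "$1" DST)" "$(log_field "$1" DPT)" "$syn"
}

# Usage on the lab server: summarise every blocked event in ufw.log.
#   grep 'UFW BLOCK' /var/log/ufw.log | while IFS= read -r l; do log_summary "$l"; done
```

For the sample line the summary reads "BLOCK IN TCP 203.0.113.5:51234 -> 192.0.2.20:3306 SYN", which is exactly the kind of entry you should expect after restricting port 3306 to the 15.15.15.0/24 subnet in 5.1.2.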

5.1.4 Reset the UFW

That should cover many of the commands that are commonly used when using UFW to configure a firewall. Let us reset the settings:

  1. Disable ufw by running the command: sudo ufw disable
  2. Resetting ufw will clear/remove all existing rules and allow us to start from a clean slate: sudo ufw --force reset

5.1.5 Configure new ufw firewall strategies

Now you are going to create new firewall strategies. Before enabling the ufw service, set up the default rules:

  1. To set the defaults used by UFW, use the following commands:

    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow ssh

  2. Enable the ufw service by using the command: sudo ufw enable.

The Firewall Strategies

Configure a firewall with UFW using the following rules:

  • Allow TCP connections on Port 80
  • Allow TCP connections on Port 443
  • Allow all incoming POP3
  • Allow all incoming on Port 587 for SMTP
  • Allow 192.168.1.200 to access SIP service on TCP port 560
  • Allow 192.168.1.200 to access UDP port 3000 ~ 3100
  • Allow 192.168.100.0/24 to access Port 5432
  • Block outgoing BitTorrent connections on TCP ports 6881 through 6889

  1. List the ufw configuration as a numbered list of rules: type sudo ufw status numbered, and press Enter. Record your output:
  2. Disable ufw by running the command: sudo ufw disable.
  3. Resetting ufw will clear/remove all existing rules: sudo ufw --force reset
  4. Shutdown your Linux server.

Print out your Lab result in PDF format, then submit it before the due date.