Installing a firewall on Ubuntu
Friday June 30, 2006 (02:01 PM GMT)
By: Joe 'Zonker' Brockmeier
Ubuntu's desktop install provides a bunch of useful software for desktop users, but it doesn't install a firewall by default. Luckily, it's really simple to get a firewall up and running on Ubuntu.
Frankly, I'm glad that the default install doesn't set up a firewall. Most of my computers live behind a firewall at all times anyway, and I've always been annoyed by installers that demand I deal with firewall questions when I've already got the situation well in hand. If I want a firewall on a machine, I can set one up on my own. Since Ubuntu is, in part, aimed at corporate desktops, a firewall is unnecessary for many installations.
But if an Ubuntu desktop is your sole machine that connects directly to the Internet, then it's a good idea to configure one. Technically speaking, Ubuntu does include a firewall -- you could configure everything by hand using iptables. That, however, is a little more detailed than many users care to get. Instead, we'll look at installing a GUI application to configure a firewall in just a few easy steps.
We'll look at two packages that configure firewalls. The first is Lokkit, an application that walks you through a few simple steps and configures a basic firewall for you. Lokkit is dead easy to use, and requires very little understanding of firewalls to set up, but it provides few options, and it's not a good choice if you want to set up a complex firewall.
By contrast, Guarddog, a flexible GUI firewall configuration program, is much more complex than Lokkit. Choose Guarddog only if you know what you're doing.
To install Lokkit or Guarddog, fire up Synaptic or Adept and install the appropriate package. If you prefer to use APT, just run sudo apt-get install gnome-lokkit for Lokkit, or sudo apt-get install guarddog to install Guarddog.
Configuring your firewall with Lokkit
Configuring a basic firewall with Lokkit is a snap. You'll need to run it with superuser privileges, so open the Run Command dialog with Alt-F2 and run gksudo gnome-lokkit. After entering your password, you'll see a Configure Firewalling dialog.
Lokkit's configuration wizard is fairly self-explanatory. I'd recommend starting with the High Security option, unless you have a need for DCC file transfer over IRC. Also, if you're using DHCP to grab an IP address from a cable modem or DSL modem, you want to make sure to say "yes" when Lokkit asks about enabling DHCP. If you have a cable modem or DSL, you probably do pull the IP address via DHCP.
If the computer is the only one on the network, it's probably not necessary to enable any services, and it's safe to tell Lokkit "no" when it asks about doing that. By default, even if you select no here, Lokkit will leave SSH open to machines on the local network as long as you say "yes" when Lokkit asks if it's safe to trust hosts connected via your network interface.
After answering a few questions, Lokkit will say it's ready to enable the firewall, and then you can either apply the changes and start the firewall or cancel.
If you suspect you're having problems with the firewall, you can re-run Lokkit and select Disable Firewall to remove all of your firewall rules.
Lokkit is easy to use, and it sets up a decent set of firewall rules. However, even if you pick the most restrictive rules, Lokkit leaves SSH and VNC open, and allows ping and services such as BitTorrent to operate. If you want really tight firewall rules, or need to set up a more complex firewall, look to Guarddog.
Configuring your firewall with Guarddog
To set up a firewall with Guarddog, run gksudo guarddog. You can run Guarddog as a regular user, but you'd have to load the firewall rules separately as the superuser later.
Guarddog is much more complex than Lokkit. The first thing you'll see when firing up Guarddog is the Zones tab. Zones are basically sets of IP addresses, which are used to define firewall rules that apply to those addresses. For example, if your machine is on a local area network with IP addresses in a private network, you can set up a zone for all of those addresses. By default, Guarddog comes with two pre-configured zones; the Internet zone, for all IP addresses that don't match other zones, and a Local zone, for IP addresses on the local machine.
To set up a zone for your LAN, click on New Zone, and then under Zone Addresses, click on New Address. In the Address field, you can add a single address or a network mask to cover an entire network. Let's say your LAN is in the 10.0.0.0 range, and your IP addresses range from 10.0.0.1 to 10.0.0.255. You could set the address as 10.0.0.0/24.
You'd want to set zones other than Local and Internet so you can set up firewall rules to address those machines, if it's necessary to have different rules for local machines than you do for machines connected via the Internet zone. The best way to think of the Internet zone is as the "most hostile" zone. That is, you want to allow the bare minimum when it comes to traffic coming from Internet hosts.
Next you have the protocol configurations. Here you need to tell Guarddog exactly which protocols you want to enable. This can be a bit tricky, as anything that's not explicitly allowed is disabled. By default, nothing -- not even DNS, HTTP, or POP3 -- is allowed. Select all of the protocols you wish to enable for each zone, and then click "Apply." After approving the rules, see if you can browse the Web, get email, and whatever else you need to do. If not, you may need to tweak the allowed protocols a bit.
Guarddog also allows you to set logging options. You may wish to disable logging if you're not likely to read the logs to see what's being blocked or rejected. For desktop users, logging is probably unnecessary unless you're trying to troubleshoot a problem with the firewall.
Finally, under the Advanced tab, you can configure custom protocols if Guarddog doesn't include rules to match a protocol that you need to enable. See the Guarddog help for this if you need to add a protocol.
If you want to use your desktop machine as a router and firewall for a bunch of machines, you may need to set up Network Address Translation (NAT) using IP Masquerade. That's a bit beyond the scope of this article, and Guarddog. To set your system up as a router, have a look at Guidedog instead.
It may take a little tweaking to get everything set up the way you want it with Guarddog, but it's probably worth the time and effort.
Either Lokkit or Guarddog should be sufficient to protect your Linux desktop. If neither of these strikes your fancy, Ubuntu does offer other firewall configuration tools that might be more to your liking.
You make it fun
It will make you fun