Difference between revisions of "Firewalls"

m (Template inserted)
m (untranslated Template inserted)
<!--T:2-->
Running a local (host) firewall is almost always good practice.  A network firewall only filters traffic that crosses the perimeter; a local firewall also protects you from threats inside your own network, such as a compromised machine on the same LAN, and keeps a service you install and forget about from being reachable by default.

=UFW= <!--T:3-->

<!--T:4-->
UFW stands for Uncomplicated FireWall and is a program for managing a netfilter firewall.  It provides a command line interface and aims to be uncomplicated and easy to use.  UFW is far simpler than iptables and is a good place to start unless you have very specialized needs.

==Installing UFW== <!--T:5-->

You can install the {{ic|ufw}} package using your favorite package manager or the command:
  <tvar|usercmd1>{{UserCmd|command=pamac install ufw}}</>

<!--T:7-->
  <tvar|usercmd2>{{UserCmd|command=sudo systemctl enable ufw.service}}</>
  <tvar|usercmd3>{{UserCmd|command=sudo ufw enable}}</>

<!--T:8-->
To view the current configuration use {{ic|ufw status}}; {{ic|ufw status verbose}} also shows the default policies and the logging level.  Here is what it looks like on a fresh install once the firewall has been enabled.  The {{ic|Default}} line is the important one: incoming connections are denied unless a rule allows them, outgoing connections are allowed, and forwarding between interfaces (routed) is disabled:

<tvar|usercmdoutput1>{{UserCmdOutput|command=sudo ufw status verbose|result=
<pre>Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip</pre>
}}</>

<!--T:11-->
You may notice a difference between the two commands above: the ssh rule used a name, the https rule used the port number, 8443.  UFW resolves names in two ways.  Service names come from {{ic|/etc/services}}, which is why the ssh rule shows up as port 22 in {{ic|ufw status}}.  UFW also ships a small database of application profiles, stored in {{ic|/etc/ufw/applications.d/}}, that map a profile name to one or more ports.  You can see the list with the command:
<tvar|usercmd5>{{UserCmd|command=sudo ufw app list}}</>

<!--T:16-->
Applications on that list can be allowed by name.  To review the configuration of one of them, use {{ic|ufw app info}}.  For example, to see the configuration of the SSH profile:

<!--T:17-->
<tvar|usercmdoutput2>{{UserCmdOutput|command=sudo ufw app info SSH|result=
<pre>Profile: SSH
Title: SSH server
Description: SSH server

Port:
  22/tcp</pre>
}}</>

<!--T:18-->
{{tip|Profile names are case sensitive for the {{ic|ufw app}} commands, but not when you use them in a rule}}
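Putting the steps above together (enable at boot, default policies, rules by port and by profile name), here is a script for a baseline host policy.  It is an added example, not part of this wiki page or of UFW itself.  Everything site-specific in it is an assumption: a LAN of {{ic|192.168.1.0/24}} as the only network that may reach sshd, and a hypothetical service named {{ic|WebAdmin}} on 8443/tcp (the page's 8443 example) that gets its own application profile in {{ic|/etc/ufw/applications.d/}} so it can be referenced by name.  Run without arguments it only prints the commands; run as root with {{ic|APPLY=1}} it executes them.

```shell
#!/bin/sh
# Baseline ufw policy for a Manjaro host (added example, not from the wiki).
# Assumptions, all overridable from the environment:
#   LAN      the only network allowed to open SSH connections
#   APP      name of a hypothetical application profile for the 8443 service
#   APP_DIR  where ufw reads application profiles
# With APPLY=1 (as root) the commands run; otherwise they are only printed.
set -u

LAN="${LAN:-192.168.1.0/24}"
APP="${APP:-WebAdmin}"
APP_PORT="${APP_PORT:-8443/tcp}"
APP_DIR="${APP_DIR:-/etc/ufw/applications.d}"

# run CMD...: show the command, and execute it only when APPLY=1.
run() {
    printf '+ %s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# write_profile DIR: create the application profile.  The [name] header is
# the profile name; ports= takes port/proto entries separated by "|", and
# ranges as low:high/proto.  Prints the path of the file it wrote.
write_profile() {
    mkdir -p "$1"
    cat > "$1/$APP" <<EOF
[$APP]
title=$APP web console
description=Administrative web console on $APP_PORT (constructed example)
ports=$APP_PORT
EOF
    printf '%s/%s\n' "$1" "$APP"
}

# apply_baseline: default deny in / allow out / no forwarding, SSH only from
# the LAN and rate limited, the web console by profile name, then enable.
apply_baseline() {
    if [ "${APPLY:-0}" = 1 ]; then
        write_profile "$APP_DIR" >/dev/null
    else
        printf '# dry run: would write %s/%s\n' "$APP_DIR" "$APP"
    fi
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw default deny routed        # this host is not a router
    # "limit" drops a source that opens 6 or more connections in 30 seconds
    run ufw limit from "$LAN" to any port 22 proto tcp
    run ufw allow "$APP"               # profile names are case-insensitive in rules
    run ufw logging low
    run ufw --force enable             # --force skips the interactive prompt
    run ufw status verbose
}

apply_baseline
```

To see the iptables rules a single ufw command would generate without applying it, ufw has its own {{ic|--dry-run}} flag, for example {{ic|sudo ufw --dry-run limit from 192.168.1.0/24 to any port 22 proto tcp}}.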


<!--T:19-->
Rules can be removed with the {{ic|ufw delete}} command: repeat the rule you want to remove after {{ic|delete}}.  For example, to delete our 8443 rule:
  <tvar|usercmd8>{{UserCmd|command=sudo ufw delete allow 8443/tcp}}</>

<!--T:22-->
You can also delete rules by number, which is easier when the rule is long.  The numbers come from {{ic|ufw status numbered}}.  Note that the remaining rules are renumbered after every deletion, so when deleting several rules by number, delete the highest number first:

<tvar|usercmdoutput3>{{UserCmdOutput|command=sudo ufw status numbered|result=
<pre>Status: active

     <!--T:23-->
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22 (v6)                    ALLOW IN    Anywhere (v6)
</pre>}}</>
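Because the numbers shift after every deletion, removing several rules by number is easy to get wrong by hand.  The following helper is an added example, not part of this wiki page or of UFW: it reads the output of {{ic|ufw status numbered}}, picks the rules whose text matches a pattern, and deletes them highest number first.  When ufw is not installed (or the script is not run as root) it parses a constructed sample of the status output instead, and it only executes the deletions when {{ic|APPLY=1}} is set.

```shell
#!/bin/sh
# Delete every ufw rule matching a pattern, by rule number, highest first.
# Added example, not from the wiki page.  ufw renumbers the remaining rules
# after each deletion, so deleting 2 then 3 would remove the wrong rule 3;
# deleting 4, 3, 2 in that order is always correct.
set -u

# rule_numbers PATTERN: read `ufw status numbered` on stdin and print the
# numbers of the rules whose line matches PATTERN (an extended regex),
# in descending order.
rule_numbers() {
    grep -E "^\[ *[0-9]+\].*$1" | sed -E 's/^\[ *([0-9]+)\].*/\1/' | sort -rn
}

# sample_status: constructed output in the format of `ufw status numbered`,
# used when the real command is unavailable.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    192.168.1.0/24
[ 2] 8443/tcp                   ALLOW IN    Anywhere
[ 3] 8443/tcp                   ALLOW IN    192.168.1.10
[ 4] 8443/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF
}

# current_status: live output when ufw is installed and we are root,
# otherwise the sample above.
current_status() {
    if command -v ufw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        ufw status numbered
    else
        sample_status
    fi
}

# delete_matching PATTERN [SOURCE]: print (and with APPLY=1 execute) one
# delete per matching rule.  SOURCE is the function that prints the status
# (default: current_status).  --force skips ufw's confirmation prompt.
delete_matching() {
    src="${2:-current_status}"
    for n in $("$src" | rule_numbers "$1"); do
        printf '+ ufw --force delete %s\n' "$n"
        if [ "${APPLY:-0}" = 1 ]; then ufw --force delete "$n"; fi
    done
}

delete_matching '8443/tcp'
```

Against the sample status this prints deletes for rules 4, 3 and 2, in that order, and leaves the SSH rule alone.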


<!--T:24-->
==GUFW== <!--T:25-->
[[File:gufw.jpg|thumb|left|240px]]

<!--T:26-->
Prefer GUI applications and still want to manage your firewall? No problem.  GUFW is a GTK front-end for UFW that aims to make managing a Linux firewall as accessible and easy as possible.  It features presets for common ports and p2p applications.

<!--T:27-->
If it is not installed already, gufw can be installed from the repositories:
  <tvar|usercmdA>{{UserCmd|command=pamac install gufw}}</>

<!--T:28-->

<!--T:30-->
iptables is the classic userspace tool for netfilter, the packet-filtering framework built into the Linux kernel (UFW itself is a front-end that generates iptables rules).  It is significantly more complicated to use than a tool like UFW, so a full tutorial on iptables is beyond the scope of this wiki.  The iptables commands themselves are the same on every Linux distribution, so there is plenty of documentation available; only the service name and the location of the rules file shown below are specific to Arch and Manjaro.  Some of that documentation is linked [[Firewalls#See_Also|below]].  Here are some basics to get you started.

<!--T:31-->
To load your rules at boot, enable the service:
  <tvar|usercmdB>{{UserCmd|command=sudo systemctl enable iptables.service}}</>

<!--T:32-->
This loads the IPv4 rules from the file {{ic|/etc/iptables/iptables.rules}}.  IPv6 is handled separately: {{ic|ip6tables.service}} loads {{ic|/etc/iptables/ip6tables.rules}}.  Enable both, otherwise IPv6 traffic is left unfiltered while IPv4 is locked down.

<!--T:33-->
To display the currently loaded rules of the {{ic|filter}} table (add {{ic|-n}} to skip slow reverse-DNS lookups and {{ic|-v}} to see packet and byte counters):
  <tvar|usercmdC>{{UserCmd|command=sudo iptables -L}}</>

<!--T:34-->
To save the current rules to the file the service loads at boot:
  <tvar|usercmdD>{{UserCmd|command=sudo sh -c "iptables-save > /etc/iptables/iptables.rules"}}</>

<!--T:35-->
To load the rules from the file ({{ic|iptables-restore}} reads the rules from standard input, so the redirection points into the command; a {{ic|>}} here would empty the rules file instead):
  <tvar|usercmdE>{{UserCmd|command=sudo sh -c "iptables-restore < /etc/iptables/iptables.rules"}}</>
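A rules file in the format that {{ic|iptables-save}} writes and {{ic|iptables-restore}} reads is the easiest way to keep a reviewable policy for {{ic|iptables.service}}.  The script below is an added example, not part of this wiki page: it writes a stateful baseline for both IPv4 ({{ic|iptables.rules}}) and IPv6 ({{ic|ip6tables.rules}}) and, when run as root with the tools installed, checks the syntax with {{ic|iptables-restore --test}} without loading anything.  It assumes sshd on 22/tcp and the 8443/tcp web service from the UFW section.  By default it writes into a temporary directory, so it is safe to run as a normal user; pass {{ic|/etc/iptables}} as the first argument to write the real files.

```shell
#!/bin/sh
# Stateful baseline ruleset for iptables.service / ip6tables.service.
# Added example, not from the wiki page.  Assumptions: sshd on 22/tcp, a web
# service on 8443/tcp, and an output directory in $1 (default: a temporary
# directory, so running this with no arguments changes nothing on the host).
set -u

OUT="${1:-$(mktemp -d)}"

# rules FAMILY: print the ruleset for FAMILY "ip" (IPv4) or "ip6" (IPv6) in
# iptables-save format.  Policies are DROP for INPUT and FORWARD; OUTPUT is
# left open, like ufw's default "allow (outgoing)".
rules() {
    if [ "$1" = ip6 ]; then icmp='-p ipv6-icmp'; else icmp='-p icmp'; fi
    cat <<EOF
# $1 ruleset (constructed example)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to our own connections first: cheapest and most common
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP carries path-MTU discovery (and neighbour discovery on IPv6); do not drop it wholesale
-A INPUT $icmp -j ACCEPT
# SSH: a source that opens 6 new connections within 30 seconds is dropped (like ufw limit)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT
# log what the DROP policy will discard, rate limited so a port scan cannot fill the journal
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[$1 drop] "
COMMIT
EOF
}

# write_rules: write both files where the Arch/Manjaro iptables services load them.
write_rules() {
    mkdir -p "$OUT"
    rules ip  > "$OUT/iptables.rules"
    rules ip6 > "$OUT/ip6tables.rules"
}

# check FILE TOOL: parse FILE with TOOL --test (nothing is committed to the
# kernel) when TOOL is installed and we are root; otherwise report the skip.
check() {
    if [ "$(id -u)" -eq 0 ] && command -v "$2" >/dev/null 2>&1; then
        if "$2" --test "$1"; then echo "$1: syntax ok"; else echo "$1: syntax check FAILED"; fi
    else
        echo "$1: written (run as root with $2 installed to syntax-check it)"
    fi
}

write_rules
check "$OUT/iptables.rules" iptables-restore
check "$OUT/ip6tables.rules" ip6tables-restore
```

Review the generated files, then run the script again as root with {{ic|/etc/iptables}} as the argument and enable {{ic|iptables.service}} and {{ic|ip6tables.service}}.  The order of the rules matters: the conntrack rules near the top handle the bulk of legitimate traffic before any per-service rule is evaluated.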


<!--T:36-->