A question regarding ufw

[Dangertux]

Maybe I wasn't clear. ufw just sets the iptables rules, right?? I just wanted to know where the script that sets iptables rules at startup is and how it sets the iptables rules

You are correct, ufw is just a front end for iptables. I told you earlier in the post where the scripts that ufw loads at start up are located. To reiterate that point

UFW default rules (the policies and rules that come with UFW by default) are stored in

Code:

/etc/ufw/before.rules
/etc/ufw/after.rules
/etc/ufw/before6.rules
/etc/ufw/after6.rules

UFW user rules (rules created by you, example : allowing traffic to SSH) are stored in

Code:

/lib/ufw/user.rules
/lib/ufw/user6.rules

These files are loaded by UFW when it starts, if it is scheduled as an upstart job (starts at boot time) they will be loaded then. Otherwise they will be loaded when you give the

Code:

sudo ufw enable

command.

As far as iptables goes, you can create a script anywhere to interact with that, starting an iptables script is often done either via an upstart job, using the service iptables-save command , or adding the iptables script to the network interface's pre-up.d startup scripts.

Outside of that I'm not sure what else you're looking for.

[jsvidyad]

How do I find if the ufw is set up as an upstart job?

Do you think I am un-necessarily worrying and that ufw will set the necessary iptables rules automatically during system startup? I have been concerned with this because of my earlier surprise with firestarter.

It would be nice if ufw is a set and forget firewall, the kind which is set up on the windows 7 computers I have to use in my office.

[jsvidyad]

Can you please help me with this?

[Dangertux]

How do I find if the ufw is set up as an upstart job?

Do you think I am un-necessarily worrying and that ufw will set the necessary iptables rules automatically during system startup? I have been concerned with this because of my earlier surprise with firestarter.

It would be nice if ufw is a set and forget firewall, the kind which is set up on the windows 7 computers I have to use in my office.

Hey , if you run the followign command

Code:

intictl show-config

it will list all the current upstart jobs if ufw is an upstart job it will show something like this

Code:

ufw
start on ((starting network-interface or starting network-manager) or starting networking)
stop on runlevel [!023456]

As for your other questions, yes I do think you're being a little too worried, particularly considering firewalls really don't do much in a default configuration if you don't have any services running. As far as being worried about installing a server accidentally goes, I really don't think that's likely. You don't just go looking for tetris and come back with apache. So I think that may be a little too paranoid of a stance.

Like I said, in its default configuration, with a default Ubuntu install UFW really won't do much for you. The bottom line is UFW is set and forget, Firestarter has problems, it's been out of development for a long time, and really was never that great of a front end to begin with.

[jsvidyad]

So, what you are saying is that once ufw has been enabled and configured, it will automatically set the firewall(iptables) rules at startup everytime the system is turned on and boots into ubuntu? Does this mean that I don't have to check to see if ufw is active and if the iptables rules have been set each time I boot into ubuntu? The only reason I was worried about this was because as I mentioned earlier, firestarter promised the same but did not deliver the results once when I checked the iptables rules(they were empty with default rule set to ACCEPT).

[Dangertux]

So, what you are saying is that once ufw has been enabled and configured, it will automatically set the firewall(iptables) rules at startup everytime the system is turned on and boots into ubuntu? Does this mean that I don't have to check to see if ufw is active and if the iptables rules have been set each time I boot into ubuntu? The only reason I was worried about this was because as I mentioned earlier, firestarter promised the same but did not deliver the results once when I checked the iptables rules(they were empty with default rule set to ACCEPT).

Yes -- ufw will set the rules at start up.

You really need to understand though, and I'm not sure you're clear on this part. UFW's default policy IE: if you type

Code:

sudo ufw enable

is this to DENY INPUT, ALLOW FORWARD and ALLOW OUTPUT. This is not the most restrictive policy in the world, however if you are just worried about accidentally installing a service and you don't have any currently installed it's fine.

As I said earlier Firestarter was very buggy. As you said earlier, you're currently not running any services so really a default UFW firewall will do nothing that your system isn't already doing.

I'm sorry if I sound short, I'm not trying to I'm just trying to make sure you understand what I'm saying.

[jsvidyad]

The default rules right now seem to be INPUT-DROP,FORWARD-DROP and OUTPUT-ACCEPT. I just want to make sure someone else can't get into the computer. For that, these rules are good enough, right?

[The Cog]

Assuming that ufw is configured as an upstart job, you will find its configuration file in /etc/init, probably /etc/init/ufw.conf. upstart is a program loaded very early in the boot process, and uses the rules in this folder to decide when other processes should be started and stopped.

[Dangertux]

The default rules right now seem to be INPUT-DROP,FORWARD-DROP and OUTPUT-ACCEPT. I just want to make sure someone else can't get into the computer. For that, these rules are good enough, right?

That's a very broad question : and a firewall is not a one stop shop for that.

To elaborate a lot of people misunderstand what a firewall is. A firewall is essentially a filter for incoming and outgoing connections, nothing more nothing less. It can become more complicated when you're adding a deep packet inspection firewall and or intrusion prevention system which Ubuntu does not come with by default. You would have to install something along the lines of Snort or OSSEC to have that functionality.

In all reality a firewall protecting nothing with unrestrictive outbound rules is essentially useless. If you would like to understand more about how attackers can "get into your computer" remotely , and how a firewall can and can not help you I would suggest reading this . I wrote it to address this particular question that a lot of people have.

In lieu of that I suggest that if you are truly paranoid about system security, you look into other things besides a firewall. NoScript and similar browser addons, mandatory access controls such as Apparmor (comes with Ubuntu but needs to be configured) or SELinux, and ensuring that you're giving your programs proper permissions in the discretionary access control scheme.

These are all things that can help you secure your system, additionally don't download from untrusted repositories, and generally use common sense.

But ultimately no a firewall is not the end all be all of system security.

[jsvidyad]

Hello,

I want to get something clarified. When I have set up ufw on a laptop and I switch between wired and wireless connections, what happens? Will the firewall be up and running in both cases? Or when I switch, will I have to restart ufw? Does the same firewall rules protect me for both wired and wireless connections? Do the firewall rules set up by ufw depend on the kind of network interface used for the network connection in any way?