
UFW – Uncomplicated Firewall Primer Part Deux

by Tom B. on February 14th, 2012

A Netbook is a handy piece of tech when travelling. Of course these days, with the iPad and friends, Netbooks are collecting dust. However, I still have an Ubuntu Netbook I take on road trips now and again. Enjoying public Wi-Fi, or my kids' favourite activity, watching movies, is the perfect use for these tiny portable computers, and you can't beat the battery life. With Ubuntu on board, connecting to public Wi-Fi couldn't be safer (relatively speaking), and with ufw built in I can easily turn the firewall 'ON' and all but disappear on the network. When active, ufw's default policy denies all inbound traffic and allows all outbound traffic on every interface; the only inbound exceptions are a few things the bundled before.rules let through, such as ICMP echo requests (ping). Let's look at a few simple scenarios:

Protecting yourself while using Public Wi-Fi: $ sudo ufw enable

Sharing Windows files or printers with friends or other hosts on the same public network. According to Microsoft, the following ports should be open for SMB and NetBIOS (file and printer sharing) communication:
$ sudo ufw allow 135/tcp
$ sudo ufw allow 136/tcp
$ sudo ufw allow 137/tcp
$ sudo ufw allow 138/tcp
$ sudo ufw allow 139/tcp
$ sudo ufw allow 135/udp
$ sudo ufw allow 136/udp
$ sudo ufw allow 137/udp
$ sudo ufw allow 138/udp
$ sudo ufw allow 139/udp
$ sudo ufw allow 445/tcp

However, I would not recommend opening these ports while connected to a public network, especially TCP 445, which carries SMB directly and with it the administrative shares such as ADMIN$. Instead, if you and your buddy are connected to the same public network, create a more specific rule that grants your friend access by specifying their IP address.

Create ufw exception by IP address: $ sudo ufw allow from 192.168.1.1

However, at times you may not fully trust your friend and only want them reaching one specific port. The NetBIOS session service is TCP only, so pin the protocol as well rather than allowing both TCP and UDP on that port: $ sudo ufw allow from 192.168.1.1 to any port 139 proto tcp

The uncomplicated firewall is easy to manipulate. However, you must remember to add restrictive/specific rules before more generic ones. ufw evaluates its rules top down and the first match wins, so a broad allow sitting above a narrow deny makes that deny unreachable. Run $ sudo ufw status numbered to see the current order, and use $ sudo ufw insert <position> <rule> when a rule needs to go above existing ones rather than being appended at the bottom. Let me give you an example:

You've got a great hack and wish to test it at the local public Wi-Fi hotspot, but you don't want your friend falling victim. Given the ordering rule above, this can be accomplished with two rules: a restrictive one followed by a more generic one. First deny your friend's IP address, blocking them from your hack; second, add a more general allow rule granting access from any other host on the subnet.

$ sudo ufw deny from 192.168.1.100 to any port 666
$ sudo ufw allow from 192.168.1.0/24 to any port 666
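To make the ordering point concrete, here is a small model of how ufw walks its rule list: top down, stopping at the first rule that matches, with the default inbound policy applying when nothing matches. This is an added illustration written for this post, not ufw's own code; it parses only the rule forms used above, assumes a default inbound policy of deny, and ignores before.rules (where the ICMP exceptions live). The sample addresses are the ones from the post.

```python
"""Toy model of ufw's first-match rule evaluation.

Added illustration, not ufw's own code: it parses the subset of rule syntax
used in this post and walks the list top down, stopping at the first rule
that matches, which is how ufw applies user rules before the default policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # "any", a single IP, or a CIDR block
    port: Optional[int]   # None means any destination port
    proto: str            # "tcp", "udp" or "any"


def parse_rule(text: str) -> Rule:
    """Parse '<allow|deny> [PORT[/PROTO]] [from SRC] [to any] [port N] [proto P]'.

    Only the forms that appear in the post are handled; anything else raises.
    """
    tokens = text.split()
    action = tokens[0]
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, port, proto = "any", None, "any"
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key == "from":
            src = tokens[i + 1]
            i += 2
        elif key == "to":                  # only 'to any' is modelled
            i += 2
        elif key == "port":
            port = int(tokens[i + 1])
            i += 2
        elif key == "proto":
            proto = tokens[i + 1]
            i += 2
        elif key.split("/")[0].isdigit():  # bare spec such as '445/tcp'
            num, _, p = key.partition("/")
            port, proto = int(num), (p or "any")
            i += 1
        else:
            raise ValueError(f"unsupported token {key!r} in {text!r}")
    return Rule(action, src, port, proto)


def matches(rule: Rule, src_ip: str, dport: int, proto: str) -> bool:
    """True if an inbound packet from src_ip to dport/proto hits this rule."""
    if rule.src != "any" and ip_address(src_ip) not in ip_network(rule.src, strict=False):
        return False
    if rule.port is not None and rule.port != dport:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return True


def evaluate(rules, src_ip: str, dport: int, proto: str = "tcp", default: str = "deny"):
    """Walk the rules top down; return (verdict, index of the matching rule).

    When nothing matches, the default inbound policy applies and the index is None.
    """
    for idx, rule in enumerate(rules):
        if matches(rule, src_ip, dport, proto):
            return rule.action, idx
    return default, None


# The post's two rules in the order the text recommends: specific deny first.
CORRECT_ORDER = [parse_rule(r) for r in (
    "deny from 192.168.1.100 to any port 666",
    "allow from 192.168.1.0/24 to any port 666",
)]
# The same rules appended the other way round; the deny can never be reached.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for src in ("192.168.1.100", "192.168.1.50", "10.0.0.7"):
            verdict, idx = evaluate(rules, src, 666)
            print(f"{name:7} order: {src:14} -> port 666 {verdict} (rule {idx})")
```

With the rules in the recommended order, 192.168.1.100 is denied by rule 0 and the rest of the subnet is allowed by rule 1; reverse them and the friend's traffic is allowed by rule 0 before the deny is ever consulted. Hosts outside 192.168.1.0/24 fall through to the default policy either way.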
