Basic Ubuntu Linux Firewall Configuration
A firewall is a vital component in protecting an individual computer system or network of computers from external attack (typically from an internet connection). Any computer connected directly to an internet connection must run a firewall to protect against malicious activity. Similarly, any internal network must have some form of firewall between it and an external internet connection.
Ubuntu Linux is supplied with powerful firewall technology known as iptables built-in. Entire books can, and indeed have, been written about configuring iptables. If you would like to learn about iptables we recommend Linux Firewall Configuration - Packet Filtering and iptables.
Fortunately Ubuntu Linux also provides some tools which make firewall configuration for the average user easy. This chapter will cover the steps necessary to configure an Ubuntu Linux firewall using those tools.
Ubuntu Linux Firewall Options
Ubuntu Linux provides several firewall configuration options. The first is a basic yet effective and easy to use firewall configuration system called lokkit. A more advanced option is called Firestarter, and a third option is a tool called Guarddog.
In this chapter we will explore lokkit and in the next chapter (Using Firestarter to Configure an Ubuntu Linux Firewall) we will look at the Firestarter firewall configuration tool in more detail.
Configuring a Basic Ubuntu Linux Firewall
The lokkit tool is available in two forms. The generic form is called lokkit and is designed to run from a text based terminal window. The second form is called gnome-lokkit and is a GUI based version of the tool.
The lokkit tools are not installed by default on Ubuntu, so before we can begin to configure a firewall we first need to install the appropriate packages. This is achieved using the apt-get command line tool. The first step is to launch a terminal window to gain access to the command-line. To do this, click on the desktop Applications menu and select Terminal from the Accessories menu. The resulting window provides a Linux command-line prompt. Type the following at the prompt:
sudo apt-get install gnome-lokkit
Enter your password when prompted. apt-get will then install the two packages.
Running the lokkit Firewall Tool
Unfortunately the last few releases of Ubuntu Linux contain a bug which prevents gnome-lokkit from running. If gnome-lokkit fails for you, you will need to use lokkit. Fortunately, there is nothing in gnome-lokkit that cannot be achieved using lokkit. To launch lokkit, start a Linux console to access the command prompt (click on the desktop Applications menu and select Terminal from the Accessories menu) and type the following at the command-line prompt:
sudo lokkit
Enter your password when prompted. Once loaded, lokkit should appear as follows:
Notice that Ubuntu Linux defaults to the highest level of security. This follows the general rule of security that a system should start with everything locked down, with restrictions then lifted gradually to provide only the functionality needed, and nothing more.
The most useful lokkit screen is the customization screen. To access this screen use the Tab key to navigate to the Customize button at the bottom of the screen. Once Customize is highlighted press the Enter or Space key to select it. The Customization screen should appear as follows:
Understanding the lokkit Firewall Customization Screen
The lokkit customization screen needs a little explanation. The first setting lists the network devices present in the system and provides the option to mark one or more of these as trusted devices. Essentially, data arriving via a trusted device is not subject to any rules imposed by the firewall. This is useful if you have a system where one network device is connected to the outside world via an internet connection and another device is connected to a trusted, internal network. Assuming you truly trust the internal network and all the systems on it, then you can mark that device as trusted.
The second section of the screen controls access to a number of different services which may or may not be running on your Ubuntu Linux system. Descriptions of these are as follows:
DHCP - This refers to the Dynamic Host Configuration Protocol. This is a system by which devices are dynamically provided IP addresses instead of having static IP addresses manually assigned by users or system administrators. If you obtain your address from a DHCP server (such as one built into a wireless router or provided by your company) then you will want to enable DHCP on this page so that your system can negotiate with the DHCP server to obtain an IP address.
SSH - The secure shell provides an encrypted mechanism for allowing password protected remote access to your system. With SSH you can remotely log in to your system, copy files between your system and other systems, and perform remote execution of programs. If you need remote access to your system you will need to activate this. If you do not need remote access, leave this disabled. Note that the ssh server is not installed by default on Ubuntu Linux.
Telnet - Telnet provides remote terminal access to your system. It does not use encryption and use is strongly discouraged. Leave this disabled and use SSH instead for remote access.
WWW (HTTP) - If you are hosting a web server on your Ubuntu Linux System you will need to enable HTTP traffic through the firewall to enable web page requests to reach the http server. If you do not plan to host a web server, leave this disabled. Note that the Apache web server is not installed by default on Ubuntu Linux.
mail (SMTP) - Specifies whether the firewall blocks Simple Mail Transfer Protocol traffic. Opening this is only necessary if you are hosting a mail server on your Ubuntu Linux system. If you only use a mail client to download email from a POP3 or IMAP server you can safely leave this disabled. Note that the SMTP server is not installed by default on Ubuntu Linux.
FTP - Controls whether File Transfer Protocol traffic is permitted through the firewall. Unless you plan to set up an ftp server (unlikely for typical users) leave this option disabled. Note that the FTP server is not installed by default on Ubuntu Linux.
To activate or deactivate an option, use the Tab key to navigate to the required option and press the space bar to toggle the selection. Activated options are marked with an asterisk (*). When you have finished making selections, tab to the OK button to return to the main screen and tab to OK again to exit lokkit.
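Since lokkit is a front end to iptables, it helps to see what the customization screen amounts to in iptables terms. The following is an added example, not lokkit's own generated rule set: it builds a default-deny INPUT policy from one trusted device and a list of the services on that screen, so you can see exactly which holes each selection opens. The service-to-port mapping is an assumption for the illustration (DHCP client replies on UDP 68, SSH 22, WWW 80, SMTP 25, FTP control 21).

```shell
#!/bin/sh
# Added example (not lokkit's code): emit iptables rules equivalent to a
# lokkit customization: everything locked down, then only what is selected.

# Map a lokkit service name to "protocol port" (assumed mapping).
service_port() {
    case "$1" in
        DHCP) echo "udp 68" ;;   # DHCP offers/acks are delivered to client port 68
        SSH)  echo "tcp 22" ;;
        WWW)  echo "tcp 80" ;;
        SMTP) echo "tcp 25" ;;
        FTP)  echo "tcp 21" ;;   # control channel only
        *)    return 1 ;;
    esac
}

# lokkit_rules TRUSTED_DEVICE "SERVICE ..." prints one iptables command per
# line; TRUSTED_DEVICE may be empty. Unknown service names are an error.
lokkit_rules() {
    trusted="$1"; services="$2"
    echo "iptables -P INPUT DROP"                       # start fully locked down
    echo "iptables -A INPUT -i lo -j ACCEPT"            # local processes talk to each other
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    [ -n "$trusted" ] && echo "iptables -A INPUT -i $trusted -j ACCEPT"  # trusted device bypasses all checks
    for s in $services; do
        pp=$(service_port "$s") || { echo "unknown service: $s" >&2; return 1; }
        set -- $pp
        echo "iptables -A INPUT -p $1 --dport $2 -j ACCEPT"
    done
}

# apply_rules TRUSTED_DEVICE "SERVICE ..." runs the generated commands (needs root).
apply_rules() {
    lokkit_rules "$1" "$2" | sh
}

# Usage: print the rules for a box with a trusted internal NIC (constructed
# example: eth1) that needs DHCP and SSH, without applying them.
lokkit_rules eth1 "DHCP SSH"
```

For FTP the control port alone is not enough for data transfers; the nf_conntrack_ftp helper must be loaded for the RELATED rule to admit them. After lokkit has run, `sudo iptables -L -n -v` shows the rules it actually installed, which is the check worth doing before trusting the configuration.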