Configure Ubuntu's firewall

You might not realize it, but Ubuntu has a very powerful firewall built in. However, it isn't activated out of the box. Some firewall configuration tools are provided, but they aren't easy to use and definitely aren't recommended for those less versed in networking fundamentals.

The firewall isn't activated because Ubuntu has no outward-facing services: there are no programs that allow incoming connections from the Internet, apart from those under the user's control, like Firefox and Evolution, where any incoming connections are requested. The analogy is that Ubuntu is a house without windows or doors, so enacting further defenses against intruders isn't necessary.

But a firewall provides more than simple protection against incoming connections. It can protect you against unauthorized outgoing connections too, such as those enacted by spyware[7], and also switch off some network diagnostic tools that hackers have been known to exploit.

To easily configure Ubuntu's firewall, you can use Firestarter. This is a simple GUI program that lets you control both incoming and outgoing connections. It works on the principles of policies and rules. Policies are sets of rules that define what outside agents can and can't access your computer (and, conversely, what your computer itself can and can't access across the network/Internet).

Installing Firestarter

Firestarter can be installed via Synaptic (search for and install the firestarter package) and subsequently found on the Applications → Internet menu. When it first starts you'll need to complete a setup wizard. The default choices are usually correct although, if you use a wifi connection, be sure to select the right type of connection you want Firestarter to protect from the Detected device(s) dropdown list. You can find out the device that provides your network connection by right-clicking the NetworkManager icon, selecting Connection Information, and looking at the end of the line that's headed Interface.

When the wizard finishes, opt to save the settings.

Configuring incoming connections

Once installed, Firestarter enacts a default policy of turning away unsolicited incoming connections (incoming connections that are requested, such as when Firefox requests a web page, are still allowed). Although extremely safe when it comes to security, turning away unsolicited connections isn't always desirable. For example, the file sharing software BitTorrent relies on other people connecting to your computer unsolicited in order to download file fragments. Additionally, services like network file sharing rely on others being able to connect to your computer whenever they want to grab or drop off files.

7. Ubuntu, and all Linuxes, has yet to see any spyware. It's pretty unlikely too, considering of open source software and the generally higher level of awareness of Ubuntu users. But never say never...

Therefore, it's sometimes necessary to allow some incoming connections, which is done by creating an inbound rule, as follows:

1. Start Firestarter and click the Policy tab. Ensure Inbound traffic policy is selected in the Editing dropdown list. Then right-click in the lower part of the window, underneath the Allow service heading. In the menu that appears, click Add Rule.

2. In the dialog that appears, select the type of incoming connection you want to allow from the Name dropdown list. If you want to allow network file sharing, select Samba (SMB). Once you've made your selection, the Port text field will be automatically filled in. There should be no need to change this. See Figure 3.9, on the next page, for an example taken from my test PC.

3. Under the When the source is heading, you can select Anyone, to allow literally any Internet-connected computer to connect to your computer (advisable in the case of BitTorrent), or IP, host or network to restrict it to a particular computer or range of computers. To only allow computers in your private network to connect, for example, you might type 192.168.1.1-255. This would add a layer of security if you simply want to enable network file sharing, for example.

4. Click the Add button and then click the Apply Policy button on the main toolbar. The change will take effect immediately and there's no need to reboot. Once configuration is complete, you can close the Firestarter program (remember that Firestarter is simply a configuration program for the firewall, and not the firewall itself; it doesn't need to be running for the firewall to function).

Figure 3.9: Configuring an inbound rule in Firestarter (see Tip 37, on page 93)

Configuring outgoing connections

By default, Firestarter allows all outgoing connections. For example, should Firefox or Evolution attempt to connect to a website or mail server, it won't stop them. This is known as a permissive policy. To block all outgoing network connections from software, apart from that which you sanction, Firestarter needs to be switched to restrictive policy. The following steps describe how to enact a restrictive outgoing policy and then create rules so that software is allowed to make outgoing connections (this is also known as creating a whitelist because only software you list is allowed through):

1. Start Firestarter and ensure the Policy tab is selected. Then select Outbound traffic policy from the Editing dropdown list. Then select Restrictive by default, whitelist traffic.

2. In the space under the Allow service heading at the bottom of the program, right-click and select Add rule from the menu that appears.

3. In the Name dropdown list, select the type of connection you'd like to pass through unhindered. For example, to allow Firefox (and also Ubuntu's software management subsystem) to work properly, you'll need to select HTTP, because HTTP is how web traffic is referred to technically. You will almost certainly want to allow this. Once that's done, the Port text field will be filled in automatically. There should be no need to change this unless you know what you're doing.

4. If you need to manually create a rule (which is to say, those offered don't fit your requirements), type the port into the Port text field and then type the name of the new rule straight into the Name field (the Name field works as both a dropdown list and a text field). You can give the new rule any name you wish.

5. Regardless of whether you create your own rule or use one that's already defined, don't change anything under the When the source is heading. In this case, the settings are only for use when Firestarter is protecting a shared Internet connection. Just click the Add button to create the rule.

6. Click the Apply Policy button on the toolbar. The changes will take effect immediately and there's no need to reboot.

If you opt for a restrictive outgoing policy, at the very least you should create rules to allow HTTP, HTTPS, POP3, and SMTP. The first two will allow Firefox to fetch webpages unhindered while the latter two are necessary for getting and sending email (if you use IMAP instead of POP3 then, obviously, you should select that instead).
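For readers who want to see what these policies amount to underneath, the following added example (not from the original tip and not Firestarter's own output) prints an iptables-restore ruleset for the inbound Samba rule limited to 192.168.1.1-255 and the restrictive outbound whitelist of HTTP, HTTPS, POP3 and SMTP. The Samba port numbers and the DNS rule are assumptions that the tip does not list.

```shell
#!/bin/sh
# Added example: print (not load) an iptables-restore ruleset mirroring the
# inbound rule and the restrictive outbound whitelist described above.
LAN_RANGE="192.168.1.1-192.168.1.255"  # the page's 192.168.1.1-255 range
OUT_TCP="80 443 110 25"                # HTTP, HTTPS, POP3, SMTP
SMB_TCP="139 445"                      # assumed: standard Samba TCP ports
SMB_UDP="137 138"                      # assumed: standard NetBIOS UDP ports

emit_ruleset() {
    echo "*filter"
    # Default-deny in every direction. With no ICMP ACCEPT rule, unsolicited
    # echo requests (ping) are dropped along with everything else.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    # Loopback traffic and replies to connections already permitted.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Inbound rule: file sharing, restricted to the private range.
    for p in $SMB_TCP; do
        echo "-A INPUT -p tcp --dport $p -m iprange --src-range $LAN_RANGE -j ACCEPT"
    done
    for p in $SMB_UDP; do
        echo "-A INPUT -p udp --dport $p -m iprange --src-range $LAN_RANGE -j ACCEPT"
    done
    # Assumption: DNS must also be allowed out or hostnames stop resolving.
    echo "-A OUTPUT -p udp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -p tcp --dport 53 -j ACCEPT"
    # Outbound whitelist: one rule per sanctioned service.
    for p in $OUT_TCP; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

emit_ruleset
```

Review the printed rules before loading them with iptables-restore as root; loading replaces the current contents of the filter table.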

A restrictive policy can be a pain to maintain because some websites ask Firefox to fetch data using non-HTTP or HTTPS ports. In particular, this can be the case if certain types of plugins are used. In that case, you need to create a rule for each port that gets used, and that involves some technical knowledge of what port is being requested. Additionally, if you install new software that requires Internet access, the port it uses will need to be added.
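Working out which ports still need a rule is the tedious part, so here is an added example (not part of the original tip) that reads connection listings in the column layout of `ss -tn` and reports every remote port that is missing from the whitelist. The sample lines are constructed, use documentation address ranges, and are assumed to be outbound connections only.

```shell
#!/bin/sh
# Added example: list remote TCP ports in use that the outbound whitelist
# does not yet cover, so a rule can be added for each.
WHITELIST="80 443 110 25"   # HTTP, HTTPS, SMTP and POP3, as suggested above

# Constructed sample in the layout of `ss -tn` (assumed outbound only).
# A blocked attempt typically lingers in SYN-SENT under a restrictive policy.
sample_ss() {
cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      192.168.1.20:51234   203.0.113.10:443
ESTAB     0      0      192.168.1.20:51240   203.0.113.25:8080
ESTAB     0      0      192.168.1.20:40022   198.51.100.7:993
ESTAB     0      0      192.168.1.20:51300   203.0.113.10:80
ESTAB     0      0      192.168.1.20:51301   203.0.113.25:8080
SYN-SENT  0      0      192.168.1.20:51400   198.51.100.9:1935
EOF
}

# Reads `ss -tn` style lines on stdin and prints each remote port that is
# not whitelisted, once, in numeric order.
missing_ports() {
    awk -v allowed="$WHITELIST" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "State" { next }              # skip the header line
        {
            port = $5                       # Peer Address:Port column
            sub(/.*:/, "", port)            # keep text after the last colon
            if (port ~ /^[0-9]+$/ && !(port in ok)) print port
        }' | sort -n -u
}

sample_ss | missing_ports
```

On a live system the same function can be fed with `ss -tn | missing_ports`.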

Turning off network diagnostic tools

Firestarter has another trick up its sleeve. It can stop network diagnostic responses being sent from your computer. Network diagnostic tools can be useful in problem-solving situations but there have been a number of occasions when they have been exploited by hackers. To turn off the ports, click Edit → Preferences within Firestarter, select ICMP Filtering on the left of the dialog box that appears, and put a check in the Enable ICMP filtering box (DON'T then put a check in any of the boxes beneath—that will RE-ENABLE the ports!). See Figure 3.10, on the following page, for an example from my test PC. Then click Accept. You can quit Firestarter following this.

Figure 3.10: Turning off diagnostic tools responses in Firestarter (see Tip 37, on page 93)
