Ubuntu’s Uncomplicated Firewall (UFW)

Posted by gmendoza on September 20, 2008 under Tech Tips | 6 Comments to Read

First introduced in Ubuntu 8.04, UFW is Ubuntu’s “uncomplicated firewall”, a remarkably easy-to-use front end for creating simple iptables firewall rules. The goal behind UFW is to let administrators, and even third-party packages, manage firewall rules in a clean and consistent manner. When UFW is enabled, its default rule set works very well for the average server or desktop: it blocks all unsolicited inbound network access without hobbling useful protocols (such as ICMP and the DHCP client) or the return traffic of connections the host itself opened.

In the following example, we will set up a very simple host firewall that is adequate for most single-machine setups.

First, let’s check the status of UFW and the currently installed iptables rule set. The output below shows that UFW is disabled and that there are no rules in the iptables INPUT chain.

Check firewall status

sudo ufw status
Firewall not loaded

sudo iptables -L INPUT -n | column -t
Chain             INPUT  (policy  DROP)
target            prot   opt      source     destination

Enable UFW

Now, let’s enable UFW and examine the change to iptables’ INPUT chain.

sudo ufw enable
Firewall started and enabled on system startup

sudo iptables -L INPUT -n | column -t
Chain             INPUT  (policy  DROP)
target            prot   opt      source     destination
ufw-before-input  all    --       0.0.0.0/0  0.0.0.0/0
ufw-after-input   all    --       0.0.0.0/0  0.0.0.0/0

With UFW enabled, the INPUT chain’s policy is DROP and every inbound packet is first passed through two new chains, ufw-before-input and ufw-after-input; anything those chains do not explicitly accept is silently discarded. For a much better understanding of what the default rules are, take a look at the files “/etc/ufw/before.rules” and “/etc/ufw/after.rules“.

Connection Tracking

For your convenience, UFW also enables connection tracking, which watches the connections your applications open and dynamically allows their return traffic. The core tracker handles plain TCP and UDP by itself; protocols that negotiate additional data connections (FTP, IRC DCC, TFTP) need a helper module that parses the control channel and opens the data ports. By default the FTP and IRC helpers are loaded, and others may be added to the IPT_MODULES variable in the file “/etc/default/ufw“. Load only the helpers you actually need: each one parses protocol payload inside the kernel and punches holes in the firewall for whatever data connections it sees.

For example, I sometimes need to use TFTP to send firmware to routers and receive it from them, so I typically add “nf_conntrack_tftp” to the variable IPT_MODULES.

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_tftp"

Remember to restart UFW so that the new conntrack module is loaded; afterwards, lsmod should list nf_conntrack_tftp.

sudo /etc/init.d/ufw restart
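Editing IPT_MODULES by hand is fine once, but it is easy to end up with a duplicated helper or a mangled line when the change is scripted. The following is an added example, not part of the original post, that appends a helper to the IPT_MODULES line of a /etc/default/ufw-style file exactly once, so it can be re-run safely. It assumes the file contains a single line of the form IPT_MODULES="mod1 mod2 ..." and works on a constructed temporary copy rather than the real /etc/default/ufw.

```shell
#!/bin/sh
# Added example, not part of the original post: add a conntrack helper to the
# IPT_MODULES line of a /etc/default/ufw-style file without duplicating it.
# Assumes the file has a single line of the form IPT_MODULES="mod1 mod2 ...".

# add_ipt_module FILE MODULE: rewrite FILE so that MODULE is present exactly
# once in IPT_MODULES. Safe to run repeatedly.
add_ipt_module() {
    file=$1
    mod=$2
    awk -v mod="$mod" '
        /^IPT_MODULES=/ {
            line = $0
            sub(/^IPT_MODULES="?/, "", line)     # strip the key and opening quote
            sub(/"[ \t]*$/, "", line)            # and the closing quote
            n = split(line, m, " ")
            found = 0
            for (i = 1; i <= n; i++) if (m[i] == mod) found = 1
            if (!found) line = (line == "" ? mod : line " " mod)
            print "IPT_MODULES=\"" line "\""
            next
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_ipt_modules FILE: return the resulting IPT_MODULES line for checking.
get_ipt_modules() {
    grep '^IPT_MODULES=' "$1"
}

# Constructed stand-in for /etc/default/ufw with the stock helper list.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# /etc/default/ufw (constructed sample)
IPV6=no
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"
EOF

add_ipt_module "$demo_file" nf_conntrack_tftp
add_ipt_module "$demo_file" nf_conntrack_tftp   # second call is a no-op
get_ipt_modules "$demo_file"
```

On a real system you would point add_ipt_module at /etc/default/ufw (as root) and then restart UFW as shown above; the awk rewrite goes through a temporary file so a failure mid-way leaves the original untouched.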

Allowing inbound services

If your system runs server applications such as DNS, SSH, TFTP and web, you can add them to your firewall rules with these very simple commands. If you don’t run any servers on your machine, this step can be skipped.

sudo ufw allow 53
sudo ufw allow 22/tcp
sudo ufw allow 69/udp
sudo ufw allow 80/tcp

Notice that the first command did not specify UDP or TCP. When the protocol is omitted, UFW adds rules for both. DNS normally runs over UDP but uses TCP for zone transfers and for responses too large to fit in a single UDP datagram, so you’ll probably want both. Also note that every rule above accepts connections from anywhere; for management services such as SSH and TFTP it is worth restricting the source to your administrative network rather than exposing them to the whole Internet.

UFW displays the results very nicely.

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
53:tcp                     ALLOW   Anywhere
53:udp                     ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
69:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere
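A listing like the one above is easy to eyeball on one host, but across a fleet it helps to check it mechanically. The following is an added example, not part of the original post or of ufw itself: it scans a “ufw status” listing for management ports that are allowed from Anywhere. It assumes the three-column “To Action From” table shown above, accepts ports written either as 22:tcp (as in this listing) or 22/tcp (later ufw releases), and uses the status output from the post as constructed sample input; the set of management ports is this example’s own policy.

```shell
#!/bin/sh
# Added example, not part of the original post: scan a "ufw status" listing for
# management services that are reachable from Anywhere. Reads the listing on
# stdin. Assumes the three-column "To  Action  From" table shown above; ports
# may be written as 22:tcp (as in the listing above) or 22/tcp (later ufw).

# Ports that should only be reachable from an administrative network. This is
# the example's own policy, not something ufw defines.
MGMT_PORTS="22/tcp 69/udp"

# audit_ufw_status: print one WARN line per management port allowed from
# Anywhere; prints nothing when the listing is clean.
audit_ufw_status() {
    awk -v mgmt="$MGMT_PORTS" '
        BEGIN { n = split(mgmt, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # Skip "Firewall loaded", blank lines, and the table header/underline.
        NF < 3 || $1 == "To" || $1 ~ /^-+$/ { next }
        {
            rule = $1
            sub(":", "/", rule)                  # 22:tcp -> 22/tcp
            act = ""; from = ""
            # The action column may be pushed right by a "(v6)" tag on newer ufw.
            for (i = 2; i <= NF; i++)
                if ($i == "ALLOW" || $i == "DENY" || $i == "REJECT" || $i == "LIMIT") {
                    act = $i; from = $(i + 1); break
                }
            if (act == "ALLOW" && from == "Anywhere" && (rule in want))
                print "WARN: " rule " ALLOW from Anywhere; restrict it to a management network"
        }'
}

# Constructed sample, copied from the status output in the post above.
SAMPLE_STATUS='Firewall loaded

To                         Action  From
--                         ------  ----
53:tcp                     ALLOW   Anywhere
53:udp                     ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
69:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere'

# Number of findings for the sample (two: 22/tcp and 69/udp).
count_findings() {
    printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status
```

On a real host, feed it the live output of “sudo ufw status” instead of the sample. To narrow a flagged rule, delete it and re-add it with a source address, for example “sudo ufw delete allow 22/tcp” followed by “sudo ufw allow proto tcp from 192.168.1.0/24 to any port 22”; this relies on ufw’s full rule syntax, and 192.168.1.0/24 is a placeholder for your own management network.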

SYN cookies and more

UFW can also set kernel parameters for you. These are defined in “/etc/ufw/sysctl.conf“ (note the slash-separated key names, the same form used under /proc/sys) and are applied when UFW starts. For example, I wanted to enable SYN cookies, which mitigate SYN-flood denial-of-service attacks against the TCP listen backlog. Change the value on the following line to 1 to enable the feature.

net/ipv4/tcp_syncookies=1
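SYN cookies are one of several kernel knobs worth confirming on an exposed host. The following is an added example, not part of the original post or of ufw: it reads a sysctl.conf in ufw’s slash-separated format (plain dot-separated keys are accepted too) and reports which keys of a small hardening baseline are missing or set to an unexpected value. The baseline is this example’s own choice rather than ufw’s shipped defaults, and the input is a constructed file with SYN cookies still disabled.

```shell
#!/bin/sh
# Added example, not part of the original post: check a ufw-style sysctl.conf
# against a small hardening baseline. ufw writes keys with "/" separators
# (net/ipv4/tcp_syncookies); plain sysctl.conf uses "."; both are accepted.
# The baseline is this example's own choice, not ufw's shipped defaults.

# check_sysctl_conf: read sysctl.conf text on stdin and print one line per
# baseline key that is missing or set to an unexpected value. As with sysctl
# itself, a later assignment overrides an earlier one.
check_sysctl_conf() {
    awk '
        BEGIN {
            want["net.ipv4.tcp_syncookies"] = "1"            # survive SYN floods
            want["net.ipv4.conf.all.accept_redirects"] = "0"  # ignore ICMP redirects
            want["net.ipv4.conf.all.accept_source_route"] = "0"
            want["net.ipv4.conf.all.rp_filter"] = "1"         # reverse-path filtering
            want["net.ipv4.icmp_echo_ignore_broadcasts"] = "1"
        }
        {
            sub(/#.*/, "")                       # strip comments
            gsub(/[ \t]/, "")                    # and all whitespace
            if ($0 == "" || index($0, "=") == 0) next
            split($0, kv, "=")
            key = kv[1]
            gsub("/", ".", key)                  # net/ipv4/x -> net.ipv4.x
            have[key] = kv[2]
        }
        END {
            for (k in want) {
                if (!(k in have))
                    print "MISSING: " k " (expected " want[k] ")"
                else if (have[k] != want[k])
                    print "WEAK: " k "=" have[k] " (expected " want[k] ")"
            }
        }'
}

# Constructed sample: a sysctl.conf in ufw's format with SYN cookies still off
# and one baseline key absent.
SAMPLE_SYSCTL='# constructed /etc/ufw/sysctl.conf
net/ipv4/tcp_syncookies=0
net/ipv4/conf/all/accept_redirects = 0
net/ipv4/conf/all/rp_filter=1
net/ipv4/icmp_echo_ignore_broadcasts=1'

# Number of findings for the sample (two: syncookies weak, source_route missing).
count_sysctl_findings() {
    printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl_conf | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl_conf
```

To check the real file, run “check_sysctl_conf < /etc/ufw/sysctl.conf”. The file only describes what UFW will apply at start-up; the values actually in effect are under /proc/sys, so after editing the file restart UFW and compare.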

Logging can suck

Okay, if you’re on a busy network and don’t want to fill up your syslog, you can disable UFW’s logging. Bear in mind that the logged drops are often the first evidence of a port scan or an intrusion attempt, so on a server it is usually better to leave logging on and keep the volume under control with log rotation.

sudo ufw logging off

And really that’s all there is to it. Be sure to check out the man page for some more examples and features you may be interested in.


Word War Vi in Ubuntu

Posted by gmendoza on August 9, 2008 under Tech Tips | 8 Comments to Read

As described by the author, Word War Vi is “a retro styled side scrolling shoot’em up arcade game for linux”. The game play is fast-paced, complemented by superb audio, and very addictive.

At the time of this writing, there was no Ubuntu/Debian package, but compiling the game is a snap.

To get the latest version, please visit the Word War Vi site and download the source code.

Install Prerequisites and Dependencies

sudo apt-get install build-essential gnome-core-devel portaudio19-dev libvorbis-dev

Extract, Compile and Install
Replace x.xx in the file name with the version number of the file you downloaded. It shouldn’t need to be mentioned, but just in case. :-)

tar zxfv wordwarvi-x.xx.tar.gz
cd wordwarvi*
make && sudo make install

Execute and Have fun

wordwarvi

I noticed when running the game that my audio sounded a bit garbled. Changing the sound device cleared it up, although the right number varied with the sound card of each machine I tested it on. Try incrementing the number until one sounds normal.

wordwarvi --sounddevice 0
wordwarvi --sounddevice 1
wordwarvi --sounddevice 2


Console Framebuffer in Ubuntu

Posted by gmendoza on December 25, 2007 under Tech Tips | 6 Comments to Read

The Linux console framebuffer lets you use higher screen resolutions in the text console. However, as of this writing, Ubuntu 7.10 Gutsy does not load the required kernel modules by default. If you pass the “vga=XXX” kernel option without these modules loaded, you are left with a blinking cursor in the upper-left corner of the screen. Here’s how to get the console framebuffer in working order.

1. Ensure the initrd image includes framebuffer support by adding “fbcon” and “vesafb” to /etc/initramfs-tools/modules.

$ echo "vesafb" | sudo tee -a /etc/initramfs-tools/modules
$ echo "fbcon" | sudo tee -a /etc/initramfs-tools/modules

2. Remove (or comment out) “vesafb” from blacklisted modules in /etc/modprobe.d/blacklist-framebuffer.

#blacklist vesafb

3. Add the desired framebuffer option to the default kernel options line in /boot/grub/menu.lst. The leading “#” is intentional: update-grub reads these commented directives when it regenerates the menu. For 1024×768, the line should look like the following.

#defoptions=quiet splash vga=791

4. Update GRUB.

$ sudo update-grub

5. If usplash is configured for a higher resolution than your framebuffer, it will appear off-center, so adjust /etc/usplash.conf to use the same resolution.

xres=1024
yres=768

6. Update initramfs to rebuild the initrd image.

$ sudo update-initramfs -u

After rebooting, usplash will appear as normal, and you can press Ctrl+Alt+F1 to reach a console once your X environment has finished loading. The console text should now be much smaller, which makes large amounts of console work much more comfortable.
