When to use a firewall (e.g. ufw)
David Fletcher
dave at thefletchers.net
Fri Nov 20 12:37:14 UTC 2020
On Fri, 2020-11-20 at 11:55 +0000, Peter Flynn wrote:
> On 20/11/2020 11:25, Ian Bruntlett wrote:
> > Hi,
> >
> > I was wondering, when should a firewall (e.g. ufw) be installed on
> > a computer running Linux - Ubuntu Linux, to be more accurate.
>
> If the computer has access to the Internet, you should use a
> firewall.
>
> But in a domestic situation, with a firewall inside the router/hub
> supplied by your provider, that's probably enough unless you punch
> holes in it
By which I assume you mean port forwarding to use a mail or web server
from inside your domestic network, as I do, otherwise my understanding
is that the router won't do anything to pass packets inside unless you
initiated it by having e.g. a web browser requesting a page from
somewhere.
I've always found help on iptables to be confusing at best. What I've
personally settled on doing is starting an iptables backup file by
exporting from iptables, which only needs to be done once, to get the
format which can then be easily added to with a text editor. Or just
take my example from below. I don't try to do anything smart, just drop
packets from anywhere that nuisance email etc. has originated to
prevent future access from there to my server. My iptables file has
thousands of entries, here is a small sample for example:-
# Block all packets from American Samoa no reason to get any contact from there
# (note: with -p tcp these rules only match TCP; the comment must stay on one
# line starting with '#', or iptables-restore rejects the file)
-A INPUT -s 103.117.168.0/22 -p tcp -j DROP
-A INPUT -s 103.238.156.0/23 -p tcp -j DROP
-A INPUT -s 202.70.112.0/20 -p tcp -j DROP
After manually editing the file I update iptables with
sudo iptables-restore < ServerSetup/iptables4backup
The question that seems to be frequently asked is, how to make sure the
iptables configuration gets restored during a system restart? I put
into my crontab file,
@reboot root CrontabRestart
which kicks off the CrontabRestart script in /usr/local/bin/, which
contains
#!/bin/bash
# Wait for networking and other services to come up before reloading rules.
sleep 60s
iptables-restore < /home/administrator/ServerSetup/iptables4backup
sleep 60s
# Send a notification (sendEmail: -q quiet, -f from, -t to, -u subject, -m body).
sendEmail -q \
    -f me@example.com \
    -t me@example.com \
    -u "Server reboot notification" \
    -m "Restoring iptables, starting noip2"
# Restart the No-IP dynamic DNS client.
/usr/local/bin/noip2
I'm really not sure if the noip2 entry is necessary but AFAICT it does
no harm.
OK, that's how I, as a non-expert, deal with firewalling. My ISP does
not yet provide IPv6 service, they've been dragging their feet for
years, hence I'm still only worried about IPv4.
Regards,
Dave
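A small checker for a hand-edited rules file of the kind described in the message above, added here as an example; it is not the author's code and not part of the original post. It parses only the subset of the iptables-save format the message uses (a `*table` header, `:CHAIN POLICY` lines, `#` comments, `-A CHAIN -s CIDR [-p PROTO] -j TARGET` rules and `COMMIT`), flags lines that iptables-restore would reject (for instance a comment that a mail client wrapped onto a second line with no leading `#`), and answers "would this source address be dropped by the INPUT chain?" using first-match semantics. The embedded sample file is constructed for the example; the three CIDRs are the ones quoted in the post, and the `problems` list is meant to be checked before running `iptables-restore` so a typo does not leave the host without rules.

```python
"""Validate an iptables-save style file and query which sources it drops.

Added example (not from the original post). Assumes the file layout shown
above: *filter header, chain policies, '#' comments, simple -A rules, COMMIT.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+-s\s+(?P<src>\S+)"
    r"(?:\s+-p\s+(?P<proto>\S+))?\s+-j\s+(?P<target>\S+)\s*$"
)

# Constructed sample mirroring the structure of the backup file in the post.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Block all packets from American Samoa no reason to get any contact from there
-A INPUT -s 103.117.168.0/22 -p tcp -j DROP
-A INPUT -s 103.238.156.0/23 -p tcp -j DROP
-A INPUT -s 202.70.112.0/20 -p tcp -j DROP
COMMIT
"""


def parse_rules(text):
    """Return (rules, problems).

    rules: list of dicts with table, chain, network, proto ('all' if no -p),
           target.  problems: (line number, text) pairs for lines that
           iptables-restore would reject, plus structural gaps (no *table
           header or no COMMIT).
    """
    rules, problems = [], []
    table, saw_commit = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment: ignored by restore
        if line.startswith("*"):
            table = line[1:]
            continue
        if line.startswith(":"):
            continue                      # chain policy line
        if line == "COMMIT":
            saw_commit = True
            continue
        m = RULE_RE.match(line)
        if not m:
            # e.g. "from there": a wrapped comment without '#', or a rule
            # with syntax this checker does not understand
            problems.append((lineno, raw))
            continue
        try:
            net = ipaddress.ip_network(m.group("src"), strict=False)
        except ValueError:
            problems.append((lineno, raw))
            continue
        rules.append({
            "table": table, "chain": m.group("chain"), "network": net,
            "proto": m.group("proto") or "all", "target": m.group("target"),
        })
    if table is None:
        problems.append((0, "missing *table header (e.g. *filter)"))
    if not saw_commit:
        problems.append((0, "missing COMMIT line"))
    return rules, problems


def is_dropped(rules, address, proto="tcp", chain="INPUT"):
    """First matching DROP/REJECT rule in `chain` wins; a matching ACCEPT
    ends the search too. Rules without -p match every protocol."""
    addr = ipaddress.ip_address(address)
    for r in rules:
        if r["chain"] != chain or r["proto"] not in ("all", proto):
            continue
        if addr in r["network"]:
            if r["target"] in ("DROP", "REJECT"):
                return True
            if r["target"] == "ACCEPT":
                return False
    return False


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    for lineno, text in problems:
        print(f"line {lineno}: cannot be restored: {text!r}")
    for ip in ("103.117.170.5", "103.117.172.1"):
        print(ip, "dropped" if is_dropped(rules, ip) else "not matched")
```

Run it against the real backup file with `parse_rules(open(path).read())`; an empty `problems` list is the go-ahead for `iptables-restore`, and `is_dropped` lets you confirm a range you just added actually covers the address you meant it to.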