You might not realize it but Ubuntu has a very powerful firewall built in. However it isn’t activated out of the box. Some firewall configuration tools are provided but aren’t easy to use and definitely aren’t recom-mended for those less-versed in networking fundamentals.
The firewall isn’t activated because Ubuntu has nooutward-facing ser-vices—there’s no programs that allow incoming connections from the
CONFIGUREUBUNTU’S FIREWALL 94
Internet, apart from those under the user’s control, like Firefox and Evolution, where any incoming connections are requested. The anal-ogy is that Ubuntu is a house without windows or doors, so enacting further defenses against intruders isn’t necessary.
But a firewall provides more than simple protection against incoming connections. It can protect you against unauthorized outgoing connec-tions too, such as those enacted by spyware7 and also switch off some network diagnostic tools that hackers have been known to exploit.
To easily configure Ubuntu’s firewall, you can use Firestarter. This is a simple GUI program that lets you control both incoming and outgoing connections. It works on the principles ofpoliciesandrules. Policies are sets of rules that define what outside agents can and can’t access your computer (and, conversely, what your computer itself can and can’t access across the network/Internet).
Installing Firestarter
Firestarter can be installed via Synaptic (search for and install the firestarterpackage) and subsequently found on the Applications→ Inter-net menu. When it first starts you’ll need to complete a setup wiz-ard. The default choices are usually correct although, if you use a wifi connection, be sure to select the right type of connection you want Firestarter to protect from the Detected device(s) dropdown list. You can find out the device that provides your network connection by right-clicking the NetworkManager icon, selectingConnection Information, and looking at the end of the line that’s headedInterface.
When the wizard finishes, opt to save the settings.
Configuring incoming connections
Once installed, Firestarter enacts a default policy of turning away unso-licited incoming connections (incoming connections that are requested, such as when Firefox requests a web page, are still allowed). Although extremely safe when it comes to security, turning away unsolicited con-nections isn’t always desirable. For example, the file sharing software BitTorrent relies on other people connecting to your computer unso-licited in order to download file fragments. Additionally, services like
7. Ubuntu, and all Linuxes, has yet to see any spyware. It’s pretty unlikely too, con-sidering of open source software and the generally higher level of awareness of Ubuntu users. But never say never...
CONFIGUREUBUNTU’S FIREWALL 95
network file sharing rely on others being able to connect to your com-puter whenever they want to grab or drop-off files.
Therefore, it’s sometimes necessary to allow some incoming connec-tions, which is done by creating an inbound rule, as follows:
1. Start Firestarter and click thePolicytab. EnsureInbound traffic pol-icy is selected in the Editingdropdown list. Then right-click in the lower part of the window, underneath theAllow serviceheading. In the menu that appears, clickAdd Rule.
2. In the dialog that appears, select the type of incoming connection you want to allow from the Name dropdown list. If you want to allow network file sharing, select Samba (SMB). Once you’ve made your selection, the Port text field will be automatically filled-in.
There should be no need to change this. See Figure 3.9, on the next page for an example taken from my test PC.
3. Under the When the source is heading, you can select Anyone, to allow literally any Internet-connected computer to connect to your computer (advisable in the case of BitTorrent), or IP, host or net-workto restrict it to a particular computer or range of computers.
To only allow computers in your private network to connect, for example, you might type 192.168.1.1-255. This would add a layer of security if you simply want to enable network file sharing, for example.
4. Click theAddbutton and then click theApply Policybutton on the main toolbar. The change will take effect immediately and there’s no need to reboot. Once configuration is complete, you can close the Firestarter program (remember that Firestarter is simply a configuration program for the firewall, and not the firewall itself;
it doesn’t need to be running for the firewall to function).
Configuring outgoing connections
By default Firestarter allows all outgoing connections. For example, should Firefox or Evolution attempt to connect to a website or mail server, it won’t stop them. This is known as a permissive policy. To block all outgoing network connections from software, apart from that which you sanction, Firestarter needs to be switched torestrictive pol-icy. The following steps describe how to enact a restrictive outgoing policy and then create rules so that software is allowed to make
outgo-CONFIGUREUBUNTU’S FIREWALL 96
Figure 3.9: Configuring an inbound rule in Firestarter (see Tip 37, on page93)
ing connections (this is also known as creating awhitelist because only software you list is allowed through ):
1. Start Firestarter and ensure thePolicytab is selected. Then select Outbound traffic policy from the Editing dropdown list. Then select Restrictive by default, whitelist traffic.
2. In the space under the Allow serviceheading at the bottom of the program, right-click and selectAdd rulefrom the menu that appears.
3. In theNamedropdown list, select the type of connection you’d like to pass through unhindered. For example, to allow Firefox (and also Ubuntu’s software management subsystem) to work prop-erly, you’ll need to select HTTP, because HTTP is how web traffic is referred to technically. You will almost certainly want to allow
CONFIGUREUBUNTU’S FIREWALL 97
this. Once that’s done, the Porttext field will be filled-in automat-ically. There should be no need to change this unless you know what you’re doing.
4. If you need to manually create a rule (which is to say, those offered don’t fit your requirements), type the port into the Port text field and then type the name of the new rule straight into the Name field (the Name field works as both a dropdown list and a text field). You can give the new rule any name you wish.
5. Regardless of whether you create your own rule or use one that’s already defined, don’t change anything under theWhen the source is heading. In this case, the settings are only for use when Firestarter is protecting a shared Internet connection. Just click theAdd but-ton to create the rule.
6. Click theApply Policybutton on the toolbar. The changes will take effect immediately and there’s no need to reboot.
If you opt for a restrictive outgoing policy, at the very least you should create rules to allow HTTP, HTTPS, POP3, and SMTP. The first two will allow Firefox to fetch webpages unhindered while the latter two are necessary for getting and sending email (if you use IMAP instead of POP3 then, obviously, you should select that instead).
A restrictive policy can be a pain to maintain because some websites ask Firefox to fetch data using non-HTTP or HTTPS ports. In particular, this can be the case if certain types of plugins are used. In that case, you need to create a rule for each port that gets used, and that involves some technical knowledge of what port is being requested. Additionally, if you install new software that requires Internet access, the port it uses will need to be added.
Turning off network diagnostic tools
Firestarter has another trick up its sleeve. It can stop network diag-nostic responses being sent from your computer. Network diagdiag-nostic tools can be useful in problem-solving situations but there have been a number of occasions when they have been exploited by hackers. To turn off the ports, click Edit → Preferences within Firestarter, select ICMP Filteringon the left of the dialog box that appears, and put a check in the Enable ICMP filtering box (DON’T then put a check in any of the boxes beneath—that will RE-ENABLE the ports!). See Figure 3.10, on
REPAIRWINDOWS FROM WITHINUBUNTU 98
Figure 3.10: Turning off diagnostic tools responses in Firestarter (see Tip37, on page93)
the following page for an example from my test PC. Then clickAccept. You can quit Firestarter following this.