I recently enabled the firewall on my desktop on Ubuntu. I probably did a quick lookup online to find out that sudo ufw enable was enough to enable it. I entered the command and forgot about it.
$ sudo ufw enable
Firewall is active and enabled on system startup
Obviously (and, to be honest, I was waiting for it), it didn’t take long for things to go bad. A few weeks later, while I was not at home and wanted to SSH into my machine via tailscale, I realized that I couldn’t, and quickly remembered the firewall.
Quick side note here: I configured sshd to only bind to the tailscale IP address. I don’t want to expose my desktop on the internet.
Uncomplicated FireWall
ufw was introduced by Ubuntu to ease firewall configuration.
On Linux, firewalling is usually done through the Netfilter subsystem, which is configured via the userspace tool nftables (the successor of iptables). Because nftables is designed to be very generic and exposes the full Netfilter interface, it is very powerful but not easy to learn.
ufw is a simplified interface on top of nftables. It helps the user define simple firewall rules.
This blog post describes basic use cases.
Allow SSH on tailscale only
A very cool feature of ufw is the notion of app. An app is defined by a config file stored in /etc/ufw/applications.d. Apps can be listed with ufw app list.
On my system I already had the OpenSSH app configured:
$ cat /etc/ufw/applications.d/openssh-server
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp
Indeed, on Ubuntu, this configuration file is shipped with the openssh-server package. Now, to enable OpenSSH on tailscale for both IPv4 and IPv6, I can simply run:
sudo ufw allow in on tailscale0 from any to any app OpenSSH
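As an added example (not from the original post, and not part of ufw itself), the script below reads the ports= field of an application profile and prints, for review before applying anything, the per-port ufw rules that scope the app to tailscale0; the profile files, the Samba entry and the tailscale_rules / ufw_app_ports names are constructed for the demonstration. It goes a step beyond the OpenSSH case by handling the "a/tcp|b/udp" group syntax profiles can use.

```shell
#!/bin/sh
# Added example: parse a ufw app profile and print tailscale0-scoped rules.
# Nothing is applied; the output is meant to be reviewed first.

# Constructed sample profiles (the OpenSSH one mirrors the file quoted above).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/openssh-server" <<'EOF'
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp
EOF
cat > "$SAMPLE_DIR/samba" <<'EOF'
[Samba]
title=constructed sample with two port groups
description=constructed sample
ports=137,138/udp|139,445/tcp
EOF

# ufw_app_ports FILE APP: print the ports= value of section [APP] in FILE.
# Only the matching section is read, so multi-app files are handled.
ufw_app_ports() {
    awk -v app="$2" '
        /^\[/ { in_app = ($0 == ("[" app "]")); next }
        in_app && sub(/^ports=/, "") { print; exit }
    ' "$1"
}

# tailscale_rules APP PORTSPEC: one "ufw allow" line per "|" group in
# PORTSPEC, restricted to the tailscale0 interface. With no address family
# given, ufw creates the IPv4 and IPv6 rules itself. Rejects unknown protos.
tailscale_rules() {
    app=$1
    old_ifs=$IFS; IFS='|'; set -- $2; IFS=$old_ifs
    for group; do
        ports=${group%/*}
        proto=${group#*/}
        case $proto in tcp|udp) ;; *) echo "bad port spec: $group" >&2; return 1 ;; esac
        printf 'ufw allow in on tailscale0 proto %s from any to any port %s comment %s\n' \
            "$proto" "$ports" "$app"
    done
}

tailscale_rules OpenSSH "$(ufw_app_ports "$SAMPLE_DIR/openssh-server" OpenSSH)"
tailscale_rules Samba "$(ufw_app_ports "$SAMPLE_DIR/samba" Samba)"
```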