Transcript from the "Uncomplicated Firewall" Lesson
>> Jem Young: So I previously have taught about IP tables, which are ways of routing, blocking, or denying requests to certain ports over certain protocols. But they're really onerous. And if you can't tell here, it's not a very friendly syntax. Fortunately the kind people at the Open Software Foundation and Ubuntu and Linux, and just the good citizens of the Internet, created something a little bit more lightweight called ufw, the uncomplicated firewall.
[00:00:33] If you can't tell, this uncomplicated firewall will be much less complicated. And again, a firewall just controls the access to these ports and who can get in and out of your computer.
>> Jem Young: And unlike IP tables, ufw has a much simpler syntax for basic services. So if I want to deny say HPS I can say ufw deny HPS.
[00:00:57] And it's much easier to reason about when you're think about on a surface level rather than a port level. And I don't have to be like, I don't have to think, I want to block all TCP traffic to port 4430. No, I can just say UFW deny HPS, and it's gonna block all traffic to port 443.
[00:01:15] So right now it's not running. So let's get it up and running because you know what I want? I want to close port 3000, yes.
>> Speaker 2: What's the difference between deny and reject?
>> Jem Young: Great question. I wonder if I cover that later? If not, I'll cover right now.
[00:01:30] So deny is, I'm trying to remember the difference. Deny black holes requests, okay, it doesn't respond to requests. So if I'm trying to get into port, I don't know, 47, I can just ping that port or try to access it, it'll just hang, it'll just hang and hang.
[00:01:49] But internally I've already dropped that request. I didn't do anything about it, but I won't respond explicitly that port is closed. Reject says, hey, this port is closed, and it sends a packet back to the server. The difference is sometimes you wanna be explicit about telling people that the port is closed, or something like you're using the wrong port, or you're trying to access the wrong server.
[00:02:12] You wanna be a good citizen to the people trying to use your service. Other times you wanna black hole them and not let them tell them anything about what's happening. You don't know if that port's open or if it's just taking a long time to respond or anything.
[00:02:25] Generally you always wanna black hole requests, unless you have a specific case when you wanna tell people that the service that you're trying to access is incorrect or the parameters are invalid or something like that. Great question though, I'm surprised they didn't put it in there, and I could have it backwards, wait, no, deny or reject, yes.
[00:02:43] A lot like the example we gave earlier when we're trying to ping frontendmasters.com and it just hangs and hangs. That's a good way of kind of, I'll say slowing down attackers. I don't wanna say deny attackers because they'll get around that. But it's good way of kind of eating resources cuz every time they try to connect to a service that just black holes them, it just hangs and hangs and it eats their computer resources, it kind of slows down their port crawling.
[00:03:08] Versus reject which is explicitly saying you're not allowed to do that. Great question though.
>> Jem Young: So ufw's installed but it may not be running, but let's check it out. So sudo ufw status,
>> Jem Young: It's inactive. So I'm gonna say sudo ufw start, should do it. It does not enable.
[00:03:37] I always do that. sudo ufw enable.
>> Jem Young: And this may interrupt my existing SSH connection, so we're just gonna say yes.
>> Jem Young: And we're good. I'll say this for you ufw, again, when you start getting into security and IP tables and routing, ufw's a little bit easier. But you can absolutely lock yourself out of the server.
[00:04:03] If I close port 22, which is my SSH port, I have no way of getting into the server at that point and I'm locked out, so be very careful. ufw's okay, you're probably not gonna do anything too bad, but if you start rejecting SSH requests or black holeing them in, you'll be in a world of hurt cuz there's no way to get in the server that point because the port is closed, it's literally locked up somewhere.
>> Jem Young: But we allowed SSH, so we're okay. So let's run ufw status again to see what's open. So sudo ufw status should be up and running, and it's running.
>> Jem Young: And let's find the command to show me what is the routes they're running, what's your firewall status? Let's say status verbose.
>> Jem Young: Nothing, so right now we're still okay because we didn't lock ourselves out completely. But I'm just gonna make sure I had a rule for this, so sudo ufw allow ssh. Now when I do go up, we see that we added a rule for SSH for now. It stays open because when you turn on ufw, by default it's not gonna block your SSH port because they know that if you enabled it when you're on your server you get kicked out and then you locked out.
[00:05:31] Fortunately, there are people that they try to make things a little bit easier for you. We want to enable a few other things, or actually, sorry, we didn't actually enable it. Or no, we did already enable it. Well I wanna allow a few other things, so I wanna allow HTTP.
[00:05:50] So sudo ufw allow htp, and you grant status again, and we see the status of our firewall. This is a much, much, much friendlier syntax than IP tables. [LAUGH] I don't know if any of you have ever done anything with IP tables, but they are not friendly at all, and they make sense once you kind of understand the syntax and what's happening.
[00:06:16] But ufw is just a nice wrapper, a clean wrapper around IP tables.
>> Jem Young: Yeah, that's just showing status, yes.
>> Speaker 3: We're gonna allow HTTPS and then use Nginx to redirect all the HTTP traffic to HTTPS?
>> Jem Young: Yes, you're jumping ahead. [LAUGH] No, it's okay. We will eventually, we're gonna open the HTTPS port, so that's port 443, when we turn on HTTPS.
[00:06:38] And that'll happen a little bit later. So using ufw without it looking it up, how would I create a rule to block all HTTP connections if I wanted to? It's not a trick?
>> Jem Young: Anybody, don't make me call on you.
>> Speaker 4: ufw reject?
>> Jem Young: Yeah, reject what?
>> Speaker 4: HTTP.
>> Jem Young: Yeah, nothing to it. And that's why it's called the uncomplicated firewall. It just simplifies your firewall and it makes it really easy to understand what's happening.
>> Jem Young: sudo reject http, nice.