Hey there folks,
I’m trying to figure out how to configure my UFW, and I’m just not sure where to start. What can I do to see the intetnet traffic from individual apps so I can know what I might want to block? This is just my personal computer and I’m a total newbie to configuring firewalls so I’m just not sure how to go about it. Most online guides seem to assume one already knows what they want to block but I don’t even know how/where to monitor local traffic to figure out what I can/should consider blocking.
By default it should be configured to allow all outgoing, and block all incoming. That’s perfectly fine for a desktop/laptop and you don’t need to mess with it.
You can’t really do that much outgoing filtering with a firewall that will be useful, because basically everything operates on port 80/443, and often connects to the same CDNs or datacenter IPs for multiple services.
Instead DNS blocking is a much more effective way to handle it, plus uBlock Origin in your browser.
Just to clarify this comment for other “total newbies”: yes, the UFW default config is fine and “you don’t need to mess with it”.
But by default UFW itself is not even enabled on any desktop OS. And you also don’t need to mess with that. It’s because the firewall is on the router.
OP said clearly that this “is just my personal computer” and here we all are spreading unintentional FUD about firewall configs as if it’s for a public-facing server.
This pisses me off a bit because I remember having exactly the same anxiety as OP, to the point of thinking Linux must be incredibly insecure - how does this firewall work? dammit it’s not even turned on!! And then I learned a bit more about networking.
This discussion should have begun with the basics, not the minutiae.
Many people use laptops and use other wifi networks or tether to their phone, both can expose you because of unknown firewall states or IPv6 being used.
Yes, I am one of those people, literally all the time. This is the point of laptops.
And I use default Ubuntu Desktop config, kept up to date of course.
If that makes me and OP sitting targets, then maybe we should address this concern to the people who make distros rather than to a random anxious newbie.
Its good practice to have a firewall local as well. However, you are right it about it not being to critical
If you really need one take white list approach. Block everything you don’t need and only open what you need. Have fun finding out what you need.
Lots of good answers here but I’ll toss in my own “figure out what you need” experience from my first firewall funtime. (Disclaimer: I used nftables – it should be similar to ufw in terms of defaults though).
- Right off the bat, everything unneeded was blocked. I “needed” no configuration, except for maybe…
- Whatever CUPS runs on (when I use it)
- Sometimes I ran
python -m http.server– I unblocked port 8000 for personal use. - I chose to unblock port 53 (DNS). I wanted to connect to another computer via hostname IIRC (e.g. connecting to raspberry-pi.local. I might be misremembering this though).
- At one point I played with NGINX – that’s port 80 (HTTP) and port 443 (HTTPS).
- SSH was already permitted (port 22 – you need root access to enable traffic through ports below 1024 anyway so this wasn’t an issue for running typical apps)
I didn’t use WireShark back then, really. I think I just ran something like
sudo lsof -nP -iTCP -sTCP:LISTEN
which showed me a bunch of port traffic (mostly just harmless language servers).
You don’t have to dive to deep into all the “egress” and “ingress” and whatnot unless you’re doing something special. Or your software uses a weird port. (LocalSend lol)
You don’t need a firewall on the LAN. It is just an annoyance to have to open ports later. Extra bureaucracy without benefits. This isn’t Windows, you can can easily control your processes, choose if they bind to the network interface and on which port.
In a nutshell,
-
Use wireshark
-
See if theres any weird connections going on (i.e you visit pancakes.com and wireshark shows unrelatedsite.com making a request as well)
-
Block unrelatedsite.com
“What about firewalls?”
Block from ports 1000 'till the very end (65565 if I’m not mistaken.) – that is your “bread and butter” approach.
“W-what if I’m using a port past 1000?”
Nah, you (very likely) aren’t and never will.
This is not great advise to say the least. You want to block all incoming but allow all outgoing.
Also visiting a https site will not magically ports. It uses 443/tcp and if you are using a site with WebRTC (used for calls on platforms like teams) ports 443/UDP and 50000-65535/UDP. However, there is no reason you need to know that unless you are in a professional field
