Simplified Firewall lab using UFW

🖥️Firewall Lab

Firewalls are one of the most fundamental components in network security. They act as a protective barrier between your system and the outside world, controlling which connections are allowed in or out.

In cybersecurity, understanding how to configure and manage a firewall is an essential skill for defending systems from unauthorized access and attacks.

UFW (Uncomplicated Firewall) is a user-friendly command-line interface for managing firewall rules on Linux systems, particularly those that use iptables underneath (like Ubuntu, Debian, and Kali Linux). It simplifies complex firewall commands into readable and straightforward syntax. With UFW you can quickly implement network protection without needing to memorize intricate iptables rules.

This simplified lab provides a basic hands-on introduction to using UFW to secure a Linux system. You’ll learn how to:

  • Enable and manage UFW

  • Allow or deny traffic on specific ports

  • Set up default policies

  • Test and verify your firewall configuration

Check whether UFW is installed and active:
sudo ufw status

Expected output:
Status: inactive

Enable UFW
sudo ufw enable

Add Rules

Use UFW to allow or deny specific ports or services:

Purpose              Command                             Description
Allow SSH            sudo ufw allow 22/tcp               Enables remote login
Allow HTTP           sudo ufw allow 80/tcp               Enables web traffic
Allow HTTPS          sudo ufw allow 443/tcp              Enables secure web traffic
Deny Telnet          sudo ufw deny 23                    Blocks insecure service
Allow specific IP    sudo ufw allow from 192.168.1.10    Allows one trusted host

View Rules

Display active rules:

sudo ufw status numbered

Sample output:

[ 1] 22/tcp ALLOW Anywhere
[ 2] 80/tcp ALLOW Anywhere
[ 3] 23 DENY Anywhere

Delete or Reset Rules

To remove a rule using its number:

sudo ufw delete 3

To reset all configurations:

sudo ufw reset

Set Default Policies

Define default behavior for all connections:

sudo ufw default deny incoming
sudo ufw default allow outgoing

This ensures your system only accepts allowed traffic while still permitting outbound communication.

Disable UFW 

If you need to turn it off temporarily:
sudo ufw disable

Test the Configuration

You can verify allowed or blocked ports using:

ping <target-ip>
nc -zv <target-ip> 22
curl -I http://<target-ip>

Demonstration:

First, we need to bridge our Ubuntu VM to our physical network so we can test the UFW firewall from our host. The test is as simple as hosting a text file on the VM and trying to view it from the host.




Open the VM settings, change the network setting to Bridged Adapter, and boot up the VM.

We will create a folder containing a text file with the content "This traffic was allowed by the firewall" to use as a test throughout this lab.

We will serve this file with Python's http.server module, because it is quick and simple to get up and running.

command: "python3 -m http.server 8080"


We can check that everything is working by opening a browser and going to http://localhost:8080/file.txt

Now we need to check whether we can access this text file from our main host. In my case, that is a Windows host.

We need to grab the IP address of the Ubuntu VM, which is bridged onto our physical network.

I will use the "ifconfig" network command. If it is not installed on your Ubuntu system, install the net-tools package with "sudo apt install net-tools -y".

The Ubuntu VM and your main host should be on the same network. From the host, browse to the VM's IP address using the port number we used to host the text file (8080).


We were able to access it on our host machine.







Now let's try to deny access to this file. To do that, we need to enable UFW, which is inactive by default.
 

Now if we check again, we no longer have access to the file.


To allow the traffic again, we need to tell UFW to allow incoming traffic on TCP port 8080.


And just like that we have access again. 


What if we need to deny only our host from accessing the text file hosted on our Ubuntu VM?

We will have to grab the IP address of the host machine.


And deny it.

An important thing to note here is that UFW evaluates its rules in order from top to bottom and applies the first one that matches. In this case, the rule allowing traffic on port 8080 comes first, so it matches before the deny rule is ever considered. Therefore, the deny rule here is ineffective.

What we should do instead is put the specific deny rules, the ones that are not generalized, at the top of the firewall's rule list.
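The ordering problem described above, as an added example that is not part of the original post: a small shell model of first-match evaluation over constructed "ufw status numbered"-style rule lines. The host address 192.168.1.20 and the function name first_match are assumptions for illustration, and the model only handles the simple "To / Action / From" columns used in this lab.

```shell
#!/bin/sh
# Added example: models first-match rule evaluation; it does not call ufw.
# Rule lines are constructed sample data; 192.168.1.20 stands in for the host IP.

# Broad allow first, specific deny second (the ineffective order from the lab).
RULES_BEFORE='[ 1] 8080/tcp                   ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     192.168.1.20'

# Same rules with the specific deny at position 1. On the VM this is done by
# deleting the deny rule and re-adding it with: sudo ufw insert 1 deny from <host-ip>
RULES_AFTER='[ 1] Anywhere                   DENY IN     192.168.1.20
[ 2] 8080/tcp                   ALLOW IN    Anywhere'

# first_match RULES SRC_IP PORT/PROTO  ->  prints "<rule-number> <ACTION>"
# Falls back to "default DENY", matching the lab policy `default deny incoming`.
first_match() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        /^\[ *[0-9]+\]/ {
            line = $0
            num = line
            sub(/^\[ */, "", num); sub(/\].*/, "", num)   # keep only the rule number
            sub(/^\[ *[0-9]+\] */, "", line)              # strip the "[ N]" prefix
            n = split(line, f, /[ \t]+/)                  # f[1]=To f[2]=Action f[n]=From
            to = f[1]; action = f[2]; from = f[n]
            if ((to == "Anywhere" || to == dst) && (from == "Anywhere" || from == src)) {
                print num, action                         # first matching rule decides
                found = 1
                exit
            }
        }
        END { if (!found) print "default DENY" }
    '
}

echo "deny listed after allow : $(first_match "$RULES_BEFORE" 192.168.1.20 8080/tcp)"
echo "deny inserted at top    : $(first_match "$RULES_AFTER" 192.168.1.20 8080/tcp)"
echo "other host, deny at top : $(first_match "$RULES_AFTER" 192.168.1.30 8080/tcp)"
```

With the deny rule listed second, the host's request is decided by rule 1 (ALLOW); once the deny rule sits at position 1, the host is blocked while other machines still reach port 8080.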

