
Focussing with UFW – the Uncomplicated Firewall

I read the news too much. Far too much. It’s horribly addictive and most of the time it’s utterly miserable. Studiously avoid reality with UFW.

Ubuntu has a built-in firewall that can block access to particular IP addresses. This can be used to block access to news of the outside world, should one desire. Identifying the appropriate IP address can take a little work, but once done, it works well. To enable the firewall, run

sudo ufw enable

To find the IP address of a particular domain, you can use dig:

dig bbc.co.uk

With the IP address, you can then block the website using ufw:

sudo ufw deny out to x.x.x.x comment "domain name"

Adding a comment is really handy – otherwise it’s very difficult to identify which IP address corresponds to which domain name, should you later wish to allow access again. The dig and ufw commands can be combined, to give a really easy way to block particular domains:

dig +short www.bbc.com | awk '{printf("sudo ufw deny out to %s comment \"www.bbc.com\"\n",$1) }'

The +short option returns only the resolved IP address, or a list of IP addresses if there are several. The awk command then generates the corresponding ufw deny commands. This output can be piped to bash without too many problems, but it’s probably best to check it first. Be sure to include "www" if you need it. Sometimes you’ll get different servers – www.bbc.co.uk seems to have multiple servers, and which one you get when you do the DNS lookup with dig isn’t so clear. (I’m not an expert, so this may not be exactly right.)

On the whole, this actually works wonderfully. To get a list of current rules (e.g., to delete):

sudo ufw status numbered

and to delete a rule

sudo ufw delete n

where n is the corresponding number. To enable or disable the firewall:

sudo ufw enable
sudo ufw disable

Disabling immediately allows access to anything blocked, and is super easy. Really I ought to extend the above into a set of scripts that allow for simple and easy blocking and unblocking based on a domain name…
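As an added example (not the post's own script), here is a small shell function pair that does the dig-plus-awk step more carefully. One thing the one-liner above does not handle: dig +short can print CNAME targets (hostnames ending in a dot) as well as addresses, and piping those straight into ufw produces invalid rules. The generator below keeps only IPv4 and IPv6 addresses, attaches the domain as the comment, and prints the commands rather than running them, so you can review the rules before piping them to bash. The domain and addresses in the usage comment are constructed sample values.

```shell
# Added example, not from the original post.
# gen_ufw_rules DOMAIN  reads resolver answers (one per line, as dig +short
# prints them) on stdin and writes one "sudo ufw deny out" command per IP.
gen_ufw_rules() {
    domain="$1"
    # Keep dotted-quad IPv4 and colon-separated IPv6 answers only; CNAME
    # targets such as "www.example.com.cdn.example.net." are dropped.
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$' |
        awk -v d="$domain" '{ printf("sudo ufw deny out to %s comment \"%s\"\n", $1, d) }'
}

# block_domain_dryrun DOMAIN  resolves both A and AAAA records and prints the
# rules without applying them. Review the output, then pipe it to bash, e.g.
#   block_domain_dryrun www.example.com | bash
# (www.example.com is a placeholder; dig needs network access, so this
# wrapper is not exercised by the offline test.)
block_domain_dryrun() {
    domain="$1"
    { dig +short "$domain" A; dig +short "$domain" AAAA; } | sort -u | gen_ufw_rules "$domain"
}

# Offline demonstration with constructed resolver output (documentation-range
# addresses and a made-up CNAME line) to show the filtering:
#   printf 'www.example.com.cdn.example.net.\n192.0.2.10\n2001:db8::1\n' \
#       | gen_ufw_rules www.example.com
# prints two commands, one per address, and nothing for the CNAME line.
```

After applying the generated rules, `sudo ufw status numbered` shows each one with its comment, and `sudo ufw delete n` removes it by number as described above. One caveat worth keeping in mind: large sites often sit behind shared CDN addresses, so a deny rule for one domain's IP can also cut off unrelated sites hosted on the same address, and the addresses themselves change over time, which is why re-resolving and reviewing the rules rather than blocking blindly is the safer habit.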