Attempting to Solve UFW Ep. 2

After 3 weeks of battling with the so-called “Uncomplicated Firewall”, I finally came across an answer to this nightmare: a redditor told me there is an application firewall called OpenSnitch. It doesn’t look too bad on the outside, and I loved it when I tried it.

UFW (and iptables) is port-based: it filters traffic by the ports it arrives on and leaves from, without knowing which application generated it. OpenSnitch, on the other hand, intercepts the traffic generated by every application and service, denies it by default, and leaves it to the user to block or allow each one. This was exactly what I was looking for.

OpenSnitch in action

Of course, this is unlike UFW, where you can get away with denying all incoming packets by default and opening only a select few ports. OpenSnitch is an application firewall, and you will need to be patient, manually approving each connection. This is very annoying, but only at first: in the long run there won’t be any more prompts from programs you have already approved.

There are drawbacks: OpenSnitch currently does not filter or block inbound traffic. For that I will need to use the old method, iptables. Since the software is constantly updated and has many users, I think inbound filtering will come very soon.

Because I am such an idiot at setting up iptables on my own, I decided to download a preset online and modify it to suit my needs.

# check the syntax first with: iptables-restore --test < iptables.rules
# load firewall config with: iptables-restore < iptables.rules

*filter

# 1: set default DROP policy for INPUT and FORWARD. OUTPUT stays ACCEPT, so the
#    per-port OUTPUT rules below only document intent (unmatched outbound
#    packets are accepted anyway); outbound control is left to OpenSnitch
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow OpenSnitch to see DNS replies via NFQUEUE; --queue-bypass accepts
# them if the daemon is not listening on the queue
-A INPUT -p udp -m udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

# 2: accept any related or established connection (this is what lets the
#    replies to the outbound traffic below back in through the DROP policy)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 3: allow all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# 4: allow outbound DHCP requests
-A OUTPUT -p udp --dport 67:68 -j ACCEPT

# 5: allow outbound DNS lookups
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

# 6: allow outbound ping requests
-A OUTPUT -p icmp -j ACCEPT

# 7: allow outbound NTP requests
-A OUTPUT -p udp --dport 123 -j ACCEPT

# 8: allow outbound http/https requests
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

# 9: allow outbound SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

# 10: allow outbound IMAP/IMAPS
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

# 11: allow outbound SSH
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# 12: WireGuard connections (inbound; matches only when both the source and
#     the destination port are 51820)
-A INPUT -p udp --dport 51820 --sport 51820 -j ACCEPT

# 13: KTorrent listening ports (inbound, open to any source)
-A INPUT -p tcp --dport 6881 -j ACCEPT
-A INPUT -p udp --dport 8881 -j ACCEPT

# 14: Misc inbound ports. Note that the remote peer chooses its own source
#     port, so --sport narrows the match but does not restrict who can connect
-A INPUT -p tcp --dport 1401 --sport 1401 -j ACCEPT
-A INPUT -p udp --dport 1194:1197 --sport 1194:1197 -j ACCEPT
-A INPUT -p udp --dport 1300:1303 --sport 1300:1303 -j ACCEPT
-A INPUT -p udp --dport 1400 --sport 1400 -j ACCEPT

# commit changes
COMMIT
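As an added example (not from the post and not part of OpenSnitch or iptables): a small Python audit of a file in the iptables-restore format above. It reports any INPUT or FORWARD chain whose default policy is not DROP and every INPUT rule that opens a port to any source, noting where the rule relies on a --sport match, which the remote peer controls. The RULES text is a constructed excerpt modelled on the ruleset above.

```python
# Constructed excerpt in iptables-restore format, modelled on the ruleset above.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 51820 --sport 51820 -j ACCEPT
-A INPUT -p tcp --dport 6881 -j ACCEPT
-A INPUT -p udp --dport 1194:1197 --sport 1194:1197 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return (policies, rules): chain -> default target, and one dict per -A rule."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # policy line, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # append-rule line
            toks = line.split()
            rule = {"chain": toks[1], "proto": None, "dport": None,
                    "sport": None, "target": None}
            flags = {"-p": "proto", "--dport": "dport",
                     "--sport": "sport", "-j": "target"}
            for i, tok in enumerate(toks[:-1]):  # every flag here takes one argument
                if tok in flags:
                    rule[flags[tok]] = toks[i + 1]
            rules.append(rule)
    return policies, rules


def audit(text):
    """List the points a reviewer would question before loading the file."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, not DROP")
    for r in rules:
        if r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["dport"]:
            # Exposes a listening port to every host that can reach the machine;
            # --sport adds no protection because the peer picks its own source port.
            note = " (--sport is not a security control)" if r["sport"] else ""
            findings.append(f"INPUT accepts {r['proto']}/{r['dport']} from any source{note}")
    return findings
```

Run `audit(open("iptables.rules").read())` against the real file to get the same report for the full ruleset.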

It works, and is working perfectly for me for the time being. Happy day: no more UFW and no more getting stuck on the Kubuntu logo.