Firewall, Tailscale and Ubuntu

Gauthier Jolly

November 14, 2021

Firewall, Tailscale and Ubuntu

I recently enabled the Firewall on my desktop on Ubuntu. I probably did a quick lookup online to find out that sudo ufw enable was enough to enable it. I entered the command and forgot about it.

$ sudo ufw enable
Firewall is active and enabled on system startup

Obviously, (and to be honest I was waiting for it), it didn’t take long for things to go bad. A few weeks later, while I was not at home and wanted to SSH on my machine via tailscale, I realized that I couldn’t and quickly remember about the Firewall.

Quick side note here: I configured sshd to only bind to the tailscale IP address. I don’t want to expose my desktop on the internet.

Uncomplicated FireWall

ufw was introduced by Ubuntu to ease firewall configuration.

On Linux, “Firewalling” is usually done through the Netfilter subsystem which can be configured via the userspace tool nftables (successor of iptables). Because nftables is made to be very generic and provides a full interface for the Netfilter subsystem, while being very powerfull it is not easy to learn.

ufw is a simplified interface on top nftables. It helps the user to define simple Firewall rules.

This blog post describes basic use cases.

Allow SSH on tailscale only

A very cool feature of ufw is the notion of app. An app is defined by a config file stored in /etc/ufw/applications.d. Apps can be listed with ufw app list.

On my system I already had the OpenSSH app configured:

$ cat /etc/ufw/applications.d/openssh-server
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

Indeed, on Ubuntu, this configuration file is shipped with the openssh-server package. Now to enable OpenSSH on tailscale for both IPv4 and IPv6, I can simply run:

sudo ufw allow in on tailscale0 from any to any app OpenSSH