Gufw Managing ufw on Remote Host

Asked by Jeff Hochberg

Hello!

I just came across Gufw for the first time yesterday. I manage several headless Ubuntu Server VMs - including the configuration and ongoing caring/feeding of the ufw policies.

From what I can tell, Gufw is only capable of configuring the policies directly on the system it is running on top of. I saw someone mention that it's possible to use Gufw to manage a remote system, but it requires the display to be exported to where you want to manage ufw from.

For example - if I'm on my laptop and have two servers:

ubntvm01 - ufw.service - 192.168.1.10
ubntvm02 - ufw.service - 192.168.2.10

I would run Gufw from my laptop, then choose to connect either to 192.168.1.10 or 2.10 at which point I could make adds/moves/changes to the ufw policy.

Has there been any thought given to having a gufw.service daemon that would allow someone to connect to it remotely where they could use Gufw to manage policies remotely?

Thank you,

-JeffH

Question information

Language:
English
Status:
Answered
For:
Gufw
Assignee:
No assignee
costales (costales) said :
#1
Jeff Hochberg (jhochberg) said :
#2

I have seen the link you pointed me to. But it's a hack/workaround and is not desirable for a variety of reasons - mostly having additional unnecessary code on a server.

If it's a headless device (i.e. no desktop installed), then you have to effectively install Gnome and all of its dependencies just to be able to use Gufw on a remote machine to manage it. In reality, this is just exporting the display for Gufw to another system that is also a full desktop.

The purpose of a device being headless is I don't want to manage/maintain the desktop just for the purposes of managing a firewall ruleset.

What I am suggesting is a lightweight daemon you would install on a headless server (which does not require Gnome - or any other desktop for that matter) that would listen for connections from Gufw that's running on a remote system.

costales (costales) said :
#3

Hi Jeff,

As Gufw is a UI for ufw, I think that daemon should be a ufw daemon (?).

Best regards

Jeff Hochberg (jhochberg) said :
#4

I guess maybe I'm spoiled from working with commercial firewalls for too long.

I'm thinking of it in a similar fashion to managing a Check Point Firewall module with a centralized management GUI or a Palo Alto Networks NGFW with Panorama.

When you have a lot of individual host-based firewalls to manage - having a GUI that you can use to connect to them can be very helpful. But what Check Point and Palo Alto are doing is far more than just providing a GUI - they're also providing a centralized configuration store.

costales (costales) said :
#5

Hi, yes, your idea is good, but it needs a lot of work and redoing, so I will keep it as a cool implementation :)
Thanks for your feedback!
