Debian 12 bookworm
Sponsored Link

UFW : Basic Usage2023/07/13

 
This is the basis of UFW (Uncomplicated FireWall).
[1] Install UFW.
root@dlp:~#
apt -y install ufw

[2] UFW is the frontend tool of nftables/iptables.
On Debian 12, default backend of UFW is nftables.
root@dlp:~#
update-alternatives --config iptables

There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number:
[3] To use UFW, it needs to run UFW service.
Furthermore, even if service is running, UFW is disabled by default, so it needs to enable it manually.
root@dlp:~#
systemctl enable --now ufw

Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ufw

root@dlp:~#
systemctl status ufw

*  ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; preset: enabled)
     Active: active (exited) since Wed 2023-07-12 18:50:17 CDT; 1min 23s ago
       Docs: man:ufw(8)
    Process: 1254 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=>
   Main PID: 1254 (code=exited, status=0/SUCCESS)
        CPU: 775us

# current status

root@dlp:~#
ufw status

Status: inactive
# enable ufw

root@dlp:~#
ufw enable

Firewall is active and enabled on system startup
root@dlp:~#
ufw status

Status: active
# disable ufw

root@dlp:~#
ufw disable

Firewall stopped and disabled on system startup
[4] This is the basis to allow services or port by UFW.
# incoming connections are all denied by default

root@dlp:~#
ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

# for example, allow SSH

root@dlp:~#
ufw allow ssh

Rule added
Rule added (v6)

# for example, allow HTTP

root@dlp:~#
ufw allow http

Rule added
Rule added (v6)

# for example, allow 2049/tcp

root@dlp:~#
ufw allow 2049/tcp

Rule added
Rule added (v6)

root@dlp:~#
ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
2049/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
2049/tcp (v6)              ALLOW IN    Anywhere (v6)

# * when running [ufw allow (service name)], the port set in [/etc/services] is allowed
[5] This is the basis to delete rules by UFW.
root@dlp:~#
ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
2049/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
2049/tcp (v6)              ALLOW IN    Anywhere (v6)

# for example, delete the SSH allowing rule

root@dlp:~#
ufw delete allow ssh

Rule deleted
Rule deleted (v6)

# for example, delete the 80/tcp allowing rule

root@dlp:~#
ufw delete allow 80/tcp

Rule deleted
Rule deleted (v6)

# show status with rule number

root@dlp:~#
ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 2049/tcp                   ALLOW IN    Anywhere
[ 2] 2049/tcp (v6)              ALLOW IN    Anywhere (v6)

# delete a rule with specifying rule number

root@dlp:~#
ufw delete 2

Deleting:
 allow 2049/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)

# to delete all rules and disable UFW, run like follows

root@dlp:~#
ufw reset

Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20230712_185512'
Backing up 'before.rules' to '/etc/ufw/before.rules.20230712_185512'
Backing up 'after.rules' to '/etc/ufw/after.rules.20230712_185512'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20230712_185512'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20230712_185512'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20230712_185512'

root@dlp:~#
ufw status

Status: inactive
[6] This is the basis to allow services or ports with specific source or destination hosts.
# for example, allow SSH only from [10.0.0.215]

root@dlp:~#
ufw allow from 10.0.0.215 to any port ssh

Rule added
# for example, allow [80/tcp] only from [10.0.0.215] to [10.0.0.30]

root@dlp:~#
ufw allow from 10.0.0.215 to 10.0.0.30 port 80 proto tcp

Rule added
# for example, limit SSH from [10.0.0.220]
# * over 6 consecutive SSH trial within 30 seconds are denided

root@dlp:~#
ufw limit from 10.0.0.220 to any port ssh

Rule added
root@dlp:~#
ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.0.0.215
10.0.0.30 80/tcp           ALLOW IN    10.0.0.215
22/tcp                     LIMIT IN    10.0.0.220

# when using limit, following ruleset are configured

root@dlp:~#
nft list ruleset | grep 'dport 22'

# Warning: table ip filter is managed by iptables-nft, do not touch!
                ip saddr 10.0.0.215 tcp dport 22 counter packets 0 bytes 0 accept
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
                ip saddr 10.0.0.220 tcp dport 22 ct state new xt match recent counter packets 0 bytes 0
                ip saddr 10.0.0.220 tcp dport 22 ct state new xt match recent counter packets 0 bytes 0 jump ufw-user-limit
                ip saddr 10.0.0.220 tcp dport 22 counter packets 0 bytes 0 jump ufw-user-limit-accept
[7] To configure ICMP related settings, edit the configuration file below.
Incoming connections are denied all by default but ICMP related connections are allowed.
root@dlp:~#
vi /etc/ufw/before.rules
# ICMP related connections are allowed by the settings below
# if you'd like to deny them, simply comment out all like follows
# ok icmp codes for INPUT
# -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
# -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
# -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
# -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
# -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# reload settings

root@dlp:~#
ufw reload

Firewall reloaded
# to allow [echo-request] from the specific IP address or network, set like follows
# * answer to Ping from remote hosts

root@dlp:~#
vi /etc/ufw/before.rules
# for example, allow [echo-request] from [10.0.0.0/24]
# ok icmp codes for INPUT
# -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -s 10.0.0.0/24 -j ACCEPT

# ok icmp code for FORWARD
# -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
# -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
# -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
# -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

root@dlp:~#
ufw reload

Firewall reloaded
Matched Content