UFW : Basic Usage2024/05/29 |
This is the basis of UFW (Uncomplicated FireWall). |
|
[1] | UFW is the frontend tool of nftables/iptables. On Ubuntu 24.04, default backend of UFW is nftables. |
root@dlp:~# update-alternatives --config iptables There are 2 choices for the alternative iptables (providing /usr/sbin/iptables). Selection Path Priority Status ------------------------------------------------------------ * 0 /usr/sbin/iptables-nft 20 auto mode 1 /usr/sbin/iptables-legacy 10 manual mode 2 /usr/sbin/iptables-nft 20 manual mode Press <enter> to keep the current choice[*], or type selection number: |
[2] | To use UFW, it needs to run UFW service. (running by default) Furthermore, even if service is running, UFW is disabled by default, so it needs to enable it manually. |
root@dlp:~# systemctl status ufw * ufw.service - Uncomplicated firewall Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled; preset: enab> Active: active (exited) since Tue 2024-05-28 23:53:09 UTC; 44s ago Docs: man:ufw(8) Process: 497 ExecStart=/usr/lib/ufw/ufw-init start quiet (code=exited, stat> Main PID: 497 (code=exited, status=0/SUCCESS) CPU: 2ms ..... ..... # current status root@dlp:~# ufw status Status: inactive # enable ufw root@dlp:~# ufw enable Firewall is active and enabled on system startup
root@dlp:~#
ufw status Status: active # disable ufw root@dlp:~# ufw disable Firewall stopped and disabled on system startup |
[3] | This is the basis to allow services or port by UFW. |
# incoming connections are all denied by default root@dlp:~# ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip # for example, allow SSH root@dlp:~# ufw allow ssh Rule added Rule added (v6) # for example, allow HTTP root@dlp:~# ufw allow http Rule added Rule added (v6) # for example, allow 2049/tcp root@dlp:~# ufw allow 2049/tcp Rule added Rule added (v6)root@dlp:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
2049/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
2049/tcp (v6) ALLOW IN Anywhere (v6)
# * when running [ufw allow (service name)], the port set in [/etc/services] is allowed
|
[4] | This is the basis to delete rules by UFW. |
root@dlp:~# ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere 80/tcp ALLOW IN Anywhere 2049/tcp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 80/tcp (v6) ALLOW IN Anywhere (v6) 2049/tcp (v6) ALLOW IN Anywhere (v6) # for example, delete the SSH allowing rule root@dlp:~# ufw delete allow ssh Rule deleted Rule deleted (v6) # for example, delete the 80/tcp allowing rule root@dlp:~# ufw delete allow 80/tcp Rule deleted Rule deleted (v6) # show status with rule number root@dlp:~# ufw status numbered Status: active To Action From -- ------ ---- [ 1] 2049/tcp ALLOW IN Anywhere [ 2] 2049/tcp (v6) ALLOW IN Anywhere (v6) # delete a rule with specifying rule number root@dlp:~# ufw delete 2
Deleting:
allow 2049/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)
# to delete all rules and disable UFW, run like follows root@dlp:~# ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20240528_235844'
Backing up 'before.rules' to '/etc/ufw/before.rules.20240528_235844'
Backing up 'after.rules' to '/etc/ufw/after.rules.20240528_235844'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20240528_235844'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20240528_235844'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20240528_235844'
root@dlp:~# ufw status Status: inactive |
[5] | This is the basis to allow services or ports with specific source or destination hosts. |
# for example, allow SSH only from [10.0.0.213] root@dlp:~# ufw allow from 10.0.0.213 to any port ssh Rule added # for example, allow [80/tcp] only from [10.0.0.213] to [10.0.0.30] root@dlp:~# ufw allow from 10.0.0.213 to 10.0.0.30 port 80 proto tcp Rule added # for example, limit SSH from [10.0.0.221] # * over 6 consecutive SSH trial within 30 seconds are denided root@dlp:~# ufw limit from 10.0.0.221 to any port ssh Rule added ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN 10.0.0.213 10.0.0.30 80/tcp ALLOW IN 10.0.0.213 22/tcp LIMIT IN 10.0.0.221 |
[6] | To configure ICMP related settings, edit the configuration file below. Incoming connections are denied all by default but ICMP related connections are allowed. |
root@dlp:~#
vi /etc/ufw/before.rules # ICMP related connections are allowed by the settings below # if you'd like to deny them, simply comment out all like follows # ok icmp codes for INPUT # -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT # -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT # -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT # -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT # ok icmp code for FORWARD # -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT # -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT # -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT # -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT # reload settings root@dlp:~# ufw reload Firewall reloaded # to allow [echo-request] from the specific IP address or network, set like follows # * answer to Ping from remote hosts
root@dlp:~#
vi /etc/ufw/before.rules # for example, allow [echo-request] from [10.0.0.0/24] # ok icmp codes for INPUT # -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT # -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT # -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT # -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -s 10.0.0.0/24 -j ACCEPT # ok icmp code for FORWARD # -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT # -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT # -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT # -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPTroot@dlp:~# ufw reload Firewall reloaded |
Sponsored Link |