Open main menu

UFW

Revision as of 15:57, 12 December 2017 by Freephile (talk | contribs) (added Category:Firewall using HotCat)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Definition

The "uncomplicated" firewall or UFW is an interface to iptables in Ubuntu.

Implementations

For machines with a GUI you can use firestarter. For headless servers, we use ufw as front-ends to iptables

If you think firewalls are uncomplicated, either you have never administered one, or you have been doing it for a long time. UFW is ONLY a front-end to iptables


Recipes

Take the output from querying the rules on a server named it and apply to whatever other host you need

ssh it sudo cat /etc/firestarter/inbound/allow-from | /usr/bin/awk '{ print "sudo ufw allow from " $1 " to any app Apache # add rule for " $2 }' | /bin/sed s/,//

Gotcha

Save your firewall rules when manipulating iptables directly or you will lose them upon reboot!!!


Because Firestarter (and ufw) are just front-ends to iptables, parsing their respective rulesets will not necessarily give you the full picture of what iptables is configured to do.


Check against the IPs which are present in actual iptables:

iptables-save | grep ACCEPT | awk '{print $4}' | grep ^[[:digit:]] | sort -un

Sample Usage

# show the status
ufw status
# take a closer look (adds protocol info)
ufw status verbose

# rules can be complicated to delete because you need the exact syntax of the 'create' rule

# add ability to connect to the Postgres server
ufw allow from 192.168.1.12 to any port 5432

ufw --dry-run delete allow from 192.168.1.12 to any port 8080
# if a dry run returns a list of rules, then it was "successful".  No output or an error message indicates failure
# deleting a bunch of "allow" rules on port 8080
ufw status verbose |grep 8080 |sed 's/8080/ufw delete/'|sed 's/IN/from/'|sed 's/$/ to any port 8080/'|sh

ufw limit ssh/tcp
# automatically limit the number of ssh attempts from a certain host over a period of time

Reference and HOWTO