## page was copied from UFW #title Uncomplicated Firewall - UFW ||<>|| = Introduction = For an introduction to firewalls, please see [[Firewall]]. == UFW - Uncomplicated Firewall == The default firewall configuration tool for Ubuntu is {{{ufw}}}. Developed to ease {{{iptables}}} firewall configuration, {{{ufw}}} provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is enabled but all ports are left open (otherwise there would be no Internet access following installation). [[Gufw]] is a GUI that is available as a frontend. = Basic Syntax and Examples = == Set Default Rule == Setting the default mode of ufw is recommended before turning it on Set Default Deny: {{{ sudo ufw default deny }}} Set Default Allow: {{{ sudo ufw default allow }}} == Enable and Disable == === Enable ufw === To turn UFW on: {{{ sudo ufw enable }}} {{attachment:IconsPage/note.png}} Unless you have used set the default to deny when you initially enable ufw it is in ALLOW mode, and will allow everything incoming and outgoing until you make rulesets. === Disable ufw === To disable ufw use: {{{ sudo ufw disable }}} == Allow and Deny == === Allow === {{{ sudo ufw allow / }}} '''example:''' To allow incoming tcp and udp packet on port 53 {{{ sudo ufw allow 53 }}} '''example:''' To allow incoming tcp packets on port 53 {{{ sudo ufw allow 53/tcp }}} '''example:''' To allow incoming udp packets on port 53 {{{ sudo ufw allow 53/udp }}} === Deny === {{{ sudo ufw deny / }}} '''example:''' To deny tcp and udp packets on port 53 {{{ sudo ufw deny 53 }}} '''example:''' To deny incoming tcp packets on port 53 {{{ sudo ufw deny 53/tcp }}} '''example:''' To deny incoming udp packets on port 53 {{{ sudo ufw deny 53/udp }}} == Delete Existing Rule == To delete a rule, simply prefix the original rule with delete. For example, if the original rule was: {{{ ufw deny 80/tcp }}} Use this to delete it: {{{ sudo ufw delete deny 80/tcp }}} == Services == You can also allow or deny by service name since ufw reads from /etc/services To see get a list of services: {{{ less /etc/services }}} === Allow by Service Name === {{{ sudo ufw allow }}} '''example:''' to allow ssh by name {{{ sudo ufw allow ssh }}} === Deny by Service Name === {{{ sudo ufw deny }}} '''example:''' to deny ssh by name {{{ sudo ufw deny ssh }}} == Status == {{attachment:IconsPage/important.png}} Checking the status of ufw will tell you if ufw is enabled or disabled and also list the current ufw rules that are applied to your iptables. To check the status of ufw: {{{ sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 22:tcp ALLOW 192.168.0.0/24 22:udp ALLOW 192.168.0.0/24 }}} if ufw was not enabled the output would be: {{{ sudo ufw status Status: inactive }}} == Logging == To enable logging use: {{{ sudo ufw logging on }}} To disable logging use: {{{ sudo ufw logging off }}} = Advanced Syntax = You can also use a fuller syntax, specifying the source and destination addresses and ports. == Allow Access == This section shows how to allow specific access. === Allow by Specific IP === {{{ sudo ufw allow }}} '''example:'''To allow packets from 207.46.232.182: {{{ sudo ufw allow from 207.46.232.182 }}} === Allow by Subnet === You may use a net mask : {{{ sudo ufw allow from 192.168.1.0/24 }}} === Allow by specific port and IP address === {{{ sudo ufw allow from to port }}} '''example:''' allow ip address 192.168.0.4 access to port 22 for all protocols {{{ sudo ufw allow from 192.168.0.4 to any port 22 }}} === Enable PING === __Note__: Security by obscurity may be of very little actual benefit with modern cracker scripts. '''By default, UFW allows ping requests'''. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems. You need to edit '''/etc/ufw/before.rules''' and remove edit the following lines: {{{ # ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT }}} Change the "ACCEPT" to "DROP" or {{{ # ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP -A ufw-before-input -p icmp --icmp-type source-quench -j DROP -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP -A ufw-before-input -p icmp --icmp-type echo-request -j DROP }}} == Deny Access == === Deny by specific IP === {{{ sudo ufw deny from }}} '''example:'''To block packets from 207.46.232.182: {{{ sudo ufw deny from 207.46.232.182 }}} === Deny by specific port and IP address === {{{ sudo ufw deny from to port }}} '''example:''' deny ip address 192.168.0.1 access to port 22 for all protocols {{{ sudo ufw deny from 192.168.0.1 to any port 22 }}} === Advanced Blocking Rules === Blocking IP addresses is not so straight forward if you have an existing set of rules as IPTABLES matches in order. So if you started with default deny and added in port 80 for a public server : {{{ sudo ufw allow 80 }}} But then find IP address 111.222.3.44 is hacking your server : {{{ sudo ufw deny 111.222.3.44 }}} '''will do nothing (you allowed access with your first rule).''' You need to edit '''/etc/ufw/before.rules''' and add a section "Block IP" after "Drop INVALID packets" : {{{ -A ufw-before-input -s 111.222.3.44 -j DROP #Assuming no loging is desired of course) # drop INVALID packets # uncomment to log INVALID packets #-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW B$ -A ufw-before-input -m conntrack --ctstate INVALID -j DROP # Block IP # This it is efective :) -A ufw-before-input -s 111.222.3.44 -j DROP }}} == Advanced Example == '''Scenario:''' You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to have access to port 22 {{{ sudo ufw deny from 192.168.0.1 to any port 22 sudo ufw deny from 192.168.0.7 to any port 22 sudo ufw allow from 192.168.0.0/24 to any port 22 }}} {{attachment:IconsPage/important.png}} This puts the specific rules first and the generic second. Once a rule is matched the others will not be evaluated (see manual below) so you must put the specific rules first. '''As rules change you may need to delete old rules to ensure that new rules are put in the proper order.''' To check your rules orders you can check the status; for the scenario the output below is the desired output for the rules to work properly {{{ sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 22:tcp ALLOW 192.168.0.0/24 22:udp ALLOW 192.168.0.0/24 }}} '''Scenario change:''' You want to block access to port 22 to 192.168.0.3 as well as 192.168.0.1 and 192.168.0.7. {{{ sudo ufw delete allow from 192.168.0.0/24 to any port 22 sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 sudo ufw deny 192.168.0.3 to any port 22 sudo ufw allow 192.168.0.0/24 to any port 22 sudo ufw status Firewall loaded To Action From -- ------ ---- 22:tcp DENY 192.168.0.1 22:udp DENY 192.168.0.1 22:tcp DENY 192.168.0.7 22:udp DENY 192.168.0.7 22:tcp DENY 192.168.0.3 22:udp DENY 192.168.0.3 22:tcp ALLOW 192.168.0.0/24 22:udp ALLOW 192.168.0.0/24 }}} {{attachment:IconsPage/important.png}} If you simply add the deny rule the allow would have been above it and been applied instead of the deny = Other Resources = * For instructions on using ufw first see the [[https://help.ubuntu.com/8.04/serverguide/C/firewall.html| official server guide]]. * The most recent syntax and manual can be retrieved by getting the [[http://manpages.ubuntu.com/manpages/man8/ufw.8.html|man page]]. Otherwise open a terminal window and type: {{{ man ufw }}} * [[Firewall]] - wiki homepage for firewall related documentation. * [[Iptables]] - interface to the netfilter subsystem in the Linux kernel. * [[Ubuntu:UbuntuFirewall]] - UFW Project wiki page. * [[Gufw]] - Graphic User Interface for UFW. ---- CategoryNetworking CategorySecurity