Ufw: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
m (Text replacement - "[[Kategorie:" to "[[Category:")
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Kategorie:Linux]]
[[Category:Linux]]
==Diable IPv6==
==Disable IPv6==
/etc/default/ufw
/etc/default/ufw
<source lang=bash>
<syntaxhighlight lang=bash>
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
# the changes to take affect.
IPV6=no
IPV6=no
</source>
</syntaxhighlight>


/etc/ufw/sysctl.conf
/etc/ufw/sysctl.conf
<source lang=bash>
<syntaxhighlight lang=bash>
# Uncomment this to turn off ipv6 autoconfiguration
# Uncomment this to turn off ipv6 autoconfiguration
net/ipv6/conf/default/autoconf=0
net/ipv6/conf/default/autoconf=0
net/ipv6/conf/all/autoconf=0
net/ipv6/conf/all/autoconf=0
</source>
</syntaxhighlight>




==Setup Rules==
==Setup Rules==
===Adding a rule===
===Adding a rule===
<source lang=bash>
<syntaxhighlight lang=bash>
# ufw allow log-all from 192.168.2.0/24 to any app OpenSSH  
# ufw allow log-all from 192.168.2.0/24 to any app OpenSSH  
Rule added
Rule added
Line 31: Line 31:
--                        ------      ----
--                        ------      ----
22/tcp (OpenSSH)          ALLOW IN    192.168.2.0/24 (log-all)
22/tcp (OpenSSH)          ALLOW IN    192.168.2.0/24 (log-all)
</source>
</syntaxhighlight>


===Inserting before===
===Inserting before===
<source lang=bash>
<syntaxhighlight lang=bash>
# ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH  
# ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH  
Rule inserted
Rule inserted
Line 55: Line 55:
[ 1] OpenSSH                    ALLOW IN    192.168.1.0/24 (log-all)
[ 1] OpenSSH                    ALLOW IN    192.168.1.0/24 (log-all)
[ 2] OpenSSH                    ALLOW IN    192.168.2.0/24 (log-all)
[ 2] OpenSSH                    ALLOW IN    192.168.2.0/24 (log-all)
</source>
</syntaxhighlight>


==Own applications==
==Own applications==
===nrpe===
/etc/ufw/applications.d/nrpe  
/etc/ufw/applications.d/nrpe  
<source lang=bash>
<syntaxhighlight lang=bash>
[NRPE]
[NRPE]
title=Nagios NRPE
title=Nagios NRPE
description=Nagios Remote Plugin Executor
description=Nagios Remote Plugin Executor
ports=5666/tcp
ports=5666/tcp
</source>
</syntaxhighlight>


===MySQL===
/etc/ufw/applications.d/mysql  
/etc/ufw/applications.d/mysql  
<source lang=bash>
<syntaxhighlight lang=bash>
[MySQL]
[MySQL]
title=MySQL Server (MySQL, MYSQL)
title=MySQL Server (MySQL, MYSQL)
description=Old and rusty SQL server
description=Old and rusty SQL server
ports=3306/tcp
ports=3306/tcp
</source>
</syntaxhighlight>


To inspect use:
===Exim===
<source lang=bash>
/etc/ufw/applications.d/exim
<syntaxhighlight lang=bash>
[Exim SMTP]
title=Mail Server (Exim, SMTP)
description=Small, but very powerful and efficient mail server
ports=25/tcp
 
[Exim SMTP Virusscanned]
title=Mail Server (Exim, SMTP Virusscanned)
description=Small, but very powerful and efficient mail server
ports=26/tcp
 
[Exim SMTPS]
title=Mail Server (Exim, SMTPS)
description=Small, but very powerful and efficient mail server
ports=465/tcp
 
[Exim SMTP Message Submission]
title=Mail Server (Exim, Message Submission)
description=Small, but very powerful and efficient mail server
ports=587/tcp
</syntaxhighlight>
 
Get a list of rules to set from Exim's configuration:
<syntaxhighlight lang=awk>
# exim -bP local_interfaces | awk '
BEGIN{
  ports[25]="Exim SMTP";
  ports[26]="Exim SMTP Virusscanned"
  ports[465]="Exim SMTPS";
  ports[587]="Exim SMTP Message Submission";
  from="any"; #                                <----- Look if it fits what you want
}
{
  gsub(/^.*= /,"");
  split($0,services,/ : /);
  for(service in services){
    split(services[service],part,/\./);
    ip=part[1]"."part[2]"."part[3]"."part[4];
    port=part[5];
    printf "ufw allow log from %s to %s app \"%s\"\n",from,ip,ports[port];
  }
}'
ufw allow log from any to 192.168.5.103 app "Exim SMTP"
ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned"
ufw allow log from any to 192.168.5.103 app "Exim SMTPS"
</syntaxhighlight>
 
==Inspect your application profile==
<syntaxhighlight lang=bash>
# ufw app info MySQL
# ufw app info MySQL
Profile: MySQL
Profile: MySQL
Line 83: Line 134:
Port:
Port:
   3306/tcp
   3306/tcp
</source>
</syntaxhighlight>

Latest revision as of 03:41, 26 November 2021

Disable IPv6

/etc/default/ufw

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

/etc/ufw/sysctl.conf

# Uncomment this to turn off ipv6 autoconfiguration
net/ipv6/conf/default/autoconf=0
net/ipv6/conf/all/autoconf=0


Setup Rules

Adding a rule

# ufw allow log-all from 192.168.2.0/24 to any app OpenSSH 
Rule added
# ufw status verbose
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    192.168.2.0/24 (log-all)

Inserting before

# ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH 
Rule inserted
# ufw status verbose
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    192.168.1.0/24 (log-all)
22/tcp (OpenSSH)           ALLOW IN    192.168.2.0/24 (log-all)

# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    192.168.1.0/24 (log-all)
[ 2] OpenSSH                    ALLOW IN    192.168.2.0/24 (log-all)

Own applications

nrpe

/etc/ufw/applications.d/nrpe

[NRPE]
title=Nagios NRPE
description=Nagios Remote Plugin Executor
ports=5666/tcp

MySQL

/etc/ufw/applications.d/mysql

[MySQL]
title=MySQL Server (MySQL, MYSQL)
description=Old and rusty SQL server
ports=3306/tcp

Exim

/etc/ufw/applications.d/exim

[Exim SMTP]
title=Mail Server (Exim, SMTP)
description=Small, but very powerful and efficient mail server
ports=25/tcp

[Exim SMTP Virusscanned]
title=Mail Server (Exim, SMTP Virusscanned)
description=Small, but very powerful and efficient mail server
ports=26/tcp

[Exim SMTPS]
title=Mail Server (Exim, SMTPS)
description=Small, but very powerful and efficient mail server
ports=465/tcp

[Exim SMTP Message Submission]
title=Mail Server (Exim, Message Submission)
description=Small, but very powerful and efficient mail server
ports=587/tcp

Get a list of rules to set from Exim's configuration:

# exim -bP local_interfaces | awk '
BEGIN{
  ports[25]="Exim SMTP";
  ports[26]="Exim SMTP Virusscanned"
  ports[465]="Exim SMTPS";
  ports[587]="Exim SMTP Message Submission";
  from="any"; #                                <----- Look if it fits what you want
}
{
  gsub(/^.*= /,"");
  split($0,services,/ : /);
  for(service in services){
    split(services[service],part,/\./);
    ip=part[1]"."part[2]"."part[3]"."part[4];
    port=part[5];
    printf "ufw allow log from %s to %s app \"%s\"\n",from,ip,ports[port];
  }
}'
ufw allow log from any to 192.168.5.103 app "Exim SMTP"
ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned"
ufw allow log from any to 192.168.5.103 app "Exim SMTPS"

Inspect your application profile

# ufw app info MySQL
Profile: MySQL
Title: MySQL Server (MySQL, MYSQL)
Description: Old and rusty SQL server

Port:
  3306/tcp