Ufw: Difference between revisions
(→Exim) |
m (Text replacement - "</source" to "</syntaxhighlight") |
||
| Line 7: | Line 7: | ||
# the changes to take affect. | # the changes to take affect. | ||
IPV6=no | IPV6=no | ||
</ | </syntaxhighlight> | ||
/etc/ufw/sysctl.conf | /etc/ufw/sysctl.conf | ||
| Line 14: | Line 14: | ||
net/ipv6/conf/default/autoconf=0 | net/ipv6/conf/default/autoconf=0 | ||
net/ipv6/conf/all/autoconf=0 | net/ipv6/conf/all/autoconf=0 | ||
</ | </syntaxhighlight> | ||
| Line 31: | Line 31: | ||
-- ------ ---- | -- ------ ---- | ||
22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all) | 22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all) | ||
</ | </syntaxhighlight> | ||
===Inserting before=== | ===Inserting before=== | ||
| Line 55: | Line 55: | ||
[ 1] OpenSSH ALLOW IN 192.168.1.0/24 (log-all) | [ 1] OpenSSH ALLOW IN 192.168.1.0/24 (log-all) | ||
[ 2] OpenSSH ALLOW IN 192.168.2.0/24 (log-all) | [ 2] OpenSSH ALLOW IN 192.168.2.0/24 (log-all) | ||
</ | </syntaxhighlight> | ||
==Own applications== | ==Own applications== | ||
| Line 65: | Line 65: | ||
description=Nagios Remote Plugin Executor | description=Nagios Remote Plugin Executor | ||
ports=5666/tcp | ports=5666/tcp | ||
</ | </syntaxhighlight> | ||
===MySQL=== | ===MySQL=== | ||
| Line 74: | Line 74: | ||
description=Old and rusty SQL server | description=Old and rusty SQL server | ||
ports=3306/tcp | ports=3306/tcp | ||
</ | </syntaxhighlight> | ||
===Exim=== | ===Exim=== | ||
| Line 98: | Line 98: | ||
description=Small, but very powerful and efficient mail server | description=Small, but very powerful and efficient mail server | ||
ports=587/tcp | ports=587/tcp | ||
</ | </syntaxhighlight> | ||
Get a list of rules to set from Exim's configuration: | Get a list of rules to set from Exim's configuration: | ||
| Line 123: | Line 123: | ||
ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned" | ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned" | ||
ufw allow log from any to 192.168.5.103 app "Exim SMTPS" | ufw allow log from any to 192.168.5.103 app "Exim SMTPS" | ||
</ | </syntaxhighlight> | ||
==Inspect your application profile== | ==Inspect your application profile== | ||
| Line 134: | Line 134: | ||
Port: | Port: | ||
3306/tcp | 3306/tcp | ||
</ | </syntaxhighlight> | ||
Revision as of 15:29, 25 November 2021
Disable IPv6
/etc/default/ufw <source lang=bash>
- Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
- accepted). You will need to 'disable' and then 'enable' the firewall for
- the changes to take affect.
IPV6=no </syntaxhighlight>
/etc/ufw/sysctl.conf <source lang=bash>
- Uncomment this to turn off ipv6 autoconfiguration
net/ipv6/conf/default/autoconf=0 net/ipv6/conf/all/autoconf=0 </syntaxhighlight>
Setup Rules
Adding a rule
<source lang=bash>
- ufw allow log-all from 192.168.2.0/24 to any app OpenSSH
Rule added
- ufw status verbose
Status: active Logging: on (low) Default: reject (incoming), allow (outgoing), disabled (routed) New profiles: skip
To Action From -- ------ ---- 22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all) </syntaxhighlight>
Inserting before
<source lang=bash>
- ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH
Rule inserted
- ufw status verbose
Status: active Logging: on (low) Default: reject (incoming), allow (outgoing), disabled (routed) New profiles: skip
To Action From -- ------ ---- 22/tcp (OpenSSH) ALLOW IN 192.168.1.0/24 (log-all) 22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all)
- ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] OpenSSH ALLOW IN 192.168.1.0/24 (log-all) [ 2] OpenSSH ALLOW IN 192.168.2.0/24 (log-all) </syntaxhighlight>
Own applications
nrpe
/etc/ufw/applications.d/nrpe <source lang=bash> [NRPE] title=Nagios NRPE description=Nagios Remote Plugin Executor ports=5666/tcp </syntaxhighlight>
MySQL
/etc/ufw/applications.d/mysql <source lang=bash> [MySQL] title=MySQL Server (MySQL, MYSQL) description=Old and rusty SQL server ports=3306/tcp </syntaxhighlight>
Exim
/etc/ufw/applications.d/exim <source lang=bash> [Exim SMTP] title=Mail Server (Exim, SMTP) description=Small, but very powerful and efficient mail server ports=25/tcp
[Exim SMTP Virusscanned] title=Mail Server (Exim, SMTP Virusscanned) description=Small, but very powerful and efficient mail server ports=26/tcp
[Exim SMTPS] title=Mail Server (Exim, SMTPS) description=Small, but very powerful and efficient mail server ports=465/tcp
[Exim SMTP Message Submission] title=Mail Server (Exim, Message Submission) description=Small, but very powerful and efficient mail server ports=587/tcp </syntaxhighlight>
Get a list of rules to set from Exim's configuration: <source lang=awk>
- exim -bP local_interfaces | awk '
BEGIN{
ports[25]="Exim SMTP"; ports[26]="Exim SMTP Virusscanned" ports[465]="Exim SMTPS"; ports[587]="Exim SMTP Message Submission"; from="any"; # <----- Look if it fits what you want
} {
gsub(/^.*= /,"");
split($0,services,/ : /);
for(service in services){
split(services[service],part,/\./);
ip=part[1]"."part[2]"."part[3]"."part[4];
port=part[5];
printf "ufw allow log from %s to %s app \"%s\"\n",from,ip,ports[port];
}
}' ufw allow log from any to 192.168.5.103 app "Exim SMTP" ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned" ufw allow log from any to 192.168.5.103 app "Exim SMTPS" </syntaxhighlight>
Inspect your application profile
<source lang=bash>
- ufw app info MySQL
Profile: MySQL Title: MySQL Server (MySQL, MYSQL) Description: Old and rusty SQL server
Port:
3306/tcp
</syntaxhighlight>
