Ufw: Difference between revisions

From Lolly's Wiki
m (Text replacement - "</source" to "</syntaxhighlight")
m (Text replacement - "<source " to "<syntaxhighlight ")

Revision as of 16:52, 25 November 2021

Kategorie:Linux

==Disable IPv6==
/etc/default/ufw
<syntaxhighlight lang=bash>
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take effect.
IPV6=no
</syntaxhighlight>

With IPV6=no the allow rules in the sections below apply to IPv4 only, so keep IPV6=yes on any host that actually serves IPv6 clients. Turning off autoconfiguration as well keeps the host from picking up a routable IPv6 address from router advertisements.

/etc/ufw/sysctl.conf
<syntaxhighlight lang=bash>
# Uncomment this to turn off ipv6 autoconfiguration
net/ipv6/conf/default/autoconf=0
net/ipv6/conf/all/autoconf=0
</syntaxhighlight>


==Setup Rules==
===Adding a rule===
<syntaxhighlight lang=bash>
# ufw allow log-all from 192.168.2.0/24 to any app OpenSSH
Rule added
# ufw status verbose
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    192.168.2.0/24 (log-all)
</syntaxhighlight>

===Inserting before===
ufw evaluates rules in the order listed, so insert 1 places the new rule ahead of the existing one; ufw status numbered shows that order.
<syntaxhighlight lang=bash>
# ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH
Rule inserted
# ufw status verbose
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    192.168.1.0/24 (log-all)
22/tcp (OpenSSH)           ALLOW IN    192.168.2.0/24 (log-all)

# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    192.168.1.0/24 (log-all)
[ 2] OpenSSH                    ALLOW IN    192.168.2.0/24 (log-all)
</syntaxhighlight>
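Because every insert renumbers the rules below it, a rule number copied from an older listing may point at the wrong rule by the time it is used with ufw delete or ufw insert. The helper below, an added example that is not part of the wiki page, resolves the number from a fresh ufw status numbered listing right before it is needed. The sample listing is constructed; its first two rules are the page's state after the insert, the third is made up.

```shell
#!/bin/sh
# Added example, not from the wiki page: look up the number of a ufw rule from
# `ufw status numbered` output so it can be deleted or re-inserted deliberately.
# Rule numbers shift whenever a rule is inserted above them, so the number is
# resolved immediately before it is used, never copied from an old listing.

# Constructed sample of `ufw status numbered` output.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    192.168.1.0/24 (log-all)
[ 2] OpenSSH                    ALLOW IN    192.168.2.0/24 (log-all)
[ 3] 3306/tcp (MySQL)           ALLOW IN    10.0.0.0/8'

# ufw_rule_number <to-pattern> <from>
# Reads `ufw status numbered` text on stdin and prints the number of every rule
# whose "To" column contains <to-pattern> and whose "From" column equals <from>.
# Returns 1 when nothing matches, so a caller can refuse to act on a guess.
ufw_rule_number() {
    awk -v to="$1" -v from="$2" '
    /^\[ *[0-9]+\]/ {
        sub(/^\[ */, "[")                  # "[ 1]" -> "[1]": one field, like "[10]"
        num = substr($1, 2, length($1) - 2)
        act = 0
        for (i = 2; i <= NF; i++)          # the action column starts the second half
            if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) { act = i; break }
        if (!act) next
        tocol = $2                         # "To" may span several words: 3306/tcp (MySQL)
        for (i = 3; i < act; i++) tocol = tocol " " $i
        j = act + 1
        if ($j ~ /^(IN|OUT|FWD)$/) j++     # skip the direction word when present
        if (index(tocol, to) && $j == from) { print num; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed listing: prints 2.
printf '%s\n' "$SAMPLE_STATUS" | ufw_rule_number OpenSSH 192.168.2.0/24

# Live use (not run here): resolve, then act in the same breath.
#   n=$(ufw status numbered | ufw_rule_number OpenSSH 192.168.2.0/24) && ufw delete "$n"
```

ufw delete also accepts the full rule text instead of a number, which sidesteps the renumbering problem entirely when the exact rule is known; the lookup is for the case where only the listing is at hand.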

==Own applications==
===nrpe===
/etc/ufw/applications.d/nrpe
<syntaxhighlight lang=bash>
[NRPE]
title=Nagios NRPE
description=Nagios Remote Plugin Executor
ports=5666/tcp
</syntaxhighlight>

===MySQL===
/etc/ufw/applications.d/mysql
<syntaxhighlight lang=bash>
[MySQL]
title=MySQL Server (MySQL, MYSQL)
description=Old and rusty SQL server
ports=3306/tcp
</syntaxhighlight>

===Exim===
/etc/ufw/applications.d/exim
<syntaxhighlight lang=bash>
[Exim SMTP]
title=Mail Server (Exim, SMTP)
description=Small, but very powerful and efficient mail server
ports=25/tcp

[Exim SMTP Virusscanned]
title=Mail Server (Exim, SMTP Virusscanned)
description=Small, but very powerful and efficient mail server
ports=26/tcp

[Exim SMTPS]
title=Mail Server (Exim, SMTPS)
description=Small, but very powerful and efficient mail server
ports=465/tcp

[Exim SMTP Message Submission]
title=Mail Server (Exim, Message Submission)
description=Small, but very powerful and efficient mail server
ports=587/tcp
</syntaxhighlight>

Get a list of rules to set from Exim's configuration:
<syntaxhighlight lang=awk>
# exim -bP local_interfaces | awk '
BEGIN{
  ports[25]="Exim SMTP";
  ports[26]="Exim SMTP Virusscanned";
  ports[465]="Exim SMTPS";
  ports[587]="Exim SMTP Message Submission";
  from="any"; #                                <----- check that this is the source you want to allow
}
{
  gsub(/^.*= /,"");                      # strip the "local_interfaces = " prefix
  split($0,services,/ : /);              # items are separated by " : "
  for(service in services){
    split(services[service],part,/\./);  # 192.168.5.103.25 -> four octets and the port
    ip=part[1]"."part[2]"."part[3]"."part[4];
    port=part[5];
    if(!(port in ports)) continue;       # no profile for this port: skip instead of printing app ""
    printf "ufw allow log from %s to %s app \"%s\"\n",from,ip,ports[port];
  }
}'
ufw allow log from any to 192.168.5.103 app "Exim SMTP"
ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned"
ufw allow log from any to 192.168.5.103 app "Exim SMTPS"
</syntaxhighlight>
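The one-liner above assumes an IPv4-only list in Exim's default colon-separated form. The function below is an added example, not part of the wiki page, that generalises it: it reads exim -bP local_interfaces output on stdin, also accepts Exim's "<;" list form (the separator Exim uses once IPv6 addresses are listed, where each item is written as address.port, e.g. ::1.25), skips items without a port (those listen on daemon_smtp_ports instead), and skips ports that have no profile rather than emitting app "". The port-to-profile map is the page's; the sample Exim output is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: a generalised form of the page's awk
# one-liner that turns Exim's local_interfaces into `ufw allow` commands.
# Assumes Exim's documented item form "address.port" and the "<;" prefix that
# switches the list separator from ":" to ";".

# exim_ufw_rules [from]   -- "from" defaults to "any", as on the page
exim_ufw_rules() {
    awk -v from="${1:-any}" '
    BEGIN {
        # port -> ufw application profile, as defined in the profiles above
        ports[25]  = "Exim SMTP"
        ports[26]  = "Exim SMTP Virusscanned"
        ports[465] = "Exim SMTPS"
        ports[587] = "Exim SMTP Message Submission"
    }
    function skip(item, why) { print "# skipped " item " (" why ")" > "/dev/stderr" }
    {
        sub(/^[^=]*= */, "")                     # drop the "local_interfaces = " prefix
        sep = ":"
        if (sub(/^<; */, "")) sep = ";"          # "<;" selects ";" as the list separator
        n = split($0, items, sep)
        for (i = 1; i <= n; i++) {
            item = items[i]
            gsub(/^[ \t]+|[ \t]+$/, "", item)
            if (item == "") continue
            # Exim appends the port after a final dot: 192.168.5.103.25 or ::1.25
            dot = 0
            for (j = length(item); j > 0; j--)
                if (substr(item, j, 1) == ".") { dot = j; break }
            if (dot == 0) { skip(item, "no port"); continue }
            addr = substr(item, 1, dot - 1)
            port = substr(item, dot + 1)
            # a bare IPv4 address has dots too: require four octets before the port
            if (index(addr, ":") == 0 && split(addr, octet, ".") != 4) { skip(item, "no port"); continue }
            if (!(port in ports)) { skip(item, "no profile for port " port); continue }
            printf "ufw allow log from %s to %s app \"%s\"\n", from, addr, ports[port]
        }
    }'
}

# Constructed sample in the "<;" form: 2525 has no profile, 127.0.0.1 carries no port.
SAMPLE_EXIM='local_interfaces = <; 192.168.5.103.25 ; 192.168.5.103.26 ; 192.168.5.103.465 ; 192.168.5.103.2525 ; ::1.587 ; 127.0.0.1'

# Demonstration: four rules on stdout, two skip notes on stderr.
printf '%s\n' "$SAMPLE_EXIM" | exim_ufw_rules

# Live use (not run here): exim -bP local_interfaces | exim_ufw_rules
# Review the printed commands, then run them.
```

The skip notes go to stderr on purpose: stdout stays a clean list of commands that can be reviewed and then executed, while an interface that silently got no rule is still visible in the run.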

==Inspect your application profile==
<syntaxhighlight lang=bash>
# ufw app info MySQL
Profile: MySQL
Title: MySQL Server (MySQL, MYSQL)
Description: Old and rusty SQL server

Port:
  3306/tcp
</syntaxhighlight>
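ufw app info only shows a profile that ufw managed to load, so a typo in a hand-written file under /etc/ufw/applications.d (like the ones in the "Own applications" section) shows up as a missing profile and, later, as an allow rule that was never applied. The checker below is an added example, not part of the wiki page or of ufw itself: it reads one profile file on stdin and reports every problem it finds, applying the constraints ufw documents for profiles (title, description and ports are required; port items are joined by "|", each "port" or "port/proto", and a "low:high" range needs a protocol). The page's MySQL profile is used as the clean sample; the broken sample is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: a pre-flight check for ufw application
# profiles. Prints one line per problem and returns 1 if any were found.

ufw_profile_check() {
    awk '
    function fail(sec, msg) { printf "%s: %s\n", sec, msg; bad++ }
    function check_ports(sec, spec,   n, i, item, proto, items, r) {
        n = split(spec, items, "|")                     # "|" joins several port items
        for (i = 1; i <= n; i++) {
            item = items[i]; proto = ""
            if (sub(/\/tcp$/, "", item)) proto = "tcp"
            else if (sub(/\/udp$/, "", item)) proto = "udp"
            else if (item ~ /\//) { fail(sec, "bad protocol in \"" items[i] "\""); continue }
            if (item ~ /^[0-9]+$/) {
                if (item + 0 < 1 || item + 0 > 65535) fail(sec, "port out of range: " items[i])
            } else if (item ~ /^[0-9]+:[0-9]+$/) {      # low:high range
                split(item, r, ":")
                if (proto == "") fail(sec, "range needs a protocol: " items[i])
                else if (r[1] + 0 < 1 || r[2] + 0 > 65535 || r[1] + 0 > r[2] + 0)
                    fail(sec, "bad range: " items[i])
            } else fail(sec, "unparseable port item \"" items[i] "\"")
        }
    }
    function finish(   k) {                             # validate the section just read
        if (name == "") return
        if (!("title" in kv)) fail(name, "missing title")
        if (!("description" in kv)) fail(name, "missing description")
        if ("ports" in kv) check_ports(name, kv["ports"])
        else fail(name, "missing ports")
        for (k in kv) delete kv[k]
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }               # comments and blank lines
    /^\[.*\]$/ {                                        # [Section name]
        finish()
        name = substr($0, 2, length($0) - 2)
        if (name in seen) fail(name, "duplicate section")
        seen[name] = 1
        next
    }
    /=/ {                                               # key=value, keys case-insensitive
        if (name == "") { fail("(top)", "key outside a section: " $0); next }
        eq = index($0, "=")
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        kv[key] = val
        next
    }
    { fail(name == "" ? "(top)" : name, "unparseable line: " $0) }
    END { finish(); exit bad ? 1 : 0 }'
}

# The page's MySQL profile (clean) and a constructed broken one.
GOOD_PROFILE='[MySQL]
title=MySQL Server (MySQL, MYSQL)
description=Old and rusty SQL server
ports=3306/tcp'

BAD_PROFILE='[Broken]
title=Broken profile
ports=3306/tpc|70000|1:1024'

# Demonstration: the clean profile prints nothing, the broken one lists four problems.
printf '%s\n' "$GOOD_PROFILE" | ufw_profile_check
printf '%s\n' "$BAD_PROFILE" | ufw_profile_check || true

# Live use (not run here): for f in /etc/ufw/applications.d/*; do ufw_profile_check < "$f"; done
```

Running the check before ufw app update or before adding rules that reference the profile keeps a broken profile from failing quietly; the duplicate-section check also catches the same profile name defined in two files, which otherwise leaves it to load order which definition wins.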