Ufw: Difference between revisions
From Lolly's Wiki
Jump to navigationJump to search
m (Text replacement - "[[Kategorie:" to "[[Category:") |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[ | [[Category:Linux]] | ||
== | ==Disable IPv6== | ||
/etc/default/ufw | /etc/default/ufw | ||
< | <syntaxhighlight lang=bash> | ||
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback | # Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback | ||
# accepted). You will need to 'disable' and then 'enable' the firewall for | # accepted). You will need to 'disable' and then 'enable' the firewall for | ||
# the changes to take affect. | # the changes to take affect. | ||
IPV6=no | IPV6=no | ||
</ | </syntaxhighlight> | ||
/etc/ufw/sysctl.conf | /etc/ufw/sysctl.conf | ||
< | <syntaxhighlight lang=bash> | ||
# Uncomment this to turn off ipv6 autoconfiguration | # Uncomment this to turn off ipv6 autoconfiguration | ||
net/ipv6/conf/default/autoconf=0 | net/ipv6/conf/default/autoconf=0 | ||
net/ipv6/conf/all/autoconf=0 | net/ipv6/conf/all/autoconf=0 | ||
</ | </syntaxhighlight> | ||
==Setup Rules== | ==Setup Rules== | ||
===Adding a rule=== | ===Adding a rule=== | ||
< | <syntaxhighlight lang=bash> | ||
# ufw allow log-all from 192.168.2.0/24 to any app OpenSSH | # ufw allow log-all from 192.168.2.0/24 to any app OpenSSH | ||
Rule added | Rule added | ||
| Line 31: | Line 31: | ||
-- ------ ---- | -- ------ ---- | ||
22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all) | 22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all) | ||
</ | </syntaxhighlight> | ||
===Inserting before=== | ===Inserting before=== | ||
< | <syntaxhighlight lang=bash> | ||
# ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH | # ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH | ||
Rule inserted | Rule inserted | ||
| Line 55: | Line 55: | ||
[ 1] OpenSSH ALLOW IN 192.168.1.0/24 (log-all) | [ 1] OpenSSH ALLOW IN 192.168.1.0/24 (log-all) | ||
[ 2] OpenSSH ALLOW IN 192.168.2.0/24 (log-all) | [ 2] OpenSSH ALLOW IN 192.168.2.0/24 (log-all) | ||
</ | </syntaxhighlight> | ||
==Own applications== | ==Own applications== | ||
===nrpe=== | |||
/etc/ufw/applications.d/nrpe | /etc/ufw/applications.d/nrpe | ||
< | <syntaxhighlight lang=bash> | ||
[NRPE] | [NRPE] | ||
title=Nagios NRPE | title=Nagios NRPE | ||
description=Nagios Remote Plugin Executor | description=Nagios Remote Plugin Executor | ||
ports=5666/tcp | ports=5666/tcp | ||
</ | </syntaxhighlight> | ||
===MySQL=== | |||
/etc/ufw/applications.d/mysql | /etc/ufw/applications.d/mysql | ||
< | <syntaxhighlight lang=bash> | ||
[MySQL] | [MySQL] | ||
title=MySQL Server (MySQL, MYSQL) | title=MySQL Server (MySQL, MYSQL) | ||
description=Old and rusty SQL server | description=Old and rusty SQL server | ||
ports=3306/tcp | ports=3306/tcp | ||
</ | </syntaxhighlight> | ||
===Exim=== | |||
< | /etc/ufw/applications.d/exim | ||
<syntaxhighlight lang=bash> | |||
[Exim SMTP] | |||
title=Mail Server (Exim, SMTP) | |||
description=Small, but very powerful and efficient mail server | |||
ports=25/tcp | |||
[Exim SMTP Virusscanned] | |||
title=Mail Server (Exim, SMTP Virusscanned) | |||
description=Small, but very powerful and efficient mail server | |||
ports=26/tcp | |||
[Exim SMTPS] | |||
title=Mail Server (Exim, SMTPS) | |||
description=Small, but very powerful and efficient mail server | |||
ports=465/tcp | |||
[Exim SMTP Message Submission] | |||
title=Mail Server (Exim, Message Submission) | |||
description=Small, but very powerful and efficient mail server | |||
ports=587/tcp | |||
</syntaxhighlight> | |||
Get a list of rules to set from Exim's configuration: | |||
<syntaxhighlight lang=awk> | |||
# exim -bP local_interfaces | awk ' | |||
BEGIN{ | |||
ports[25]="Exim SMTP"; | |||
ports[26]="Exim SMTP Virusscanned" | |||
ports[465]="Exim SMTPS"; | |||
ports[587]="Exim SMTP Message Submission"; | |||
from="any"; # <----- Look if it fits what you want | |||
} | |||
{ | |||
gsub(/^.*= /,""); | |||
split($0,services,/ : /); | |||
for(service in services){ | |||
split(services[service],part,/\./); | |||
ip=part[1]"."part[2]"."part[3]"."part[4]; | |||
port=part[5]; | |||
printf "ufw allow log from %s to %s app \"%s\"\n",from,ip,ports[port]; | |||
} | |||
}' | |||
ufw allow log from any to 192.168.5.103 app "Exim SMTP" | |||
ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned" | |||
ufw allow log from any to 192.168.5.103 app "Exim SMTPS" | |||
</syntaxhighlight> | |||
==Inspect your application profile== | |||
<syntaxhighlight lang=bash> | |||
# ufw app info MySQL | # ufw app info MySQL | ||
Profile: MySQL | Profile: MySQL | ||
| Line 83: | Line 134: | ||
Port: | Port: | ||
3306/tcp | 3306/tcp | ||
</ | </syntaxhighlight> | ||
Latest revision as of 04:41, 26 November 2021
Disable IPv6
/etc/default/ufw
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no
/etc/ufw/sysctl.conf
# Uncomment this to turn off ipv6 autoconfiguration
net/ipv6/conf/default/autoconf=0
net/ipv6/conf/all/autoconf=0
Setup Rules
Adding a rule
# ufw allow log-all from 192.168.2.0/24 to any app OpenSSH
Rule added
# ufw status verbose
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all)
Inserting before
# ufw insert 1 allow log-all from 192.168.1.0/24 to any app OpenSSH
Rule inserted
# ufw status verbose
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN 192.168.1.0/24 (log-all)
22/tcp (OpenSSH) ALLOW IN 192.168.2.0/24 (log-all)
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] OpenSSH ALLOW IN 192.168.1.0/24 (log-all)
[ 2] OpenSSH ALLOW IN 192.168.2.0/24 (log-all)
Own applications
nrpe
/etc/ufw/applications.d/nrpe
[NRPE]
title=Nagios NRPE
description=Nagios Remote Plugin Executor
ports=5666/tcp
MySQL
/etc/ufw/applications.d/mysql
[MySQL]
title=MySQL Server (MySQL, MYSQL)
description=Old and rusty SQL server
ports=3306/tcp
Exim
/etc/ufw/applications.d/exim
[Exim SMTP]
title=Mail Server (Exim, SMTP)
description=Small, but very powerful and efficient mail server
ports=25/tcp
[Exim SMTP Virusscanned]
title=Mail Server (Exim, SMTP Virusscanned)
description=Small, but very powerful and efficient mail server
ports=26/tcp
[Exim SMTPS]
title=Mail Server (Exim, SMTPS)
description=Small, but very powerful and efficient mail server
ports=465/tcp
[Exim SMTP Message Submission]
title=Mail Server (Exim, Message Submission)
description=Small, but very powerful and efficient mail server
ports=587/tcp
Get a list of rules to set from Exim's configuration:
# exim -bP local_interfaces | awk '
BEGIN{
ports[25]="Exim SMTP";
ports[26]="Exim SMTP Virusscanned"
ports[465]="Exim SMTPS";
ports[587]="Exim SMTP Message Submission";
from="any"; # <----- Look if it fits what you want
}
{
gsub(/^.*= /,"");
split($0,services,/ : /);
for(service in services){
split(services[service],part,/\./);
ip=part[1]"."part[2]"."part[3]"."part[4];
port=part[5];
printf "ufw allow log from %s to %s app \"%s\"\n",from,ip,ports[port];
}
}'
ufw allow log from any to 192.168.5.103 app "Exim SMTP"
ufw allow log from any to 192.168.5.103 app "Exim SMTP Virusscanned"
ufw allow log from any to 192.168.5.103 app "Exim SMTPS"
Inspect your application profile
# ufw app info MySQL
Profile: MySQL
Title: MySQL Server (MySQL, MYSQL)
Description: Old and rusty SQL server
Port:
3306/tcp
