Difference between revisions of "Uncomplicated Firewall"

From ArchWiki
Jump to: navigation, search
(Installation: link to articles rather than explaining Arch basics like rc.conf and pacman here)
(Installation)
Line 5: Line 5:
 
{{Package Official|ufw}} can be installed from [community]. If you don't already have iptables installed, it will be pulled in as a dependency.
 
{{Package Official|ufw}} can be installed from [community]. If you don't already have iptables installed, it will be pulled in as a dependency.
  
You need to include ufw in your [[Rc.conf#Daemons|daemons array in rc.conf]]. Do not include the iptables daemon because it simply loads an iptables ruleset from /etc/iptables/.
+
You need to include ufw in your [[Rc.conf#Daemons|daemons array in rc.conf]], ideally before bringing up your network interfaces. Do not include the iptables daemon because it simply loads an iptables ruleset from /etc/iptables/.
  
 
==Basic Configuration==
 
==Basic Configuration==

Revision as of 03:05, 22 July 2011

Uncomplicated firewall (ufw) is a simple frontend for iptables and is available in [community]. The next two sections are simply high-level explanations and examples. Users are encouraged to consult the Ubuntu Firewall Help page for additional details.

Installation

Template:Package Official can be installed from [community]. If you don't already have iptables installed, it will be pulled in as a dependency.

You need to include ufw in your daemons array in rc.conf, ideally before bringing up your network interfaces. Do not include the iptables daemon because it simply loads an iptables ruleset from /etc/iptables/.

Basic Configuration

A very simplistic configuration which will deny all by default, allow any protocol from inside a 192.168.0.1-192.168.0.255 LAN, and allow incoming Deluge and SSH traffic from anywhere:

# ufw default deny
# ufw allow from 192.168.0.0/24
# ufw allow Deluge
# ufw allow SSH

The next line is only need once the first time you install the package. From there on out, either put ufw in your daemons array in rc.conf or control it via the standard rc.d script (i.e. rc.d start ufw):

# ufw enable

Finally, query the rules being applied via the status command:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
Deluge                     ALLOW       Anywhere
SSH                        ALLOW       Anywhere

Adding Other Applications

The PKG comes with some defaults based on the default ports of many common daemons and programs. Inspect the options by looking in the /etc/ufw/applications.d directory or by listing them in the program itself:

# ufw app list

If users are running any of the applications on a non-standard port, it is recommended to simply make Template:Filename containing the needed data using the defaults as a guide.

Warning: If users modify any of the PKG provided rule sets, these will be overwritten the first time the ufw package is updated. This is why custom app definitions need to reside in a non-PKG file as recommended above!

Example, deluge with custom tcp ports that range from 20202-20205:

[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp

Should you require to define both tcp and udp ports for the same application, simply separate them with a pipe as shown: this app opens tcp ports 10000-10002 and udp port 10003

ports=10000:10002/tcp|10003/udp

One can also use a comma to define ports if a range is not desired. This example opens tcp ports 10000-10002 (inclusive) and udp ports 10003 and 10009

 ports=10000:10002/tcp|10003,10009/udp

Deleting Applications

Drawing on the Deluge/Deluge-my example above, the following will remove the standard Deluge rules and replace them with the Deluge-my rules from the above example:

# ufw delete allow Deluge
# ufw allow Deluge-my

Query the result via the status command:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
SSH                        ALLOW       Anywhere
Deluge-my                  ALLOW       Anywhere

Rate Limiting with ufw

ufw has the ability to deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds. Users should consider using this option for services such as sshd.

Using the above basic configuration, to enable rate limiting we would simply replace the allow parameter with the limit parameter. The new rule will then replace the previous.

# ufw limit ssh
Rule updated
# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
SSH                        LIMIT       Anywhere
Deluge-my                  ALLOW       Anywhere