UFW: Difference between revisions

From Freephile Wiki
m Text replacement - "<(\/?)source" to "<$1syntaxhighlight"
Latest revision as of 13:22, 24 February 2025

Definition

The "Uncomplicated Firewall" (UFW) is Ubuntu's command-line front-end to iptables: it translates its own rule syntax into netfilter rules, and stores the rules it manages under /etc/ufw/ (user.rules and user6.rules for rules added with the ufw command, before.rules and after.rules for the fixed framework around them).

Implementations

For machines with a GUI you can use Firestarter. For headless servers we use ufw; both are front-ends to iptables.

If you think firewalls are uncomplicated, either you have never administered one, or you have been doing it for a long time. UFW is ONLY a front-end to iptables: it neither sees nor reports rules that reached the kernel by any other route.


Recipes

Read the Firestarter allow-list on a server named it and turn each entry into the equivalent ufw command for whatever other host you need. The pipeline only prints the commands; read them before running them, because the address field is copied straight from the remote file (the sed strips the comma that follows the address, and $2 carries only the first word of Firestarter's comment):

ssh it sudo cat /etc/firestarter/inbound/allow-from | /usr/bin/awk '{ print "sudo ufw allow from " $1 " to any app Apache # add rule for " $2 }' | /bin/sed s/,//
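The recipe above emits shell commands built from a file fetched off another host, so the address field deserves a check before anything is pasted into a root shell. The following is an added example, not the wiki's own recipe: it does the same conversion but only emits a command for lines whose address is a well-formed IPv4 address or CIDR range, and quotes the comment for ufw's comment keyword. The "ADDRESS, comment" file format, the app profile name Apache and the sample input are assumptions; the comment keyword needs ufw 0.35 or newer.

```sh
# Added example: generate "ufw allow" commands from a Firestarter-style
# allow-from file, validating the address field first. Not code from the
# wiki page; file format, profile name and sample data are assumptions.

APP="Apache"

# valid_ipv4 ADDR[/PREFIX]: succeeds only for a dotted quad whose octets are
# all in 0..255, with an optional prefix length of at most 32.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip=${1%%/*}
    prefix=${1#"$ip"}
    prefix=${prefix#/}
    if [ -n "$prefix" ] && [ "$prefix" -gt 32 ]; then
        return 1
    fi
    old_ifs=$IFS
    IFS=.
    for octet in $ip; do
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# gen_ufw_allow: read "ADDRESS, comment" lines on stdin and print one
# "ufw allow" command per valid line. Malformed lines are reported on
# stderr and dropped instead of being passed through to the shell.
gen_ufw_allow() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            ''|'#'*) continue ;;
        esac
        addr=${line%%[, ]*}
        comment=${line#"$addr"}
        comment=$(printf '%s' "$comment" | sed 's/^[, ]*//')
        if valid_ipv4 "$addr"; then
            # escape single quotes so the comment survives a later "| sh"
            safe_comment=$(printf '%s' "$comment" | sed "s/'/'\\\\''/g")
            printf "ufw allow from %s to any app %s comment '%s'\n" "$addr" "$APP" "$safe_comment"
        else
            printf 'skipping malformed line: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample of what the remote allow-from file might contain.
SAMPLE_ALLOW_FROM='192.168.1.12, office workstation
10.0.0.0/24, lab net
999.1.1.1, octet out of range
; rm -rf /, injection attempt'

printf '%s\n' "$SAMPLE_ALLOW_FROM" | gen_ufw_allow
```

Run it as `ssh it sudo cat /etc/firestarter/inbound/allow-from | sh thisfile.sh` with the sample lines removed; the two malformed lines in the sample are reported on stderr and never turn into commands.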

Gotcha

Rules added with iptables directly live only in the running kernel: save them (iptables-save to a file that is restored at boot, or the iptables-persistent package) or they are gone after a reboot. Rules added through ufw are written to /etc/ufw/user.rules and user6.rules and reloaded by ufw at boot.


Because Firestarter and ufw are only front-ends to iptables, reading their own rule files or status output will not necessarily give you the full picture of what iptables is configured to do.


Check against the source addresses that actually appear in the live iptables ACCEPT rules. This one-liner assumes -s is the first option on the rule line (field 4 of iptables-save output), which holds for rules ufw writes but not for every hand-written rule; run ip6tables-save as well for IPv6:

iptables-save | grep ACCEPT | awk '{print $4}' | grep '^[[:digit:]]' | sort -un
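Field position is fragile: a rule such as `-A INPUT -i eth0 -s 10.0.0.5/32 -j ACCEPT` puts the address in field 6, and the one-liner above silently drops it. The following is an added example, not from the wiki page, that finds the -s option wherever it sits on the line, and keeps the field-4 version beside it for comparison. The rule set is constructed, not captured from a host.

```sh
# Added example: list source addresses of ACCEPT rules from iptables-save
# output by locating the "-s" option rather than assuming its position.
# SAMPLE_RULES is a constructed rule set, not real output.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A ufw-user-input -s 192.168.1.12/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.5/32 -j ACCEPT
-A INPUT -s 203.0.113.9/32 -j DROP
-A ufw-user-input -s 192.168.1.12/32 -p udp -m udp --dport 5432 -j ACCEPT
COMMIT'

# accept_sources: print each distinct source match (with mask) that appears
# on a rule whose target is ACCEPT, reading iptables-save format on stdin.
# Rules without -s match any source and are not listed.
accept_sources() {
    awk '/-j ACCEPT/ { for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }' | sort -u
}

# accept_sources_field4: the field-position approach from the page, kept
# here only to show what it misses.
accept_sources_field4() {
    grep ACCEPT | awk '{print $4}' | grep '^[[:digit:]]' | sort -un
}

printf '%s\n' "$SAMPLE_RULES" | accept_sources
```

On a real host replace the sample with `iptables-save | accept_sources`; the sample shows 10.0.0.5/32 appearing only in the option-aware output.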

Sample Usage

# show the status
ufw status
# take a closer look (adds protocol, logging level and default-policy info)
ufw status verbose

# deleting a rule by syntax requires the exact text of the rule that created it;
# listing with 'ufw status numbered' and then 'ufw delete <number>' avoids that

# allow the Postgres client at 192.168.1.12 to reach the server
# ('proto tcp' keeps the rule to TCP; without it port 5432 is also opened for UDP)
ufw allow from 192.168.1.12 to any port 5432 proto tcp

# a dry run prints the resulting iptables rules when the rule matches;
# no output or an error message means nothing would be deleted
ufw --dry-run delete allow from 192.168.1.12 to any port 8080

# delete every plain "allow ... to any port 8080" rule: match the To column exactly
# (so "8080/tcp" and "(v6)" entries are left alone), print the commands, review them,
# and only then append "| sh"
ufw status verbose | awk '$1 == "8080" && $2 == "ALLOW" { if ($4 == "Anywhere") print "ufw delete allow 8080"; else print "ufw delete allow from " $4 " to any port 8080" }'

ufw limit ssh/tcp
# rate-limit ssh: an address that opens 6 or more connections within 30 seconds is denied
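Deleting by rule number is the reliable way to clear several rules at once, with one trap: numbers shift down after every delete, so the commands must be issued highest number first. The following is an added example, not from the wiki page, that turns `ufw status numbered` output into delete commands for every rule on a given port, in the right order. The status listing is constructed to resemble ufw's format and is not captured from a host; `ufw delete <n>` asks for confirmation, so add `--force` only once the printed list has been reviewed.

```sh
# Added example: generate "ufw delete <n>" commands, highest number first,
# for every rule whose To column names a given port. SAMPLE_STATUS is a
# constructed listing in the shape of "ufw status numbered", not real output.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 8080                       ALLOW IN    192.168.1.12
[ 3] 5432/tcp                   ALLOW IN    192.168.1.12
[ 4] 8080/tcp                   ALLOW IN    10.0.0.5
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 6] 8080 (v6)                  ALLOW IN    Anywhere (v6)'

# delete_commands_for_port PORT  (reads "ufw status numbered" output on stdin)
# Matches PORT, PORT/proto and the "(v6)" variants, and prints the delete
# commands in descending rule-number order so earlier deletes cannot
# renumber the rules still to be removed.
delete_commands_for_port() {
    port=$1
    awk -v port="$port" '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num)
            sub(/\].*/, "", num)
            rest = $0
            sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, / +/)
            to = f[1]
            sub(/\/.*/, "", to)
            if (to == port) print num
        }' | sort -rn | awk '{ print "ufw delete " $1 }'
}

printf '%s\n' "$SAMPLE_STATUS" | delete_commands_for_port 8080
```

On a live host use `ufw status numbered | delete_commands_for_port 8080`, check the list against the numbered output, and then run it (with `--force` inserted before `delete` if you do not want to confirm each one).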

Reference and HOWTO