UFW (Uncomplicated FireWall)

From Indie IT Wiki
Revision as of 13:33, 7 May 2021 by imported>Plittlefield

UFW (Uncomplicated FireWall) is installed by default on Ubuntu Server; it is a front end that writes and manages the iptables rules for you.

http://manpages.ubuntu.com/manpages/raring/en/man8/ufw.8.html

Make sure you allow SSH from your own IP address before enabling or starting UFW, otherwise the default incoming policy (deny) drops your session and locks you out. 203.0.113.10 below is a documentation placeholder; substitute your real address (it must be a valid IPv4 address or network, or ufw rejects the rule):

sudo ufw allow from 203.0.113.10 to any port 22 proto tcp

Enable

sudo ufw enable

ufw asks for confirmation because enabling may disrupt existing SSH connections; in scripts, add --force to skip the prompt.

Disable

sudo ufw disable

Show Rules

Prints the rules as the ufw commands that created them, which is handy for re-entering them on another host:

sudo ufw show added

List Rules

sudo ufw status numbered

ufw status takes either numbered or verbose, not both: verbose adds the default policies and logging level but drops the rule numbers you need for delete and insert.

Block

Single IP Address

To block all network connections that originate from a specific IP address, 15.15.15.51 for example, run this command:

sudo ufw deny from 15.15.15.51

In this example, from 15.15.15.51 specifies a source IP address of 15.15.15.51. A subnet such as 15.15.15.0/24 may be specified instead. The source address can be given in any rule, including an allow rule. Rules are matched top down and the first match wins, so if allow rules for the same ports already exist the deny has to be inserted above them (see Add A Rule Before Another Rule below).

Connections to a Network Interface

To block connections from a specific IP address, e.g. 15.15.15.51, arriving on a specific network interface, e.g. eth0, use this command:

sudo ufw deny in on eth0 from 15.15.15.51

Add A Rule

Single Port

sudo ufw allow from 192.168.0.0/24 to any port 10000 proto tcp
sudo ufw deny from 185.222.211.0/24 to any port 25 proto tcp

Multiple Ports

The protocol is mandatory when a rule lists more than one port; ufw refuses the rule without it:

sudo ufw allow from 192.168.0.0/24 to any port 32410,32412,32413,32414 proto udp

Add A Rule Before Another Rule

ufw evaluates rules top down and the first match wins. If you add a 'deny' rule after an 'allow' rule that already matches the traffic (say, allow 25/tcp from anywhere), the deny is never reached for that port and the address gets through.

So view the rules as a numbered list first, delete the deny that sits too far down, and re-insert it at the top of the list with ufw insert 1.

List...

sudo ufw status numbered

     To                         Action      From
     --                         ------      ----
[ 1] 25/tcp                     ALLOW IN    Anywhere                  
[ 2] 80/tcp                     ALLOW IN    Anywhere                  
[ 3] 443/tcp                    ALLOW IN    Anywhere                  
[ 4] 993/tcp                    ALLOW IN    Anywhere                  
[ 5] Anywhere                   DENY IN     185.222.211.0/24

Delete...

sudo ufw delete 5

Insert at the top...

sudo ufw insert 1 deny from 185.222.211.0/24

List...

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     185.222.211.0/24          
[ 2] 25/tcp                     ALLOW IN    Anywhere                  
[ 3] 80/tcp                     ALLOW IN    Anywhere                  
[ 4] 443/tcp                    ALLOW IN    Anywhere                  
[ 5] 993/tcp                    ALLOW IN    Anywhere 
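The reordering above is easy to get wrong by hand once a host has dozens of rules. The following script is an added example, not part of the original page: it reads the output of ufw status numbered, reports every blanket deny (To = Anywhere) that sits below a catch-all "ALLOW IN ... Anywhere" rule, and prints the delete/insert commands that move it to position 1. The listing embedded in it is constructed to match the page's own example; the script name and the --sample / - flags are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original page: find DENY rules that ufw will
# never reach because an earlier ALLOW from Anywhere already matched.
# ufw matches top down, first match wins.

# Constructed sample, shaped like the listing on this page (not real output).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 25/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 993/tcp                    ALLOW IN    Anywhere
[ 5] Anywhere                   DENY IN     185.222.211.0/24
[ 6] 22/tcp                     ALLOW IN    192.168.0.0/24'

# shadowed_denies: numbered listing on stdin -> "<rule number> <source>" for
# each blanket deny of a specific source that appears after any
# "ALLOW IN ... Anywhere" rule. Assumes the To column is a single token
# (a port spec or "Anywhere"); interface-qualified rules such as
# "22/tcp on eth0" would shift the columns and are not handled.
shadowed_denies() {
    awk '
        /^\[/ {
            p = index($0, "]")
            num = substr($0, 2, p - 2) + 0          # "[ 5]" -> 5, "[12]" -> 12
            rest = substr($0, p + 1); sub(/^ +/, "", rest)
            split(rest, f, / +/)                    # f[1]=To f[2]=Action f[3]=Dir f[4]=From
            if (f[2] == "ALLOW" && f[3] == "IN" && f[4] == "Anywhere")
                seen_catch_all = 1
            if (f[2] == "DENY" && f[3] == "IN" && f[1] == "Anywhere" \
                && f[4] != "Anywhere" && seen_catch_all)
                print num, f[4]
        }'
}

# fix_commands: numbered listing on stdin -> ufw commands that move every
# shadowed deny to rule 1. Deletes are emitted highest number first, because
# deleting a rule renumbers the ones below it.
fix_commands() {
    found="$(shadowed_denies | sort -rn)"
    [ -n "$found" ] || return 0
    printf '%s\n' "$found" | while read -r num from; do
        printf 'sudo ufw delete %s\n' "$num"
    done
    printf '%s\n' "$found" | while read -r num from; do
        printf 'sudo ufw insert 1 deny from %s\n' "$from"
    done
}

# Usage:  sudo ufw status numbered | sh ufw-shadow-check.sh -
#    or:  sh ufw-shadow-check.sh --sample      (uses the embedded listing)
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_STATUS" | fix_commands ;;
    -)        fix_commands ;;
    *)        echo "usage: sudo ufw status numbered | $0 -   (or: $0 --sample)" >&2 ;;
esac
```

The script only prints commands; review them, then paste them in. It is deliberately conservative: a deny whose To column names a single port is left alone, since whether that one is shadowed depends on which allow rules precede it.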


Delete A Rule

sudo ufw status numbered
sudo ufw delete N

...where N is the number shown in the listing. ufw prints the rule it is about to remove and asks for confirmation:

    Deleting:
     allow from xxx.xxx.0.0/24 to any port xxxx proto xxx
    Proceed with operation (y|n)?

Deleting renumbers every rule below it, so when removing several rules work from the highest number to the lowest, then check the result:

sudo ufw status numbered

Add DHCP

Only a DHCP server needs this; ufw's default before.rules already lets a DHCP client receive its replies on 68/udp.

sudo ufw allow 67/udp

Add Samba

The samba package ships a ufw application profile. Inspect it, then allow it from the LAN only:

sudo ufw app info Samba
sudo ufw allow from 192.168.0.0/24 to any app Samba

or open the four ports individually

sudo ufw allow from 192.168.0.0/24 to any port 137 proto udp
sudo ufw allow from 192.168.0.0/24 to any port 138 proto udp
sudo ufw allow from 192.168.0.0/24 to any port 139 proto tcp
sudo ufw allow from 192.168.0.0/24 to any port 445 proto tcp

Copy Rules Between Computers

Rules are placed in...

Ubuntu 14.04

/lib/ufw/user.rules

Ubuntu 16.04 and later

/etc/ufw/user.rules

IPv6 rules live in user6.rules next to it. ufw rewrites both files whenever a rule is added or deleted, so do not edit rules on the target while copying.

...just copy the ### RULES ### section between computers, then on the new computer run...

sudo ufw show added
sudo ufw disable
sudo ufw enable
sudo ufw status numbered

(sudo ufw reload does the disable/enable pair in one step.)

Thanks - http://serverfault.com/questions/475468/where-does-ufw-uncomplicated-firewall-save-command-line-rules-to
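Copying the section by hand in an editor is error-prone (the markers are easy to duplicate or lose). The script below is an added example, not from the original page or from ufw: it extracts the ### RULES ### block from a source user.rules and splices it into a target file, leaving the target's chain declarations and COMMIT untouched. It assumes only the two marker lines ufw writes; the sample files inside it are constructed, not copied from a real host, and the script name in the usage comment is this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: move the "### RULES ###" block
# between two user.rules files. Relies only on the marker lines
# "### RULES ###" and "### END RULES ###" that ufw writes.

# Constructed samples of the relevant part of a user.rules file.
SRC_SAMPLE='*filter
:ufw-user-input - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 192.168.0.0/24 in
-A ufw-user-input -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT

### END RULES ###
COMMIT'

DST_SAMPLE='*filter
:ufw-user-input - [0:0]
### RULES ###

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###
COMMIT'

# rules_section FILE: print the RULES block of FILE, markers included.
rules_section() {
    sed -n '/^### RULES ###$/,/^### END RULES ###$/p' "$1"
}

# splice_rules SRC DST: print DST with its RULES block replaced by the one
# from SRC. Everything outside the markers in DST is kept on purpose: the
# chain declarations and COMMIT belong to the target host's own ufw version.
splice_rules() {
    awk -v src="$1" '
        /^### RULES ###$/ {
            # emit the source block in place of the target block
            while ((getline line < src) > 0) {
                if (line == "### RULES ###") copying = 1
                if (copying) print line
                if (line == "### END RULES ###") copying = 0
            }
            close(src)
            skipping = 1
            next
        }
        /^### END RULES ###$/ { skipping = 0; next }
        !skipping { print }
    ' "$2"
}

# Usage on the target host, after copying the source file to /tmp/user.rules.src:
#   sh splice-ufw-rules.sh /tmp/user.rules.src /etc/ufw/user.rules > /tmp/user.rules.new
#   sudo cp /tmp/user.rules.new /etc/ufw/user.rules && sudo ufw disable && sudo ufw enable
# Repeat for user6.rules if you have IPv6 rules.
if [ $# -eq 2 ]; then
    splice_rules "$1" "$2"
elif [ $# -ne 0 ]; then
    echo "usage: $0 SOURCE_user.rules TARGET_user.rules" >&2
    exit 2
fi
```

Write the result to a temporary file and diff it against the original before copying it into place; a truncated or doubled block makes ufw fail to load user.rules on the next enable.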

Allow traffic only from a domain with dynamic IP address

BASH Script
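The page has no script under this heading, so the one below is an added example, not the original author's: it keeps an allow rule for one TCP port in step with a hostname whose address changes. Everything beyond the ufw commands is this example's assumption: the name is resolved with getent, the last applied address is cached under /var/lib/ufw-dyndns, the script runs as root from cron, and home.example.org is a made-up hostname.

```shell
#!/bin/sh
# Added example, not part of the original page: keep
# "allow from <ip> to any port <port> proto tcp" following a dynamic-DNS name.
# Run as root from cron (e.g. every 5 minutes). Assumptions not from the
# page: getent(1) for resolution, state kept in $STATE_DIR, one TCP port.

STATE_DIR="${STATE_DIR:-/var/lib/ufw-dyndns}"   # assumed location

# resolve_host NAME: print the first IPv4 address for NAME, nothing on failure.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so a failed lookup (empty string) or garbage never reaches ufw.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# rule_spec IP PORT: the rule text exactly as ufw stores it, used for both
# "ufw allow ..." and "ufw delete allow ..." so the delete matches precisely.
rule_spec() {
    printf 'allow from %s to any port %s proto tcp' "$1" "$2"
}

# sync_rule HOST PORT: resolve HOST and, if the address moved since the last
# run, add the rule for the new address BEFORE removing the old one so the
# remote host is never locked out between the two steps.
sync_rule() {
    host="$1"; port="$2"
    state="$STATE_DIR/$host.$port"
    new="$(resolve_host "$host")"
    if ! valid_ipv4 "$new"; then
        echo "$host did not resolve to an IPv4 address; rules left unchanged" >&2
        return 1
    fi
    old=""
    [ -r "$state" ] && old="$(cat "$state")"
    if [ "$new" = "$old" ]; then
        echo "$host still $old, nothing to do"
        return 0
    fi
    # rule_spec output is deliberately unquoted: ufw wants one argument per word
    ufw $(rule_spec "$new" "$port") >/dev/null
    if [ -n "$old" ]; then
        ufw delete $(rule_spec "$old" "$port") >/dev/null
    fi
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$new" > "$state"
    echo "$host: ${old:-none} -> $new on port $port/tcp"
}

# Usage (as root):  ufw-dyndns.sh --apply home.example.org 22
if [ "${1:-}" = "--apply" ] && [ $# -eq 3 ]; then
    sync_rule "$2" "$3"
else
    echo "usage: $0 --apply HOSTNAME PORT" >&2
fi
```

Two design points: the new rule is added before the old one is deleted, so a DNS change never leaves the remote host without access, and a lookup failure leaves the existing rule in place rather than deleting it. Remember that anyone who can answer that DNS name controls which address gets through, so the name should be one you control and the rule should stay scoped to a single port.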

2 Network Cards

http://askubuntu.com/questions/304766/litle-question-about-ufw-command

http://serverfault.com/questions/270715/ubuntu-ufw-set-a-rule-on-a-per-interface-basis

Rate Limit

Set limits... (as with any multi-port rule, the protocol is mandatory on the last one)

sudo ufw limit smtp
sudo ufw limit ssh/tcp
sudo ufw limit proto tcp from any port 80 to 10.10.10.0/24
sudo ufw limit from any to any port 0:29999,30006:65535 proto tcp

Check limits...

sudo ufw status verbose

A limit rule uses the iptables recent module: a source address that opens 6 or more new connections to the limited port within 30 seconds is rejected, and the rejection is logged with the prefix [UFW LIMIT BLOCK]. That threshold is hardcoded in ufw and cannot be changed on the command line. No port is limited by default, so add a limit rule for each port you want protected. user.rules (/lib/ufw/user.rules on 14.04, /etc/ufw/user.rules on 16.04 and later) is regenerated by ufw every time a rule changes, so thresholds edited into it by hand do not survive; custom limits belong in /etc/ufw/before.rules, as in the following example.

e.g.

Set Limit On HTTP And HTTPS For DDoS Protection

Part 1 (beware: 6 new connections per 30 seconds is easily exceeded by one browser fetching a page with many assets, and certainly by an office behind a single NAT address, so a plain ufw limit on 80 and 443 rejects legitimate visitors; the tuned chains in Part 2 are the part that actually helps)...

sudo ufw limit 80/tcp
sudo ufw limit 443/tcp

Part 2: edit the before rules...

sudo nano /etc/ufw/before.rules

...and declare the two custom chains right after the '# End required lines' comment (they must sit inside the *filter table, above its COMMIT):

# CUSTOM UFW
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]
# END CUSTOM

...then further down, before the final COMMIT line, add the chain contents:

### Start HTTP ###
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http
# Limit connections per Class C
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop
# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 45 -j ufw-http-logdrop
# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 45 -j ufw-http-logdrop
# Finally accept
-A ufw-http -j ACCEPT
# Log
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### END HTTP ###

...

COMMIT

Apply with sudo ufw reload and confirm the chain exists and is counting packets with sudo iptables -L ufw-http -n -v. A typo in a chain name makes the whole of before.rules fail to load and ufw will not start, so keep a backup of the file. On older kernels the recent module caps --hitcount at its ip_pkt_list_tot parameter (default 20) and rejects the 45 used above. The thresholds (50 concurrent connections per /24, 45 new connections per 10 seconds and 45 packets per second from one address) are tight for busy sites and for many users behind one NAT address, so watch the [UFW HTTP DROP] log lines and raise them if legitimate traffic is hit. Per-source limits stop an abusive client or a small botnet; they do nothing against a volumetric flood that fills the link before packets reach the host.
