8.5 KiB
Linux firewall basics with ufw
We take a look at ufw - the uncomplicated firewall - on Linux, providing some insights and commands for making changes. Vertigo3D / Getty Images
The ufw (uncomplicated firewall) represents a serious simplification to iptables and, in the years that it’s been available, has become the default firewall on systems such as Ubuntu and Debian. And, yes, ufw is surprisingly uncomplicated – a boon for newer admins who might otherwise have to invest a lot of time to get up to speed on firewall management.
GUIs are available for ufw (like gufw), but ufw commands are generally issued on the command line. This post examines some commands for using ufw and looks into how it works.
First, one quick way to see how ufw is configured is to look at its configuration file – /etc/default/ufw. In the command below, we display the settings, using grep to suppress the display of both blank lines and comments (line starting with #).
RELATED: Linux hardening: a 15-step checklist for a secure Linux server
$ grep -v '^#\|^$' /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
As you can see, the default policy is to drop input and allow output. Additional rules that allow the connections that you specifically want to be accept are configured separately.
The basic syntax for ufw commands might look like thee below, though this synopsis is not meant to imply that typing only “ufw” will get you further than a quick error telling you that arguments are required.
ufw [--dry-run] [options] [rule syntax]
The --dry-run option means that ufw won’t run the command you specify, but will show you the results that you would see if it did. It will, however, display the entire set of rules as they would exist if the change were made, so be prepared for more than a few lines of output.
To check the status of ufw, run a command like the following. Note that even this command requires use of sudo or use of the root account.
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW 192.168.0.0/24
9090 ALLOW Anywhere
9090 (v6) ALLOW Anywhere (v6)
Otherwise, you will see something like this:
$ ufw status
ERROR: You need to be root to run this script
Adding "verbose" provides a few additional details:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN 192.168.0.0/24
9090 ALLOW IN Anywhere
9090 (v6) ALLOW IN Anywhere (v6)
You can easily allow and deny connections by port number with commands like these:
$ sudo ufw allow 80 <== allow http access
$ sudo ufw deny 25 <== deny smtp access
You can check out the /etc/services file to find the connections between port numbers and service names.
$ grep 80/ /etc/services
http 80/tcp www # WorldWideWeb HTTP
socks 1080/tcp # socks proxy server
socks 1080/udp
http-alt 8080/tcp webcache # WWW caching service
http-alt 8080/udp
amanda 10080/tcp # amanda backup services
amanda 10080/udp
canna 5680/tcp # cannaserver
Alternately, you can use service names like in these commands.
$ sudo ufw allow http
Rule added
Rule added (v6)
$ sudo ufw allow https
Rule added
Rule added (v6)
After making changes, you should check the status again to see that those changes have been made:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW 192.168.0.0/24
9090 ALLOW Anywhere
80/tcp ALLOW Anywhere <==
443/tcp ALLOW Anywhere <==
9090 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6) <==
443/tcp (v6) ALLOW Anywhere (v6) <==
The rules that ufw follows are stored in the /etc/ufw directory. Note that you need root access to view these files and that each contains a large number of rules.
$ ls -ltr /etc/ufw
total 48
-rw-r--r-- 1 root root 1391 Aug 15 2017 sysctl.conf
-rw-r----- 1 root root 1004 Aug 17 2017 after.rules
-rw-r----- 1 root root 915 Aug 17 2017 after6.rules
-rw-r----- 1 root root 1130 Jan 5 2018 before.init
-rw-r----- 1 root root 1126 Jan 5 2018 after.init
-rw-r----- 1 root root 2537 Mar 25 2019 before.rules
-rw-r----- 1 root root 6700 Mar 25 2019 before6.rules
drwxr-xr-x 3 root root 4096 Nov 12 08:21 applications.d
-rw-r--r-- 1 root root 313 Mar 18 17:30 ufw.conf
-rw-r----- 1 root root 1711 Mar 19 10:42 user.rules
-rw-r----- 1 root root 1530 Mar 19 10:42 user6.rules
The changes made earlier in this post (the addition of port 80 for http access and 443 for https (encrypted http) access will look like this in the user.rules and user6.rules files:
# grep " 80 " user*.rules
user6.rules:### tuple ### allow tcp 80 ::/0 any ::/0 in
user6.rules:-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
user.rules:### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
user.rules:-A ufw-user-input -p tcp --dport 80 -j ACCEPT
You have new mail in /var/mail/root
# grep 443 user*.rules
user6.rules:### tuple ### allow tcp 443 ::/0 any ::/0 in
user6.rules:-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
user.rules:### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
user.rules:-A ufw-user-input -p tcp --dport 443 -j ACCEPT
With ufw, you can also easily block connections from a system using a command like this:
$ sudo ufw deny from 208.176.0.50
Rule added
The status command will show the change:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN 192.168.0.0/24
9090 ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
Anywhere DENY IN 208.176.0.50 <== new
9090 (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
All in all, ufw is both easy to configure and easy to understand.
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
via: https://www.networkworld.com/article/3533551/linux-firewall-basics-with-ufw.html
作者:Sandra Henry-Stocker 选题:lujun9972 译者:译者ID 校对:校对者ID