Uncomplicated Firewall (ufw) is the default firewall tool on Ubuntu distributions. It secures incoming, outgoing and internal network traffic by generating the appropriate IPv4 and IPv6 rules on top of iptables.

Its file and directory structure is shown below (I used an Ubuntu Server 10.10 for the tests).

# tree /etc/ufw/
/etc/ufw/
├── after6.rules
├── after.rules
├── applications.d
│ └── openssh-server
├── before6.rules
├── before.rules
├── sysctl.conf
└── ufw.conf

By default, the firewall is disabled. To enable it, run the following command; to turn the firewall off again, use the disable subcommand instead.

# ufw enable
# ufw disable

# ufw status verbose
Estado: activo
Acceso: on (low)
Por defecto: deny (Entrada), allow (Salida)

With ‘status verbose’ we can see that the default policy is to deny incoming traffic and to allow outgoing traffic. These default policies can be changed:

# ufw default allow|deny|reject incoming|outgoing

Now let's look at several examples. For instance, to set up a rule that allows incoming mail traffic (any of the three forms is valid; the service names are declared in the /etc/services file):

# ufw allow 25

# ufw allow 25/tcp

# ufw allow smtp

To remove the rule:

# ufw delete allow 25

To add a rule in a specific position (fourth in the following example):

# ufw insert 4 allow 22

To specify the protocol together with the source and destination addresses in order to deny certain traffic:

# ufw deny proto esp from 192.168.1.0/24 to any

With ufw you can also set the log level (log messages are written to syslog, at the low level by default).

# ufw logging on|off|LEVEL

LEVEL can be off, low, medium, high or full.

Another interesting feature of ufw is the possibility of defining application profiles. For example, I am going to create an application named ‘myapps’ with a series of services:

# vim /etc/ufw/applications.d/myapps
[myapps-1]
title=My applications
description=my applications: Artifactory, Hudson, Sonar, Redmine, actiTIME, Daisy
ports=8081,8080,9000,3000,7000,8888/tcp

Then I have to update the firewall with that profile information.

# ufw app update myapps-1

And finally, I can now set rules that refer to this application profile.

# ufw allow from 10.0.0.0/8 to any app myapps-1

In order to list all applications or to show information about a certain profile, we can run the following commands:

# ufw app list

# ufw app info myapps-1
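As an added example (not code from the post or from ufw itself), here is a small POSIX sh checker for the applications.d profile format used above: it reads a key out of a profile section and validates the ports= value before the profile is handed to ufw. The port-spec grammar it enforces is my reading of ufw's rules and is an assumption; the demo profile is constructed to match the myapps file in the post.

```shell
#!/bin/sh
# Added example, not the post's code: POSIX sh checks for applications.d
# profiles. Port-spec grammar is my reading of ufw's (assumption): '|' separates
# groups, a group is a comma list of ports or low:high ranges with an optional
# /tcp or /udp suffix, and a list or range must name a protocol.

# Print the value of key $3 in section [$2] of INI-style profile file $1.
ufw_profile_field() {
    awk -v sec="$2" -v key="$3" '
        /^\[.*\]$/ { insec = ($0 == "[" sec "]"); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# Return 0 when a port or low:high range lies in 1..65535 and is ordered.
port_item_ok() {
    case "$1" in
        *:*) lo=${1%%:*}; hi=${1#*:} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    for n in "$lo" "$hi"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Return 0 when a whole ports= value is acceptable, 1 otherwise.
ufw_ports_valid() {
    [ -n "$1" ] || return 1
    for group in $(printf '%s\n' "$1" | tr '|' '\n'); do
        proto=
        case "$group" in
            */tcp|*/udp) proto=${group##*/}; group=${group%/*} ;;
            */*) return 1 ;;                        # unknown protocol
        esac
        case "$group" in
            ''|,*|*,|*,,*) return 1 ;;              # empty group or item
            *,*|*:*) [ -n "$proto" ] || return 1 ;; # list/range needs proto
        esac
        for item in $(printf '%s\n' "$group" | tr ',' '\n'); do
            port_item_ok "$item" || return 1
        done
    done
    return 0
}

# Demo on a constructed profile shaped like the post's myapps file.
demo=$(mktemp); printf '[myapps-1]\ntitle=My applications\nports=8081,8080,9000,3000,7000,8888/tcp\n' > "$demo"
spec=$(ufw_profile_field "$demo" myapps-1 ports); rm -f "$demo"
ufw_ports_valid "$spec" && echo "myapps-1 ports OK: $spec" || echo "myapps-1 ports rejected: $spec"
```

Running this before `ufw app update` catches a malformed ports line (for example a port list without /tcp or /udp) instead of letting ufw refuse the profile later.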

Via http://redes-privadas-virtuales.blogspot.com/2011/01/ufw-uncomplicated-firewall.html
