A brief introduction to the ufw firewall on Linux

  • 2021-07-26 09:13:54
  • OfStack

Let's take a look at ufw (Uncomplicated Firewall) on Linux, with some insight into how it works and the commands used to change the firewall.

ufw (Uncomplicated Firewall) really does simplify iptables, and since its introduction a few years ago it has become the default firewall on systems such as Ubuntu and Debian. ufw is surprisingly simple, which is a boon for new administrators who might otherwise need to spend a lot of time learning firewall management.

ufw also has GUI clients (for example, gufw), but ufw commands are usually run on the command line. This article introduces some ways to use ufw and looks at how it works.

First, a quick way to see how ufw is configured is to look at its configuration file, /etc/default/ufw. Use the following command to view the configuration, using grep to suppress blank lines and comments (lines beginning with #).


$ grep -v '^#\|^$' /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

As you can see, the default policy is to drop incoming traffic but allow outgoing traffic. Rules that allow specific connections to be accepted need to be configured separately.

The basic syntax of the ufw command is shown below. This summary does not mean that you only need to type ufw and it will do the rest; it is a quick reminder of which parameters you need.

ufw [--dry-run] [options] [rule syntax]

The --dry-run option means that ufw will not run the command you specified but will show you what the result would be if it were executed. It shows the whole rule set as it would change, so be prepared for many lines of output.

To check the ufw status, run the following command. Note that even this command needs to be run with sudo or from the root account.


$ sudo ufw status
Status: active
To    Action From
--    ------ ----
22    ALLOW 192.168.0.0/24
9090   ALLOW Anywhere
9090 (v6)   ALLOW Anywhere (v6)

Otherwise, you will see the following:


$ ufw status
ERROR: You need to be root to run this script

Adding the verbose option provides some additional detail:


$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To    Action From
--    ------ ----
22    ALLOW IN 192.168.0.0/24
9090   ALLOW IN Anywhere
9090 (v6)   ALLOW IN Anywhere (v6)

You can easily allow and deny connections by port number using the following command:


$ sudo ufw allow 80  <==  allow http access
$ sudo ufw deny 25  <==  deny smtp access

You can look in the /etc/services file to find the mapping between port numbers and service names.


$ grep 80/ /etc/services
http  80/tcp  www  # WorldWideWeb HTTP
socks  1080/tcp   # socks proxy server
socks  1080/udp
http-alt 8080/tcp webcache # WWW caching service
http-alt 8080/udp
amanda  10080/tcp   # amanda backup services
amanda  10080/udp
canna  5680/tcp   # cannaserver

Alternatively, you can use the name of the service directly in the command.


$ sudo ufw allow http
Rule added
Rule added (v6)
$ sudo ufw allow https
Rule added
Rule added (v6)

After making the changes, you should check the status again to confirm that they took effect:


$ sudo ufw status
Status: active
To    Action From
--    ------ ----
22    ALLOW 192.168.0.0/24
9090   ALLOW Anywhere
80/tcp   ALLOW Anywhere  <==
443/tcp   ALLOW Anywhere  <==
9090 (v6)   ALLOW Anywhere (v6)
80/tcp (v6)  ALLOW Anywhere (v6) <==
443/tcp (v6)  ALLOW Anywhere (v6) <==

The rules that ufw follows are stored in the /etc/ufw directory. Note that you need root access to view these files, each of which contains a large number of rules.


$ ls -ltr /etc/ufw
total 48
-rw-r--r-- 1 root root 1391 Aug 15 2017 sysctl.conf
-rw-r----- 1 root root 1004 Aug 17 2017 after.rules
-rw-r----- 1 root root 915 Aug 17 2017 after6.rules
-rw-r----- 1 root root 1130 Jan 5 2018 before.init
-rw-r----- 1 root root 1126 Jan 5 2018 after.init
-rw-r----- 1 root root 2537 Mar 25 2019 before.rules
-rw-r----- 1 root root 6700 Mar 25 2019 before6.rules
drwxr-xr-x 3 root root 4096 Nov 12 08:21 applications.d
-rw-r--r-- 1 root root 313 Mar 18 17:30 ufw.conf
-rw-r----- 1 root root 1711 Mar 19 10:42 user.rules
-rw-r----- 1 root root 1530 Mar 19 10:42 user6.rules

The changes made earlier in this article added port 80 for http access and port 443 for https access; in the user.rules and user6.rules files they look like this:


# grep " 80 " user*.rules
user6.rules:### tuple ### allow tcp 80 ::/0 any ::/0 in
user6.rules:-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
user.rules:### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
user.rules:-A ufw-user-input -p tcp --dport 80 -j ACCEPT
# grep 443 user*.rules
user6.rules:### tuple ### allow tcp 443 ::/0 any ::/0 in
user6.rules:-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
user.rules:### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
user.rules:-A ufw-user-input -p tcp --dport 443 -j ACCEPT

With ufw you can also easily block connections from a single IP address using the following command:

$ sudo ufw deny from 208.176.0.50
Rule added

The status command displays the changes:


$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To    Action From
--    ------ ----
22    ALLOW IN 192.168.0.0/24
9090   ALLOW IN Anywhere
80/tcp   ALLOW IN Anywhere
443/tcp   ALLOW IN Anywhere
Anywhere   DENY IN 208.176.0.50  <== new
9090 (v6)   ALLOW IN Anywhere (v6)
80/tcp (v6)  ALLOW IN Anywhere (v6)
443/tcp (v6)  ALLOW IN Anywhere (v6)
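
Note the position of the new rule: ufw applies rules in the order listed and the first match wins, so a deny added after the allow rules only catches traffic those rules do not already accept. The following added example (not part of the original article) parses the IPv4 rules from the status output above and evaluates sample packets with first-match semantics; the table text is constructed from the page's own output.

```python
import ipaddress
import re

# Constructed sample: the IPv4 part of the `ufw status verbose` output above,
# after `ufw deny from 208.176.0.50` was appended.
STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         ALLOW IN    192.168.0.0/24
9090                       ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
Anywhere                   DENY IN     208.176.0.50
"""

# One rule line: <port[/proto] | Anywhere>  <ACTION> <IN|OUT>  <source>
RULE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY|REJECT|LIMIT) (IN|OUT)\s+(\S+)")


def parse_status(text):
    """Return (default incoming action, list of rules in listed order)."""
    default = re.search(r"Default: (\w+) \(incoming\)", text).group(1).upper()
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers, blank lines and "(v6)" rows are skipped
        to, action, direction, src = m.groups()
        port, _, proto = to.partition("/")
        rules.append({"port": None if port == "Anywhere" else int(port),
                      "proto": proto or None, "action": action,
                      "direction": direction, "from": src})
    return default, rules


def src_matches(rule_from, src_ip):
    """'Anywhere' matches everything; otherwise test CIDR membership."""
    if rule_from == "Anywhere":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_from, strict=False)


def evaluate(default, rules, src_ip, dport, proto="tcp"):
    """First matching inbound rule decides; otherwise the default policy applies."""
    for r in rules:
        if r["direction"] != "IN" or r["port"] not in (None, dport):
            continue
        if r["proto"] not in (None, proto) or not src_matches(r["from"], src_ip):
            continue
        return r["action"]
    return default
```

With this rule set, 208.176.0.50 is still accepted on ports 80, 443 and 9090 because those allow rules precede the deny; placing the deny first (for example with ufw insert 1 deny from 208.176.0.50) is what blocks the address everywhere.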

In a word, ufw is not only easy to configure, but also easy to understand.
