nicoorfi
6/14/2019 - 11:46 AM

Firewall

Debian / UbuntuPermalink

Install UFW

sudo apt-get install ufw

Use UFW to Manage Firewall RulesPermalink Set Default RulesPermalink Most systems will need a only a small number of ports open for incoming connections, and all remaining ports closed. To start with an easy basis of rules, the ufw default command can be used to set the default response to incoming and outgoing connections. To deny all incoming and allow all outgoing connections, run:

sudo ufw default allow outgoing

sudo ufw default deny incoming

The ufw default command also allows for the use of the reject parameter.

Caution

Configuring a default reject or deny rule can lock you out of your Linode unless explicit allow rules are in place. Ensure that you have configured allow rules for SSH and other critical services as per the section below before applying default deny or reject rules. Add RulesPermalink Rules can be added in two ways: By denoting the port number or by using the service name.

For example, to allow both incoming and outgoing connections on port 22 for SSH, you can run:

sudo ufw allow ssh

You can also run:

sudo ufw allow 22

Similarly, to deny traffic on a certain port (in this example, 111) you would only have to run:

sudo ufw deny 111 To farther fine-tune your rules, you can also allow packets based on TCP or UDP. The following will allow TCP packets on port 80:

sudo ufw allow 80/tcp sudo ufw allow http/tcp Whereas this will allow UDP packets on 1725:

sudo ufw allow 1725/udp Advanced RulesPermalink Along with allowing or denying based solely on port, UFW also allows you to allow/block by IP addresses, subnets, and a IP address/subnet/port combinations.

To allow connections from an IP address:

sudo ufw allow from 123.45.67.89 To allow connections from a specific subnet:

sudo ufw allow from 123.45.67.89/24 To allow a specific IP address/port combination:

sudo ufw allow from 123.45.67.89 to any port 22 proto tcp proto tcp can be removed or switched to proto udp depending upon your needs, and all instances of allow can be changed to deny as needed.

Remove RulesPermalink To remove a rule, add delete before the rule implementation. If you no longer wished to allow HTTP traffic, you could run:

sudo ufw delete allow 80 Deleting also allows the use of service names.

Edit UFW’s Configuration FilesPermalink Although simple rules can be added through the command line, there may be a time when more advanced or specific rules need to be added or removed. Prior to running the rules input through the terminal, UFW will run a file, before.rules, that allows loopback, ping, and DHCP. To add to alter these rules edit the /etc/ufw/before.rules file. A before6.rules file is also located in the same directory for IPv6.

An after.rule and an after6.rule file also exists to add any rules that would need to be added after UFW runs your command-line-added rules.

An additional configuration file is located at /etc/default/ufw. From here IPv6 can be disabled or enabled, default rules can be set, and UFW can be set to manage built-in firewall chains.

UFW StatusPermalink You can check the status of UFW at any time with the command: sudo ufw status. This will show a list of all rules, and whether or not UFW is active:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

Enable the FirewallPermalink With your chosen rules in place, your initial run of ufw status will probably output Status: inactive. To enable UFW and enforce your firewall rules:

sudo ufw enable Similarly, to disable UFW’s rules:

sudo ufw disable