MAC OS X, Linux, Windows and other IT Tips and Tricks

17 Oct 15 Example of using UFW firewall in Debian/Ubuntu

Introduction:
I just started using UFW, a firewall that is configured from terminal commands. The tool seemed a bit difficult to understand at first, but after some trial and error I finally got something working. So here is what I did.

I installed the UFW firewall:
apt-get install ufw

Assumptions:
I want the following conditions:
List of ports to allow from the internal LAN (192.168.100.0/24): ALL
List of ports to allow from localhost (127.0.0.0/16): ALL
List of ports to allow towards the Internet: ALL
List of ports to allow access from the Internet:
ssh: 22
FTP: 21, 20, 20000-20099 (used by pure-ftp)
80
443
Gerrit: 2222

Result: except for the above ports, all the other ports should be blocked from the Internet.

UFW commands to configure the above firewall:

ufw allow from 192.168.100.0/24
ufw allow from 127.0.0.0/16
ufw allow from any to any port 22
ufw allow from any to any port 21
ufw allow 20000:20099/tcp
ufw allow from any to any port 80
ufw allow from any to any port 443
ufw allow from any to any port 2222

Note: above there are no rules for letting packets from local applications out to the Internet. The reason is that the default behavior of this firewall is to let all applications send anything to the Internet.
This can be verified, once the UFW firewall is enabled, by issuing the following command:
iptables -L -n -v | grep 'Chain OUTPUT'
Result:
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
Setting the default policies:
This is quite self-explanatory.
ufw default deny incoming
ufw default allow outgoing

The firewall is not active yet!
WARNING: if you are configuring this firewall over an SSH connection, make sure the following command has been included among the ones above. If it is not, as soon as you activate the firewall you will be locked out of the server and will have no SSH access. Bad news 🙁
ufw allow from any to any port 22
To check the added rules before we enable the firewall:
ufw show added
Now we activate the firewall with the command:
ufw enable
We look at the UFW configuration by issuing the command:
ufw status numbered
You should get the following result:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    192.168.100.0/24
[ 2] Anywhere                   ALLOW IN    127.0.0.0/16
[ 3] 22                         ALLOW IN    Anywhere
[ 4] 21                         ALLOW IN    Anywhere
[ 5] 20000:20099/tcp            ALLOW IN    Anywhere
[ 6] 80                         ALLOW IN    Anywhere
[ 7] 443                        ALLOW IN    Anywhere
[ 8] 2222                       ALLOW IN    Anywhere
[ 9] 22                         ALLOW IN    Anywhere (v6)
[10] 21                         ALLOW IN    Anywhere (v6)
[11] 20000:20099/tcp            ALLOW IN    Anywhere (v6)
[12] 80                         ALLOW IN    Anywhere (v6)
[13] 443                        ALLOW IN    Anywhere (v6)
[14] 2222                       ALLOW IN    Anywhere (v6)

If you need to start over again, run the following:
ufw disable
ufw reset

If you need to delete some rules, for example the rules for port 2222 (rules 8 and 14), delete them by rule number, starting with the last one in the list. The reason is that after each deletion the remaining rules are renumbered: if you deleted rule 8 first, the second rule to delete would no longer be rule 14 but rule 13, and so on.
Example:
ufw delete 14
ufw delete 8
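As an added example (not from the original post), here is a small POSIX shell script that parses a constructed copy of the `ufw status numbered` output shown above, finds every rule whose "To" column is a given port, and prints the matching `ufw delete` commands highest number first, as recommended above. The function names are my own; run it as a dry run and review the output before pasting it into a root shell.

```shell
# Constructed sample of `ufw status numbered` output, rebuilt from the rule
# set in this post (not captured from a live system).
UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    192.168.100.0/24
[ 2] Anywhere                   ALLOW IN    127.0.0.0/16
[ 3] 22                         ALLOW IN    Anywhere
[ 4] 21                         ALLOW IN    Anywhere
[ 5] 20000:20099/tcp            ALLOW IN    Anywhere
[ 6] 80                         ALLOW IN    Anywhere
[ 7] 443                        ALLOW IN    Anywhere
[ 8] 2222                       ALLOW IN    Anywhere
[ 9] 22                         ALLOW IN    Anywhere (v6)
[10] 21                         ALLOW IN    Anywhere (v6)
[11] 20000:20099/tcp            ALLOW IN    Anywhere (v6)
[12] 80                         ALLOW IN    Anywhere (v6)
[13] 443                        ALLOW IN    Anywhere (v6)
[14] 2222                       ALLOW IN    Anywhere (v6)'

# rule_numbers_for_port PORT: print, one per line and in ascending order, the
# numbers of the rules whose "To" column is exactly PORT or PORT/<proto>.
rule_numbers_for_port() {
    printf '%s\n' "$UFW_STATUS" | awk -v port="$1" '
        /^\[/ {
            line = $0
            sub(/^\[ */, "", line)            # "[ 8] 2222 ..." -> "8] 2222 ..."
            num = line; sub(/\].*/, "", num)  # rule number: "8"
            sub(/^[0-9]+\] */, "", line)      # remaining columns: "2222 ALLOW IN ..."
            split(line, col, / +/)
            to = col[1]
            if (to == port || to ~ ("^" port "/")) print num
        }'
}

# delete_commands PORT: emit one `ufw delete N` per matching rule, highest
# number first, so that no deletion renumbers a rule that is still to be
# deleted (the pitfall described in this post).
delete_commands() {
    rule_numbers_for_port "$1" | sort -rn | while read -r num; do
        printf 'ufw delete %s\n' "$num"
    done
}

# Dry run for the port 2222 example above.
delete_commands 2222    # prints "ufw delete 14" then "ufw delete 8"
```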

If you need to insert a rule above an existing one, you give the number of the existing rule that should come after the new one. For example, suppose we want to add a rule denying port 20005 from the Internet.
Note: here it does not make much sense (it is not practical), but it serves as an example. I would insert the new 'deny' rule before rule 11. Here is the command:
ufw insert 11 deny 20005
Let's have a look at the result:
ufw status numbered
Result:
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    192.168.100.0/24
[ 2] Anywhere                   ALLOW IN    127.0.0.0/16
[ 3] 22                         ALLOW IN    Anywhere
[ 4] 21                         ALLOW IN    Anywhere
[ 5] 20005                      DENY IN     Anywhere
[ 6] 20000:20099/tcp            ALLOW IN    Anywhere
[ 7] 80                         ALLOW IN    Anywhere
[ 8] 443                        ALLOW IN    Anywhere
[ 9] 2222                       ALLOW IN    Anywhere
[10] 22                         ALLOW IN    Anywhere (v6)
[11] 21                         ALLOW IN    Anywhere (v6)
[12] 20005                      DENY IN     Anywhere (v6)
[13] 20000:20099/tcp            ALLOW IN    Anywhere (v6)
[14] 80                         ALLOW IN    Anywhere (v6)
[15] 443                        ALLOW IN    Anywhere (v6)
[16] 2222                       ALLOW IN    Anywhere (v6)

As you can see, UFW was smart enough to insert the rule for both IPv4 and IPv6 in the proper positions.

Note for rebooting:
Whenever the UFW firewall is 'enabled' and a reboot occurs, all the rules already saved in:
/lib/ufw/user.rules
/lib/ufw/user6.rules

or in:
/etc/ufw/user.rules
/etc/ufw/user6.rules

will be reactivated at reboot.
WARNING: do not try to edit these files by hand: they are watched, and any manual change will automatically be reverted to the pre-edited version. ;-( Use the ufw command to make any changes to the firewall.

Using UFW on Xen DOM0:
I have had some problems using UFW on Xen DOM0, because by default UFW blocks the forwarding of packets to the DOMUs.
To remedy that, edit the file /etc/default/ufw and change the following setting to ACCEPT:
DEFAULT_FORWARD_POLICY="ACCEPT"
This protects DOM0 only and forwards all other traffic to the DOMUs, leaving each DOMU to protect itself.
Then restart UFW as follows:
ufw disable
ufw enable

For more info on the subject I recommend the following link:
//www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

Logging

By default, UFW logs into /var/log/syslog. To disable this logging do the following:
- Edit the file /etc/rsyslog.d/20-ufw.conf (see its content below), delete the '#' at the start of the last line, and run the following commands to apply the change to the firewall:
ufw disable
ufw enable

Content of /etc/rsyslog.d/20-ufw.conf:
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log
#
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& ~
