Ufw
Latest revision as of 15 October 2023, 20:12
= Links =
* [https://help.ubuntu.com/community/UFW Help Ubuntu]
* [https://wiki.archlinux.org/index.php/Uncomplicated_Firewall Archlinux]
= [https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands Configuration] =
{{warn | Once a rule is matched, the remaining rules are not evaluated, so the specific rules must come first.}}
<kode lang='bash'>
# list the rules
ufw status verbose
# list the commands that were used to add the rules
ufw show added
# allow tcp connections on port 53
ufw allow 53/tcp comment 'DNS tcp 53'
# allow one ip to reach port 22 over tcp, whatever the destination (any)
ufw allow from 192.168.0.1 to any port 22 proto tcp
# delete the rule that allows tcp connections on port 53
ufw delete allow 53/tcp
# list the rules with their number
ufw status numbered
# delete rule number 2
ufw delete 2
# insert a rule at position 1
ufw insert 1 allow 53/tcp
# deny udp connections on port 53
ufw deny 53/udp
# allow any protocol from inside the 192.168.0.0/24 LAN
ufw allow from 192.168.0.0/24
# allow incoming rate-limited SSH traffic from anywhere
ufw limit ssh
</kode>
= Applications =
<kode lang='bash'>
# list the application profiles (/etc/ufw/applications.d/*)
ufw app list
# apply the profile of application [appname]
ufw allow [appname] comment 'tcp xx'
# only for packets from 192.168.0.0/24
ufw allow from 192.168.0.0/24 to any app [appname]
# only for packets to 192.168.0.0/24
ufw allow to 192.168.0.0/24 app [appname]
# stop applying the profile of application [appname]
ufw delete allow [appname]
# update ufw after modifying the [appname] profile file
ufw app update [appname]
# display the info of the [appname] profile file
ufw app info [appname]
</kode>
== Custom applications ==
<filebox fn='/etc/ufw/applications.d/dnsmasq' lang='ini' collapsed>
[DNS]
title=DNS server
description=DNS server
ports=53
[DHCP]
title=DHCP server
description=DHCP server
ports=67,68/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/openvpn' lang='ini' collapsed>
[VPN]
title=VPN server
description=VPN server
ports=1194/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/transmission' lang='ini' collapsed>
[Torrent]
title=Torrent server
description=Torrent server
ports=9091/tcp|51413
</filebox>
<filebox fn='/etc/ufw/applications.d/amule' lang='ini' collapsed>
[Amule]
title=Amule server
description=Amule server
ports=4662,4711,4712/tcp|4665,4672/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/minidlna' lang='ini' collapsed>
[DLNA]
title=MiniDLNA
description=DLNA media streaming server
ports=8200/tcp|1900/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/gogs' lang='ini' collapsed>
[GOGS]
title=Gogs
description=A painless self-hosted Git service
ports=3000/tcp
</filebox>
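As an added example (not code from this wiki page), the Python script below reads profiles in the /etc/ufw/applications.d format shown above and expands each ports= value into (port, protocol) pairs, following ufw's profile syntax: | separates groups, , separates ports within a group, a /tcp or /udp suffix applies to the whole group, a:b is a range, and a group without a protocol applies to both tcp and udp. It rejects unknown protocols and out-of-range ports, which is the check worth running on a hand-written profile before ufw app update; the sample profile text is constructed from the amule and dnsmasq profiles above.

```python
# Added example: validate and expand ufw application profiles.
import configparser

# Constructed sample, copied from the amule and dnsmasq profiles on this page.
SAMPLE_PROFILE = """\
[Amule]
title=Amule server
description=Amule server
ports=4662,4711,4712/tcp|4665,4672/udp

[DNS]
title=DNS server
description=DNS server
ports=53
"""


def expand_ports(spec):
    """Expand a ufw 'ports=' value into a list of (port-or-range, proto) pairs."""
    result = []
    for group in spec.split("|"):            # '|' separates protocol groups
        group = group.strip()
        if "/" in group:                      # '/tcp' or '/udp' covers the whole group
            ports, proto = group.rsplit("/", 1)
            if proto not in ("tcp", "udp"):
                raise ValueError("unknown protocol %r in %r" % (proto, spec))
            protos = (proto,)
        else:                                 # no protocol: ufw applies both
            ports, protos = group, ("tcp", "udp")
        for port in ports.split(","):        # ',' separates ports in a group
            lo, _, hi = port.partition(":")  # 'a:b' is a port range
            for p in ((lo, hi) if hi else (lo,)):
                if not p.isdigit() or not 1 <= int(p) <= 65535:
                    raise ValueError("bad port %r in %r" % (port, spec))
            result.extend((port, pr) for pr in protos)
    return result


def load_profiles(text):
    """Map each profile name in an applications.d file to its expanded ports."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {name: expand_ports(cfg[name]["ports"]) for name in cfg.sections()}


if __name__ == "__main__":
    for name, ports in load_profiles(SAMPLE_PROFILE).items():
        print(name, ports)
```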
= Startup / status =
{{warn | Don't forget to open the SSH port before starting UFW.}}
<kode lang='bash'>
# start/stop ufw and add it to / remove it from the programs started at boot
ufw enable
ufw disable
# reload the rules without stopping the firewall
ufw reload
# restart the firewall
sudo service ufw restart
sudo ufw reload
# list the rules
ufw status verbose
</kode>
= Rules =
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# allow IGMP (protocol 2) to the all-systems multicast group
-A ufw-before-input -p 2 -d 224.0.0.1 -j ACCEPT
</filebox>
<filebox fn='/etc/ufw/before6.rules' lang='bash'>
# rule to allow multicast (MLD queries, ICMPv6 type 130, from link-local addresses)
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
</filebox>
<kode lang='bash'>
ufw deny from 0.0.0.0
</kode>
= ipset =
Add drop rules which match ipset sets.
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# drop packets from [set-name]
-I INPUT -m set --match-set [set-name] src -j DROP
</filebox>
Sets have to be created before ufw starts: force netfilter-persistent.service to start before ufw.
<filebox fn='/lib/systemd/system/netfilter-persistent.service' lang='ini'>
Before=network-pre.target shutdown.target ufw.service
</filebox>
= [https://ultramookie.com/2020/10/geoip-blocking-ubuntu-20.04/ Geo IP block] =
<kode lang='bash'>
ai geoip-database geoip-bin geoipupdate xtables-addons-common
# test
geoiplookup 58.22.14.217
GeoIP Country Edition: CN, China
modprobe xt_geoip
lsmod | grep ^xt_geoip
iptables -m geoip -h
</kode>
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# drops all traffic from RU and CN
-A ufw-before-input -m geoip --src-cc RU,CN -j DROP
</filebox>
= Log =
{{boxx|/var/log/ufw.log}}
= Errors =
<kode lang='bash'>
# analyze blocked packets
sudo tcpdump -p host 224.0.0.1
</kode>
== UFW does not start at boot ==
=== [https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1726856 Use cron] ===
Failing a proper fix, {{boxx|cron}} can start {{boxx|UFW}} after a reboot.
<filebox fn='crontab' lang='bash'>
@reboot root ufw enable
</filebox>
=== [https://askubuntu.com/questions/1040539/how-do-i-get-ufw-to-start-on-boot Modify the UFW service] ===
<filebox fn='/lib/systemd/system/ufw.service' lang='bash'>
#Before=network.target
After=network-pre.target # doesn't work
After=netfilter-persistent.service # doesn't work
</filebox>
== <nowiki>[UFW BLOCK]</nowiki> SRC=192.168.0.254 DST=224.0.0.1 PROTO=2 ==
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# [UFW BLOCK] IN=eth0 OUT= MAC=XX:...:XX SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
# livebox.home > all-systems.mcast.net: igmp query v2
# drop multicast IGMP packets sent by the livebox
-A ufw-before-input -i eth0 -s 192.168.0.254 -d 224.0.0.1 -p igmp -j DROP
# ??? allow MULTICAST mDNS for service discovery ???
# note: mDNS uses the 224.0.0.251 group, so this rule as written will not match mDNS traffic
-A ufw-before-input -i eth0 -p udp -d 224.0.0.1 -s 192.168.0.254 --dport 5353 -j ACCEPT
</filebox>
== <nowiki>[UFW BLOCK]</nowiki> SRC=192.168.0.x DST=239.255.255.250 ==
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# allow MULTICAST UPnP for service discovery
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# IN=eth0 OUT= MAC= SRC=192.168.0.x DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
-A ufw-before-input -i eth0 -p igmp -d 239.255.255.250 -s 192.168.0.x -j ACCEPT
# allow Web Services Dynamic Discovery (port 3702 on IP multicast 239.255.255.250)
# IN=eth0 OUT= MAC=XX:..:XX SRC=192.168.0.x DST=239.255.255.250 LEN=684 TOS=0x00 PREC=0x00 TTL=1 ID=22271 PROTO=UDP SPT=58421 DPT=3702 LEN=664
-A ufw-before-input -i eth0 -p udp -s 192.168.0.0/24 -d 239.255.255.250 --dport 3702 -j ACCEPT
</filebox>
== <nowiki>[UFW BLOCK]</nowiki> RST ==
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# [UFW BLOCK] IN=eth0 OUT= PROTO=TCP RST
# drop stray TCP packets that carry only the RST flag
-A ufw-before-input -i eth0 -p tcp --tcp-flags ALL RST -j DROP
</filebox>
== <nowiki>[UFW BLOCK]</nowiki> DPT=853 ==
Port 853 is used by the DNS over TLS service.
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# [UFW BLOCK] IN=eth0 SRC=192.168.a.b DST=192.168.x.y PROTO=TCP DPT=853
-A ufw-before-input -i eth0 -d 192.168.x.y -p tcp --dport 853 -j DROP
</filebox>
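Added example, not code from this page: a small Python parser for the <nowiki>[UFW BLOCK]</nowiki> entries in /var/log/ufw.log that tallies dropped packets by source, destination, protocol and destination port, so that before.rules entries like the ones in these sections are written from what the log actually shows rather than from a single line. The sample log lines are constructed after the entries quoted above, with a syslog prefix assumed in front of the kernel message.

```python
# Added example: summarise [UFW BLOCK] lines from /var/log/ufw.log.
import re
from collections import Counter

PREFIX = re.compile(r"\[UFW (?P<action>[A-Z ]+)\] (?P<rest>.*)")
# Protocols the kernel logs by number rather than by name.
PROTO_NAMES = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Return the KEY=VALUE fields of a ufw log line, or None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = {"ACTION": m.group("action")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True  # bare flags such as DF or SYN
    proto = fields.get("PROTO", "").lower()
    fields["PROTO"] = PROTO_NAMES.get(proto, proto)
    return fields


def blocked_summary(lines):
    """Count blocked packets by (src, dst, proto, dpt); '-' when there is no port."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f and f["ACTION"] == "BLOCK":
            counts[(f.get("SRC"), f.get("DST"), f["PROTO"], f.get("DPT", "-"))] += 1
    return counts


# Constructed sample log, modelled on the entries quoted in the sections above.
SAMPLE_LOG = """\
Oct 15 20:12:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=XX SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
Oct 15 20:12:31 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=XX SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
Oct 15 20:13:05 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=XX SRC=192.168.0.10 DST=239.255.255.250 LEN=684 TOS=0x00 PREC=0x00 TTL=1 ID=22271 PROTO=UDP SPT=58421 DPT=3702 LEN=664
Oct 15 20:14:00 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.0.20 DST=192.168.0.5 PROTO=TCP SPT=40000 DPT=853 WINDOW=64240 SYN
Oct 15 20:14:02 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.0.20 DST=192.168.0.5 PROTO=TCP SPT=40001 DPT=22 SYN
""".splitlines()

if __name__ == "__main__":
    for key, n in blocked_summary(SAMPLE_LOG).most_common():
        print(n, *key)
```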