« Ufw »: difference between versions

From Banane Atomic
Latest version of 15 October 2023 at 20:12

= Links =
* [https://help.ubuntu.com/community/UFW Help Ubuntu]
* [https://wiki.archlinux.org/index.php/Uncomplicated_Firewall Archlinux]

= [https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands Configuration] =

{{warn | Once a rule is matched the others will not be evaluated, so you must put the specific rules first.}}
<kode lang='bash'>
# list the rules
ufw status verbose

# list the commands that were used to add rules
ufw show added

# allow tcp connections on port 53
ufw allow 53/tcp comment 'DNS tcp 53'

# allow one ip to reach port 22 over tcp, whatever the destination (any)
ufw allow from 192.168.0.1 to any port 22 proto tcp

# turn the rule that allows tcp connections on port 53 into a deny rule
# (ufw updates the existing rule; to remove it instead: ufw delete allow 53/tcp)
ufw deny 53/tcp

# list the rules with their number
ufw status numbered

# delete rule number 2
ufw delete 2

# insert a rule at position 1
ufw insert 1 allow 53/tcp

# deny udp connections on port 53
ufw deny 53/udp

# allow any protocol from inside the 192.168.0.0/24 LAN
ufw allow from 192.168.0.0/24

# allow incoming rate-limited SSH traffic from anywhere
# (ufw limit denies a source that opens 6 or more connections within 30 seconds)
ufw limit ssh
</kode>

= Applications =

<kode lang='bash'>
# list the application profiles (/etc/ufw/applications.d/*)
ufw app list

# apply the profile of application [appname]
ufw allow [appname] comment 'tcp xx'
# only for packets from 192.168.0.0/24
ufw allow from 192.168.0.0/24 to any app [appname]
# only for packets to 192.168.0.0/24
ufw allow to 192.168.0.0/24 app [appname]

# stop applying the profile of application [appname]
ufw delete allow [appname]

# update ufw after having modified the [appname] profile file
ufw app update [appname]

# display the information of the [appname] profile file
ufw app info [appname]
</kode>

== Custom applications ==

<filebox fn='/etc/ufw/applications.d/dnsmasq' lang='ini' collapsed>
[DNS]
title=DNS server
description=DNS server
; no protocol given: port 53 is opened for both tcp and udp
ports=53

[DHCP]
title=DHCP server
description=DHCP server
ports=67,68/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/openvpn' lang='ini' collapsed>
[VPN]
title=VPN server
description=VPN server
ports=1194/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/transmission' lang='ini' collapsed>
[Torrent]
title=Torrent server
description=Torrent server
; '|' separates alternatives: 9091 tcp only, 51413 tcp and udp
ports=9091/tcp|51413
</filebox>
<filebox fn='/etc/ufw/applications.d/amule' lang='ini' collapsed>
[Amule]
title=Amule server
description=Amule server
ports=4662,4711,4712/tcp|4665,4672/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/minidlna' lang='ini' collapsed>
[DLNA]
title=MiniDLNA
description=DLNA media streaming server
ports=8200/tcp|1900/udp
</filebox>
<filebox fn='/etc/ufw/applications.d/gogs' lang='ini' collapsed>
[GOGS]
title=Gogs
description=A painless self-hosted Git service
ports=3000/tcp
</filebox>
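To check a custom profile before running ufw app update, here is an added parser (my own code, not ufw's) for the profile format above: '|' separates alternatives, ',' separates ports inside one, and a port without /tcp or /udp is opened for both protocols. It also accepts ufw's a:b port ranges, which the profiles on this page do not use; the sample profiles embedded in it are copied from the files above.

```python
"""Parse ufw application profiles and expand their ports= field.
Syntax: '|' separates alternatives; ',' separates ports (or a:b ranges)
inside one; /tcp or /udp fixes the protocol, otherwise both apply."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample: two of the profiles shown on the page.
SAMPLE_PROFILES = """\
[Torrent]
title=Torrent server
description=Torrent server
ports=9091/tcp|51413

[Amule]
title=Amule server
description=Amule server
ports=4662,4711,4712/tcp|4665,4672/udp
"""

PortSpec = Tuple[int, int, str]  # (first_port, last_port, protocol)


def expand_ports(spec: str) -> List[PortSpec]:
    """Expand one ports= value into (first, last, proto) triples."""
    result: List[PortSpec] = []
    for alternative in spec.split("|"):
        alternative = alternative.strip()
        if "/" in alternative:
            ports_part, proto = alternative.rsplit("/", 1)
            if proto not in ("tcp", "udp"):
                raise ValueError(f"unknown protocol {proto!r} in {spec!r}")
            protos = [proto]
        else:  # no protocol given: ufw opens the ports for tcp and udp
            ports_part, protos = alternative, ["tcp", "udp"]
        for item in ports_part.split(","):
            first, _, last = item.partition(":")
            lo, hi = int(first), int(last or first)
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port {item!r} in {spec!r}")
            result.extend((lo, hi, p) for p in protos)
    return result


def parse_profiles(text: str) -> Dict[str, List[PortSpec]]:
    """Map each profile name to its expanded ports; reject incomplete ones."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    profiles: Dict[str, List[PortSpec]] = {}
    for name in cfg.sections():
        # ufw requires all three keys in every profile section
        for key in ("title", "description", "ports"):
            if key not in cfg[name]:
                raise ValueError(f"profile {name!r} lacks the key {key!r}")
        profiles[name] = expand_ports(cfg[name]["ports"])
    return profiles
```

Run it against a real file with parse_profiles(open('/etc/ufw/applications.d/transmission').read()) to see exactly which (port, protocol) pairs ufw allow [appname] will open.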

= Start-up / status =

{{warn | Do not forget to open the SSH port before enabling UFW.}}
<kode lang='bash'>
# enable/disable ufw and add it to/remove it from the programs started at boot
ufw enable
ufw disable

# reload the rules without disabling the firewall (ufw must already be enabled)
ufw reload

# restart the firewall
sudo service ufw restart
sudo ufw reload

# list the rules
ufw status verbose
</kode>

= Rules =

<filebox fn='/etc/ufw/before.rules' lang='bash'>
# allow IGMP (protocol 2) multicast queries sent to the all-systems group
-A ufw-before-input -p 2 -d 224.0.0.1 -j ACCEPT
</filebox>
<filebox fn='/etc/ufw/before6.rules' lang='bash'>
# rule to allow multicast (MLD queries, ICMPv6 type 130, from link-local sources)
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
</filebox>
<kode lang='bash'>
# deny packets whose source address is 0.0.0.0
ufw deny from 0.0.0.0
</kode>

= ipset =

Add drop rules that match ipset sets.

<filebox fn='/etc/ufw/before.rules' lang='bash'>
# drop packets from [set-name]
-I INPUT -m set --match-set [set-name] src -j DROP
</filebox>

Sets have to be created before ufw starts: force netfilter-persistent.service to start before ufw. Files under /lib/systemd/system are overwritten by package upgrades; a drop-in under /etc/systemd/system/netfilter-persistent.service.d/ carrying the same [Unit] line survives them.

<filebox fn='/lib/systemd/system/netfilter-persistent.service' lang='ini'>
Before=network-pre.target shutdown.target ufw.service
</filebox>

= [https://ultramookie.com/2020/10/geoip-blocking-ubuntu-20.04/ Geo IP block] =

<kode lang='bash'>
# ai: presumably a shell alias for apt install
ai geoip-database geoip-bin geoipupdate xtables-addons-common

# test
geoiplookup 58.22.14.217
GeoIP Country Edition: CN, China

# load the geoip netfilter module and check that it is present
modprobe xt_geoip
lsmod | grep ^xt_geoip

# help of the geoip match
iptables -m geoip -h
</kode>
<filebox fn='/etc/ufw/before.rules' lang='bash'>
# drop all traffic from RU and CN
-A ufw-before-input -m geoip --src-cc RU,CN -j DROP
</filebox>

= Log =

{{boxx|/var/log/ufw.log}}

= Errors =

ufw only logs a blocked packet when no explicit rule matched it, so it is enough to allow or deny the noisy flows explicitly for the [UFW BLOCK] entries to disappear. Capture the traffic first to see what is actually being blocked.

<kode lang='bash'>
# analyze blocked packets (here the IGMP queries sent to 224.0.0.1)
sudo tcpdump -p host 224.0.0.1
</kode>

== UFW does not start at boot ==

=== [https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1726856 Use cron] ===

In the absence of a fix, {{boxx|cron}} can start {{boxx|UFW}} after a reboot.

<filebox fn='crontab' lang='bash'>
# system crontab syntax (/etc/crontab or /etc/cron.d/*): the user field "root" is not accepted in a per-user crontab
@reboot root ufw enable
</filebox>

=== [https://askubuntu.com/questions/1040539/how-do-i-get-ufw-to-start-on-boot Modify the UFW service] ===

<filebox fn='/lib/systemd/system/ufw.service' lang='bash'>
#Before=network.target
After=network-pre.target  # doesn't work
After=netfilter-persistent.service  # doesn't work
</filebox>

== <nowiki>[UFW BLOCK]</nowiki> SRC=192.168.0.254 DST=224.0.0.1 PROTO=2 ==

<filebox fn='/etc/ufw/before.rules' lang='bash'>
# [UFW BLOCK] IN=eth0 OUT= MAC=XX:...:XX SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
# livebox.home > all-systems.mcast.net: igmp query v2

# drop multicast IGMP packets sent by the livebox
-A ufw-before-input -i eth0 -s 192.168.0.254 -d 224.0.0.1 -p igmp -j DROP

# ??? allow MULTICAST mDNS for service discovery ???
# note: mDNS actually uses group 224.0.0.251, so this rule as written does not match mDNS queries
-A ufw-before-input -i eth0 -p udp -d 224.0.0.1 -s 192.168.0.254 --dport 5353 -j ACCEPT
</filebox>

== <nowiki>[UFW BLOCK]</nowiki> SRC=192.168.0.x DST=239.255.255.250 ==

<filebox fn='/etc/ufw/before.rules' lang='bash'>
# allow MULTICAST UPnP (SSDP) for service discovery
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# IN=eth0 OUT= MAC= SRC=192.168.0.x DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
# IGMP membership reports for the SSDP group
-A ufw-before-input -i eth0 -p igmp -d 239.255.255.250 -s 192.168.0.x -j ACCEPT

# allow Web Services Dynamic Discovery (port 3702 on IP multicast 239.255.255.250)
# IN=eth0 OUT= MAC=XX:..:XX SRC=192.168.0.x DST=239.255.255.250 LEN=684 TOS=0x00 PREC=0x00 TTL=1 ID=22271 PROTO=UDP SPT=58421 DPT=3702 LEN=664
-A ufw-before-input -i eth0 -p udp -s 192.168.0.0/24 -d 239.255.255.250 --dport 3702 -j ACCEPT
</filebox>

== <nowiki>[UFW BLOCK]</nowiki> RST ==

<filebox fn='/etc/ufw/before.rules' lang='bash'>
# [UFW BLOCK] IN=eth0 OUT= PROTO=TCP RST
# silently drop stray TCP resets (only the RST flag set) instead of logging them
-A ufw-before-input -i eth0 -p tcp --tcp-flags ALL RST -j DROP
</filebox>

== <nowiki>[UFW BLOCK]</nowiki> DPT=853 ==

Port 853 is used by the DNS over TLS service.

<filebox fn='/etc/ufw/before.rules' lang='bash'>
# [UFW BLOCK] IN=eth0 SRC=192.168.a.b DST=192.168.x.y PROTO=TCP DPT=853
# drop (without logging) DNS over TLS attempts towards 192.168.x.y
-A ufw-before-input -i eth0 -d 192.168.x.y -p tcp --dport 853 -j DROP
</filebox>
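As an added example that is not part of the original page, this script parses [UFW BLOCK] lines like the ones quoted in this section and counts them per case (IGMP query, SSDP/WS-Discovery, MLD, stray RST, DNS over TLS), so that the before.rules entries above can be checked against what is actually being logged. The sample log lines, hosts and MAC addresses are constructed.

```python
"""Triage [UFW BLOCK] lines from /var/log/ufw.log: parse the kernel
key=value fields and map each blocked packet to the cases handled in
/etc/ufw/before.rules above. Added example, not code from the page."""
from collections import Counter
from typing import Dict

# Constructed sample lines modelled on those quoted on the page
# (hosts, MACs and the rsyslog prefix are made up).
SAMPLE_LOG = """\
Oct 15 20:12:01 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:e8:b7:48:bb:29:94:08:00 SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
Oct 15 20:12:02 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:11:22:33:44:55:08:00 SRC=192.168.0.10 DST=239.255.255.250 LEN=684 TOS=0x00 PREC=0x00 TTL=1 ID=22271 PROTO=UDP SPT=58421 DPT=3702 LEN=664
Oct 15 20:12:03 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 RST URGP=0
Oct 15 20:12:04 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.20 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 15 20:12:05 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:00:01:00:30:18:54:28:2a:86:dd SRC=fe80:0000:0000:0000:0230:18ff:fe54:282a DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0
Oct 15 20:12:06 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def parse_block_line(line: str) -> Dict[str, str]:
    """Return the fields of one [UFW BLOCK] line, or {} for other lines.
    Bare flags (DF, SYN, RST) map to ''. The first LEN wins: for UDP the
    kernel prints LEN twice (IP length, then UDP length)."""
    _, found, rest = line.partition("[UFW BLOCK]")
    if not found:
        return {}
    fields: Dict[str, str] = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields.setdefault(key, value)
    return fields


def classify(f: Dict[str, str]) -> str:
    """Name the before.rules case a blocked packet falls under."""
    dst, proto = f.get("DST", ""), f.get("PROTO", "")
    if proto == "2" and dst == "224.0.0.1":
        return "igmp-query-all-systems"      # router IGMP query: drop or allow
    if dst == "239.255.255.250":
        return "igmp-ssdp-group" if proto == "2" else "ssdp-or-wsd-multicast"
    if proto == "ICMPv6" and f.get("TYPE") == "130" and dst.startswith("ff02:"):
        return "mld-query"                   # IPv6 counterpart, before6.rules
    if proto == "TCP" and "RST" in f:
        return "stray-tcp-rst"               # late reset: drop without logging
    if proto == "TCP" and f.get("DPT") == "853":
        return "dns-over-tls"
    return "other"                           # needs a real look


def triage(log_text: str) -> Dict[str, int]:
    """Count blocked packets per case so the noisy ones stand out."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_block_line(line)
        if fields:
            counts[classify(fields)] += 1
    return dict(counts)
```

Feed it the real file with triage(open('/var/log/ufw.log').read()); anything counted under "other" is traffic the rules in this section do not explain and deserves a look before being silenced.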