Ufw
From Banane Atomic
Links
Configuration
Once a rule matches, the remaining rules are not evaluated, so put the most specific rules first.

```sh
# list the rules
ufw status verbose
# list the commands that were used to add the rules
ufw show added
# allow tcp connections on port 53
ufw allow 53/tcp comment 'DNS tcp 53'
# allow one IP to reach port 22 over tcp, whatever the destination (any)
ufw allow from 192.168.0.1 to any port 22 proto tcp
# turn the rule allowing tcp connections on port 53 into a deny (ufw updates the existing rule)
ufw deny 53/tcp
# list the rules with their number
ufw status numbered
# delete rule number 2
ufw delete 2
# insert a rule at position 1
ufw insert 1 allow 53/tcp
# deny udp connections on port 53
ufw deny 53/udp
# allow any protocol from inside the 192.168.0.0/24 LAN
ufw allow from 192.168.0.0/24
# allow incoming rate-limited SSH traffic from anywhere
ufw limit ssh
```
Applications
```sh
# list the application profiles (/etc/ufw/applications.d/*)
ufw app list
# apply the profile of application [appname]
ufw allow [appname] comment 'tcp xx'
# only for packets from 192.168.0.0/24
ufw allow from 192.168.0.0/24 to any app [appname]
# only for packets to 192.168.0.0/24
ufw allow to 192.168.0.0/24 app [appname]
# stop applying the profile of application [appname]
ufw delete allow [appname]
# update ufw after modifying the [appname] profile file
ufw app update [appname]
# display the info of the [appname] profile file
ufw app info [appname]
```
Custom applications
/etc/ufw/applications.d/dnsmasq

```ini
[DNS]
title=DNS server
description=DNS server
ports=53

[DHCP]
title=DHCP server
description=DHCP server
ports=67,68/udp
```

/etc/ufw/applications.d/openvpn

```ini
[VPN]
title=VPN server
description=VPN server
ports=1194/udp
```

/etc/ufw/applications.d/transmission

```ini
[Torrent]
title=Torrent server
description=Torrent server
ports=9091/tcp|51413
```

/etc/ufw/applications.d/amule

```ini
[Amule]
title=Amule server
description=Amule server
ports=4662,4711,4712/tcp|4665,4672/udp
```

/etc/ufw/applications.d/minidlna

```ini
[DLNA]
title=MiniDLNA
description=DLNA media streaming server
ports=8200/tcp|1900/udp
```

/etc/ufw/applications.d/gogs

```ini
[GOGS]
title=Gogs
description=A painless self-hosted Git service
ports=3000/tcp
```
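A profile with a missing key or a malformed `ports=` value is only reported when `ufw app update` or `ufw allow` runs, so it helps to check a file before dropping it into /etc/ufw/applications.d/. The script below is an added example, not part of the wiki and not ufw's own validation: it accepts the section/key layout and the `ports` syntax used by the profiles above (comma-separated ports or `low:high` ranges, an optional `/tcp` or `/udp` suffix, several groups joined by `|`), and the two sample profiles it writes to temporary files are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the wiki): sanity-check a ufw application profile.
# check_profile FILE prints one line per problem and exits 1 if any was found.

check_profile() {
    awk '
        # Report the section collected so far, then reset the key/value table.
        function flush(    x) {
            if (sec == "") return
            if (!("title" in k))       { printf "[%s]: missing title\n", sec; bad++ }
            if (!("description" in k)) { printf "[%s]: missing description\n", sec; bad++ }
            if (!("ports" in k))       { printf "[%s]: missing ports\n", sec; bad++ }
            else if (k["ports"] !~ /^[0-9]+([,:][0-9]+)*(\/(tcp|udp))?(\|[0-9]+([,:][0-9]+)*(\/(tcp|udp))?)*$/)
                { printf "[%s]: bad ports value \"%s\"\n", sec, k["ports"]; bad++ }
            for (x in k) delete k[x]
        }
        /^\[.+\]$/     { flush(); sec = substr($0, 2, length($0) - 2); next }   # [section]
        /^[A-Za-z]+=/  { eq = index($0, "="); k[substr($0, 1, eq - 1)] = substr($0, eq + 1); next }
        /^[ \t]*$/ || /^[#;]/ { next }                                          # blank or comment
        { printf "line %d: unexpected text \"%s\"\n", NR, $0; bad++ }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample profiles: one valid (the amule profile shown above),
# one with a missing description and a trailing comma in ports=.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
[Amule]
title=Amule server
description=Amule server
ports=4662,4711,4712/tcp|4665,4672/udp
EOF
cat > "$BAD" <<'EOF'
[Broken]
title=Broken example
ports=4662/tcp,
EOF

check_profile "$GOOD" && echo "good profile: ok"
check_profile "$BAD" || echo "bad profile: rejected"
```

Typical use is `check_profile /etc/ufw/applications.d/foo && ufw app update foo`; the check is purely syntactic and does not know which ports the service actually needs.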
Startup / status
Don't forget to open the SSH port before enabling UFW.

```sh
# start/stop ufw and add it to / remove it from the programs launched at boot
ufw enable
ufw disable
# reload the rules
ufw reload
# restart the firewall
sudo service ufw restart
sudo ufw reload
# list the rules
ufw status verbose
```
Rules
/etc/ufw/before.rules

```
# accept IGMP (protocol 2) sent to the all-hosts multicast group
-A ufw-before-input -p 2 -d 224.0.0.1 -j ACCEPT
```

/etc/ufw/before6.rules

```
# rule allowing multicast (MLD listener query, icmpv6 type 130)
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
```

```sh
ufw deny from 0.0.0.0
```
ipset
Add drop rules matching ipset sets.
/etc/ufw/before.rules

```
# drop packets from [set-name]
-I INPUT -m set --match-set [set-name] src -j DROP
```

Sets have to be created before ufw starts: force netfilter-persistent.service to start before ufw.
/lib/systemd/system/netfilter-persistent.service

```
Before=network-pre.target shutdown.target ufw.service
```
Geo IP block
```sh
ai geoip-database geoip-bin geoipupdate xtables-addons-common
# test
geoiplookup 58.22.14.217
# output: GeoIP Country Edition: CN, China
modprobe xt_geoip
lsmod | grep ^xt_geoip
iptables -m geoip -h
```

/etc/ufw/before.rules

```
# drop all traffic from RU and CN
-A ufw-before-input -m geoip --src-cc RU,CN -j DROP
```
Log
/var/log/ufw.log
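The troubleshooting entries further down all start from `[UFW BLOCK]` lines in this log. Added here as an example that is not part of the wiki, the function below aggregates such lines by source, destination, protocol and destination port so the noisiest blocked flow shows up first; the log lines are constructed in the kernel log format quoted later on this page, and the only assumptions are the `[UFW BLOCK]` prefix and the `KEY=value` tokens (`PROTO=2` is printed as IGMP).

```sh
#!/bin/sh
# Added example (not from the wiki): summarise [UFW BLOCK] entries.
# blocked_summary reads log lines on stdin and prints "COUNT SRC DST PROTO DPT",
# most frequent first. Sample lines below are constructed for the demo.

SAMPLE_LOG='Mar  3 10:01:02 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
Mar  3 10:01:05 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx SRC=192.168.0.23 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:06 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx SRC=192.168.0.23 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:07 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx SRC=192.168.0.42 DST=239.255.255.250 LEN=684 TOS=0x00 PREC=0x00 TTL=1 ID=22271 PROTO=UDP SPT=58421 DPT=3702 LEN=664
Mar  3 10:01:09 host kernel: [UFW AUDIT] IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.10 PROTO=UDP SPT=53 DPT=5353'

blocked_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = dst = proto = dpt = "-"
            # Pick the fields we key on out of the KEY=value tokens.
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^DST=/)   dst   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto == "2") proto = "IGMP"   # the kernel logs IGMP by its protocol number
            n[src " " dst " " proto " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -rn -k1,1
}

printf '%s\n' "$SAMPLE_LOG" | blocked_summary
```

On a real host, `blocked_summary < /var/log/ufw.log` gives the same table; each line of it is a candidate for one of the before.rules entries in the sections below, or for confirming the block is the intended one.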
Errors

```sh
# analyze blocked packets
sudo tcpdump -p host 224.0.0.1
```
UFW does not start at boot
Use cron
Failing a better solution, cron can start UFW after a reboot.
crontab

```
@reboot root ufw enable
```

Modify the UFW service
/lib/systemd/system/ufw.service

```
#Before=network.target
# doesn't work
After=network-pre.target
# doesn't work
After=netfilter-persistent.service
```
[UFW BLOCK] SRC=192.168.0.254 DST=224.0.0.1 PROTO=2
/etc/ufw/before.rules

```
# [UFW BLOCK] IN=eth0 OUT= MAC=XX:...:XX SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
# livebox.home > all-systems.mcast.net: igmp query v2
# drop multicast IGMP packets sent by the livebox
-A ufw-before-input -i eth0 -s 192.168.0.254 -d 224.0.0.1 -p igmp -j DROP
# ??? allow MULTICAST mDNS for service discovery ???
-A ufw-before-input -i eth0 -p udp -d 224.0.0.1 -s 192.168.0.254 --dport 5353 -j ACCEPT
```
[UFW BLOCK] SRC=192.168.0.x DST=239.255.255.250
/etc/ufw/before.rules

```
# allow MULTICAST UPnP for service discovery
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# IN=eth0 OUT= MAC= SRC=192.168.0.x DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
-A ufw-before-input -i eth0 -p igmp -d 239.255.255.250 -s 192.168.0.x -j ACCEPT
# allow Web Services Dynamic Discovery (port 3702 on IP multicast 239.255.255.250)
# IN=eth0 OUT= MAC=XX:..:XX SRC=192.168.0.x DST=239.255.255.250 LEN=684 TOS=0x00 PREC=0x00 TTL=1 ID=22271 PROTO=UDP SPT=58421 DPT=3702 LEN=664
-A ufw-before-input -i eth0 -p udp -s 192.168.0.0/24 -d 239.255.255.250 --dport 3702 -j ACCEPT
```
[UFW BLOCK] RST
/etc/ufw/before.rules

```
# [UFW BLOCK] IN=eth0 OUT= PROTO=TCP RST
-A ufw-before-input -i eth0 -p tcp --tcp-flags ALL RST -j DROP
```
[UFW BLOCK] DPT=853
Port 853 is used by the DNS over TLS service.
/etc/ufw/before.rules

```
# [UFW BLOCK] IN=eth0 SRC=192.168.a.b DST=192.168.x.y PROTO=TCP DPT=853
-A ufw-before-input -i eth0 -d 192.168.x.y -p tcp --dport 853 -j DROP
```