Ufw

De Banane Atomic
Version datée du 15 octobre 2023 à 20:12 par Nicolas (discussion | contributions) (→‎Applications custom)
(diff) ← Version précédente | Voir la version actuelle (diff) | Version suivante → (diff)
Aller à la navigationAller à la recherche

Liens

Configuration

Once a rule is matched the others will not be evaluated so you must put the specific rules first.
Bash.svg
# lister les règles
ufw status verbose

# lister les commandes qui ont permis d'ajouter des règles
ufw show added

# autoriser les connections tcp sur le port 53
ufw allow 53/tcp comment 'DNS tcp 53'

# autoriser une ip à accéder au port 22 en tcp quelle que soit la destination (any)
ufw allow from 192.168.0.1 to any port 22 proto tcp

# supprimer le règle qui autorise les connections tcp sur le port 53
ufw deny 53/tcp

# lister les régles avec leur numéro
ufw status numbered

# supprimer la règle numéro 2
ufw delete 2

# insérer une règle en position 1
ufw insert 1 allow 53/tcp

# interdire les connections udp sur le port 53
ufw deny 53/udp

# allow any protocol from inside 192.168.0.0/24 LAN
ufw allow from 192.168.0.0/24
# allow incoming rate limited SSH traffic from anywhere
ufw limit ssh

Applications

Bash.svg
# lister les configurations pour les applications (/etc/ufw/applications.d/*)
ufw app list

# appliquer la configuration de l'application [appname]
ufw allow [appname] comment 'tcp xx'
# only for packages from 192.168.0.0/24
ufw allow from 192.168.0.0/24 to any app [appname]
# only for packages to 192.168.0.0/24
ufw allow to 192.168.0.0/24 app [appname]

# ne plus appliquer la configuration de l'application [appname]
ufw delete allow [appname]

# update ufw after having modified the [appname] config file
ufw app update [appname]

# display the info on the [appname] config file
ufw app info [appname]

Applications custom

/etc/ufw/applications.d/dnsmasq
[DNS]
title=DNS server
description=DNS server
ports=53

[DHCP]
title=DHCP server
description=DHCP server
ports=67,68/udp
/etc/ufw/applications.d/openvpn
[VPN]
title=VPN server
description=VPN server
ports=1194/udp
/etc/ufw/applications.d/transmission
[Torrent]
title=Torrent server
description=Torrent server
ports=9091/tcp|51413
/etc/ufw/applications.d/amule
[Amule]
title=Amule server
description=Amule server
ports=4662,4711,4712/tcp|4665,4672/udp
/etc/ufw/applications.d/minidlna
[DLNA]
title=MiniDLNA
description=DLNA media streaming server
ports=8200/tcp|1900/udp
/etc/ufw/applications.d/gogs
[GOGS]
title=Gogs
description=A painless self-hosted Git service
ports=3000/tcp

Démarrage / status

Ne pas oublier d'ouvrir le port SSH avant de démarrer UFW.
Bash.svg
# démarre/stoppe ufw et l'ajoute/le retire des programmes à lancer au démarrage
ufw enable
ufw disable

# démarre ufw
ufw reload

# redémarrer le firewall
sudo service ufw restart
sudo ufw reload

# lister les régles
ufw status verbose

Règles

/etc/ufw/before.rules
-A ufw-before-input -p 2 -d 224.0.0.1 -j ACCEPT
/etc/ufw/before6.rules
# règle pour autoriser le multicast
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
Bash.svg
ufw deny from 0.0.0.0

ipset

Add drop rules which match ipset sets

/etc/ufw/before.rules
# drop packets from [set-name]
-I INPUT -m set --match-set [set-name] src -j DROP

Sets have to be created before ufw starts: force netfilter-persistent.service to start before ufw.

/lib/systemd/system/netfilter-persistent.service
Before=network-pre.target shutdown.target ufw.service

Geo IP block

Bash.svg
ai geoip-database geoip-bin geoipupdate xtables-addons-common

# test
geoiplookup 58.22.14.217            
GeoIP Country Edition: CN, China

modprobe xt_geoip
lsmod | grep ^xt_geoip

iptables -m geoip -h
/etc/ufw/before.rules
# drops all traffic from RU and CN 
-A ufw-before-input -m geoip --src-cc RU,CN -j DROP

Log

/var/log/ufw.log

Erreurs

Bash.svg
# analyze blocked packages
sudo tcpdump -p host 224.0.0.1

UFW ne se lance pas au démarrage

Utiliser cron

En l'absence de solution, cron peut lancer UFW après un reboot.

crontab
@reboot root ufw enable

Modifier le service UFW

/lib/systemd/system/ufw.service
#Before=network.target
After=network-pre.target  # doesn't work
After=netfilter-persistent.service  # doesn't work

[UFW BLOCK] SRC=192.168.0.254 DST=224.0.0.1 PROTO=2

/etc/ufw/before.rules
# [UFW BLOCK] IN=eth0 OUT= MAC=XX:...:XX SRC=192.168.0.254 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2
# livebox.home > all-systems.mcast.net: igmp query v2

# drop multicast IGMP packages sent by the livebox
-A ufw-before-input -i eth0 -s 192.168.0.254 -d 224.0.0.1 -p igmp -j DROP

# ??? allow MULTICAST mDNS for service discovery ???
-A ufw-before-input -i eth0 -p udp -d 224.0.0.1 -s 192.168.0.254 --dport 5353 -j ACCEPT

[UFW BLOCK] SRC=192.168.0.x DST=239.255.255.250

/etc/ufw/before.rules
# allow MULTICAST UPnP for service discovery
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# IN=eth0 OUT= MAC= SRC=192.168.0.x DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
-A ufw-before-input -i eth0 -p igmp -d 239.255.255.250 -s 192.168.0.x -j ACCEPT

# allow Web Services Dynamic Discovery (port 3702 on IP multicast 239.255.255.250)
# IN=eth0 OUT= MAC=XX:..:XX SRC=192.168.0.x DST=239.255.255.250 LEN=684 TOS=0x00 PREC=0x00 TTL=1 ID=22271 PROTO=UDP SPT=58421 DPT=3702 LEN=664
-A ufw-before-input -i eth0 -p udp -s 192.168.0.0/24 -d 239.255.255.250 --dport 3702 -j ACCEPT

[UFW BLOCK] RST

/etc/ufw/before.rules
# [UFW BLOCK] IN=eth0 OUT= PROTO=TCP RST
-A ufw-before-input -i eth0 -p tcp --tcp-flags ALL RST -j DROP

[UFW BLOCK] DPT=853

Port 853 is used by DNS over TLS service.

/etc/ufw/before.rules
# [UFW BLOCK] IN=eth0 SRC=192.168.a.b DST=192.168.x.y PROTO=TCP DPT=853
-A ufw-before-input -i eth0 -d 192.168.x.y -p tcp --dport 853 -j DROP