mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-12-22 14:05:03 -05:00
227 lines
5.8 KiB
Markdown
227 lines
5.8 KiB
Markdown
# UFW: Uncomplicated Firewall — Cheat Sheet
|
||
|
||
## Installation
|
||
If you are using Ubuntu then UFW will be installed by default. If you are using Debian or a derivative, then you can install UFW by entering the following
|
||
```
|
||
root@host:~# apt-get install ufw
|
||
```
|
||
|
||
UFW is not available in CentOS, and although you can install it from source, that is outside the scope of this tutorial.
|
||
|
||
## Checking status
|
||
When you check the status, UFW will either tell you that it is inactive,
|
||
|
||
```
|
||
root@host:~# ufw status
|
||
Status: inactive
|
||
```
|
||
or it will tell you it is active and list the firewall rules.
|
||
```
|
||
root@host:~# ufw status
|
||
Status: active
|
||
To Action From
|
||
-- ------ ----
|
||
22/tcp ALLOW Anywhere
|
||
22/tcp (v6) ALLOW Anywhere (v6)
|
||
```
|
||
|
||
Rules can also be numbered, which is particularly useful when you wish to delete one.
|
||
|
||
```
|
||
root@host:~# ufw status numbered
|
||
Status: active
|
||
To Action From -- ------ ----
|
||
[ 1] WWW Full ALLOW IN Anywhere
|
||
[ 2] WWW Full (v6) ALLOW IN Anywhere (v6)
|
||
|
||
```
|
||
|
||
Not that if you have no rules enables, you will just be told it is active
|
||
|
||
```
|
||
root@host:~# ufw status
|
||
Status: active
|
||
```
|
||
|
||
## Enable and disable
|
||
Enabling and disabling are from the following commands. Warning; if you are working on a remote system, allow the SSH rule before you enable UFW or you risk losing your shell access.
|
||
|
||
```
|
||
root@host:~# ufw enable
|
||
Firewall is active and enabled on system startup
|
||
root@host:~# ufw disable
|
||
Firewall stopped and disabled on system startup
|
||
```
|
||
|
||
## Deleting rules
|
||
The easiest way to delete a rule is to delete it by number, but you can also delete it by definition.
|
||
|
||
```
|
||
root@host:~# ufw status numbered
|
||
Status: active
|
||
To Action From -- ------ ----
|
||
[ 1] 22/tcp ALLOW IN Anywhere
|
||
[ 2] 22/tcp (v6) ALLOW IN Anywhere (v6)
|
||
```
|
||
Note that as there are 2 rules (ipv4 and ipv6) for every pre-defined service, delete will only remove the rule for one protocol.
|
||
|
||
```
|
||
root@host:~# ufw delete 2
|
||
Deleting:
|
||
allow 22/tcp
|
||
Proceed with operation (y|n)? y
|
||
Rule deleted (v6)
|
||
```
|
||
|
||
## Logging
|
||
Logging is on by default, but can rapidly fill your log files with noise. Enable and disable thusly
|
||
|
||
```
|
||
root@host:~# ufw logging on
|
||
Logging enabled
|
||
root@host:~# ufw logging off
|
||
Logging disabled
|
||
|
||
```
|
||
You can also change the logging levels if necessary, but low is the default.
|
||
|
||
```
|
||
root@host:~# ufw logging medium
|
||
Logging enabled
|
||
Pre-defined rules
|
||
```
|
||
|
||
One of the strengths for sysadmins who may only infrequently change firewall rules is the set of pre-defined rules that UFW ships with. These obviously assume that you are running services on default ports and will NOT work if you have tried to obfuscate by assigning non-default ports. They also assume you will be allowing ALL traffic to these port (see later for how to restrict traffic sources and destinations.
|
||
```
|
||
root@host:~# ufw app list
|
||
Available applications:
|
||
AIM
|
||
Bonjour
|
||
CIFS
|
||
CUPS
|
||
DNS
|
||
Deluge
|
||
IMAP
|
||
IMAPS
|
||
IPP
|
||
KTorrent
|
||
Kerberos Admin
|
||
Kerberos Full
|
||
Kerberos KDC
|
||
Kerberos Password
|
||
LDAP
|
||
LDAPS
|
||
LPD
|
||
MSN
|
||
MSN SSL
|
||
Mail submission
|
||
NFS
|
||
POP3
|
||
POP3S
|
||
PeopleNearby
|
||
SMTP
|
||
SSH
|
||
Socks
|
||
Telnet
|
||
Transmission
|
||
Transparent Proxy
|
||
VNC
|
||
WWW
|
||
WWW Cache
|
||
WWW Full
|
||
WWW Secure
|
||
XMPP
|
||
Yahoo
|
||
qBittorrent
|
||
svnserve
|
||
```
|
||
|
||
You can see a full list of these and their definitions in /etc/ufw/applications.d.
|
||
|
||
## SSH
|
||
If you are running a remote server, you almost certainly want this rule enabled.
|
||
|
||
```
|
||
root@host:~# ufw allow ssh
|
||
Rule added
|
||
Rule added (v6)
|
||
root@host:~# ufw status
|
||
Status: active
|
||
To Action From
|
||
-- ------ ----
|
||
22/tcp ALLOW Anywhere
|
||
22/tcp (v6) ALLOW Anywhere (v6)
|
||
http(s)
|
||
|
||
```
|
||
|
||
You can enable both port 80 (http) and 443 (https) in one go with the following command, but there are options to only enable one
|
||
|
||
```
|
||
root@host:~# ufw allow www\ full
|
||
Rules updated
|
||
Rules updated (v6)
|
||
root@host:~# ufw status
|
||
[sudo] password for simon:
|
||
Status: active
|
||
To Action From
|
||
-- ------ ----
|
||
WWW Full ALLOW Anywhere
|
||
WWW Full (v6) ALLOW Anywhere (v6)
|
||
|
||
```
|
||
|
||
## More complex usage
|
||
Port and protocol
|
||
|
||
```
|
||
root@host:~# ufw allow 45/tcp
|
||
Rule added
|
||
Rule added (v6)
|
||
```
|
||
|
||
### Source and Destination
|
||
Allow only from an IP
|
||
|
||
```
|
||
root@host:~# ufw allow from 192.168.1.1 port 62
|
||
Rule added
|
||
root@host:~# ufw status
|
||
Status: active
|
||
To Action From
|
||
-- ------ ----
|
||
Anywhere ALLOW 192.168.1.1 62
|
||
|
||
```
|
||
|
||
Allow only to a certain local interface
|
||
```
|
||
root@host:~# ufw allow to 127.0.0.2 port 62
|
||
Rule added
|
||
root@host:~# ufw status
|
||
Status: active
|
||
To Action From
|
||
-- ------ ----
|
||
127.0.0.2 62 ALLOW Anywhere
|
||
|
||
```
|
||
|
||
### Protocol only
|
||
|
||
If you have followed my ipsec tutorial, you will need the firewall ports open to establish the key exchange – this is one of the few protolcols which do not require a port number.
|
||
```
|
||
root@host:~# ufw allow to 127.0.0.3 proto esp
|
||
Rule added
|
||
|
||
root@host:~# ufw allow to 127.0.0.3 proto ah
|
||
Rule added
|
||
root@host:~# ufw status
|
||
Status: active
|
||
To Action From
|
||
-- ------ ----
|
||
127.0.0.3/esp ALLOW Anywhere
|
||
127.0.0.3/ah ALLOW Anywhere
|
||
```
|
||
|
||
Note that you need a destination in this instance.
|