UFW
---

https://wiki.ubuntu.com/UbuntuFirewall


What's in a name?
-----------------
What does it mean? It has come to mean 'Uncomplicated Firewall', but you
can change it to something more suitable if you want. If you like it, you might
pick 'Universal Firewall', or 'Ultimate Firewall'. If you are not a fan,
perhaps 'Unbearable Firewall'. Have fun!


Requirements
------------
python 2.6-2.7, 3.1-3.2 (known to work with 2.6.2+, 2.7.0+, 3.1.2, 3.2+)*
iptables 1.4**
gettext
/proc filesystem support
Linux kernel configured with the following modules (not exhaustive):
  addrtype
  comment
  hl (IPv6)
  limit
  multiport
  recent
  state

* python2.5 is no longer supported
** Systems with iptables below 1.4 will not have IPv6 application rule support.
ufw will give a warning when users try to use this functionality, but ufw
will otherwise work fine. ufw is known to work with iptables 1.3.8 in this
degraded mode.

ufw has been widely tested on Linux 2.6.24 and higher kernels. You may also
use the check-requirements script in the tests/ directory to see if your
system has all the required iptables/netfilter functionality.


Install
-------
Users can install with:
# python ./setup.py install
$ python ./setup.py install --home=PREFIX

The interpreter used for setup.py is the one used for ufw. So if your system
python is 2.6, but you have python2.7 available, use something like:
$ python2.7 ./setup.py install --home=PREFIX

Distributions which install to a build directory for packaging can install
with:
$ python ./setup.py install --root=PREFIX

Eg:
$ python ./setup.py install --root=/tmp/ufw

When installing ufw from source, you will also need to integrate it into your
boot process for the firewall to start when you restart your system. Depending
on your needs, this can be as simple as adding the following to a startup
script (eg rc.local for systems that use it):

# /lib/ufw/ufw-init start

For systems that use SysV initscripts, an example script is provided in
doc/initscript.example. See doc/upstart.example for an Upstart example. Consult
your distribution's documentation for the proper way to modify your boot
process.


Basic Layout
------------
/usr/sbin/ufw             is the UI for people (may have different backends)
/etc/default/ufw          high level configuration
/etc/ufw/before[6].rules  rules evaluated before UI added rules
/etc/ufw/after[6].rules   rules evaluated after UI added rules
/lib/ufw/user[6].rules    UI added rules (not to be modified)
/etc/ufw/sysctl.conf      kernel network tunables
/lib/ufw/ufw-init         start script


Usage
-----
ufw enable|disable         turn firewall on and off (including at boot)
ufw default allow|deny     updates default policy
ufw logging on|off         updates backend logging (*.rules)
ufw status                 displays firewall status (user.rules only)
ufw allow|deny|limit RULE  add RULE to firewall

See 'man ufw' and also Ubuntu's tutorial at:
http://doc.ubuntu.com/ubuntu/serverguide/C/firewall.html


Chains
------
ufw uses several chains to allow ease of use and flexibility. Control flow
through the various chains is (essentially) as follows:

INPUT ->
  ufw-before-logging-input ->
  ufw-before-input ->
  ufw-user-input ->
  ufw-user-logging-input (rule specific) ->
  ufw-after-input ->
  ufw-after-logging-input ->
  ufw-reject-input -> return to INPUT

OUTPUT ->
  ufw-before-logging-output ->
  ufw-before-output ->
  ufw-user-output ->
  ufw-user-logging-output (rule specific) ->
  ufw-after-output ->
  ufw-after-logging-output ->
  ufw-reject-output -> return to OUTPUT

FORWARD ->
  ufw-before-logging-forward ->
  ufw-before-forward ->
  ufw-user-forward ->
  ufw-user-logging-forward (not used) ->
  ufw-after-forward ->
  ufw-after-logging-forward ->
  ufw-reject-forward -> return to FORWARD

The 'before' chains are set up in 'before.rules', the 'after' chains in
'after.rules' and the 'user' chains are maintained by ufw. If an administrator
wants to add rules manually, the rules should be added to 'before.rules' and
'after.rules'. The 'reject' chains are used for when the default policy is
set to REJECT (because iptables does not support REJECT as a target at this
time). Keep in mind that when using REJECT as the default policy, ufw may end
up rejecting traffic intended for rules that are added outside of ufw after ufw
is started.

There is some default configuration in both 'before.rules' and 'after.rules',
and this configuration is not displayed with 'ufw status' (but can always
be viewed with 'iptables -L -n' or 'iptables -L [chain] -n'). See the iptables
man page for details. There are also 3 chains (for both IPv4 and IPv6) that
can be used to immediately go to POLICY, which are mostly useful to avoid
logging (these chains are used in the default ufw after*.rules configuration to
avoid logging noisy services by default):
  ufw-skip-to-policy-input
  ufw-skip-to-policy-output
  ufw-skip-to-policy-forward

The primary chains are ufw-before-*, ufw-after-* and ufw-reject-*. The
treatment of iptables' built-in chains can be controlled with the
MANAGE_BUILTINS configuration option (in /etc/default/ufw). By default this is
set to 'no', which means that other than adding the primary chains, the
built-in chains will remain untouched. This also means that these primary
chains will stay in the table, even after disabling ufw. This is to make sure
that the primary chains don't move around other non-ufw rules and chains. To
completely flush the built-in chains with this configuration, you can use:

# /lib/ufw/ufw-init flush-all

Alternately, ufw may also take full control of the firewall by setting
MANAGE_BUILTINS=yes in /etc/default/ufw. This will flush all the built-in
rules and delete the non-built-in rules on start, stop and reload.

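Because the primary chains are the only thing ufw adds to the built-in chains, a rule that ends up ahead of them in INPUT, OUTPUT or FORWARD is never evaluated by ufw at all, and a missing or reordered hook silently changes the flow described above. The following audit is an added example, not part of the ufw README or code base: it reads 'iptables -S <chain>' style output (the dumps below are constructed samples) and reports missing hooks, hooks out of the documented order, and rules placed ahead of ufw's first hook; it generalises to all three built-in chains.

```python
import re

# Order in which ufw hooks its primary chains (and their logging counterparts)
# into each built-in chain, taken from the flow shown above.
HOOK_ORDER = ("before-logging", "before", "after", "after-logging", "reject")

# Constructed 'iptables -S INPUT' output for a healthy ufw host.
GOOD_INPUT = """\
-P INPUT DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
"""

# Constructed dump with a rule ahead of ufw, two hooks swapped and one missing.
BAD_INPUT = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-after-input
"""


def expected_hooks(builtin):
    """ufw chains that should be jumped to from INPUT, OUTPUT or FORWARD."""
    return ["ufw-%s-%s" % (stage, builtin.lower()) for stage in HOOK_ORDER]


def check_hooks(builtin, dump):
    """Audit 'iptables -S <builtin>' output; returns a list of problems."""
    rule_re = re.compile(r"^-A %s (.*)$" % re.escape(builtin))
    rules = []  # (position, jump target or None, rule spec) in chain order
    for pos, line in enumerate(dump.splitlines()):
        m = rule_re.match(line.strip())
        if m:
            target = re.search(r"-j (\S+)", m.group(1))
            rules.append((pos, target.group(1) if target else None, m.group(1)))
    wanted = expected_hooks(builtin)
    hook_pos = {}
    for pos, target, _ in rules:
        if target in wanted:
            hook_pos.setdefault(target, pos)
    problems = ["missing hook: %s" % c for c in wanted if c not in hook_pos]
    present = [hook_pos[c] for c in wanted if c in hook_pos]
    if present != sorted(present):
        problems.append("ufw hooks are out of order in %s" % builtin)
    first = min(hook_pos.values()) if hook_pos else None
    for pos, target, spec in rules:
        # Anything matched before ufw's first hook is never seen by ufw at all.
        if first is not None and pos < first and target not in wanted:
            problems.append("rule ahead of ufw hooks: -A %s %s" % (builtin, spec))
    return problems
```

Feed it the real output of `iptables -S INPUT` (and `ip6tables -S` for the IPv6 table) to confirm the hooks survived a manual edit or a third-party tool touching the built-in chains.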

Advanced Configuration
----------------------
ufw can be thought of as two parts: the ufw command-line program and the ufw
framework. The ufw command is intentionally kept as simple as possible, so
users can do common tasks more easily. The framework (ie the bootscripts, setup
of the chains (see above), sysctl configuration, etc) is very flexible, and
since ufw is simply a frontend for iptables, anything that can be done with
iptables can be done within the ufw framework.

As an example, to perform port redirection, users can add to the top of
/etc/ufw/before.rules, before the '*filter' section:
*nat
:PREROUTING ACCEPT [0:0]
# redirect all incoming requests to tcp port 80 to tcp port 22
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 22
COMMIT

then run:
# ufw disable
# ufw enable
# ufw allow 80/tcp (required only if ufw blocks requests to this port)


To add NAT masquerading to the above, change the nat table that was just added
to something like:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 22
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT

then adjust /etc/default/ufw to have:
DEFAULT_FORWARD_POLICY="ACCEPT"

and /etc/ufw/sysctl.conf to have:
net.ipv4.ip_forward=1

then run:
# ufw disable
# ufw enable


It's important to remember that ufw will only flush the chains and tables it
manages, so if you need to flush the nat table to restart anew, please do:
# iptables -F -t nat

Similarly, to see what rules are in the nat table's chains, use:
# iptables -L -n -t nat

See 'man iptables' for details.

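The nat table edited above is neither shown by 'ufw status' nor flushed by ufw, so a before.rules edit is worth validating before 'ufw disable' and 'ufw enable' load it: a table without COMMIT or a second '*nat' section makes the whole file fail to restore. The helper below is an added example, not part of ufw; it inserts a nat fragment ahead of the '*filter' section, refusing duplicate or unterminated tables, and operates on a constructed minimal before.rules rather than the shipped file.

```python
# Constructed minimal before.rules; the shipped /etc/ufw/before.rules has more.
BEFORE_RULES = """\
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
COMMIT
"""

# The port-redirection nat fragment from the text, as a constructed string.
NAT_BLOCK = """\
*nat
:PREROUTING ACCEPT [0:0]
# redirect all incoming requests to tcp port 80 to tcp port 22
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 22
COMMIT
"""


def parse_tables(text):
    """Split iptables-restore text into {table: [lines]}; every '*table'
    header must be closed by COMMIT and no rule may sit outside a table."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if current is not None:
                raise ValueError("table %s has no COMMIT" % current)
            current = line[1:]
            tables[current] = []
        elif line == "COMMIT":
            if current is None:
                raise ValueError("COMMIT outside a table")
            current = None
        elif current is None:
            raise ValueError("rule outside a table: %s" % line)
        else:
            tables[current].append(line)
    if current is not None:
        raise ValueError("table %s has no COMMIT" % current)
    return tables


def add_nat_table(before_rules, nat_block):
    """Return before_rules with nat_block inserted ahead of '*filter'. Both
    inputs are validated first and a second nat table is refused, so re-running
    the edit cannot leave a duplicate or unterminated table behind."""
    if "nat" in parse_tables(before_rules):
        raise ValueError("before.rules already has a *nat table")
    if list(parse_tables(nat_block)) != ["nat"]:
        raise ValueError("fragment must define exactly one table, nat")
    lines = before_rules.splitlines()
    idx = next((i for i, l in enumerate(lines) if l.strip() == "*filter"), None)
    if idx is None:
        raise ValueError("no *filter section found in before.rules")
    inserted = nat_block.rstrip("\n").split("\n") + [""]
    return "\n".join(lines[:idx] + inserted + lines[idx:]) + "\n"
```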
Default ruleset
---------------
Enabling ufw creates a ruleset that is intended to protect the host while
allowing some common traffic such as DHCP, ping and mDNS. These defaults are
set up in the before*.rules and after*.rules files (see 'man iptables' for
terminology):
- Default DROP on INPUT
- Default DROP on FORWARD
- Default ACCEPT on OUTPUT
- ACCEPT all on lo
- DROP packets with RH0 headers
- ACCEPT all RELATED and ESTABLISHED on INPUT and OUTPUT
- DROP INVALID packets (packets not associated with a known connection)
- ACCEPT certain icmp packets:
  - destination-unreachable, source-quench, time-exceeded, parameter-problem,
    and echo-request for IPv4
  - neighbor-solicitation, neighbor-advertisement, router-solicitation,
    destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
    and echo-request
- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for
  IPv6) for service discovery
- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service
  discovery
- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses
- DROP non-local, broadcast and multicast traffic
- ACCEPT DHCP client traffic
- Silently DROP SMB/CIFS traffic
- Silently DROP DHCP traffic not associated with host's use of DHCP client
- Silently DROP BROADCAST (IPv4) traffic
- Log all blocked packets not matching the default policy with rate limiting

If you are using a packaged version of ufw supplied by your distribution, the
default ruleset may be different.


Remote Management
-----------------
On /lib/ufw/ufw-init start and 'ufw enable' the chains are flushed, so
ssh may drop. This is needed so ufw is in a consistent state. Once ufw is
'enabled' it will insert rules into the existing chains, and therefore not
flush the chains (but will when modifying a rule or changing the default
policy).

You can insert rules before enabling the firewall however, so it is often
a good idea to:
# ufw allow proto tcp from any to any port 22
# ufw enable

In this case, the chains are still flushed, but the ssh port will be open
after enabling the firewall.


IPV6
----
ufw has full support for IPv6, and it is enabled by default. To disable, modify
/etc/default/ufw (or wherever this is installed) to have:

IPV6=no

Then do:
# ufw disable
# ufw enable


Application Integration
-----------------------
ufw has support for application integration. This allows for administrators
and developers to put profiles in /etc/ufw/applications.d and have users use
these profiles in their rules. Profiles use the .INI syntax, and examples
can be found in the examples/ directory. See 'man ufw' for details.

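Since a profile dropped into /etc/ufw/applications.d becomes an allow rule the moment a user references it, a malformed or over-broad ports line is worth catching before it is shipped. The validator below is an added example, not ufw's own profile loader; it assumes the profile fields are title, description and ports, with ports items separated by '|' and an optional /tcp or /udp suffix (treat those field details as an assumption and check 'man ufw' for your version), and parses a constructed sample profile file.

```python
import configparser
import re

# Constructed sample of /etc/ufw/applications.d content (not a shipped profile).
SAMPLE_PROFILES = """\
[OpenSSH]
title=Secure shell server
description=OpenSSH server (constructed sample)
ports=22/tcp

[Samba]
title=LanManager-like file and printer server
description=Samba file sharing (constructed sample)
ports=137,138/udp|139,445/tcp
"""

# One ports item: port or low:high, comma-separated, optional /tcp or /udp.
# Assumed format; adjust if your ufw version documents something different.
PORT_ITEM = re.compile(r"^(\d+(?::\d+)?(?:,\d+(?::\d+)?)*)(?:/(tcp|udp))?$")


def parse_ports(spec):
    """Expand a 'ports' value into (ports, proto) tuples, one per '|' item,
    rejecting malformed items, out-of-range ports and protocol-less ranges."""
    rules = []
    for item in spec.split("|"):
        m = PORT_ITEM.match(item.strip())
        if not m:
            raise ValueError("bad ports item: %r" % item)
        ports, proto = m.group(1), m.group(2)
        for p in ports.split(","):
            lo, _, hi = p.partition(":")
            nums = [int(lo)] + ([int(hi)] if hi else [])
            if any(not 1 <= n <= 65535 for n in nums) or (hi and int(lo) > int(hi)):
                raise ValueError("port out of range: %r" % p)
            if hi and not proto:
                raise ValueError("port range needs a protocol: %r" % item)
        rules.append((ports, proto))
    return rules


def load_profiles(text):
    """Parse profile text; every section must carry title, description and
    a valid ports value. Returns {profile name: parsed ports}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        for key in ("title", "description", "ports"):
            if key not in cp[name]:
                raise ValueError("profile %s lacks %s" % (name, key))
        profiles[name] = parse_ports(cp[name]["ports"])
    return profiles


def ports_error(spec):
    """Validation message for a bad ports value, or None when it is acceptable."""
    try:
        parse_ports(spec)
    except ValueError as err:
        return str(err)
    return None
```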
Upgrading
---------
If upgrading from 0.17 or below to 0.18, new chains to support the 'limit'
command will be added automatically.


Distributions
-------------
While it is certainly ok to use /lib/ufw/ufw-init as the initscript for
ufw, this script is meant to be used by ufw itself, and is therefore not
particularly user friendly. See doc/initscript.example for a simple
implementation that can be adapted to your distribution.

Simple rules for rsyslog support can be found in doc/rsyslog.example.


Testing
-------
$ mkdir -p /tmp/ufw/usr /tmp/ufw/etc
$ python ./setup.py install --home=/tmp/ufw

Then edit /tmp/ufw/lib/python/ufw/backend.py to have (since it's installed in
/tmp):
self.do_checks = False

Now do:
$ /tmp/ufw/usr/sbin/ufw help

Here is a command to do it all at once:
$ rm -rf /tmp/ufw && mkdir -p /tmp/ufw/usr /tmp/ufw/etc && python ./setup.py install --home=/tmp/ufw && sed -i 's/self.do_checks = True/self.do_checks = False/' /tmp/ufw/lib/python/ufw/backend.py

Then test with:
$ PYTHONPATH=$PYTHONPATH:/tmp/ufw/lib/python /tmp/ufw/usr/sbin/ufw ...

$ sudo sh -c "PYTHONPATH=$PYTHONPATH:/tmp/ufw/lib/python /tmp/ufw/usr/sbin/ufw ..."

Can also just run from the source directory:
$ ./run_tests.sh -s

You may also specify an interpreter for the tests. Eg:
$ ./run_tests.sh -s -i /usr/local/bin/python2.7

Or for the root tests (these are iptables version dependent, will modify your
existing firewall and insert kernel modules, so they require root privileges
and aren't run by default):
# ./run_tests.sh -s root

Finally, ufw's behavior may differ based on available kernel features. The
root_kern tests assume all kernel features supported by check-requirements
are enabled. They behave just like the root tests.


Copyright 2008-2012 Canonical Ltd.