1
.TH "UFW FRAMEWORK" "8" "" "October 2011" "October 2011"
4
ufw\-framework \- using the ufw framework
7
\fBufw\fR provides both a command line interface and a framework for managing a
8
netfilter firewall. While the \fBufw\fR command provides an easy to use
9
interface for managing a firewall, the \fBufw\fR framework provides the
10
administrator methods to customize default behavior and add rules not
11
supported by the command line tool. In this way, \fBufw\fR can take full
12
advantage of Linux netfilter's power and flexibility.
16
The framework provides boot time initialization, rules files for adding custom
17
rules, a method for loading netfilter modules, configuration of kernel
18
parameters and configuration of IPv6. The framework consists of the following
21
#STATE_PREFIX#/ufw\-init
24
#CONFIG_PREFIX#/ufw/before.init
25
initialization customization script run before ufw is initialized
27
#CONFIG_PREFIX#/ufw/after.init
28
initialization customization script run after ufw is initialized
30
#CONFIG_PREFIX#/ufw/before[6].rules
31
rules file containing rules evaluated before UI added rules
33
#STATE_PREFIX#/user[6].rules
34
rules file containing UI added rules (managed with the \fBufw\fR command)
36
#CONFIG_PREFIX#/ufw/after[6].rules
37
rules file containing rules evaluated after UI added rules
39
#CONFIG_PREFIX#/default/ufw
40
high level configuration
42
#CONFIG_PREFIX#/ufw/sysctl.conf
43
kernel network tunables
45
#CONFIG_PREFIX#/ufw/ufw.conf
46
additional high level configuration
48
.SH "BOOT INITIALIZATION"
50
\fBufw\fR is started on boot with #STATE_PREFIX#/ufw\-init. This script is a
51
standard SysV style initscript used by the \fBufw\fR command and should not be
52
modified. The #CONFIG_PREFIX#/before.init and #CONFIG_PREFIX#/after.init
53
scripts may be used to perform any additional firewall configuration that is
54
not yet supported in ufw itself and if they exist and are executable, ufw\-init
55
will execute these scripts. ufw\-init supports the following arguments:
70
basic status of the firewall
73
same as stop, except does not check if the firewall is already loaded
76
flushes the built\-in chains, deletes all non\-built\-in chains and resets the
79
ufw\-init will call before.init and after.init with start, stop, status and
80
flush\-all, but typically, if used, these scripts need only implement start and
83
\fBufw\fR uses many user\-defined chains in addition to the built\-in iptables
84
chains. If MANAGE_BUILTINS in #CONFIG_PREFIX#/default/ufw is set to 'yes', on
85
stop and reload the built\-in chains are flushed. If it is set to 'no', on stop
86
and reload the \fBufw\fR secondary chains are removed and the \fBufw\fR primary
87
chains are flushed. In addition to flushing the \fBufw\fR specific chains, it
88
keeps the primary chains in the same order with respect to any other
89
user\-defined chains that may have been added. This allows for \fBufw\fR to
90
interoperate with other software that may manage their own firewall rules.
92
To ensure your firewall is loading on boot, you must integrate this script
93
into the boot process. Consult your distribution's documentation for the proper
94
way to modify your boot process if \fBufw\fR is not already integrated.
98
\fBufw\fR is in part a front\-end for \fBiptables\-restore\fR, with its rules
99
saved in #CONFIG_PREFIX#/ufw/before.rules, #CONFIG_PREFIX#/ufw/after.rules and
100
#STATE_PREFIX#/user.rules. Administrators can customize \fBbefore.rules\fR and
101
\fBafter.rules\fR as desired using the standard \fBiptables\-restore\fR syntax.
102
Rules are evaluated as follows: \fBbefore.rules\fR first, \fBuser.rules\fR
103
next, and \fBafter.rules\fR last. IPv6 rules are evaluated in the same way,
104
with the rules files named \fBbefore6.rules\fR, \fBuser6.rules\fR and
105
\fBafter6.rules\fR. Please note that \fBufw status\fR only shows rules added
106
with \fBufw\fR and not the rules found in the #CONFIG_PREFIX#/ufw rules files.
108
\fBImportant\fR: \fBufw\fR only uses the *filter table by default. You
109
may add any other tables such as *nat, *raw and *mangle as desired. For each
110
table a corresponding COMMIT statement is required.
112
After modifying any of these files, you must reload \fBufw\fR for the rules to
113
take effect. See the EXAMPLES section for common uses of these rules files.
117
Netfilter has many different connection tracking modules. These modules are
118
aware of the underlying protocol and allow the administrator to simplify his or
119
her rule sets. You can adjust which netfilter modules to load by adjusting
120
IPT_MODULES in #CONFIG_PREFIX#/default/ufw. Some popular modules to load are:
126
nf_conntrack_netbios_ns
131
.SH "KERNEL PARAMETERS"
133
\fBufw\fR will read in #CONFIG_PREFIX#/ufw/sysctl.conf on boot when enabled.
134
Please note that #CONFIG_PREFIX#/ufw/sysctl.conf overrides values in the
135
system systcl.conf (usually #CONFIG_PREFIX#/sysctl.conf). Administrators can
136
change the file used by modifying #CONFIG_PREFIX#/default/ufw.
140
IPv6 is enabled by default. When disabled, all incoming, outgoing and forwarded
141
packets are dropped, with the exception of traffic on the loopback interface.
142
To adjust this behavior, set IPV6 to 'yes' in #CONFIG_PREFIX#/default/ufw. See
143
the \fBufw\fR manual page for details.
147
As mentioned, \fBufw\fR loads its rules files into the kernel by using the
148
\fBiptables\-restore\fR and \fBip6tables\-restore\fR commands. Users wanting
149
to add rules to the \fBufw\fR rules files manually must be familiar with
150
these as well as the \fBiptables\fR and \fBip6tables\fR commands. Below are
151
some common examples of using the \fBufw\fR rules files. All examples assume
152
IPv4 only and that DEFAULT_FORWARD_POLICY in #CONFIG_PREFIX#/default/ufw is
157
To allow IP masquerading for computers from the 10.0.0.0/8 network on eth1 to
158
share the single IP address on eth0:
160
Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have:
161
net.ipv4.ip_forward=1
163
Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section:
165
:POSTROUTING ACCEPT [0:0]
166
\-A POSTROUTING \-s 10.0.0.0/8 \-o eth0 \-j MASQUERADE
169
If your firewall is using IPv6 tunnels or 6to4 and is also doing NAT, then you should not usually masquerade protocol '41' (ipv6) packets. For example, instead of the above, #CONFIG_PREFIX#/ufw/before.rules can be adjusted to have:
171
:POSTROUTING ACCEPT [0:0]
172
\-A POSTROUTING \-s 10.0.0.0/8 \-\-protocol ! 41 \-o eth0 \-j MASQUERADE
175
Add the \fBufw route\fR to allow the traffic:
176
ufw route allow in on eth1 out on eth0 from 10.0.0.0/8
180
To forward tcp port 80 on eth0 to go to the webserver at 10.0.0.2:
182
Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have:
183
net.ipv4.ip_forward=1
185
Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section:
187
:PREROUTING ACCEPT [0:0]
188
\-A PREROUTING \-p tcp \-i eth0 \-\-dport 80 \-j DNAT \\
189
\-\-to\-destination 10.0.0.2:80
192
Add the \fBufw route\fR rule to allow the traffic:
193
ufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp
198
To block RFC1918 addresses going out of eth0:
200
Add the \fBufw route\fR rules to reject the traffic:
201
ufw route reject out on eth0 to 10.0.0.0/8
202
ufw route reject out on eth0 to 172.16.0.0/12
203
ufw route reject out on eth0 to 192.168.0.0/16
208
This example combines the other examples and demonstrates a simple routing
209
firewall. \fBWarning\fR: this setup is only an example to demonstrate
210
the functionality of the \fBufw\fR framework in a concise and simple manner
211
and should not be used in production without understanding what each part
212
does and does not do. Your firewall will undoubtedly want to be less open.
214
This router/firewall has two interfaces: eth0 (Internet facing) and eth1
215
(internal LAN). Internal clients have addresses on the 10.0.0.0/8 network
216
and should be able to connect to anywhere on the Internet. Connections
217
to port 80 from the Internet should be forwarded to 10.0.0.2. Access to
218
ssh port 22 from the administrative workstation (10.0.0.100) to this machine
219
should be allowed. Also make sure no internal traffic goes to the Internet.
221
Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have:
222
net.ipv4.ip_forward=1
224
Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section:
226
:PREROUTING ACCEPT [0:0]
227
:POSTROUTING ACCEPT [0:0]
228
\-A PREROUTING \-p tcp \-i eth0 \-\-dport 80 \-j DNAT \\
229
\-\-to\-destination 10.0.0.2:80
230
\-A POSTROUTING \-s 10.0.0.0/8 \-o eth0 \-j MASQUERADE
233
Add the necessary \fBufw\fR rules:
234
ufw route reject out on eth0 to 10.0.0.0/8
235
ufw route reject out on eth0 to 172.16.0.0/12
236
ufw route reject out on eth0 to 192.168.0.0/16
237
ufw route allow in on eth1 out on eth0 from 10.0.0.0/8
238
ufw route allow in on eth0 to 10.0.0.2 port 80 proto tcp
239
ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp
243
\fBufw\fR(8), \fBiptables\fR(8), \fBip6tables\fR(8), \fBiptables\-restore\fR(8), \fBip6tables\-restore\fR(8), \fBsysctl\fR(8), \fBsysctl.conf\fR(5)
247
ufw is Copyright 2008-2014, Canonical Ltd.
250
ufw and this manual page was originally written by Jamie Strandboge <jamie@canonical\&.com>