Uncomplicated Firewall
From KevinWiki
(Difference between revisions)
(New page: Category: Network == Installation == <pre> $ sudo apt-get install ufw </pre> <pre> Reading package lists... Done Building dependency tree Reading state information... Done The followin...) |
|||
| Line 2: | Line 2: | ||
== Installation == | == Installation == | ||
<pre> | <pre> | ||
| - | $ sudo apt-get install ufw | + | $ sudo apt-get install ufw |
</pre> | </pre> | ||
<pre> | <pre> | ||
| Line 42: | Line 42: | ||
===Check the status=== | ===Check the status=== | ||
<pre> | <pre> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: inactive | |
</pre> | </pre> | ||
| Line 49: | Line 49: | ||
===Start the firewall=== | ===Start the firewall=== | ||
<pre> | <pre> | ||
| - | $ sudo ufw enable | + | $ sudo ufw enable |
| - | Firewall | + | Command may disrupt existing ssh connections. Proceed with operation (y|n)? y |
| + | Firewall is active and enabled on system startup | ||
</pre> | </pre> | ||
-Check the status | -Check the status | ||
<pre> | <pre> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: active | |
</pre> | </pre> | ||
| Line 62: | Line 63: | ||
===Set default action to deny all the accesses=== | ===Set default action to deny all the accesses=== | ||
<pre> | <pre> | ||
| - | $ sudo ufw default deny | + | $ sudo ufw default deny |
Default policy changed to 'deny' | Default policy changed to 'deny' | ||
(be sure to update your rules accordingly) | (be sure to update your rules accordingly) | ||
| Line 70: | Line 71: | ||
===Allow access to port 22 from the specific IP through tcp protocol.=== | ===Allow access to port 22 from the specific IP through tcp protocol.=== | ||
<pre> | <pre> | ||
| - | $ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)> | + | $ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)> |
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 | + | $ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 |
Rule added | Rule added | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: active | |
To Action From | To Action From | ||
| Line 91: | Line 92: | ||
-Allow access to port 80 (web) from anywhere | -Allow access to port 80 (web) from anywhere | ||
<pre> | <pre> | ||
| - | $ sudo ufw allow 80/tcp | + | $ sudo ufw allow 80/tcp |
Rule added | Rule added | ||
</pre> | </pre> | ||
| Line 97: | Line 98: | ||
-Allow access to port 443 (ssl) from anywhere | -Allow access to port 443 (ssl) from anywhere | ||
<pre> | <pre> | ||
| - | $ sudo ufw allow 443/tcp | + | $ sudo ufw allow 443/tcp |
Rule added | Rule added | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: active | |
To Action From | To Action From | ||
| Line 116: | Line 117: | ||
-Allowing access to port 22 from your IP and allowing access to port 80 (web) and 443 (ssl) from anywhere. | -Allowing access to port 22 from your IP and allowing access to port 80 (web) and 443 (ssl) from anywhere. | ||
<pre> | <pre> | ||
| - | $ sudo ufw enable | + | $ sudo ufw enable |
Firewall started and enabled on system startup | Firewall started and enabled on system startup | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw default deny | + | $ sudo ufw default deny |
Default policy changed to 'deny' | Default policy changed to 'deny' | ||
(be sure to update your rules accordingly) | (be sure to update your rules accordingly) | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 | + | $ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 |
Rule added | Rule added | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw allow 80/tcp | + | $ sudo ufw allow 80/tcp |
Rule added | Rule added | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw allow 443/tcp | + | $ sudo ufw allow 443/tcp |
Rule added | Rule added | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: active | |
To Action From | To Action From | ||
| Line 153: | Line 154: | ||
-Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10 | -Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10 | ||
<pre> | <pre> | ||
| - | $ sudo ufw deny from 192.168.0.5 to any port 22 | + | $ sudo ufw deny from 192.168.0.5 to any port 22 |
| - | $ sudo ufw deny from 192.168.0.10 to any port 22 | + | $ sudo ufw deny from 192.168.0.10 to any port 22 |
| - | $ sudo ufw allow from 192.168.0.0/24 to any port 22 | + | $ sudo ufw allow from 192.168.0.0/24 to any port 22 |
</pre> | </pre> | ||
<pre> | <pre> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: active | |
To Action From | To Action From | ||
| Line 176: | Line 177: | ||
===Delete Rule=== | ===Delete Rule=== | ||
-To delete the rule <code>allow 8080/tcp</code> | -To delete the rule <code>allow 8080/tcp</code> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: active | |
To Action From | To Action From | ||
| Line 187: | Line 188: | ||
<pre> | <pre> | ||
| - | $ sudo ufw delete allow 8080/tcp | + | $ sudo ufw delete allow 8080/tcp |
</pre> | </pre> | ||
-Result | -Result | ||
<pre> | <pre> | ||
| - | $ sudo ufw status | + | $ sudo ufw status |
| - | + | Status: active | |
To Action From | To Action From | ||
Revision as of 11:42, 9 March 2010
Installation
$ sudo apt-get install ufw
Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: ucf The following NEW packages will be installed: ucf ufw 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 84.7kB of archives. After this operation, 463kB of additional disk space will be used. Do you want to continue [Y/n]? y Get:1 http://us.archive.ubuntu.com hardy/main ucf 3.005 [61.6kB] Get:2 http://us.archive.ubuntu.com hardy-updates/main ufw 0.16.2.3 [23.1kB] Fetched 84.7kB in 1s (77.8kB/s) Preconfiguring packages ... Selecting previously deselected package ucf. (Reading database ... 12638 files and directories currently installed.) Unpacking ucf (from .../apt/archives/ucf_3.005_all.deb) ... Moving old data out of the way Selecting previously deselected package ufw. Unpacking ufw (from .../archives/ufw_0.16.2.3_all.deb) ... Setting up ucf (3.005) ... Setting up ufw (0.16.2.3) ... Creating config file /etc/ufw/before.rules with new version Creating config file /etc/ufw/before6.rules with new version Creating config file /etc/ufw/after.rules with new version Creating config file /etc/ufw/after6.rules with new version
How to Use UFW
Check the status
$ sudo ufw status Status: inactive
Start the firewall
$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
-Check the status
$ sudo ufw status Status: active
Set default action to deny all the accesses
$ sudo ufw default deny Default policy changed to 'deny' (be sure to update your rules accordingly)
Allow access to port 22 from the specific IP through tcp protocol.
$ sudo ufw allow proto tcp from <your ip> to any port <ssh port (e.g. 22)>
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 Rule added
$ sudo ufw status Status: active To Action From -- ------ ---- 22:tcp ALLOW 192.168.0.1
Allow access for Web
-Allow access to port 80 (web) from anywhere
$ sudo ufw allow 80/tcp Rule added
-Allow access to port 443 (ssl) from anywhere
$ sudo ufw allow 443/tcp Rule added
$ sudo ufw status Status: active To Action From -- ------ ---- 80:tcp ALLOW Anywhere 443:tcp ALLOW Anywhere
Allow access to port 22 from the specific IP and web access from anywhere
-Allowing access to port 22 from your IP and allowing access to port 80 (web) and 443 (ssl) from anywhere.
$ sudo ufw enable Firewall started and enabled on system startup
$ sudo ufw default deny Default policy changed to 'deny' (be sure to update your rules accordingly)
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 22 Rule added
$ sudo ufw allow 80/tcp Rule added
$ sudo ufw allow 443/tcp Rule added
$ sudo ufw status Status: active To Action From -- ------ ---- 22:tcp ALLOW 192.168.0.1 80:tcp ALLOW Anywhere 443:tcp ALLOW Anywhere
Allow access to port 22 from a range of IP addresses except some
-Allowing access to port 22 from all IPs of 192.168.0.x except 192.168.0.5 and 192.168.0.10
$ sudo ufw deny from 192.168.0.5 to any port 22 $ sudo ufw deny from 192.168.0.10 to any port 22 $ sudo ufw allow from 192.168.0.0/24 to any port 22
$ sudo ufw status Status: active To Action From -- ------ ---- 22:tcp DENY 192.168.0.5 22:udp DENY 192.168.0.5 22:tcp DENY 192.168.0.10 22:udp DENY 192.168.0.10 22:tcp ALLOW 192.168.0.0/24 22:udp ALLOW 192.168.0.0/24
Delete Rule
-To delete the rule allow 8080/tcp
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22:tcp ALLOW 60.242.195.70
80:tcp ALLOW Anywhere
443:tcp ALLOW Anywhere
8080:tcp ALLOW Anywhere
$ sudo ufw delete allow 8080/tcp
-Result
$ sudo ufw status Status: active To Action From -- ------ ---- 22:tcp ALLOW 192.168.0.1 80:tcp ALLOW Anywhere 443:tcp ALLOW Anywhere
