§2024-09-30
- Introduction by DigitalOcean
UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to properly configure a firewall. If you’re looking to get started securing your network, and you’re not sure which tool to use, UFW may be the right choice for you.
This tutorial will show you how to set up a firewall with UFW on Ubuntu v18.04 and above.
- Test machine: mail.yushei.net, n2Odroid+, running Ubuntu Jammy, 22.04
¶Step 1 — Making Sure IPv6 is Enabled
$ sudo cp -v /etc/default/ufw /etc/default/ufw.backup
- /etc/default/ufw
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes <----
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"
# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no
#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf
# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""
¶Key Parameters
- DEFAULT_INPUT_POLICY: defines the default action for incoming connections.
  - DROP: any incoming connection not explicitly allowed by a rule is dropped.
  - ACCEPT: any incoming connection is accepted unless a rule blocks it.
  - SKIP: can indicate that the chain should skip to the next rule if no match is found. However, this is less commonly used in UFW configuration.
- DEFAULT_OUTPUT_POLICY: sets the default action for outgoing connections. Typically this is set to ACCEPT to allow all outbound traffic unless explicitly restricted.
- DEFAULT_FORWARD_POLICY: controls the handling of forwarded packets; generally set to DROP for security reasons unless you are specifically routing traffic.
¶Step 2 — Setting Up Default Policies
The policies defined in /etc/default/ufw are UFW's defaults and take effect when you enable UFW.
$ sudo ufw status verbose
[sudo] password for alexlai:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp DENY IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
25/tcp ALLOW IN Anywhere
587/tcp ALLOW IN Anywhere
993/tcp ALLOW IN Anywhere
995/tcp ALLOW IN Anywhere
4443 ALLOW IN Anywhere <-- 4443 both tcp/udp
43443/tcp ALLOW IN Anywhere
1765 ALLOW IN Anywhere
22 DENY IN Anywhere <-- rules below are IPv6
22/tcp (v6) DENY IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
25/tcp (v6) ALLOW IN Anywhere (v6)
587/tcp (v6) ALLOW IN Anywhere (v6)
993/tcp (v6) ALLOW IN Anywhere (v6)
995/tcp (v6) ALLOW IN Anywhere (v6)
4443 (v6) ALLOW IN Anywhere (v6)
43443/tcp (v6) ALLOW IN Anywhere (v6)
1765 (v6) ALLOW IN Anywhere (v6)
22 (v6) DENY IN Anywhere (v6)
- To override these defaults from the command line:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
- When UFW is enabled, it follows this general order:
  - Default configuration: it starts with the settings in /etc/default/ufw, which define the default policies (allow or deny) for incoming and outgoing traffic.
  - Application profiles: it then processes the application profiles found in /etc/ufw/applications.d/, which specify rules for particular applications.
  - User-defined rules: finally, it applies the user-defined rules added via the ufw command or defined in the /etc/ufw/ufw.conf and /etc/ufw/user.rules files.
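A small audit script for Step 1 and Step 2, added here as an example (not from the DigitalOcean tutorial or these notes): it reads /etc/default/ufw text for IPV6=yes and the DROP/ACCEPT/DROP defaults, checks the "Default:" line of ufw status verbose, and counts v4 versus v6 ALLOW IN rows, using constructed samples so it runs without root or ufw installed.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean tutorial or these notes: audit the
# two things Step 1 and Step 2 set up (IPV6=yes and deny-in/allow-out defaults)
# from captured text, so it runs without root or ufw installed.

# Constructed sample of /etc/default/ufw, reduced to the keys checked here.
SAMPLE_DEFAULTS='IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"'

# Constructed sample of "ufw status verbose", trimmed from the page's output.
SAMPLE_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
22/tcp                     DENY IN     Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                DENY IN     Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Print the value of key $1 from /etc/default/ufw text on stdin (quotes stripped).
ufw_default_key() {
    sed -n "s/^$1=\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}\$/\1/p"
}

# "ok" when IPv6 handling is on and the defaults match the baseline on this page
# (input DROP, output ACCEPT, forward DROP); otherwise "fail". $1 = file text.
check_defaults() {
    v6=$(printf '%s\n' "$1" | ufw_default_key IPV6)
    inp=$(printf '%s\n' "$1" | ufw_default_key DEFAULT_INPUT_POLICY)
    outp=$(printf '%s\n' "$1" | ufw_default_key DEFAULT_OUTPUT_POLICY)
    fwdp=$(printf '%s\n' "$1" | ufw_default_key DEFAULT_FORWARD_POLICY)
    if [ "$v6" = yes ] && [ "$inp" = DROP ] && [ "$outp" = ACCEPT ] && [ "$fwdp" = DROP ]
    then echo ok; else echo fail; fi
}

# "ok" when the live status line reports deny (incoming), allow (outgoing).
check_status_defaults() {
    if printf '%s\n' "$1" | grep -q '^Default: deny (incoming), allow (outgoing)'
    then echo ok; else echo fail; fi
}

# Count ALLOW IN rules in status text $1; $2 = v6 counts only the IPv6 rows.
# Zero v6 rows with IPV6=yes means the firewall was not disabled and re-enabled.
count_allow_in() {
    if [ "$2" = v6 ]; then printf '%s\n' "$1" | grep -c '(v6) *ALLOW IN'
    else printf '%s\n' "$1" | grep -v '(v6)' | grep -c 'ALLOW IN'; fi
}
```

On a real host, feed it `cat /etc/default/ufw` and `sudo ufw status verbose` instead of the samples.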