§2024-09-30
UFW supports application profiles that make it easy to manage firewall rules for common services. These profiles are typically defined in /etc/ufw/applications.d/. Here's how you can create and use application profiles with UFW.
```
$ ls -al /etc/ufw/applications.d/
total 16
drwxr-xr-x 2 root root   59 Sep 27 15:36 .
drwxr-xr-x 3 root root 4096 Sep 27 14:16 ..
-rw-r--r-- 1 root root  374 May 31  2023 nginx
-rw-r--r-- 1 root root  145 Jun 26 21:11 openssh-server
-rw-r--r-- 1 root root  183 Feb 11  2021 turnserver
```
- /etc/ufw/applications.d/nginx

```ini
[Nginx HTTP]
title=Web Server (Nginx, HTTP)
description=Small, but very powerful and efficient web server
ports=80/tcp

[Nginx HTTPS]
title=Web Server (Nginx, HTTPS)
description=Small, but very powerful and efficient web server
ports=443/tcp

[Nginx Full]
title=Web Server (Nginx, HTTP + HTTPS)
description=Small, but very powerful and efficient web server
ports=80,443/tcp
```
- /etc/ufw/applications.d/openssh-server

```ini
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp
```
- /etc/ufw/applications.d/turnserver

```ini
[Turnserver]
title=Coturn Turnserver
description=Free open source implementation of TURN and STUN Server
ports=3478,3479,5349,5350,49152:65535/tcp|3478,3479,5349,5350,49152:65535/udp
```
- Breakdown of the Profile
  - `[Turnserver]`: the profile name, which is used when applying rules with UFW (e.g., `ufw allow Turnserver`).
  - `title=Coturn Turnserver`: a human-readable title for the application, making it easier to identify.
  - `description=Free open source implementation of TURN and STUN Server`: a brief description of the application, explaining its purpose.
  - `ports=3478,3479,5349,5350,49152:65535/tcp|3478,3479,5349,5350,49152:65535/udp`: the ports and protocols that the application uses:
    - TCP ports: 3478, 3479, 5349, 5350, and the range 49152:65535.
    - UDP ports: the same ports are listed for UDP.
    - The `|` symbol separates the TCP and UDP configurations.
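To see what a profile actually opens before running `ufw allow <profile>`, here is an added example (not part of the original note and not UFW's own code) that parses the `ports=` syntax described above and flags rules that open a wide range such as 49152:65535. It assumes the form shown on this page, where every `|`-separated group ends in `/tcp` or `/udp`; the profile text is a constructed copy of the turnserver file.

```python
import configparser
import io
from dataclasses import dataclass

# Constructed copy of /etc/ufw/applications.d/turnserver as shown above.
TURNSERVER_PROFILE = """\
[Turnserver]
title=Coturn Turnserver
description=Free open source implementation of TURN and STUN Server
ports=3478,3479,5349,5350,49152:65535/tcp|3478,3479,5349,5350,49152:65535/udp
"""


@dataclass(frozen=True)
class PortRule:
    proto: str
    low: int
    high: int

    def width(self) -> int:
        """Number of ports this rule opens (a single port has width 1)."""
        return self.high - self.low + 1


def parse_ports(spec: str) -> list[PortRule]:
    """Expand a 'ports=' value into PortRule entries.

    Groups are separated by '|'; each group is 'p1,p2,lo:hi/proto'.
    Assumption for this example: every group carries an explicit protocol.
    """
    rules: list[PortRule] = []
    for group in spec.split("|"):
        if "/" not in group:
            raise ValueError(f"missing protocol in {group!r}")
        plist, proto = group.rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        for item in plist.split(","):
            lo, _, hi = item.partition(":")  # 'lo:hi' is a range, else one port
            low, high = int(lo), int(hi or lo)
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"bad port item {item!r}")
            rules.append(PortRule(proto, low, high))
    return rules


def load_profiles(text: str) -> dict[str, list[PortRule]]:
    """Parse applications.d file content (INI) into {profile name: rules}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return {name: parse_ports(cp[name]["ports"]) for name in cp.sections()}


def wide_ranges(rules: list[PortRule], threshold: int = 1024) -> list[PortRule]:
    """Rules opening more than `threshold` ports; review these before enabling."""
    return [r for r in rules if r.width() > threshold]
```

Running `wide_ranges(load_profiles(TURNSERVER_PROFILE)["Turnserver"])` reports the two 49152:65535 relay ranges, which is the part of this profile worth confirming is intended on an exposed host.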
---
¶TURN and STUN Servers
- STUN (Session Traversal Utilities for NAT):
  - STUN is a protocol that helps clients discover their public IP address and the type of NAT (Network Address Translation) they are behind.
  - It allows a client to find out if it is behind a NAT and to communicate its public address to other peers.
  - This is useful for peer-to-peer applications like VoIP and video conferencing, where direct communication between clients is required.
- TURN (Traversal Using Relays around NAT):
  - TURN is an extension of STUN that provides a way to relay media traffic when direct peer-to-peer communication is not possible (e.g., due to strict NAT or firewall configurations).
  - TURN servers act as intermediaries, allowing data to flow between clients even when they cannot establish a direct connection.
  - This is particularly useful for scenarios where one or both clients are behind restrictive firewalls.
- Key Differences:
  - STUN is primarily for discovering public IPs and NAT types, enabling direct peer-to-peer connections when possible.
  - TURN relays data when direct connections can't be established, adding extra overhead but ensuring connectivity.
  - Both protocols are often used together in real-time communication applications.