Re: ufw rules

Author: Dazed_75
Date:  
To: Main PLUG discussion list
Subject: Re: ufw rules
Thanks Lisa, having the commands to add and the rules to add is very
helpful. A couple of clarifications will help me as well.

sudo ufw deny from 192.168.0.1 to any port 22
## assuming 192.168.0.1 was my router/gateway, the above rule would
block any access from outside the LAN, yes?

sudo ufw deny from 192.168.0.7 to any port 22
## I believe you added this as just an example of blocking a single
address on the LAN

sudo ufw allow from 192.168.0.0/24 to any port 22
## Clear but I have always wondered if the 0/24 just means the first
24 bits must match and the last 8 can be anything?

Also:
1) If I normally plugged this machine into 192.168.1.x, 192.168.2.x and
198.162.3.x LANs would I just repeat the 3 rules with changed numbers? Or
is there an easier way?
2) Does UFW allow environment variable substitution in its rules? I
already set such variables as part of the PXE server portability.
3) Do both TCP and UDP need blocking/allow for ssh on port 22?


On Tue, Oct 16, 2012 at 4:27 PM, Lisa Kachold <> wrote:

> Hi Larry!
>
> On Tue, Oct 16, 2012 at 4:14 PM, Dazed_75 <> wrote:
>
>> Can anyone tell me how to make a ufw (uncomplicated firewall) rule to
>> allow incoming ssh but only from the LAN or even a specific LAN. Not sure
>> I need to specify an alternate port, but that would be good to know as well.
>
>
> UFW rule:
>
> *advanced allow example for allowing access from an ip address range
> 10.120.0.1 - 10.120.0.255 to port 22*
> sudo ufw allow from 10.0.0.0/24 to any port 22
>
> you want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but
> allow all other 192.168.0.x IPs to have access to port 22
>
> Code:
>
> sudo ufw deny from 192.168.0.1 to any port 22
> sudo ufw deny from 192.168.0.7 to any port 22
> sudo ufw allow from 192.168.0.0/24 to any port 22
>
> if you do the allow statement before either of the deny statements it will
> be matched first and the deny will not be evaluated.
>
> you can check this by checking ufw status
> Code:
>
> sudo ufw status
> To                         Action  From
> --                         ------  ----
> 22:tcp                     DENY    192.168.0.1
> 22:udp                     DENY    192.168.0.1
> 22:tcp                     DENY    192.168.0.7
> 22:udp                     DENY    192.168.0.7
> 22:tcp                     ALLOW   192.168.0.0/24
> 22:udp                     ALLOW   192.168.0.0/24
>
> the allow is at the bottom and will be the last command evaluated. If it
> appeared above the deny rules, the deny rules would not be evaluated.
>
> Reference: http://ubuntuforums.org/showthread.php?t=823741
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> it-clowns.com
> Chief Clown
--
Dazed_75 a.k.a. Larry

Please protect my address like I protect yours. When sending messages to
multiple recipients, always use the BCC: (Blind carbon copy) and not To: or
CC:. Remove all addresses from the message body before sending a Forwarded
message. This can prevent spy programs capturing addresses from the
recipient list and message body.
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
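The first-match behaviour Lisa describes (deny rules must come before the broader allow) and Larry's question about what a /24 matches can both be checked offline with a small simulator. This is an added example, not code from the thread or from ufw itself: it models ufw's ordered rule evaluation with Python's ipaddress module, assumes the default incoming policy is deny, and leaves protocol out because the rules in the thread were entered without one and the quoted status output shows both tcp and udp entries for each. The render_rules helper is a hypothetical convenience for the multiple-LAN question: it just repeats the same three rules per subnet.

```python
import ipaddress

# Constructed rule set mirroring the three commands from the thread, in order.
# Each tuple is (action, source network or host, destination port).
RULES = [
    ("deny",  "192.168.0.1",    22),
    ("deny",  "192.168.0.7",    22),
    ("allow", "192.168.0.0/24", 22),
]


def first_match(rules, src_ip, dst_port, default="deny"):
    """Return the action of the first rule that matches src_ip and dst_port.

    ufw, like the iptables chains underneath it, stops at the first matching
    rule, so rule order decides the outcome. If nothing matches, the default
    incoming policy applies (assumed here to be deny, ufw's shipped default).
    """
    src = ipaddress.ip_address(src_ip)
    for action, network, port in rules:
        if port != dst_port:
            continue
        # A bare host such as 192.168.0.1 is treated as a /32 network.
        if src in ipaddress.ip_network(network, strict=False):
            return action
    return default


def cidr_host_range(cidr):
    """Describe what a CIDR prefix covers: first address, last address, count.

    /24 means the first 24 bits are fixed and the remaining 8 bits may be
    anything, so 192.168.0.0/24 spans 192.168.0.0 through 192.168.0.255.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net.network_address), str(net.broadcast_address), net.num_addresses)


def render_rules(lans, blocked_hosts, port=22):
    """Render the thread's deny-then-allow pattern as ufw commands, once per LAN.

    Hypothetical helper: ufw has no variable substitution in rules, so the
    usual approach is to generate the repeated commands from a list like this.
    """
    cmds = []
    for host in blocked_hosts:
        cmds.append(f"sudo ufw deny from {host} to any port {port}")
    for lan in lans:
        cmds.append(f"sudo ufw allow from {lan} to any port {port}")
    return cmds


if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.0.7", "192.168.0.50", "10.0.0.5"):
        print(f"{ip:15} -> {first_match(RULES, ip, 22)}")
    # Same rules with the allow entered first: the denies are never reached.
    allow_first = RULES[2:] + RULES[:2]
    print("allow-first order, 192.168.0.7 ->", first_match(allow_first, "192.168.0.7", 22))
    print(cidr_host_range("192.168.0.0/24"))
    for cmd in render_rules(["192.168.1.0/24", "192.168.2.0/24"], ["192.168.1.1"]):
        print(cmd)
```

Running it shows 192.168.0.1 and 192.168.0.7 denied, 192.168.0.50 allowed, and an address outside the LAN denied by policy; swapping the allow rule to the front makes 192.168.0.7 allowed, which is exactly the ordering mistake the thread warns about.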