Re: ufw rules

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: ufw rules
Larry:

Good questions all:

On Tue, Oct 16, 2012 at 5:18 PM, Dazed_75 <> wrote:

> Thanks Lisa, having the commands to add and the rules to add is very
> helpful. A couple of clarifications will help me as well.
>
>
> sudo ufw deny from 192.168.0.1 to any port 22
> ## assuming 192.168.0.1 was my router/gateway, the above rule would block any access for outside the LAN, yes?
>
Yes, if it's on the same subnet as all the other systems and you further
down add an allow statement it won't matter. But you should know that your
router is not rewriting your packets (as in Layer 3 bridging) so the only
thing it will block are people ssh-ing over from the device itself (dd-wrt
for example).

NOTE, in all firewall rules you have a choice to disallow all and then
allow selectively (or the reverse), so you should do a ufw status to see
what you currently have.

Keep in mind the order of your rules is critical. As such I like to block
first, accept second. So for example let us assume we wish to block a
misbehaving client on our LAN, 192.168.0.20:

sudo ufw insert 1 deny from 192.168.0.20


So to disallow for the world you would preface:

sudo ufw deny from 0.0.0.0/0 to any port 22

Also do you have forwarding on with this linux box? A linux box can be
setup to forward or act as a bridge or gateway to other systems. I am
assuming you are not!



>
>
> sudo ufw deny from 192.168.0.7 to any port 22
> ## I believe you added this as just an example of blocking a single address on the LAN
>
>
> sudo ufw allow from 192.168.0.0/24 to any port 22
> ## Clear but I have always wondered if the 0/24 just means the first 24 bits must match and the last 8 can be anything?
>
> Also:
> 1) If I normally plugged this machine into192.168.1.x, 192.168.2.x and
> 198.162.3.x LANs would I just repeat the 3 rules with changed numbers? Or
> is there an easier way?
>


Correct!

I personally like all my subnets to be "real" that way I can see rogue
addresses, etc.

sudo ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.10 port 22

You can also allow the whole class B

sudo ufw allow from 192.168.0.0/16 to any port 22

Make sure you add some portknocker stuff if you leave open port 22
(forwarded) from your router!

ufw supports native connection limits:

sudo ufw limit ssh

Here's an example ruleset (migrated from iptables):

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
:SSH_DEFAULT - [0:0]
:SSH_CUSTOM - [0:0]
:SSH_FRIEND - [0:0]
# End Additional chains

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST, be sure the MULTICAST line above is uncommented
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT

### Begin Additional Rules ###

# Script kiddie check
#-A ufw-before-input -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
#-A SSH_CHECK -m recent --set --name SSH
#-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

## Drop Default SSH port access With Logging
-A ufw-before-input -p tcp --dport 22 -m state --state NEW -j SSH_DEFAULT
-A SSH_DEFAULT -m recent --set --name SSH -j LOG --log-prefix "SSH_default_port"
-A SSH_DEFAULT -m recent --set --name SSH -j DROP

## Custom SSH port: hand the allowed source to SSH_FRIEND before the
## logging DROP (a jump placed after the DROP is never reached), then
## drop everyone else With Logging. 118118 is not a valid port number
## (the maximum is 65535); substitute your real custom port here.
-A ufw-before-input -p tcp --dport 118118 -m state --state NEW -j SSH_CUSTOM
-A SSH_CUSTOM -s my.friends.url.net -j SSH_FRIEND
-A SSH_CUSTOM -m recent --set --name SSH -j LOG --log-prefix "SSH_friend_port"
-A SSH_CUSTOM -m recent --set --name SSH -j DROP

## Allow Custom SSH port from allowed URL with brute force logging.
## The hitcount checks come first: ACCEPT ends chain traversal, so
## rules placed after it would never fire.
-A SSH_FRIEND -m recent --update --seconds 60 --hitcount 4 --name SSH -j LOG --log-prefix "SSH_friend_port_brute_force"
-A SSH_FRIEND -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A SSH_FRIEND -m recent --set --name SSH -j ACCEPT

### End Additional Rules ###

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT




> 2) Does UFW allow environment variable substitution in its rules? I
> already set such variables as part of the PXE server portability.
>


You can specify custom applications; use Applications; set custom variables
and more:

From: http://blog.bodhizazen.net/linux/firewall-ubuntu-servers/

As an example, /etc/ufw/applications.d/apache2.2-common contains

[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp


> 3) Do both TCP and UDP need blocking.allow for ssh on port 22?
>

Yes, ssh is both UDP/TCP, the best way to easily invoke is via protocol

ufw allow ssh

Reference: https://help.ubuntu.com/community/UFW

>



> On Tue, Oct 16, 2012 at 4:27 PM, Lisa Kachold <>wrote:
>
>> Hi Larry!
>>
>> On Tue, Oct 16, 2012 at 4:14 PM, Dazed_75 <> wrote:
>>
>>> Can anyone tell me how to make a ufw (uncomplicated firewall) rule to
>>> allow incoming ssh but only from the LAN or even a specific LAN. Not sure
>>> I need to specify an alternate port, but that would be good to know as well.
>>
>>
>> UFW rule:
>>
>> *advanced allow example for allowing access from an ip address range
>> 10.120.0.1 - 10.120.0.255 to port 22*
>> sudo ufw allow from 10.120.0.0/24 to any port 22
>>
>> you want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but
>> allow all other 192.168.0.x IPs to have access to port 22
>>
>> Code:
>>
>> sudo ufw deny from 192.168.0.1 to any port 22
>> sudo ufw deny from 192.168.0.7 to any port 22
>> sudo ufw allow from 192.168.0.0/24 to any port 22
>>
>> if you do the allow statement before either of the deny statements it
>> will be matched first and the deny will not be evaluated.
>>
>> you can check this by checking ufw status
>> Code:
>>
>> sudo ufw status
>> To                         Action  From
>> --                         ------  ----
>> 22:tcp                     DENY    192.168.0.1
>> 22:udp                     DENY    192.168.0.1
>> 22:tcp                     DENY    192.168.0.7
>> 22:udp                     DENY    192.168.0.7
>> 22:tcp                     ALLOW   192.168.0.0/24
>> 22:udp                     ALLOW   192.168.0.0/24

>>
>> the allow is at the bottom and will be the last command evaluated if it
>> appeared above the deny rules the deny rules would not be evaluated.
>>
>> Reference: http://ubuntuforums.org/showthread.php?t=823741
>>
>>>
>>> Dazed_75 a.k.a. Larry
>>>
>>> Please protect my address like I protect yours. When sending messages to
>>> multiple recipients, always use the BCC: (Blind carbon copy) and not To: or
>>> CC:. Remove all addresses from the message body before sending a Forwarded
>>> message. This can prevent spy programs capturing addresses from the
>>> recipient list and message body.
>>>




--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com
Chief Clown
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
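As an added example (not part of the list thread), here is a small Python simulation of ufw's first-match evaluation for the three SSH rules discussed above, showing why the denies must come before the /24 allow, what `insert 1` does, and what the /24 and /16 suffixes match. The rule tuples are a constructed stand-in for ufw's syntax; on a real box the iptables back end does the matching.

```python
"""Added example, not from the list thread: a small simulation of ufw's
first-match rule evaluation for the three SSH rules discussed above.
The rule tuples are a constructed stand-in for ufw's syntax; on a real
box the iptables back end does the matching, not this code."""
import ipaddress

# Rules in the order they were added; ufw evaluates them top to bottom.
RULES_DENY_FIRST = [
    ("deny", "192.168.0.1/32", 22),    # sudo ufw deny from 192.168.0.1 to any port 22
    ("deny", "192.168.0.7/32", 22),    # sudo ufw deny from 192.168.0.7 to any port 22
    ("allow", "192.168.0.0/24", 22),   # sudo ufw allow from 192.168.0.0/24 to any port 22
]
# The same rules with the allow added first: the two denies become unreachable.
RULES_ALLOW_FIRST = [RULES_DENY_FIRST[2], RULES_DENY_FIRST[0], RULES_DENY_FIRST[1]]

def evaluate(rules, src_ip, dst_port, default="deny"):
    """Return the action of the first rule matching (src_ip, dst_port), or the
    default incoming policy when no rule matches. A port of None means any port."""
    src = ipaddress.ip_address(src_ip)
    for action, network, port in rules:
        if (port is None or port == dst_port) and src in ipaddress.ip_network(network):
            return action
    return default

def insert_rule(rules, position, rule):
    """Mirror 'sudo ufw insert N ...': place a rule at 1-based position N."""
    return rules[:position - 1] + [rule] + rules[position - 1:]

def prefix_explained(network):
    """For a CIDR network return (fixed bits, free bits, address count):
    /24 pins the first 24 bits and leaves 8 free, i.e. 256 addresses."""
    net = ipaddress.ip_network(network)
    free_bits = net.max_prefixlen - net.prefixlen
    return net.prefixlen, free_bits, net.num_addresses

if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.0.20", "192.168.3.4"):
        print(ip, "deny-first:", evaluate(RULES_DENY_FIRST, ip, 22),
              "allow-first:", evaluate(RULES_ALLOW_FIRST, ip, 22))
    # Blocking a misbehaving LAN client on every port by inserting a deny at the top.
    blocked = insert_rule(RULES_DENY_FIRST, 1, ("deny", "192.168.0.20/32", None))
    print("after insert 1:", evaluate(blocked, "192.168.0.20", 22))
    print("/24 ->", prefix_explained("192.168.0.0/24"),
          "/16 ->", prefix_explained("192.168.0.0/16"))
```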