
#1 2011-07-16 17:27:54

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

simple ruleset for ufw - advanced users welcomed to read and review

Since tcp_wrappers is now flushed, I think it's time to add a firewall :)

I have a very simplistic setup here and want to make sure I'm understanding this application. My goal:

1) Allow incoming "LAN" traffic (all ports/protocols from machines in my subnet).  This will encompass services such as CIFS, Samba, Printing, distcc, etc. etc.
2) Allow incoming bittorrent traffic from the entire Internet via the [Deluge] preset
3) Allow incoming ssh connections from the entire Internet AND allow port forwarding therein.  I access my machine via tunneling through ssh.

# ufw default deny
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

# ufw allow from 192.168.0.0/24
Rules updated

# ufw allow Deluge
Rules updated

# ufw allow SSH
Rules updated

Is this it?  Do I need to worry about localhost or 127.0.0.1 to facilitate the port forwarding?  For example, vnc only accepts connections from 127.0.0.1 since again, I tunnel into it from outside the LAN.  I do the same from my lighttpd.

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.0.0/24
Deluge                     ALLOW       Anywhere
SSH                        ALLOW       Anywhere

Last edited by graysky (2011-07-16 18:26:14)


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#2 2011-07-16 22:29:11

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: simple ruleset for ufw - advanced users welcomed to read and review

Any reason not to go full on with iptables? It isn't that hard to use and the wiki already has a good example of a starting point [1] and I'd say that it might be easier to get help for tricky problems if you are using iptables.

[1] https://wiki.archlinux.org/index.php/Si … l_Firewall


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#3 2011-07-16 23:34:05

T13one
Member
Registered: 2011-04-08
Posts: 4

Re: simple ruleset for ufw - advanced users welcomed to read and review

Graysky: it looks like we both did something similar today. I tested port forwarding, and it didn't appear that I needed to add any extra rules other than SSH.

R00KIE wrote:

Any reason not to go full on with iptables? It isn't that hard to use and the wiki already has a good example of a starting point [1] and I'd say that it might be easier to get help for tricky problems if you are using iptables.

[1] https://wiki.archlinux.org/index.php/Si … l_Firewall

For simple desktop or laptop configurations, setting up iptables by hand is a little ridiculous. But yes, if you have some sort of tricky problem or complicated setup, you should probably go with something a little more advanced than ufw.

BTW, I noticed a neat graphical tool for ufw in the AUR today: kcm-ufw.
It integrates with KDE's systemsettings very nicely, and has more options than gufw from [community].


#4 2011-07-17 00:34:49

Meyithi
Member
From: Wirral, UK
Registered: 2009-06-21
Posts: 550

Re: simple ruleset for ufw - advanced users welcomed to read and review

Seems that ufw is the way for me to go as well.

Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.1.0/24
Transmission               ALLOW       Anywhere
SSH                        ALLOW       Anywhere
Samba                      ALLOW       Anywhere

Had to change a few ports around in the /etc/ufw/applications.d/ files but that's it, took all of 5 minutes.

EDIT: actually only use Samba on LAN

Meyithi-NB meyithi ~
$ sudo ufw allow from 192.168.1.0/24 to any app Samba
Rule added

Meyithi-NB meyithi ~
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.1.0/24
Transmission               ALLOW       Anywhere
SSH                        ALLOW       Anywhere
Samba                      ALLOW       192.168.1.0/24

Last edited by Meyithi (2011-07-17 00:47:27)


The mind roams more freely in empty rooms.
dwm - colours - ncmpcpp - system
irc://irc.freenode.net:meyithi


#5 2011-07-17 00:48:10

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: simple ruleset for ufw - advanced users welcomed to read and review

@mey - I'd be careful about modding files that the pkg installs... I believe that future updates could overwrite your files, no?  ...or would the new ones get installed as *.pacnew.

Hmm... probably the latter.


#6 2011-07-17 00:51:30

Meyithi
Member
From: Wirral, UK
Registered: 2009-06-21
Posts: 550

Re: simple ruleset for ufw - advanced users welcomed to read and review

Doh, allowing LAN traffic obviously allows Samba, so I can remove that rule I think.

Actually sod it, I'd rather remove the Anywhere rule.

Ended up with

Meyithi-NB meyithi ~
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Transmission               ALLOW       Anywhere
SSH                        ALLOW       Anywhere
Samba                      ALLOW       192.168.1.0/24

@graysky - I hope so yeah, my ports are all different so not sure where else I could do it from.

Last edited by Meyithi (2011-07-17 00:56:43)



#7 2011-07-17 01:01:50

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: simple ruleset for ufw - advanced users welcomed to read and review

In any file under /etc/ufw/applications.d/, although you'd have to give it a non-standard identifier since the standard one already exists in the PKG files... after looking at the PKGBUILD for ufw I don't believe that any file that the PKG installed will be spared from being overwritten.  I believe only files in the backups array are spared.

Last edited by graysky (2011-07-17 01:28:49)


#8 2011-07-17 08:10:16

Larsson
Member
From: Sweden
Registered: 2010-03-22
Posts: 156

Re: simple ruleset for ufw - advanced users welcomed to read and review

Does one need to add both iptables and ufw to the daemons array in /etc/rc.conf?


"If the person you are talking to doesn't appear to be listening, be patient. It may simply be that he has a small piece of fluff in his ear." - A.A. Milne (Winnie-the-Pooh)


#9 2011-07-17 09:55:02

Meyithi
Member
From: Wirral, UK
Registered: 2009-06-21
Posts: 550

Re: simple ruleset for ufw - advanced users welcomed to read and review

graysky wrote:

In any file under /etc/ufw/applications.d/, although you'd have to give it a non-standard identifier since the standard one already exists in the PKG files... after looking at the PKGBUILD for ufw I don't believe that any file that the PKG installed will be spared from being overwritten.  I believe only files in the backups array are spared.

Yup, this was spot on.  I've created a ufw-custom file and just appended My to the front of each identifier, MySamba, MySSH etc.

[MySamba]
title=Windows file and printer server for Unix
description=Tools to access a server's filespace and printers via SMB
ports=111,111/udp|111,111/tcp

[MySSH]
title=SSH server
description=SSH server
ports=11111/tcp

[MyTransmission]
title=Transmission
description=Transmission BitTorrent client
ports=11111/tcp

Ports changed, of course :)

Larsson wrote:

Does one need to add both iptables and ufw to the daemons array in /etc/rc.conf?

Just ufw, make sure you

#ufw enable

before you do though.

Last edited by Meyithi (2011-07-17 10:08:36)

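A small parser and validator for the applications.d profile format shown in the post above, added here as an example (it is not ufw's own code and is not from the thread). It checks the `ports=` grammar (comma lists, low:high ranges, /tcp or /udp suffix, `|`-separated groups), enforces the same "multiple ports or ranges need a protocol" rule the ufw command line applies (assumed to hold for profiles as well), and rejects a profile name that already exists in the package-shipped files, which is the reason for the `My` prefix. The sample profile text is the MySamba entry from the post, embedded as constructed input.

```python
"""Parse and validate ufw application profiles (/etc/ufw/applications.d format)."""
import configparser
import re

# Constructed sample: the custom Samba profile from the post above.
SAMPLE_PROFILES = """\
[MySamba]
title=Windows file and printer server for Unix
description=Tools to access a server's filespace and printers via SMB
ports=111,111/udp|111,111/tcp
"""
_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # "22" or "6881:6891"

def parse_ports(spec):
    """'ports=' grammar: items split by '|', each a comma list of ports or low:high
    ranges with optional /tcp or /udp. Returns [(low, high, proto)] or raises."""
    out = []
    for item in spec.split("|"):
        ports, _, proto = item.strip().partition("/")
        proto = proto or "any"
        if proto not in ("tcp", "udp", "any"):
            raise ValueError("unknown protocol in %r" % item)
        plist = ports.split(",")
        for p in plist:
            m = _PORT_RE.match(p)
            if not m:
                raise ValueError("bad port %r" % p)
            low, high = int(m.group(1)), int(m.group(2) or m.group(1))
            if not 1 <= low <= high <= 65535:
                raise ValueError("port out of range: %r" % p)
            # ufw's CLI rejects multiple ports or a range with no protocol; assumed for profiles too.
            if proto == "any" and (len(plist) > 1 or high > low):
                raise ValueError("need /tcp or /udp for %r" % item)
            out.append((low, high, proto))
    return out

def load_profiles(text, existing=()):
    """INI text -> {name: {title, description, ports}}; a name already shipped by
    the package (existing) is rejected, which is why the post prefixes 'My'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        sec = cp[name]
        if name in existing or any(k not in sec for k in ("title", "description", "ports")):
            raise ValueError("profile %s clashes with an installed one or is incomplete" % name)
        profiles[name] = {"title": sec["title"], "description": sec["description"],
                          "ports": parse_ports(sec["ports"])}
    return profiles
```

Run it over your own ufw-custom file before `ufw app update` so a malformed port line or a duplicate profile name is caught in Python rather than at rule-load time.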

#10 2011-07-17 12:13:12

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: simple ruleset for ufw - advanced users welcomed to read and review

I updated the ufw section on the wiki.

