====== UFW - Uncomplicated Firewall ======

Setup of UFW on Precise Pangolin LTS 12.04 (Ubuntu)

===== Steps =====

The steps below will make the firewall active, but almost non-existent. This is a better way to start in my opinion, especially for a soft firewall. My router takes care of the hard firewall and only ports that need to be open are open, so it begs the question of why set up another filter here. So (at least for me) the sole purpose of this firewall is to block specific (also read dynamic) incoming (or maybe even outgoing) traffic. If I notice a particular IP is attempting to break in, then I will add a rule, and so on. Also I like the LIMIT feature that ufw has.

==== Basic setup ====

Set up the basic firewall - net result zero effect:

<code bash>
ufw status
ufw default allow incoming
ufw default allow outgoing
ufw enable
ufw status
</code>

==== Setup for Nginx server active as reverse proxy ====

NOTE: THIS HAS NOT BEEN TESTED!

When setting up an Nginx server as a reverse proxy, you want incoming connections, but want to limit outgoing ones. Reasoning: incoming connections are already limited to ports 80 and 443 by the incoming firewall or router. If someone gains access to the shell (hopefully not a root shell, because then all UFW bets are off), then we want to limit access to all other servers on the network except the ones that are required.

<code bash>
# Turn on logging
ufw logging on

# Allow ALL incoming - depend on the network to only allow 80, 443.
# If the network itself is hacked you have bigger problems!
ufw default allow incoming

# Deny ALL outgoing - you want to limit outgoing to just what is required
ufw default deny outgoing

# Allow server to access DNS servers
ufw allow out to 192.168.1.1 port 53
ufw allow out to 192.168.1.39 port 53
ufw allow out to 192.168.1.40 port 53

# Allow server to access web/application servers
ufw allow out to 192.168.1.18 port 80
ufw allow out to 192.168.1.19 port 80

# Enable and check status
ufw enable
ufw status verbose
</code>

To check what servers and outgoing ports are in use, use this command:

<code bash>
# -H keeps the "filename:" prefix even when the glob matches a single file,
# so the proxy_pass target is always the third field for awk
grep -H proxy_pass /etc/nginx/sites-enabled/* | awk '{print $3}' | sort | uniq
</code>

==== Basic setup - command and typical responses ====

Same as above:

<code>
[root@someserver]:/etc/ufw[2]# ufw status
Status: inactive
[root@someserver]:/etc/ufw[2]# ufw default allow incoming
Default incoming policy changed to 'allow'
(be sure to update your rules accordingly)
[root@someserver]:/etc/ufw[2]# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
[root@someserver]:/etc/ufw[2]# ufw enable
Firewall is active and enabled on system startup
[root@someserver]:/etc/ufw[2]# ufw status
Status: active
</code>

==== Deny a single IP ====

=== For all ports and protocols ===

Below shows how to set up a rule to deny a single IP, and then how to delete the rule as well.

<code>
[root@someserver]:~[1]# ufw deny from 192.168.1.101
Rule added
[root@someserver]:~[1]# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        192.168.1.101

[10:00:12 PM][root@someserver]:~[1]# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     192.168.1.101

[root@someserver]:~[1]# ufw delete 1
Deleting:
 deny from 192.168.1.101
Proceed with operation (y|n)? y
Rule deleted
</code>

=== To a port for all protocols ===

Denying a single IP to a single port for all protocols (tcp/udp/etc.):

<code>
[root@someserver]:~[1]# ufw deny from 192.168.1.100 to any port 22
Rule added
[root@someserver]:~[1]# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     192.168.1.100
</code>

=== To a port for a protocol ===

Denying a single IP to a single port for a protocol. In this example we use ssh/22 with the tcp protocol.

<code>
[root@someserver]:~[1]# ufw deny from 192.168.1.100 to any port 22 proto tcp
Rule added
[root@someserver]:~[1]# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     192.168.1.100
</code>

==== Limit connections ====

Command to limit ssh connections on the tcp port to 6 connections only every 30 seconds. UFW does the 6/30 by default.

<code>
[root@someserver]:~[1]# ufw limit ssh/tcp
Rule added
Skipping unsupported IPv6 'limit' rule
[root@someserver]:~[1]# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
</code>

Checking the changes in the config file: the file ''/lib/ufw/user.rules'' changes after this new rule as below. The following lines are added:

<code>
### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set
-A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit
-A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept
</code>

Notice the ''--seconds 30 --hitcount 6'' in the command. This can be updated manually (I think) - not sure. I have done it and it seems to work. Do it at your own risk! If you do update it, you will have to use the reload command:

<code bash>
ufw reload
</code>

==== Firewall reset ====

To reset to factory defaults, use the command below. This also makes the firewall inactive, as this was the original configuration.

<code>
[06:26:17 AM][root@someserver]:~[1]# ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/lib/ufw/user.rules.20130716_062632'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20130716_062632'
Backing up 'user6.rules' to '/lib/ufw/user6.rules.20130716_062632'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20130716_062632'
Backing up 'after.rules' to '/etc/ufw/after.rules.20130716_062632'
Backing up 'before.rules' to '/etc/ufw/before.rules.20130716_062632'
</code>

So after this operation you would want to redo the [[#basic_setup|Basic setup]].

===== Other considerations =====

==== Resources ====

  * [[http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/|Mass-blocking IP addresses with ipset » d(a)emonkeeper's purgatory]]

==== Logging ====

Ref: [[https://handyman.dulare.com/ufw-block-messages-in-syslog-how-to-get-rid-of-them/|[UFW BLOCK] messages in syslog – how to get rid of them?]]

=== Prevent dual logging in syslog ===

In the file ''/etc/rsyslog.d/20-ufw.conf'' uncomment the last line, ''& stop''.

=== Log in batches ===

For efficiency, log in batches rather than in real time. Add a dash to the start of the file name in ''/etc/rsyslog.d/20-ufw.conf'':

<code>
:msg,contains,"[UFW " -/var/log/ufw.log
</code>

=== logrotate ===

You may also need to update ''/etc/logrotate.d/ufw'' and remove ''rsyslog'' from the files to rotate.
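The "notice an IP attempting to break in, then add a rule" step from the top of this page, done over the ''[UFW BLOCK]'' lines that the logging setup above writes to ''/var/log/ufw.log''. This is an added example, not part of the original page: it tallies blocked (source, protocol, port) tuples and prints the matching ''ufw deny'' rule for any source over a threshold; the log lines are constructed, and the field names assume the stock ufw/iptables LOG format.

```shell
#!/bin/sh
# Added example (not from the original page): summarise [UFW BLOCK] lines by
# source address and print the "ufw deny" rule for any source that exceeds a
# threshold, i.e. the manual block-an-attacker workflow described on this page.
# Assumes the stock ufw/iptables LOG format (SRC=, PROTO=, DPT= fields).

# Constructed sample log lines standing in for /var/log/ufw.log.
SAMPLE_UFW_LOG='Jul 16 06:26:32 someserver kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.101 DST=192.168.1.5 PROTO=TCP SPT=51234 DPT=22 SYN
Jul 16 06:26:33 someserver kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.101 DST=192.168.1.5 PROTO=TCP SPT=51235 DPT=22 SYN
Jul 16 06:26:35 someserver kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.101 DST=192.168.1.5 PROTO=TCP SPT=51236 DPT=22 SYN
Jul 16 06:27:01 someserver kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.5 PROTO=UDP SPT=5353 DPT=5353
Jul 16 06:27:10 someserver kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.101 DST=192.168.1.5 PROTO=TCP SPT=51240 DPT=80 SYN'

# Print "count src proto dport" for every blocked (src, proto, dport) tuple,
# highest count first. Only [UFW BLOCK] lines count; [UFW ALLOW] is ignored.
blocked_sources() {
    printf '%s\n' "$1" | awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = tolower(kv[2])
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src != "") hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Print a ufw deny rule for each tuple seen at least $2 times (default 3).
# Rules are printed, not executed, so they can be reviewed before applying.
suggest_deny_rules() {
    threshold=${2:-3}
    blocked_sources "$1" | while read -r count src proto dport; do
        [ "$count" -ge "$threshold" ] || continue
        printf 'ufw deny from %s to any port %s proto %s\n' "$src" "$dport" "$proto"
    done
}

suggest_deny_rules "$SAMPLE_UFW_LOG"   # prints: ufw deny from 192.168.1.101 to any port 22 proto tcp
```

Run it against the real file with `suggest_deny_rules "$(cat /var/log/ufw.log)" 10` to use a higher threshold; the single UDP hit from 192.168.1.77 stays below the default and produces no rule.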