ufw

For workstations we use UFW (Uncomplicated Firewall), which is a front end to network_iptables

ufw is not intended to provide complete firewall functionality via its command interface; instead it provides an easy way to add or remove simple rules

For servers and routers we use nftables

Remark: The first match wins, so order is important

An alternative for a dedicated firewall computer is pfSense, which runs on FreeBSD

Configuration files

/etc/default/ufw
/etc/ufw/applications.d/ufw-bittorent
/etc/ufw/sysctl.conf

Logging

By default no logging is performed when a packet matches a rule

ufw logging on|off
ufw logging low|medium|high

The logfile can be found in /var/log/ufw
Entries can also occur in /var/log/messages
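Once logging is on, the entries are kernel LOG lines with key=value fields (SRC=, DST=, PROTO=, DPT=), and a "[UFW BLOCK]" tag on packets a deny rule dropped. The following is an added example, not code from the wiki, that summarizes which sources keep hitting which blocked ports. The log lines are constructed for the example; the log file path in the usage comment is an assumption (see the Logging section for where your system writes the log).

```shell
#!/bin/sh
# Constructed sample of ufw log entries (not taken from the wiki page).
# ufw logs through the kernel LOG target, so each line carries key=value
# fields; "[UFW BLOCK]" marks a packet that a deny rule dropped.
UFW_SAMPLE_LOG='Apr 30 09:32:13 Hostname kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 PROTO=TCP SPT=51234 DPT=22
Apr 30 09:32:14 Hostname kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 PROTO=TCP SPT=51235 DPT=23
Apr 30 09:32:15 Hostname kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.0.42 DST=192.168.0.1 PROTO=TCP SPT=40000 DPT=22
Apr 30 09:32:16 Hostname kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.0.1 PROTO=UDP SPT=5353 DPT=5353
Apr 30 09:32:17 Hostname kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 PROTO=TCP SPT=51236 DPT=22'

# ufw_blocked_summary: read log lines on stdin and print one line per
# blocked (source, destination port, protocol) tuple as
#   "<count> <src> <dport> <proto>", most frequent first.
# Lines without "[UFW BLOCK]" (allowed or audited packets) are ignored.
ufw_blocked_summary() {
    awk '
        index($0, "[UFW BLOCK]") == 0 { next }
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# ufw_top_blocked_src: the single source address with the most blocked packets,
# summed over all ports and protocols.
ufw_top_blocked_src() {
    ufw_blocked_summary \
        | awk '{ n[$2] += $1 } END { for (s in n) print n[s], s }' \
        | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Usage on a live system (path assumed; adjust to where your log goes):
#   ufw_blocked_summary < /var/log/ufw.log
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_blocked_summary
```

The summary is grouped on the source address and the destination port rather than on the whole line, so repeated probes of one port from one host collapse into a single count and stand out above the noise.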

Status

ufw status verbose
ufw status numbered

Adding and removing rules

Command | Remark
ufw default deny incoming | Standard rule. All incoming traffic is blocked. Set this
ufw default allow outgoing | Standard rule. All outgoing traffic is allowed, so you can access the Internet. Set this
ufw delete 2 | Delete rule number 2, as shown by ufw status numbered
ufw allow 22/tcp | Allow all traffic with the tcp protocol to port 22
ufw delete allow 22/tcp | Remove the rule added with ufw allow 22/tcp
ufw allow from 192.168.0.1 | Allow all connections from 192.168.0.1
ufw allow from 192.168.0.1 port 22 | Allow all connections from 192.168.0.1 on port 22
ufw allow from 192.168.0.1 port 22 proto tcp | Allow all connections from 192.168.0.1 on port 22 with the tcp protocol
ufw allow from 192.168.1.0/24 proto tcp to any port 22 | Allow tcp connections from any host on 192.168.1.0/24 to port 22
ufw allow from 192.168.0.0/24 to 192.168.0.1 port 22 | 192.168.0.1 is the IP of the local machine
ufw allow from 192.168.0.0/24 to 192.168.0.1 port 22 proto tcp | Allow all tcp traffic from any host on the 192.168.0.x network to port 22 on 192.168.0.1

Denying access

Command | Remark
ufw deny to 93.184.220.29/16 |
ufw deny to 23.32.0.0/10 proto tcp from any |
ufw deny from 23.32.0.0/10 proto tcp to any |

Error situations

Command | Error message
ufw deny from 23.32.0.0/10 proto tcp to any | WARN: Rule changed after normalization. Skipping adding existing rule
ufw deny to 23.32.0.0/10 proto tcp to any | ERROR: Improper rule syntax
ufw deny out 23.32.0.0/10 proto tcp to any | ERROR: Wrong number of arguments
ufw deny out 23.32.0.0/10 proto tcp | ERROR: Wrong number of arguments
ufw deny out 23.32.0.0/10 | ERROR: Bad port
ufw deny out 23.32.0.0/10 to any | ERROR: Wrong number of arguments
ufw deny out 23.32.0.0/10 proto tcp port any | ERROR: Wrong number of arguments
ufw deny out 23.32.0.0/10 proto tcp any | ERROR: Need 'to' or 'from' clause
ufw deny out 23.32.0.0/10 proto tcp to any | ERROR: Wrong number of arguments
ufw deny out 23.32.0.0/10 to any proto tcp port any | ERROR: Wrong number of arguments

Remarks

  • the proto item is only allowed (and needed) once per entry

Reordering rules

The first match wins, so order is important
Change one rule at a time!

  • Show the list of rules
    • ufw status numbered
  • Remove the rule that you want to have on a different place
    • ufw delete rulenumber
  • Show the list of rules
    • ufw status numbered
  • Add the rule at its intended place
    • ufw insert intendedplace deny from iptoblock to any

Example

ufw status numbered
ufw delete 14
ufw status numbered
ufw insert 2 deny from iptoblock to any

Debugging

Follow these steps until you have solved the problem

  • ufw disable
  • ufw enable
    • To switch the firewall off in practice, use ufw allow from any to any . Unlike ufw disable / ufw enable it does not break existing (ssh) connections
  • ufw status numbered
  • ufw delete x , where x is the number of the "from anywhere to anywhere" rule
  • ufw allow from 192.168.0.0/16 to any . If you are on another network, change the IP address range accordingly
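Both the reordering procedure and the debugging steps above need the number of a rule as shown by ufw status numbered, and reading it off the screen is where "change one rule at a time" goes wrong. The following is an added example, not code from the wiki, that looks a rule up by its three columns in the output of ufw status numbered and prints its number, so the catch-all "allow from anywhere to anywhere" rule can be found again reliably. The status output is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of "ufw status numbered" output (not taken from the wiki page).
UFW_STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 2] Anywhere                   DENY IN     203.0.113.0/24
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] Anywhere                   ALLOW IN    Anywhere'

# ufw_rule_number TO ACTION FROM: read "ufw status numbered" on stdin and print
# the number of the first rule whose three columns match exactly, e.g.
#   ufw_rule_number "22/tcp" "ALLOW IN" "Anywhere"
# Prints nothing when no rule matches, so callers can test for an empty result.
ufw_rule_number() {
    awk -v to="$1" -v action="$2" -v from="$3" '
        /^\[ *[0-9]+]/ {
            # "[ 3] 22/tcp   ALLOW IN   Anywhere" -> num = 3, body = the rest
            num = $0; sub(/^\[ */, "", num); sub(/].*$/, "", num)
            body = $0; sub(/^\[ *[0-9]+] +/, "", body); sub(/ +$/, "", body)
            # the three columns are separated by runs of at least two spaces;
            # a single space inside a column ("ALLOW IN", "22/tcp (v6)") is kept
            n = split(body, col, /  +/)
            if (n == 3 && col[1] == to && col[2] == action && col[3] == from) {
                print num
                exit
            }
        }'
}

# ufw_catch_all_rule: number of the "allow from anywhere to anywhere" rule that
# the Debugging section adds and then tells you to delete again; prints nothing
# when no such rule is present.
ufw_catch_all_rule() {
    ufw_rule_number "Anywhere" "ALLOW IN" "Anywhere"
}

# Usage on a live system (as root): delete a rule by content instead of by a
# number copied from the screen.
#   n=$(ufw status numbered | ufw_rule_number "22/tcp" "ALLOW IN" "Anywhere")
#   [ -n "$n" ] && ufw delete "$n"
printf '%s\n' "$UFW_STATUS_SAMPLE" | ufw_catch_all_rule
```

Because ufw renumbers the remaining rules after every delete, always take a fresh ufw status numbered before the next lookup, exactly as the procedure above does.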

Errors and warnings

Rule changed after normalization

WARN: Rule changed after normalization
Rule added

This is not a problem; the WARN can be ignored
From the ufw man page: “Because rules are normalized by ufw, rules may look different than the originally added rule.” So it seems to be some internal ufw thing.

Skipping adding existing rule

Rule to be added

ufw allow from 192.168.2.2/24 to 192.168.1.1 port 22 proto tcp

Result

WARN: Rule changed after normalization
Skipping adding existing rule

This means that a rule with /24 for the same 192.168.x.x IP range already exists, so this second one is skipped

Only use /24 (24 is an example) once when you want a whole range of IP addresses

Connection attempt times out

  • Check the firewall rules and Network manager. If, in network manager, IPv6 is enabled there has to be a firewall rule for IPv6 to make the connection work

Port forwarding

  1. Enter the IP address or, if applicable, an IP address range that is granted access in the router
  2. Enter the port number to forward to in the router
  3. On the computer, enter a rule in ufw that accepts the port forwarded by the router: ufw allow from any to any port thedesiredportnumber proto thedesiredprotocol . Example: ufw allow from any to any port 22 proto tcp

Routing

When you want to be able to log in with ssh on PC 1 from PC 2, run in a terminal as root on PC 1: ufw allow from 10.0.0.1/32 to any port 22 . Do not enter 172.16.0.5, since Router 1 does not know about anything on the 172.16.x.x side of Router 2
This setup assumes that the routers use NAT

UFW and NAT

Work in progress

Log in as root
To set up NAT do

  • In /etc/default/ufw set
    • DEFAULT_FORWARD_POLICY="ACCEPT"
  • In /etc/ufw/sysctl.conf allow ipv4 forwarding, leave IPv6 commented out if you do not need it
    • net.ipv4.ip_forward=1
    • #net/ipv6/conf/default/forwarding=1
    • #net/ipv6/conf/all/forwarding=1
  • Add in /etc/ufw/before.rules, just before the *filter rules
# NAT table rules
*nat
-F
:POSTROUTING ACCEPT [0:0]

# Forward the traffic through eth0. Change the IP address to your needs and eth0 to match the name of the outgoing interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# The 'COMMIT' line is needed to get these nat table rules processed
COMMIT
  • ufw disable && ufw enable
  • Check with iptables -t nat -L -v
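The NAT setup above spreads over three files, and the Errors section shows what happens when one of them is not right. The following is an added example, not code from the wiki, that checks the three settings listed above in copies of those files before ufw is restarted: the forward policy in /etc/default/ufw, IPv4 forwarding in /etc/ufw/sysctl.conf, and a *nat block in before.rules that has a MASQUERADE rule, is closed with COMMIT, and sits before the *filter table. The functions take file paths as arguments, so they can be run against test copies; the function names and the preflight output format are my own.

```shell
#!/bin/sh
# ufw_forward_policy FILE: print the value of DEFAULT_FORWARD_POLICY in a
# /etc/default/ufw style file, with quotes stripped (last setting wins).
ufw_forward_policy() {
    awk -F= '/^DEFAULT_FORWARD_POLICY=/ { v = $2; gsub(/["'\'' ]/, "", v); print v }' "$1" \
        | tail -n 1
}

# ufw_ip_forward_enabled FILE: succeed when IPv4 forwarding is switched on and
# not commented out. ufw's sysctl.conf accepts both the dotted and the slashed
# key spelling, so both are matched.
ufw_ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# ufw_nat_block_ok FILE: succeed when a before.rules style file has a *nat table
# that contains a MASQUERADE rule, is terminated by COMMIT, and (if a *filter
# table is present) comes before it, as the wiki instructs.
ufw_nat_block_ok() {
    awk '
        /^\*nat/               { in_nat = 1; nat_line = NR }
        /^\*filter/            { filter_line = NR }
        in_nat && /MASQUERADE/ { masq = 1 }
        in_nat && /^COMMIT/    { committed = 1; in_nat = 0 }
        END {
            ok = nat_line && masq && committed && (!filter_line || nat_line < filter_line)
            exit !ok
        }
    ' "$1"
}

# ufw_nat_preflight DEFAULT_FILE SYSCTL_FILE BEFORE_RULES: one "ok"/"FAIL" line per check.
ufw_nat_preflight() {
    if [ "$(ufw_forward_policy "$1")" = "ACCEPT" ]; then
        echo "forward-policy ok"
    else
        echo "forward-policy FAIL (expected DEFAULT_FORWARD_POLICY=\"ACCEPT\")"
    fi
    ufw_ip_forward_enabled "$2" && echo "ip-forward ok" || echo "ip-forward FAIL (net.ipv4.ip_forward=1 missing)"
    ufw_nat_block_ok "$3"      && echo "nat-table ok"  || echo "nat-table FAIL (*nat block incomplete or after *filter)"
}

# Usage on a live system, before "ufw disable && ufw enable":
#   ufw_nat_preflight /etc/default/ufw /etc/ufw/sysctl.conf /etc/ufw/before.rules
if [ "$#" -eq 3 ]; then
    ufw_nat_preflight "$@"
fi
```

Run the script with the three real paths as arguments to get the three check lines; without arguments it only defines the functions, so it can be sourced from another script.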

Errors

# ufw disable && ufw enable
ERROR: Missing policy for 'forward'
# systemctl restart ufw.service
Job for ufw.service failed because the control process exited with error code.
See "systemctl status ufw.service" and "journalctl -xe" for details.

This has something to do with the lines added to /etc/ufw/before.rules

Issues

IPV6 kernel module on Bookworm

apr 30 09:32:13 Hostname ufw-init[744]: line 50: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 51: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 52: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 53: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 55: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 130: RULE_APPEND failed (No such file
apr 30 09:32:14 Hostname ufw-init[863]: Problem running '/etc/ufw/before6.rules'
apr 30 09:32:14 Hostname systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
apr 30 09:32:14 Hostname systemd[1]: ufw.service: Failed with result 'exit-code'.
apr 30 09:32:14 Hostname systemd[1]: Failed to start ufw.service - Uncomplicated firewall.

# /usr/lib/ufw/ufw-init status
Firewall is running
# /usr/lib/ufw/ufw-init stop
# /usr/lib/ufw/ufw-init start
Warning: Extension icmp6 revision 0 not supported, missing kernel module?
ip6tables-restore v1.8.9 (nf_tables): 
line 36: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 43: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 44: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 46: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 48: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 49: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 50: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 51: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 52: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 53: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 55: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 130: RULE_APPEND failed (No such file 

Problem running '/etc/ufw/before6.rules'

Solution:
This needs a kernel module. Which one?
Workaround: turn IPv6 off. As root do:

  • vi /etc/default/ufw
  • Set: IPV6=no
  • systemctl stop ufw.service
  • systemctl start ufw.service
  • systemctl status ufw.service
network_ufw.txt · Last modified: 30-04-2023 12:33 by wim