ufw
On workstations we use UFW (Uncomplicated Firewall), which is based on iptables (see network_iptables)
ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules
For servers and routers we use nftables
Remark: The first match wins, so order is important
An alternative for a dedicated firewall machine is pfSense, which runs on FreeBSD
Configuration files
- /etc/default/ufw
- /etc/ufw/applications.d/ufw-bittorent
- /etc/ufw/sysctl.conf
Logging
No logging is performed when a packet matches a rule. This is the default
ufw logging on|off
ufw logging low|medium|high
The logfile can be found in /var/log/ufw
Entries can also occur in /var/log/messages
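Added example (not from this wiki): a small shell script that summarizes the [UFW BLOCK] lines ufw writes to /var/log/ufw.log, so you can see which sources and destination ports are blocked most often. The log lines in it are constructed samples in the kernel's netfilter log format; the function names ufw_block_summary and ufw_block_count are my own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: summarize the "[UFW BLOCK]"
# entries that ufw logging writes to /var/log/ufw.log (or /var/log/messages).
# The log below is a constructed sample in the kernel's netfilter log format.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 30 09:32:13 host kernel: [  123.456789] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 30 09:32:14 host kernel: [  124.001234] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 30 09:32:15 host kernel: [  125.002345] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=198.51.100.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Apr 30 09:32:16 host kernel: [  126.003456] [UFW ALLOW] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 30 09:32:17 host kernel: [  127.004567] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.5 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF

# Print "count source dport proto" for blocked packets, most frequent first.
# Usage: ufw_block_summary /var/log/ufw.log
ufw_block_summary() {
    awk '
    /\[UFW BLOCK\]/ {
        src = "?"; dpt = "?"; proto = "?"
        # every interesting field is KEY=VALUE; pick the three we report on
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
        }
        count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2,2 -k3,3n
}

# Total number of blocked packets in the file.
ufw_block_count() {
    grep -c '\[UFW BLOCK\]' "$1"
}

ufw_block_summary "$SAMPLE_LOG"
echo "blocked packets: $(ufw_block_count "$SAMPLE_LOG")"
```

On a real machine run it as ufw_block_summary /var/log/ufw.log; ALLOW lines are skipped on purpose, so the summary only shows what the rules dropped.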
Status
ufw status verbose
ufw status numbered
Adding and removing rules
Command | Remark |
---|---|
ufw default deny incoming | Standard rule. All incoming traffic is blocked. Set this |
ufw default allow outgoing | Standard rule. All outgoing traffic is allowed. You can access the Internet. Set this |
ufw delete 2 | Delete rule number 2, as shown by ufw status numbered |
ufw allow 22/tcp | Allow all traffic with the tcp protocol to port 22 |
ufw delete allow 22/tcp | Delete the rule added with ufw allow 22/tcp |
ufw allow from 192.168.0.1 | Allow all connections from 192.168.0.1 |
ufw allow from 192.168.0.1 port 22 | Allow all connections from 192.168.0.1 on port 22 |
ufw allow from 192.168.0.1 port 22 proto tcp | Allow all connections from 192.168.0.1 on port 22 with the tcp protocol |
ufw allow from 192.168.1.0/24 proto tcp to any port 22 | Allow tcp connections from the 192.168.1.0/24 network to port 22 |
ufw allow from 192.168.0.0/24 to 192.168.0.1 port 22 | 192.168.0.1 is the IP of the local machine |
ufw allow from 192.168.0.0/24 to 192.168.0.1 port 22 proto tcp | Allow tcp traffic from any host on the 192.168.0.x network to port 22 on 192.168.0.1 |
Denying access
Command | Remark |
---|---|
ufw deny to 93.184.220.29/16 | Deny traffic to the /16 network that contains 93.184.220.29 (ufw normalizes the address to 93.184.0.0/16) |
ufw deny to 23.32.0.0/10 proto tcp from any | Deny tcp traffic from any source to 23.32.0.0/10. Without in or out, ufw applies a rule to incoming traffic |
ufw deny from 23.32.0.0/10 proto tcp to any | Deny incoming tcp traffic from 23.32.0.0/10 to any address |
Error situations
Command | Error message |
---|---|
ufw deny from 23.32.0.0/10 proto tcp to any | WARN: Rule changed after normalization. Skipping adding existing rule |
ufw deny to 23.32.0.0/10 proto tcp to any | ERROR: Improper rule syntax |
ufw deny out 23.32.0.0/10 proto tcp to any | ERROR: Wrong number of arguments |
ufw deny out 23.32.0.0/10 proto tcp | ERROR: Wrong number of arguments |
ufw deny out 23.32.0.0/10 | ERROR: Bad port |
ufw deny out 23.32.0.0/10 to any | ERROR: Wrong number of arguments |
ufw deny out 23.32.0.0/10 proto tcp port any | ERROR: Wrong number of arguments |
ufw deny out 23.32.0.0/10 proto tcp any | ERROR: Need 'to' or 'from' clause |
ufw deny out 23.32.0.0/10 proto tcp to any | ERROR: Wrong number of arguments |
ufw deny out 23.32.0.0/10 to any proto tcp port any | ERROR: Wrong number of arguments |
Remarks
- the proto item is only allowed (and needed) once per entry
- the direction keyword in or out has to follow allow or deny directly, and the address needs a from or to clause; the errors above come from putting the address right after out. The outgoing block would be: ufw deny out to 23.32.0.0/10 proto tcp (see the ufw man page for the full syntax)
Reordering rules
The first match wins, so order is important
Change one rule at a time!
- Show the list of rules: ufw status numbered
- Remove the rule that you want to have in a different place: ufw delete rulenumber
- Show the list of rules again: ufw status numbered
- Add the rule at its intended place: ufw insert intendedplace deny from iptoblock to any
Example
ufw status numbered
ufw delete 14
ufw status numbered
ufw insert 2 deny from iptoblock to any
Debugging
Follow these steps until you have solved the problem
- ufw disable
- ufw enable
- To effectively open the firewall while it stays enabled, use ufw allow from any to any. Unlike ufw disable / ufw enable, this does not break existing (ssh) connections
- ufw status numbered
- ufw delete x, where x is the number of the "from anywhere to anywhere" rule
- ufw allow from 192.168.0.0/16 to any; if you are on another network, change the IP address range accordingly
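Added example (not from this wiki) for the reordering and debugging steps above: find the number of a rule in ufw status numbered output with a pattern instead of by eye, and print the matching ufw delete commands highest number first, because ufw renumbers the remaining rules after every delete. The status output is a constructed sample; ufw_rule_numbers and ufw_delete_commands are my own names.

```shell
#!/bin/sh
# Added example, not part of the wiki page: find rule numbers in the output
# of "ufw status numbered" so the "ufw delete N" step is not done by eye.
# STATUS is a constructed sample of what ufw prints.

STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 2] Anywhere                   ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Anywhere                   DENY IN     23.32.0.0/10
[ 5] Anywhere (v6)              ALLOW IN    Anywhere (v6)'

# Read "ufw status numbered" on stdin and print the numbers of the rules
# whose line matches the extended regex $1, highest number first: ufw
# renumbers the remaining rules after each delete, so deleting from the
# top down keeps the other numbers valid.
ufw_rule_numbers() {
    grep -E "$1" | sed -n 's/^\[ *\([0-9][0-9]*\)].*/\1/p' | sort -rn
}

# Emit, without executing, the delete commands for every
# "Anywhere ALLOW IN Anywhere" rule (IPv4 and IPv6) found on stdin.
ufw_delete_commands() {
    for n in $(ufw_rule_numbers '^\[ *[0-9]+] Anywhere( \(v6\))? +ALLOW IN +Anywhere'); do
        printf 'ufw delete %s\n' "$n"
    done
}

# Sample run on the constructed status output
printf '%s\n' "$STATUS" | ufw_delete_commands
```

On the real machine, run ufw status numbered | ufw_delete_commands as root, check the printed commands, and only then execute them; the script deliberately prints instead of running ufw itself.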
Errors and warnings
Rule changed after normalization
WARN: Rule changed after normalization Rule added
This is no issue. You can ignore the WARN
From the ufw man page: “Because rules are normalized by ufw, rules may look different than the originally added rule.” So it seems to be some internal ufw thing.
Skipping adding existing rule
Rule to be added
ufw allow from 192.168.2.2/24 to 192.168.1.1 port 22 proto tcp
Result
WARN: Rule changed after normalization Skipping adding existing rule
This means a rule for the same 192.168.x.x /24 range already exists (after normalization the address is the whole /24 network)
Add a rule for a whole range of IP addresses (/24 is an example) only once
Connection attempt time out
- Check the firewall rules and Network manager. If, in network manager, IPv6 is enabled there has to be a firewall rule for IPv6 to make the connection work
Port forwarding
- Enter the IP address or, if applicable, an IP address range that is granted access in the router
- Enter the port number to forward to in the router
- On the computer, enter a rule in ufw that accepts the port forwarded by the router: ufw allow from any to any port thedesiredportnumber proto thedesiredprotocol. Example: ufw allow from any to any port 22 proto tcp
Routing
When you want to be able to log in with ssh on PC 1 from PC 2, run in a terminal as root on PC 1: ufw allow from 10.0.0.1/32 to any port 22. Do not enter 172.16.0.5, since Router 1 does not know about anything on the 172.16.x.x side of Router 2
This setup assumes that the routers use NAT
UFW and NAT
Work in progress
Log in as root
To set up NAT do
- In /etc/default/ufw set
- DEFAULT_FORWARD_POLICY="ACCEPT"
- In /etc/ufw/sysctl.conf allow ipv4 forwarding, leave IPv6 commented out if you do not need it
- net.ipv4.ip_forward=1
- #net/ipv6/conf/default/forwarding=1
- #net/ipv6/conf/all/forwarding=1
- Add in /etc/ufw/before.rules just before the filter rules
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward the traffic through eth0. Change the IP address to your needs and eth0 to match the name of the outgoing interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# The 'COMMIT' line is needed to get these nat table rules processed
COMMIT
- ufw disable && ufw enable
- Check with iptables -t nat -L -v
Errors
# ufw disable && ufw enable
ERROR: Missing policy for 'forward'
# systemctl restart ufw.service
Job for ufw.service failed because the control process exited with error code. See "systemctl status ufw.service" and "journalctl -xe" for details.
This has something to do with the lines added to /etc/ufw/before.rules
Issues
IPV6 kernel module on Bookworm
apr 30 09:32:13 Hostname ufw-init[744]: line 50: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 51: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 52: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 53: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 55: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
apr 30 09:32:13 Hostname ufw-init[744]: line 130: RULE_APPEND failed (No such file
apr 30 09:32:14 Hostname ufw-init[863]: Problem running '/etc/ufw/before6.rules'
apr 30 09:32:14 Hostname systemd[1]: ufw.service: Main process exited, code=exited, status=1/FAILURE
apr 30 09:32:14 Hostname systemd[1]: ufw.service: Failed with result 'exit-code'.
apr 30 09:32:14 Hostname systemd[1]: Failed to start ufw.service - Uncomplicated firewall.
# /usr/lib/ufw/ufw-init status
Firewall is running
# /usr/lib/ufw/ufw-init stop
# /usr/lib/ufw/ufw-init start
Warning: Extension icmp6 revision 0 not supported, missing kernel module?
ip6tables-restore v1.8.9 (nf_tables):
line 36: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 43: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 44: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 46: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 48: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 49: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 50: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 51: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 52: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 53: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 55: RULE_APPEND failed (No such file or directory): rule in chain ufw6-before-input
line 130: RULE_APPEND failed (No such file
Problem running '/etc/ufw/before6.rules'
Solution:
This needs a kernel module. Which one?
Workaround: turn IPv6 off. As root do:
- vi /etc/default/ufw
- Set: IPV6=no
- systemctl stop ufw.service
- systemctl start ufw.service
- systemctl status ufw.service
Useful links
Gufw Firewall
UncomplicatedFirewall
UFW
UFW (French)
How to set up a firewall with ufw on ubuntu 18-04
Copyright © : 2014 - 2024 Webevaluation.nl and the authors