Brodriguez: Brodriguez moved page Linux Uncomplicated Firewall to Linux/Uncomplicated Firewall: Clean url with subpages

2020-05-15T08:53:53Z

Brodriguez moved page Linux Uncomplicated Firewall to Linux/Uncomplicated Firewall: Clean url with subpages

← Older revision

Revision as of 08:53, 15 May 2020

Brodriguez: Add local network example

2019-11-06T05:01:48Z

Add local network example

← Older revision		Revision as of 05:01, 6 November 2019
Line 89:		Line 89:
	* <code>sudo ufw allow from <ip_address> to any port <port> proto <protocol></code>		* <code>sudo ufw allow from <ip_address> to any port <port> proto <protocol></code>
	** This will only allow the given protocol from the given ip to the given port.		** This will only allow the given protocol from the given ip to the given port.

			For example, to allow ssh only on the local network, run:
			<code>sudo ufw allow from 192.168.1.0/24 to any port 22</code>

Brodriguez: Add advanced rules

2019-10-13T01:31:28Z

Add advanced rules

← Older revision		Revision as of 01:31, 13 October 2019
Line 81:		Line 81:
	* '''MySQL''': <code>sudo ufw allow 3306/tcp</code>		* '''MySQL''': <code>sudo ufw allow 3306/tcp</code>
	* '''PostgreSQL''': <code>sudo ufw allow 5432/tcp</code>		* '''PostgreSQL''': <code>sudo ufw allow 5432/tcp</code>


			== Advanced Rules ==
			It's possible to only allow/deny from specific ip addresses. Some examples:
			* <code>sudo ufw allow from <ip_address> to any port <port></code>
			** This will only allow the given ip to the given port.
			* <code>sudo ufw allow from <ip_address> to any port <port> proto <protocol></code>
			** This will only allow the given protocol from the given ip to the given port.

Brodriguez: Create page

2019-10-08T07:03:18Z

Create page

New page

'''Uncomplicated Firewall''', or UFW, is a simple firewall manager for Arch Linux, Debian, and Ubuntu based systems.

== Install UFW ==
For Arch Linux, Debian, and Ubuntu systems, UFW is likely installed by default. If it's not, then install with the following commands:
* Arch Linux: <code>sudo pacman -S ufw</code>
* Ubuntu/Debian: <code>sudo apt install ufw</code>

Depending on the system, you may also have to run:
* <code>sudo systemctl start ufw</code>
* <code>sudo systemctl enable ufw</code>

== Setting Firewall Rules ==

=== General Command Syntax ===
Generally speaking, ufw rules will follow one of two formats:
* <code>sudo ufw allow <port></code>
** The '''allow''' rule sets the provided port to be open to the outside world, for both incoming and outgoing messages.
 
* <code>sudo ufw deny <port></code>
** The '''deny''' rule sets the provided port to be closed to the outside world, for both incoming and outgoing messages.
 
In either case, the <port> argument can be define in one of the following ways:
* <code><port_number></code>
** This allows all connection types at the provided port number.
* <code><port_number>/tcp</code>
** This allows only tcp connections at the provided port number.
* <code><port_number>/udp</code>
** This allows only udp connections at the provided port number.

=== Removing Rules ===
If you accidentally add a wrong rule, or simply want to remove an existing rule, use the command:
* <code>sudo ufw delete <rule></code>, where <code><rule></code> follows the same <code><allow/deny> <port></code> syntax defined above.

=== Specifying General Rules ===
UFW also allows specifying general rules. These are the rules applied for any ports not explicitly defined by the above commands. 
These general commands are as simple as:
* <code>sudo ufw default <allow|deny> <incoming|outgoing></code>
** Ex: <code>sudo ufw default allow outgoing</code>

== Recommended Rules ==
Before setting any rules, it's strongly recommended to allow ssh. 
If using a default ssh setup, then you can use the command:
* <code>sudo ufw allow ssh</code> or <code>sudo ufw allow 22/tcp</code>
If using a non-standard setup, then allow whatever given port is associated with your ssh connection.
 
Next, it's recommended to set defaults for both incoming and outgoing. These might be set by default, depending on your system, but it's always a good idea to double check. 
For most setups, defaults of "allow all outgoing" and "deny all incoming" are good:
* <code>sudo ufw default allow outgoing</code>
* <code>sudo ufw default deny incoming</code>
 
At this point, you'd want to set individual rules for whatever your given setup needs. 
For security reasons, it's best to only open those ports that you need, and keep the rest closed.

== Enabling UFW and Viewing Status ==
View general UFW status with:
* <code>sudo ufw status</code>
 
To get more detailed output, use:
* <code>sudo ufw status verbose</code>
 
If status comes back "inactive", enable UFW with:
* <code>sudo ufw enable</code>
{{warn | If connecting remotely, do not enable UFW until you allow ssh ports!}}
 
To disable it again, use:
* <code>sudo ufw disable</code>

== Common Ports to Allow ==
Below are commands to allow commonly opened ports. 
For security reasons, it's best to only open those ports that you need, and keep the rest closed.
* '''SSH''': <code>sudo ufw allow 22/tcp</code>
* '''HTTP''': <code>sudo ufw allow 80/tcp</code>
* '''HTTPS''': <code>sudo ufw allow 443/tcp</code>
* '''RDP''': <code>sudo ufw allow 3389/tcp</code>
* '''MySQL''': <code>sudo ufw allow 3306/tcp</code>
* '''PostgreSQL''': <code>sudo ufw allow 5432/tcp</code>

Linux/Uncomplicated Firewall - Revision history

Brodriguez: Brodriguez moved page Linux Uncomplicated Firewall to Linux/Uncomplicated Firewall: Clean url with subpages

Brodriguez: Add local network example

Brodriguez: Add advanced rules

Brodriguez: Create page