UFW (Uncomplicated Firewall) usage cheat sheet, personal notes, not a beginner tutorial.
Uncomplicated Firewall is an interface to iptables that is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult for beginners to learn how to use it to configure a firewall properly.

Quick Start

pacman -S ufw

# gufw for GUI
# pacman -S gufw

systemctl enable --now ufw
# configure ufw defaults
sudo vim /etc/default/ufw
# Enable IPv6 support. Default on, no need to do it.
IPV6=yes

# these are already the defaults, no need to set them again
sudo ufw default deny incoming
sudo ufw default allow outgoing

# for ssh, use limit directly
# sudo ufw allow /
sudo ufw allow ssh  # find port from /etc/services
sudo ufw allow 22 # equivalent
sudo ufw limit 'OpenSSH' # sudo ufw app list
Note:
  • /etc/services lists all kinds of services and their corresponding ports.
    ❯ pacman -Fo /etc/services
    /etc/services is owned by core/iana-etc 20190329-1
  • By default, UFW allows ping requests.
  • allow rules apply to incoming traffic by default, because outgoing traffic is allowed by default and there is no need to restrict it.
  • deny is different from reject: deny silently drops the packets, reject sends a refusal back to the sender.
  • --dry-run is a useful option: it prints the iptables rules a command would add without applying them.
Common commands and rule examples

# continue ufw setup
sudo ufw enable # activate ufw
sudo ufw disable # deactivate ufw
sudo ufw reset # reset all rules

sudo ufw status verbose
# show raw iptables rules
sudo ufw show raw
sudo ufw status numbered # list rules with their sequence numbers

sudo ufw allow http # same as sudo ufw allow 80; this actually creates a port rule
sudo ufw allow https # sudo ufw allow 443

# setting separate rules for in and out
sudo ufw allow in on eth1 to any port 3306 # "any" stands for any IP address

# distinguishing udp and tcp
# e.g. 80/udp or http/tcp
sudo ufw allow proto tcp from any to any port 80,443

# to restrict a rule to IPv6 only, use an IPv6 address directly
# proto ipv6 is for IPv6 over IPv4 tunnels and 6to4

# range
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp

sudo ufw allow from  to  port 
sudo ufw allow from  to  port  proto 
sudo ufw allow proto tcp from any to any port 80,443

# IP
sudo ufw allow from 203.0.113.4
sudo ufw allow from 203.0.113.4 to any port 22

sudo ufw allow from 203.0.113.0/24
sudo ufw allow from 203.0.113.0/24 to any port 22

# network interface
ip addr show
sudo ufw allow in on eth0 to any port 80
sudo ufw allow in on {network_interface} to any port 3306 # mysql

# deny
sudo ufw deny from  to  port 
sudo ufw deny http
sudo ufw deny from 203.0.113.4

sudo ufw status numbered # list rules with their sequence numbers
sudo ufw delete 2
# delete by entering the original rule again
sudo ufw delete allow http # "allow http" is the actual rule

Common services and ports

Service     Port
ssh         22
sftp        115
rsync       873
http        80
https       443
mysql       3306
postgresql  5432
smtp        25
imap        143
imaps       993
pop3        110
pop3s       995

Numbered rules

Since rules are numbered, there is an ordering: rules are evaluated from the lowest number and the first match wins.
sudo ufw insert 1 allow from 
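The consequence of that ordering, as an added Python illustration (not from the original notes and not ufw's own code): a minimal first-match simulator over the addresses used in these notes, showing that a deny appended after a broader allow does not block that host, while placing it with `insert 1` does. The rule tuples and the `evaluate` helper are constructed for this example.

```python
import ipaddress

# Constructed rules echoing the notes' examples: (action, source network, dst port or None = any port).
# ufw walks the user rules top to bottom; the first match wins, and the default
# incoming policy (deny) applies when nothing matches.

def evaluate(rules, src_ip, dst_port, default="deny"):
    """Return the action ufw would take for an incoming packet from src_ip to dst_port."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if src in ipaddress.ip_network(net) and port in (None, dst_port):
            return action
    return default

# `sudo ufw allow from 203.0.113.0/24 to any port 22`, then
# `sudo ufw deny from 203.0.113.4` appended at the end of the list
APPENDED = [
    ("allow", "203.0.113.0/24", 22),
    ("deny", "203.0.113.4", None),
]

# Same two rules, but the deny placed first via `sudo ufw insert 1 deny from 203.0.113.4`
PREPENDED = [
    ("deny", "203.0.113.4", None),
    ("allow", "203.0.113.0/24", 22),
]

def demo():
    """Outcomes for the blocked host and a neighbour under both orderings."""
    return {
        "appended_ssh_from_blocked_host": evaluate(APPENDED, "203.0.113.4", 22),   # allow (!)
        "prepended_ssh_from_blocked_host": evaluate(PREPENDED, "203.0.113.4", 22), # deny
        "appended_ssh_from_neighbour": evaluate(APPENDED, "203.0.113.9", 22),      # allow
        "appended_http_from_neighbour": evaluate(APPENDED, "203.0.113.9", 80),     # deny (default policy)
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```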

logging

sudo ufw logging on
sudo ufw logging off
Recommended: Disabling logging may be useful to stop UFW filling up the kernel (dmesg) and message logs.

VPN and Forwarding

Enable forwarding for VPN like OpenVPN, WireGuard.
# /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Pre-Defined App Policy

The package comes with some default profiles based on the default ports of many common daemons and programs.
ufw app list

❯ ls -al /etc/ufw/applications.d
total 52
drwxr-xr-x 2 root root 4096 Apr  2 23:22 .
drwxr-xr-x 3 root root 4096 Apr  2 23:21 ..
-rw-r--r-- 1 root root  129 Mar 26 18:10 mosh
-rw-r--r-- 1 root root  349 Dec 25 10:27 ufw-bittorent
-rw-r--r-- 1 root root  627 Dec 25 10:27 ufw-chat
-rw-r--r-- 1 root root  513 Dec 25 10:27 ufw-directoryserver
-rw-r--r-- 1 root root   89 Dec 25 10:27 ufw-dnsserver
-rw-r--r-- 1 root root  358 Dec 25 10:27 ufw-fileserver
-rw-r--r-- 1 root root  212 Dec 25 10:27 ufw-loginserver
-rw-r--r-- 1 root root  524 Dec 25 10:27 ufw-mailserver
-rw-r--r-- 1 root root  131 Dec 25 10:27 ufw-printserver
-rw-r--r-- 1 root root  155 Dec 25 10:27 ufw-proxyserver
-rw-r--r-- 1 root root  320 Dec 25 10:27 ufw-webserver
Custom app policy/rule. Don’t override pre-defined rules.
# /etc/ufw/applications.d/custom
[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp

# ports=10000:10002/tcp|10003/udp
# ports=10000:10002/tcp|10003,10009/udp

# enable custom application rule
ufw delete allow Deluge
ufw allow Deluge-my
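A parser for this profile format, as an added Python example (not part of the notes or of ufw itself): it expands each `ports=` entry into per-protocol port spans, rejects malformed or out-of-range entries, and flags a custom profile whose section name would shadow a pre-defined one, which is the "don't override pre-defined rules" point above. The profile text is constructed; treating an entry without a protocol as both tcp and udp is an assumption of this example.

```python
import configparser
import re

# Constructed profile text in the layout of /etc/ufw/applications.d/* (sample, not a real file).
CUSTOM_PROFILE = """\
[Deluge-my]
title=Deluge
description=Deluge BitTorrent client
ports=20202:20205/tcp

[Mixed-example]
title=Mixed
description=a range plus single ports on two protocols
ports=10000:10002/tcp|10003,10009/udp
"""

# One `|`-separated entry: ports (single, range low:high, or comma list) with optional /tcp or /udp.
PORT_ENTRY = re.compile(r"^(?P<ports>[0-9:,]+)(?:/(?P<proto>tcp|udp))?$")

def parse_profiles(text):
    """Return {profile_name: [(proto, low, high), ...]} or raise ValueError on a bad profile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        section = cp[name]
        for required in ("title", "description", "ports"):
            if required not in section:
                raise ValueError(f"{name}: missing '{required}'")
        spans = []
        for entry in section["ports"].split("|"):
            m = PORT_ENTRY.match(entry.strip())
            if not m:
                raise ValueError(f"{name}: bad ports entry {entry!r}")
            # Assumption: an entry with no protocol suffix covers both tcp and udp.
            protos = [m["proto"]] if m["proto"] else ["tcp", "udp"]
            for item in m["ports"].split(","):
                low, _, high = item.partition(":")
                low, high = int(low), int(high or low)
                if not 1 <= low <= high <= 65535:
                    raise ValueError(f"{name}: port span {item!r} out of range")
                spans.extend((p, low, high) for p in protos)
        profiles[name] = spans
    return profiles

def shadows_predefined(profiles, predefined_names):
    """Custom profile names that collide with a pre-defined profile and would override it."""
    return sorted(set(profiles) & set(predefined_names))
```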

Blacklist IP Addresses

# /etc/ufw/before.rules
...
# blacklist section
# block just 199.115.117.99
-A ufw-before-input -s 199.115.117.99 -j DROP
# block 184.105.*.*
-A ufw-before-input -s 184.105.0.0/16 -j DROP

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

SSH Protection and Rate Limit

Deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds.
Currently only IPv4 is supported.
ufw limit ssh/tcp

User Config

/etc/ufw/user.rules and /etc/ufw/user6.rules for IPv4 and IPv6 respectively.

Disable ping

Drop ICMP: in /etc/ufw/before.rules, change the target of the "ok icmp codes" rules from ACCEPT to DROP.
# /etc/ufw/before.rules
# ok icmp codes (ACCEPT changed to DROP)
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Manual

Default policies
  • default incoming policy of deny
  • forward policy of deny
  • outgoing policy of allow
  • see others in manual (icmp, icmpv6…)
  • IPV6 is allowed by default
Other useful commands
man ufw

# --dry-run

sudo ufw reload

show

sudo ufw show REPORTS
# raw: the complete firewall
# builtins, before-rules, user-rules, after-rules, logging-rules, listening, added

# raw is equivalent to
iptables -n -L -v -x -t 
ip6tables -n -L -v -x -t 
# filter, nat, mangle, raw tables

logging

  • LOG_KERN syslog facility is used by default.
  • rsyslog support may also log to /var/log/ufw.log
Enable/disable logging.
sudo ufw logging on|off|LEVEL # LEVEL is one of low, medium, high, full
sudo ufw allow log 22/tcp # per-rule logging

rule settings

If no direction is specified, the rule applies to incoming traffic.
For traffic forwarded through the host rather than destined for the host itself, use the route keyword.
sudo ufw allow in on eth0 from 192.168.0.0/16
ufw allow out on eth1 to 10.0.0.0/8

# add comment
ufw limit 2222/tcp comment 'SSH port'

# simple syntax
ufw allow 25/tcp # ufw allow smtp
# incoming traffic rule by default
ufw allow in http
ufw reject out smtp

# fuller syntax, based on OpenBSD's PF syntax
ufw deny proto tcp to any port 80
ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
ufw deny in on eth0 to 224.0.0.1 proto igmp

ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 6459

route

ufw route allow in on eth1 out on eth2
Set up IP forwarding to use routing rules.
# /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

# restart ufw
sudo ufw disable && sudo ufw enable

rate limit

Use reject instead of deny to let the sender know the connection was refused.
ufw limit ssh/tcp
ufw reject auth

delete rules

  • Use the original rule: ufw delete deny 80/tcp
  • Delete a rule by its number from sudo ufw status numbered
    • repeat for the IPv6 version of the rule, which has its own number

insert and prepend

  • prepend, equivalent to insert at number 1

app integration

ufw app list
ufw allow 
ufw allow from 192.168.0.0/16 to any app 

ufw app info 
sudo ufw allow in "Apache Full"
