# UFW Firewall Configuration

## Overview
UFW (Uncomplicated Firewall) sits on top of iptables and provides a more user-friendly interface for managing firewall rules on Ubuntu systems.

## Distribution Differences

| Distribution | Firewall Tool |
|--------------|---------------|
| Ubuntu | UFW (built-in) |
| Kali | iptables (UFW not installed by default) |
| CentOS/RHEL | firewall-cmd (firewalld) |

## Basic Commands

### Check Status
```bash
sudo ufw status # Basic status
sudo ufw status verbose # Detailed status with default policies
sudo ufw status numbered # Show rule numbers
```

### Enable/Disable
```bash
sudo ufw enable # Turn on firewall (persists after reboot)
sudo ufw disable # Turn off firewall
```

## Default Policies
When you enable UFW, the default behavior is:
- **Incoming**: DENY (block all incoming traffic by default)
- **Outgoing**: ALLOW (allow all outgoing traffic)
- **Routed**: DENY (no routing/forwarding)

This means services won't be accessible until you explicitly allow them.

## Creating Rules

### Allow Rules - By Service Name
```bash
sudo ufw allow ssh # Allow SSH (port 22, IPv4 and IPv6)
sudo ufw allow http # Allow HTTP (port 80)
sudo ufw allow https # Allow HTTPS (port 443)
```

### Allow Rules - By Port
```bash
sudo ufw allow 22/tcp # Allow TCP port 22
sudo ufw allow 80/tcp # Allow TCP port 80
sudo ufw allow 53/udp # Allow UDP port 53 (DNS)
```

### Allow Rules - By IP Address
```bash
sudo ufw allow from 192.168.1.100 # Allow all traffic from specific IP
sudo ufw allow from 192.168.1.0/24 # Allow from entire subnet
```

### Deny Rules
```bash
sudo ufw deny from 192.168.195.0/24 # Block entire subnet
sudo ufw deny 23/tcp # Block telnet
```

## Rule Processing Order

**Critical**: UFW processes rules in the order they were added, and the first matching rule wins.

```bash
# Example 1 - This works (allow processed first)
sudo ufw allow from 192.168.195.100
sudo ufw deny from 192.168.195.0/24
# Result: .100 is allowed, rest of subnet blocked

# Example 2 - This doesn't work as intended (deny processed first)
sudo ufw deny from 192.168.195.0/24
sudo ufw allow from 192.168.195.100
# Result: .100 is also blocked (caught by first deny rule)
```
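As an added illustration, not part of the original notes, the following Python script models UFW's first-match evaluation on the two orderings above, flags rules that an earlier and broader rule shadows, and reorders a rule list most-specific-first, which is the fix the Troubleshooting section recommends. The rule lists, the function names and the `"deny"` fallback (standing in for the default incoming policy) are assumptions made here; the model covers only source-address matching, not ports, protocols or the before/after chains.

```python
import ipaddress

# Constructed rule lists mirroring the two orderings above, as (action, source).
# These are not ufw output, just a model of the user rules in the order added.
EXAMPLE_1 = [("allow", "192.168.195.100"), ("deny", "192.168.195.0/24")]
EXAMPLE_2 = [("deny", "192.168.195.0/24"), ("allow", "192.168.195.100")]


def _net(spec):
    # A bare address becomes a /32 (or /128) network.
    return ipaddress.ip_network(spec, strict=False)


def first_match(rules, src_ip, default="deny"):
    """Action of the first rule whose source network contains src_ip.

    `default` stands in for UFW's default incoming policy (DENY) and is
    returned when no user rule matches.
    """
    ip = ipaddress.ip_address(src_ip)
    for action, spec in rules:
        net = _net(spec)
        if net.version == ip.version and ip in net:
            return action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers a
    superset of their source network (the Example 2 mistake)."""
    nets = [_net(spec) for _, spec in rules]
    return [
        i for i, net in enumerate(nets)
        if any(e.version == net.version and net.subnet_of(e) for e in nets[:i])
    ]


def order_specific_first(rules):
    """Reorder so that longer prefixes (more specific sources) precede shorter
    ones; the sort is stable, so rules with equal prefix length keep their
    original order."""
    return sorted(rules, key=lambda r: _net(r[1]).prefixlen, reverse=True)


if __name__ == "__main__":
    for name, rules in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, ".100 ->", first_match(rules, "192.168.195.100"),
              "| shadowed rule indices:", shadowed_rules(rules))
```

Running it shows `.100 -> allow` for Example 1 and `.100 -> deny` for Example 2, with rule index 1 reported as shadowed in the second case; `order_specific_first(EXAMPLE_2)` yields the Example 1 ordering. Running `shadowed_rules` over a planned rule list before typing the `ufw` commands is a cheap way to catch this class of mistake.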

## Deleting Rules

### By Rule Number
```bash
sudo ufw status numbered # See rule numbers
sudo ufw delete 4 # Delete rule #4
```

**Warning**: After deleting a rule, all remaining rules are renumbered. Delete one at a time and re-check the numbers before the next delete.

### By Specification
```bash
sudo ufw delete allow ssh
sudo ufw delete allow from 192.168.1.100
```

## IPv6 Considerations

Many UFW commands automatically create both IPv4 and IPv6 rules:

```bash
sudo ufw allow ssh
# Creates BOTH:
# - Port 22 (IPv4)
# - Port 22 (IPv6)
```

**Security Tip**: If you're not using IPv6, consider deleting those rules to reduce attack surface:
```bash
sudo ufw status numbered
sudo ufw delete 4 # Delete the IPv6 rule
```
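The following Python helper is an added example, not from the original notes. It parses text in the shape of `ufw status numbered` (the sample below is constructed, not captured from a host), picks out the IPv6 rules, and emits `ufw delete` commands highest-number-first so that the renumbering described under Deleting Rules cannot shift a rule that is still waiting to be deleted. The column regex and the function names are assumptions made here.

```python
import re

# Constructed sample in the shape of `ufw status numbered`; not captured from a real host.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     192.168.195.0/24
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# One numbered rule line: "[ N] <To>  <ACTION> <DIR>  <From>".  Columns are
# separated by runs of two or more spaces, so the single space inside
# "22/tcp (v6)" does not split the To column.
RULE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(\S.*?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT|FWD)\s+(\S.*?)\s*$"
)


def parse_rules(status_text):
    """Parse numbered rule lines into dicts; header and blank lines are skipped."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, to, action, direction, src = m.groups()
        rules.append({
            "num": int(num),
            "to": to,
            "action": action,
            "direction": direction,
            "from": src,
            # UFW marks IPv6 rules with "(v6)" in the To and/or From column.
            "ipv6": "(v6)" in to or "(v6)" in src,
        })
    return rules


def ipv6_delete_commands(status_text):
    """Delete commands for every IPv6 rule, highest number first.

    UFW renumbers the remaining rules after each delete, so deleting in
    ascending order would make every later number point at the wrong rule.
    Deleting in descending order keeps each still-pending number valid.
    """
    nums = sorted((r["num"] for r in parse_rules(status_text) if r["ipv6"]), reverse=True)
    return [f"ufw delete {n}" for n in nums]


if __name__ == "__main__":
    for cmd in ipv6_delete_commands(SAMPLE_STATUS):
        print(cmd)
```

On the sample this prints `ufw delete 5` then `ufw delete 4`. `ufw delete N` asks for confirmation interactively; `ufw --force delete N` skips the prompt when the commands are fed from a script. If IPv6 is not used on the host at all, setting `IPV6=no` in `/etc/default/ufw` and running `sudo ufw reload` stops UFW generating v6 rules in the first place, which is less fragile than deleting them one by one.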

## Before/After Rules

UFW has built-in rules that are processed **before** and **after** your user-defined rules. These are stored in:
- `/etc/ufw/before.rules` - Processed before user rules
- `/etc/ufw/after.rules` - Processed after user rules

Example before-rules:
- Allow DHCP client (so you can get an IP)
- Allow established connections
- Allow loopback traffic

You can edit these files if needed, but typically user rules are sufficient.

## Common Service Configurations

### SSH Server
```bash
sudo ufw allow ssh
# or
sudo ufw allow 22/tcp
```

### Web Server (Apache/Nginx)
```bash
sudo ufw allow http
sudo ufw allow https
# or
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```

### DNS Server
```bash
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
```

## Competition Tips

1. **Start by enabling it**: `sudo ufw enable` - even the basic defaults improve security
2. **Allow services incrementally**: Only open ports for services you're actually running
3. **Check after each change**: `sudo ufw status verbose`
4. **Don't lock yourself out**: If configuring SSH remotely, make sure you allow SSH before enabling the firewall
5. **Monitor conflicts**: If a service stops working after enabling UFW, you likely forgot to allow its port

## Troubleshooting

### Service not accessible after enabling firewall
```bash
sudo ufw status numbered # Check if the port is allowed
sudo ufw allow <port>/tcp # Add the missing rule
```

### Locked out of SSH
- If you have console access: `sudo ufw allow ssh` then `sudo ufw enable`
- Always add the SSH rule before enabling the firewall on remote systems

### Rule not working as expected
- Check rule order with `sudo ufw status numbered`
- More specific rules should come before general deny rules
- Remember: first match wins

## Integration with System Services

UFW rules persist across reboots once enabled. The firewall starts automatically on boot if you've run `sudo ufw enable`.

To disable automatic start:
```bash
sudo ufw disable
```
183```