Uncomplicated Firewall (UFW)

1. Introduction
2. Installation
3. Enable/disable
4. Basic commands
5. Advanced commands


1. Introduction

The Ubuntu kernel provides a packet-filtering system called netfilter, together with an interface for managing it: the iptables set of commands. This is a powerful and flexible mechanism, but working with it directly requires solid preparation. To ease the process, "frontend" packages have been created over time that simplify working with iptables and target different kinds of users.
The Uncomplicated Firewall (ufw) is a frontend for iptables; it consists of a small number of simple commands and is especially suited to host-based server firewalls. It is installed by default on all Ubuntu releases since 8.04 LTS and can be used for IPv4 or IPv6 host-based firewalls.
From its man page:
“ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls.”

2. Installation

On a fresh Ubuntu installation, ufw is installed but disabled. If it has been removed for some reason, it is installed as a standard package:

$ sudo apt update
$ sudo apt install ufw

3. Enable/Disable UFW

Enable:

$ sudo ufw enable

Disable:

$ sudo ufw disable

Check status:

$ sudo ufw status
$ sudo ufw status verbose
$ sudo ufw status numbered

The status can be checked after each modification.

4. Basic commands

To deny all incoming and allow all outgoing traffic, which is the default UFW policy:

$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming

Firewall rules can be added, modified, and deleted in two ways: by port number or by service name:

$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw allow 80
$ sudo ufw allow 443
$ sudo ufw deny http
$ sudo ufw deny 80

To restrict a rule to a specific protocol (here TCP only):

$ sudo ufw allow 80/tcp

To delete a rule, either by number:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere                 
[ 2] 80/tcp (v6)                ALLOW IN    Anywhere (v6)

$ sudo ufw delete 2
Deleting:
 allow 80/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere 

or by the rule itself:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere                  
80/tcp (v6)                ALLOW       Anywhere (v6)     
        

$ sudo ufw delete allow 80/tcp
Rule deleted
Rule deleted (v6)


$ sudo ufw status
Status: active
 

To reset all rules (and disable ufw):

$ sudo ufw reset     
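Deleting by number has a trap when several rules match: ufw renumbers the remaining rules after every delete, so the numbers printed by `ufw status numbered` go stale. The script below, an added example that is not part of the original page, parses a constructed copy of that output and emits the delete commands highest number first; `SAMPLE_STATUS`, `rule_numbers_for` and `delete_commands` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): pick numbered rules to delete
# from `ufw status numbered` output. Rules are renumbered after every delete,
# so when several rules match, delete them from the highest number down.

# Constructed sample of `sudo ufw status numbered` output (hypothetical host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# rule_numbers_for PORTSPEC: read status output on stdin and print the numbers
# of rules whose "To" column is PORTSPEC (e.g. 80/tcp), highest number first.
# The "(v6)" twin of a rule has the same "To" value and is matched as well.
rule_numbers_for() {
    spec="$1"
    # Turn "[ 2] 80/tcp   ALLOW IN   Anywhere" into "2 80/tcp ALLOW IN Anywhere"
    # (only bracketed rule lines survive), then compare the second field.
    sed -n 's/^\[ *\([0-9][0-9]*\)] *\(.*\)$/\1 \2/p' |
        awk -v spec="$spec" '$2 == spec { print $1 }' |
        sort -rn
}

# delete_commands PORTSPEC: emit the ufw commands that remove every rule for
# PORTSPEC (IPv4 and IPv6 entries) in an order that keeps the numbers valid.
# --force skips the interactive "Proceed with operation (y|n)?" prompt.
delete_commands() {
    printf '%s\n' "$SAMPLE_STATUS" | rule_numbers_for "$1" |
        while read -r n; do
            printf 'sudo ufw --force delete %s\n' "$n"
        done
}

delete_commands 80/tcp
```

Replace `SAMPLE_STATUS` with the real `sudo ufw status numbered` output to generate the commands for a live host.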

5. Advanced commands

Specific port ranges. Some applications use several ports rather than a single one. For example, to allow X11 connections, which use ports 6000-6007:

$ sudo ufw allow 6000:6007/tcp
$ sudo ufw allow 6000:6007/udp   

Specific IP addresses (to any port, or only to one port):

$ sudo ufw allow from 81.161.252.17 
$ sudo ufw allow from 81.161.252.17  to any port 22   

Subnets (from 81.161.252.1 to 81.161.252.254):

$ sudo ufw allow from 81.161.252.0/24
$ sudo ufw allow from 81.161.252.0/24 to any port 22 

To a specific network interface:

$ ip a |egrep enp
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.1.70/24 brd 192.168.1.255 scope global noprefixroute enp0s3

$ sudo ufw allow in on enp0s3 to any port 80
Rule added
Rule added (v6)

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80 on enp0s3               ALLOW IN    Anywhere                 
[ 2] 80 (v6) on enp0s3          ALLOW IN    Anywhere (v6)
     

To stop all ping requests, the following 4 lines in the file /etc/ufw/before.rules must be deleted or commented out:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

$ sudo nano  /etc/ufw/before.rules
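The same edit carried out with sed on a constructed copy of /etc/ufw/before.rules, as an added example that is not from the original page. It comments out only the echo-request line, which is the one that answers ping; the other three ICMP types carry error reports that path MTU discovery and traceroute rely on, so the example keeps them. The function names and the sample excerpt are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): comment out the ICMP echo-request
# rule in a copy of /etc/ufw/before.rules so the host stops answering ping,
# while keeping destination-unreachable, time-exceeded and parameter-problem
# (needed for path MTU discovery and traceroute). Run it against the real file
# as root, then `sudo ufw reload` to apply the change.

# Constructed excerpt of /etc/ufw/before.rules (the four lines quoted above).
SAMPLE_RULES='# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# disable_ping FILE: prefix the echo-request ACCEPT line with "#" in FILE,
# keeping a FILE.bak backup. Idempotent: an already-commented line is untouched.
disable_ping() {
    f="$1"
    cp "$f" "$f.bak"
    sed 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT\)$/#\1/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# active_icmp_accepts FILE: count ICMP ACCEPT rules that are still active
# (not commented out). Expect 4 before disable_ping and 3 after.
active_icmp_accepts() {
    grep -c '^-A ufw-before-input -p icmp .* -j ACCEPT$' "$1" || true
}

# ping_blocked FILE: exit 0 when the echo-request line is commented out.
ping_blocked() {
    grep -q '^#-A ufw-before-input -p icmp --icmp-type echo-request' "$1"
}

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    before=$(active_icmp_accepts "$tmp")
    disable_ping "$tmp"
    after=$(active_icmp_accepts "$tmp")
    echo "active ICMP ACCEPT rules: $before -> $after"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

IPv6 ping is governed separately by the icmpv6 rules in /etc/ufw/before6.rules, so the same edit is needed there for a dual-stack host.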

Note (copied from https://www.cloudflare.com/learning/ddos/glossary/internet-control-message-protocol-icmp/ ):
The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. Commonly, the ICMP protocol is used on network devices, such as routers. ICMP is crucial for error reporting and testing, but it can also be used in distributed denial-of-service (DDoS) attacks.

Further information can be found with:

$ man ufw