Difference between revisions of "En:HOWTO: Introduction Firewalling with UFW"

From Sabayon Wiki
(first submit)
 
m (With OpenRC: update: OpenRC no longer supported)
(One intermediate revision by the same user not shown)
Line 16: Line 16:
 
== Enable / Disable UFW ==
 
== Enable / Disable UFW ==
  
 +
=== With systemd ===
 +
UFW is by default started with system while booting. You can check this with:
 +
# systemctl status ufw
 +
 +
You can disable it by:
 +
# systemctl disable ufw
 +
 +
And enable again:
 +
# systemctl enable ufw
 +
 +
It's better to disable / enable UFW with:
 +
# ufw disable
 +
# ufw enable
 +
 +
=== With OpenRC ===
 +
{{Warning| Please note that '''OpenRC is no longer supported''' in Sabayon.}}
 
UFW is by default added to the default boot. You can check this with:
 
UFW is by default added to the default boot. You can check this with:
  
  # sudo rc-update | grep ufw
+
  # rc-update | grep ufw
  
 
You can remove it with:
 
You can remove it with:
  
  # sudo rc-update remove ufw default
+
  # rc-update remove ufw default
  
 
But it's better to disable / enable UFW with:
 
But it's better to disable / enable UFW with:
  
  # sudo ufw disable
+
  # ufw disable
  # sudo ufw enable
+
  # ufw enable
  
 
== Open / Close ports for applications ==
 
== Open / Close ports for applications ==
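Review bot: the new "With systemd" text says it is better to disable / enable UFW with `ufw disable` / `ufw enable` than with `systemctl disable ufw` / `systemctl enable ufw`, but never says why, so a reader may treat the two pairs as interchangeable. Suggest one sentence after `# ufw enable` stating what differs (the systemctl commands only control whether the unit is started at boot, while the ufw commands change the firewall's own enabled state). The `sudo` removal is consistent with the `#` root prompt kept on every command line.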
Line 34: Line 50:
 
list of applications available use:
 
list of applications available use:
  
  # sudo ufw app list
+
  # ufw app list
  
 
Then you can open the port with:
 
Then you can open the port with:
  
  # sudo ufw allow <application>
+
  # ufw allow <application>
  
 
Take ssh for example
 
Take ssh for example
  
  # sudo ufw allow ssh
+
  # ufw allow ssh
  # sudo ufw deny ssh
+
  # ufw deny ssh
  
 
== Open / Close specific ports ==
 
== Open / Close specific ports ==
  
 
If an application is not in the application list, you have to find out which
 
If an application is not in the application list, you have to find out which
port it's using. The file /etc/services can be helpfull or
+
port it's using. The file /etc/services can be helpful or
  
  # sudo ss -tul
+
  # ss -tul
  
 
Let's open udp port 53
 
Let's open udp port 53
  
  # sudo ufw allow 53/udp
+
  # ufw allow 53/udp
  
 
You can be more specific, maybe you want only access from a specific range to
 
You can be more specific, maybe you want only access from a specific range to
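Review bot: under "Take ssh for example" the new lines `# ufw allow ssh` and `# ufw deny ssh` are shown as one block with no text saying they are alternatives (open versus close); a reader following the page literally would type both in order. Suggest a short caption for each line, e.g. "to open: ufw allow ssh" and "to close: ufw deny ssh".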
Line 60: Line 76:
 
happening:
 
happening:
  
  # sudo ufw allow proto tcp from any to any port 22
+
  # ufw allow proto tcp from any to any port 22
  
 
To be more restrictive:
 
To be more restrictive:
  
  # sudo ufw allow proto tcp from 192.168.0.0/24 to any port 22
+
  # ufw allow proto tcp from 192.168.0.0/24 to any port 22
  
 
== Delete rules ==
 
== Delete rules ==
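Review bot: `# ss -tul` in the "Open / Close specific ports" hunk lists listening TCP and UDP sockets but, without `-p`, does not show which process owns each socket, so it does not on its own answer "which port is the application using", which is the question the sentence above it poses. Suggest `# ss -tulp` (the `#` prompt already implies root, which `-p` needs to show other users' processes).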
Line 70: Line 86:
 
If you want to delete rules, then you have to know which rules are available:
 
If you want to delete rules, then you have to know which rules are available:
  
  # sudo ufw show added
+
  # ufw show added
  
 
Maybe you see somehing like "ufw deny 53/udp". Actually it's a summarization
 
Maybe you see somehing like "ufw deny 53/udp". Actually it's a summarization
 
of:
 
of:
  
  # sudo ufw deny proto udp from any to any port 53
+
  # ufw deny proto udp from any to any port 53
  
 
You can delete the rule with:
 
You can delete the rule with:
  
  # sudo ufw delete deny proto udp from any to any port 53
+
  # ufw delete deny proto udp from any to any port 53
  
 
Another way:
 
Another way:
  
  # sudo ufw status numbered
+
  # ufw status numbered
  # sudo delete <number>
+
  # ufw delete <number>
  
 
[[Category:Firewalls|Introduction Firewalling with UFW]]
 
[[Category:Firewalls|Introduction Firewalling with UFW]]
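Review bot: the corrected line `# ufw delete <number>` fixes the old `# sudo delete <number>`, which was missing the `ufw` command, but the numbered-delete method still lacks the caveat that the remaining rules are renumbered after each deletion. Suggest adding after that line: re-run `ufw status numbered` before deleting another rule, otherwise the next `<number>` may point at a different rule than intended.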

Revision as of 13:24, 9 March 2014


Introduction

During the installation of Sabayon Linux, the Anaconda installer gives you the option to activate a firewall. That is a good idea.

Sabayon Linux uses "Uncomplicated Firewall" (UFW) to generate the iptables rules. The repositories also contain ufw-frontends and kcm-ufw (KDE specific) as graphical interfaces for configuring UFW, but this article uses the command-line interface.

The UFW manpage is very thorough; this article is only an introduction.

Enable / Disable UFW

With systemd

UFW is started with the system at boot by default. You can check this with:

# systemctl status ufw

You can disable it with:

# systemctl disable ufw

And enable again:

# systemctl enable ufw

It's better to disable / enable UFW with:

# ufw disable
# ufw enable

With OpenRC

Please note that OpenRC is no longer supported in Sabayon.

UFW is added to the default runlevel by default. You can check this with:

# rc-update | grep ufw

You can remove it with:

# rc-update remove ufw default

But it's better to disable / enable UFW with:

# ufw disable
# ufw enable

Open / Close ports for applications

You can open and close ports for a specific set of applications. To show the list of applications available use:

# ufw app list

Then you can open the port with:

# ufw allow <application>

Take ssh for example; the first command opens the port, the second closes it:

# ufw allow ssh
# ufw deny ssh

Open / Close specific ports

If an application is not in the application list, you have to find out which port it uses. The file /etc/services can be helpful, or you can list the listening sockets with:

# ss -tul

Let's open UDP port 53:

# ufw allow 53/udp

You can be more specific; maybe you want to allow access to your ssh server only from a specific address range. When you use "allow ssh", this is what actually happens:

# ufw allow proto tcp from any to any port 22

To be more restrictive:

# ufw allow proto tcp from 192.168.0.0/24 to any port 22

Delete rules

If you want to delete rules, then you have to know which rules are available:

# ufw show added

You may see something like "ufw deny 53/udp". That is actually a shorthand for:

# ufw deny proto udp from any to any port 53

You can delete the rule with:

# ufw delete deny proto udp from any to any port 53

Another way:

# ufw status numbered
# ufw delete <number>
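The two points above, that a short rule such as "deny 53/udp" is shorthand for an explicit "proto ... from any to any port ..." rule, and that deleting by number requires reading the rule number from "ufw status numbered", can be shown without touching a live firewall. The script below is an added example and is not part of the Sabayon wiki page or of UFW itself: ufw_expand turns the shorthand into the long form the page shows, and ufw_rule_number finds the index of a rule in a numbered status listing so that "ufw delete <number>" hits the intended line. The service table and the status listing are constructed for the example (the listing follows the real column layout of "ufw status numbered", but the rules in it are made up); the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Sabayon wiki page. Neither helper calls ufw;
# both only work on text, so the script runs on any host.

# Constructed stand-in for /etc/services: only the entries this example needs.
SERVICES="ssh 22/tcp
http 80/tcp
https 443/tcp
domain 53/udp"

# Resolve a service name to "port/proto" using the table above.
service_lookup() {
    printf '%s\n' "$SERVICES" | awk -v name="$1" '$1 == name { print $2; exit }'
}

# ufw_expand ACTION TARGET
#   ACTION is allow or deny; TARGET is "port/proto" or a service name.
#   Prints the explicit rule, e.g. "allow proto udp from any to any port 53".
ufw_expand() {
    action=$1
    target=$2
    case "$action" in
        allow|deny) ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    case "$target" in
        */*) spec=$target ;;
        *)   spec=$(service_lookup "$target")
             [ -n "$spec" ] || { echo "unknown service: $target" >&2; return 1; } ;;
    esac
    port=${spec%/*}
    proto=${spec#*/}
    printf '%s proto %s from any to any port %s\n' "$action" "$proto" "$port"
}

# Constructed sample of "ufw status numbered" output (real column layout,
# made-up rules).
STATUS_NUMBERED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 2] 53/udp                     DENY IN     Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# ufw_rule_number TO ACTION FROM
#   Prints the number of the first rule whose To, Action and From columns
#   match exactly; prints nothing and returns 1 if there is none.
ufw_rule_number() {
    printf '%s\n' "$STATUS_NUMBERED" | awk -v to="$1" -v act="$2" -v from="$3" '
        /^\[ *[0-9]+\]/ {
            # the rule number sits between "[" and "]"
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
            # drop the "[ n] " prefix, then split the rest on runs of two
            # or more spaces: To / Action / From
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            c = split(rest, col, "  +")
            if (c >= 3 && col[1] == to && col[2] == act && col[3] == from) {
                print n; found = 1; exit
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Demo when the file is executed directly.
echo "allow 53/udp  ->  $(ufw_expand allow 53/udp)"
echo "deny ssh      ->  $(ufw_expand deny ssh)"
n=$(ufw_rule_number 53/udp 'DENY IN' Anywhere) && echo "rule to delete: ufw delete $n"
```

Because rule numbers shift after every deletion, a script that deletes several rules should call ufw_rule_number again before each "ufw delete <number>" rather than reusing numbers read once.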