En:HOWTO: Introduction Firewalling with UFW
Introduction
During the installation of Sabayon Linux, the Anaconda installer gives you the option to activate a firewall. That is a good idea.
Sabayon Linux uses "Uncomplicated Firewall" (UFW) to generate the iptables rules. In the repositories you can find ufw-frontends and kcm-ufw (KDE specific) as graphical interfaces for configuring UFW, but in this article we're going to use the command-line interface.
The UFW manpage is very thorough; this article is only an introduction.
Enable / Disable UFW
With systemd
UFW is started by the system at boot by default. You can check this with:
# systemctl status ufw
You can disable it by:
# systemctl disable ufw
And enable again:
# systemctl enable ufw
It's better to disable / enable UFW with:
# ufw disable
# ufw enable
With OpenRC
UFW is added to the default runlevel by default. You can check this with:
# rc-update | grep ufw
You can remove it with:
# rc-update remove ufw default
But it's better to disable / enable UFW with:
# ufw disable
# ufw enable
Open / Close ports for applications
You can open and close ports for a specific set of applications. To show the list of applications available use:
# ufw app list
Then you can open the port with:
# ufw allow <application>
Take ssh for example:
# ufw allow ssh
# ufw deny ssh
Open / Close specific ports
If an application is not in the application list, you have to find out which port it's using. The file /etc/services can be helpful, or you can list the listening TCP and UDP sockets with:
# ss -tul
Let's open UDP port 53:
# ufw allow 53/udp
You can be more specific; maybe you only want access to your ssh server from a specific address range. When you use "allow ssh", this is what actually happens:
# ufw allow proto tcp from any to any port 22
To be more restrictive:
# ufw allow proto tcp from 192.168.0.0/24 to any port 22
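The expansion from a service name to the explicit "proto ... from ... to any port ..." form can be scripted. The following is an added example, not part of the original wiki article: it looks the port up in /etc/services (using a small constructed excerpt so it runs offline) and emits the explicit rule, optionally restricted to a source range, so you can review it or pass it to "ufw --dry-run" before applying it.

```shell
#!/bin/sh
# Added example (not from the Sabayon wiki): build the explicit ufw rule
# for a service name, the way "ufw allow ssh" expands it internally.

# Constructed excerpt of /etc/services so the script runs offline.
# Set SERVICES_FILE=/etc/services to use the real file instead.
SERVICES_FILE="${SERVICES_FILE:-}"
SAMPLE_SERVICES='ssh     22/tcp
ssh     22/udp
domain  53/tcp
domain  53/udp
http    80/tcp'

# service_port NAME PROTO -> prints the port number; returns 1 if not found.
# Matches the "name port/proto [# comment]" layout of /etc/services.
service_port() {
  name="$1"; proto="$2"
  if [ -n "$SERVICES_FILE" ]; then
    data=$(cat "$SERVICES_FILE")
  else
    data="$SAMPLE_SERVICES"
  fi
  printf '%s\n' "$data" | awk -v n="$name" -v p="$proto" '
    $1 !~ /^#/ && $1 == n && split($2, a, "/") == 2 && a[2] == p {
      print a[1]; found = 1; exit
    }
    END { exit found ? 0 : 1 }'
}

# ufw_rule ACTION NAME PROTO [FROM] -> prints the explicit rule, e.g.
# "ufw allow proto tcp from 192.168.0.0/24 to any port 22".
# FROM defaults to "any", which is what the short "ufw allow ssh" form means.
ufw_rule() {
  action="$1"; name="$2"; proto="$3"; from="${4:-any}"
  port=$(service_port "$name" "$proto") || {
    echo "unknown service: $name/$proto" >&2
    return 1
  }
  printf 'ufw %s proto %s from %s to any port %s\n' \
    "$action" "$proto" "$from" "$port"
}

# Usage: print the restrictive ssh rule from the article.
# Prepend "--dry-run" to the printed command to check it before applying.
ufw_rule allow ssh tcp 192.168.0.0/24
```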
Delete rules
If you want to delete rules, then you have to know which rules are available:
# ufw show added
Maybe you see something like "ufw deny 53/udp". That is actually shorthand for:
# ufw deny proto udp from any to any port 53
You can delete the rule with:
# ufw delete deny proto udp from any to any port 53
Another way:
# ufw status numbered
# ufw delete <number>