En:HOWTO: Introduction Firewalling with UFW

From Sabayon Wiki
Revision as of 19:22, 13 January 2014 by Zetok (talk | contribs) (adjust for systemd presence, fix typo, fix command)

Jump to: navigation, search

{{i18n| en}

Introduction

During the installation of Sabayon Linux, there is a possibility in the Anaconda installer that you activate a firewall. That is actually a good idea.

Sabayon Linux is using "Uncomplicated Firewall" (UFW) to generate the iptables rules. In the repositories you can find ufw-frontends and kcm-ufw (KDE specific) as graphical interfaces to configure UFW, but in this article we're going to use the command-line interface.

The manpage of UFW is very well documented, this article is just an introduction.

Enable / Disable UFW

With systemd

UFW is by default started with system while booting. You can check this with: 

# systemctl status ufw

You can disable it by: 

# systemctl disable ufw

And enable again: 

# systemctl enable ufw

It's better to disable / enable UFW with: 

# ufw disable
# ufw enable

With OpenRC

Question.png
Please note that OpenRC will be dropped in summer 2014.

UFW is by default added to the default boot. You can check this with: 

# rc-update | grep ufw

You can remove it with: 

# rc-update remove ufw default

But it's better to disable / enable UFW with: 

# ufw disable
# ufw enable

Open / Close ports for applications

You can open and close ports for a specific set of applications. To show the list of applications available use: 

# ufw app list

Then you can open the port with: 

# ufw allow <application>

Take ssh for example 

# ufw allow ssh
# ufw deny ssh

Open / Close specific ports

If an application is not in the application list, you have to find out which port it's using. The file /etc/services can be helpful or 

# ss -tul

Let's open udp port 53 

# ufw allow 53/udp

You can be more specific, maybe you want only access from a specific range to your ssh server. If you use the parameter "allow ssh", this is what actually happening: 

# ufw allow proto tcp from any to any port 22

To be more restrictive: 

# ufw allow proto tcp from 192.168.0.0/24 to any port 22

Delete rules

If you want to delete rules, then you have to know which rules are available: 

# ufw show added

Maybe you see somehing like "ufw deny 53/udp". Actually it's a summarization of: 

# ufw deny proto udp from any to any port 53

You can delete the rule with: 

# ufw delete deny proto udp from any to any port 53

Another way: 

# ufw status numbered
# ufw delete <number>
Retrieved from "https://wiki.sabayon.org/index.php?title=En:HOWTO:_Introduction_Firewalling_with_UFW&oldid=21895"