Differences

This shows you the differences between two versions of the page.

--- networking:firewall:ufw [2022/07/27 13:24]
gcooper
+++ networking:firewall:ufw [2022/07/28 13:44] (current)
gcooper
@@ Line 2: / Line 2: @@
 UFW is the default firewall configuration tool on Ubuntu and is simple to install on Debian.
+https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
 **Getting Started**: https://www.howtoforge.com/tutorial/ufw-uncomplicated-firewall-on-ubuntu-15-04/
@@ Line 14: / Line 16: @@
 ufw default deny incoming
 ufw default allow outgoing
-ufw allow 22/tcp                #SSH from everywhere
+ufw allow 2222/tcp                #Example
 ufw --force enable
-ufw status
+ufw status numbered
 </file>
+===== Custom Rules =====
+FIXME This needs further confirmation.  **Consider this a starting point.**
+<note warning>This **example** is for filtering (further restricting) **external access to ports published (opened externally) by Docker**.  Consider this a firewall in front of the Docker firewall.  **Once you start with this, you will need to maintain it to control access to all your Docker apps.**</note>
+<note important>Docker published ports are **globally accessible** and this is **not limited by normal filtering rules**.  This is probably unwanted in some cases such as **admin URLs** to web apps running under Docker.</note>
+<file>
+vim /etc/ufw/after.rules
+</file>
+Insert the lines mentioning Docker, in the locations shown.  Modify the destination ports as needed.
+<file>
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-after-input
+#   ufw-after-output
+#   ufw-after-forward
+#
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+:DOCKER-USER - [0:0]
+# End required lines
+# Custom rules for Docker apps
+-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
+-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 80,443,22115:22119 -j ACCEPT
+-A DOCKER-USER -i eth0 --match multiport -p udp --dports 22116 -j ACCEPT
+-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 81,9443 --source 192.168.1.0/24,10.0.0.0/24 -j ACCEPT
+-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
+-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
+# don't log noisy services by default
+-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
+-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
+-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
+# don't log noisy broadcast
+-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
+</file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools