Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » firewall » ufw
Trace:
networking:firewall:ufw

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:firewall:ufw [2022/07/27 14:47]
gcooper 		networking:firewall:ufw [2022/07/28 13:44] (current)
gcooper
Line 19: Line 19:
 ufw --force enable ufw --force enable
  
-ufw status+ufw status numbered
 </file> </file>
 +
 +===== Custom Rules =====
 +
 +FIXME This needs further confirmation.  **Consider this a starting point.**
 +
 +<note warning>This **example** is for filtering (further restricting) **external access to ports published (opened externally) by Docker**.  Consider this a firewall in front of the Docker firewall.  **Once you start with this, you will need to maintain it to control access to all your Docker apps.**</note>
 +
 +<note important>Docker published ports are **globally accessible** and this is **not limited by normal filtering rules**.  This is probably unwanted in some cases such as **admin URLs** to web apps running under Docker.</note>
 +
 +<file>
 +vim /etc/ufw/after.rules
 +</file>
 +
 +Insert the lines mentioning Docker, in the locations shown.  Modify the destination ports as needed.
 +
 +<file>
 +#
 +# rules.input-after
 +#
 +# Rules that should be run after the ufw command line added rules. Custom
 +# rules should be added to one of these chains:
 +#   ufw-after-input
 +#   ufw-after-output
 +#   ufw-after-forward
 +#
 +
 +# Don't delete these required lines, otherwise there will be errors
 +*filter
 +:ufw-after-input - [0:0]
 +:ufw-after-output - [0:0]
 +:ufw-after-forward - [0:0]
 +:DOCKER-USER - [0:0]
 +# End required lines
 +
 +# Custom rules for Docker apps
 +-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 +-A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
 +-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 80,443,22115:22119 -j ACCEPT
 +-A DOCKER-USER -i eth0 --match multiport -p udp --dports 22116 -j ACCEPT
 +-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 81,9443 --source 192.168.1.0/24,10.0.0.0/24 -j ACCEPT
 +-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
 +-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
 +
 +# don't log noisy services by default
 +-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
 +-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
 +-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
 +-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
 +-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
 +-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
 +
 +# don't log noisy broadcast
 +-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
 +
 +# don't delete the 'COMMIT' line or these rules won't be processed
 +COMMIT
 +</file>
 +
  
networking/firewall/ufw.1658954821.txt.gz · Last modified: 2022/07/27 14:47 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki