====== UFW Firewall ======

UFW is the default firewall configuration tool on Ubuntu and is simple to install on Debian.

https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

**Getting Started**: https://www.howtoforge.com/tutorial/ufw-uncomplicated-firewall-on-ubuntu-15-04/

**HowTo**: https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

===== Reset UFW =====

  ufw --force disable
  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow 2222/tcp #Example
  ufw --force enable
  ufw status numbered

===== Custom Rules =====

FIXME This needs further confirmation. **Consider this a starting point.**

This **example** is for filtering (further restricting) **external access to ports published (opened externally) by Docker**. Consider this a firewall in front of the Docker firewall. **Once you start with this, you will need to maintain it to control access to all your Docker apps.**

Docker published ports are **globally accessible** and this is **not limited by normal filtering rules**. This is probably unwanted in some cases such as **admin URLs** to web apps running under Docker.

  vim /etc/ufw/after.rules

Insert the lines mentioning Docker, in the locations shown. Modify the destination ports as needed.

  #
  # rules.input-after
  #
  # Rules that should be run after the ufw command line added rules. Custom
  # rules should be added to one of these chains:
  #   ufw-after-input
  #   ufw-after-output
  #   ufw-after-forward
  #
  # Don't delete these required lines, otherwise there will be errors
  *filter
  :ufw-after-input - [0:0]
  :ufw-after-output - [0:0]
  :ufw-after-forward - [0:0]
  :DOCKER-USER - [0:0]
  # End required lines
  # Custom rules for Docker apps
  -A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
  -A DOCKER-USER -i eth0 --match multiport -p tcp --dports 80,443,22115:22119 -j ACCEPT
  -A DOCKER-USER -i eth0 --match multiport -p udp --dports 22116 -j ACCEPT
  -A DOCKER-USER -i eth0 --match multiport -p tcp --dports 81,9443 --source 192.168.1.0/24,10.0.0.0/24 -j ACCEPT
  -A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
  -A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
  # don't log noisy services by default
  -A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
  -A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
  -A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
  -A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
  # don't log noisy broadcast
  -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
  # don't delete the 'COMMIT' line or these rules won't be processed
  COMMIT
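Because the allowlist above has to be maintained by hand for every Docker app, a small audit of the rules file helps catch mistakes before reloading. The script below is an added example, not part of the original page or of ufw or Docker: the function names ''audit_docker_user'' and ''sample_rules'' are hypothetical, and the sample input is constructed from the DOCKER-USER block shown above. It lists which ports are open to any source and which are source-restricted, and fails if the chain is undeclared, ''COMMIT'' is missing, or the chain does not end by dropping NEW connections.

```shell
#!/bin/sh
# Added example: audit the DOCKER-USER block of a ufw after.rules file on stdin.
# Prints one line per port ACCEPT rule; exit status is non-zero on any ERROR.
audit_docker_user() {
    awk '
    /^:DOCKER-USER /   { declared = 1 }
    /^COMMIT/          { commit = 1 }
    /^-A DOCKER-USER / {
        target = ""; ports = ""; proto = "any"; src = "any"; state = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j")                          target = $(i + 1)
            if ($i == "-p")                          proto  = $(i + 1)
            if ($i == "--dports" || $i == "--dport") ports  = $(i + 1)
            if ($i == "--source" || $i == "-s")      src    = $(i + 1)
            if ($i == "--ctstate")                   state  = $(i + 1)
        }
        last = target " " state          # remember the final rule of the chain
        if (target == "ACCEPT" && state == "") {
            scope = (src == "any") ? "WORLD" : "RESTRICTED"
            print scope, proto, ports, src
        }
    }
    END {
        if (!declared) { print "ERROR DOCKER-USER chain not declared"; bad = 1 }
        if (!commit)   { print "ERROR COMMIT line missing"; bad = 1 }
        if (last != "DROP NEW") {
            print "ERROR chain does not end in DROP for NEW"; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample input: the DOCKER-USER rules from the page above.
sample_rules() {
    cat <<'EOF'
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 80,443,22115:22119 -j ACCEPT
-A DOCKER-USER -i eth0 --match multiport -p udp --dports 22116 -j ACCEPT
-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 81,9443 --source 192.168.1.0/24,10.0.0.0/24 -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

sample_rules | audit_docker_user   # on a real host: audit_docker_user < /etc/ufw/after.rules
```

Note that DOCKER-USER is evaluated on the FORWARD path after Docker's DNAT, so ''--dports'' is compared against the container port rather than the published host port. Docker's documentation describes the conntrack ''--ctorigdstport'' match for filtering on the original port.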